Template Staff Code of Conduct
Confidentiality, Data Protection and Information Governance
Patients expect that information about them will be treated as confidential and this is set out
as one of the core principles of the NHS. The NHS will respect confidentiality of individual
patients and provide open access to information about services, treatment and performance.

All NHS employees have a legal duty to protect and maintain the confidentiality of patient data
and other personal information, and to use it only for the purposes for which it was intended.

Therefore, everyone working for or within the NHS who records, handles, sorts or otherwise
comes across information that is capable of identifying an individual patient has a personal
duty of confidence to the patient and to his or her employer. The pharmacy recognises its
statutory duties and works to ensure that all staff comply with legislation and NHS guidance
relevant to the protection and use of person identifiable information.

All members of staff have a duty to:
  • Conform to policies and procedures relating to the protection of confidentiality and
    security of information.
  • Be aware of their responsibilities in protecting the confidentiality and security of
  • Attend security and confidentiality training as required.
  • Safeguard hardware, software and information in their care.

The duty of confidentiality is written into employment contracts. Any breach of confidentiality of
information gained, whether directly or indirectly, in the course of work is a disciplinary offence
that could result in dismissal and/or prosecution.

Information given in confidence should not be disclosed or used in any way that might identify
a person without his or her consent. It is important to let people know that the information that
they give will be recorded and may be shared between members of care teams and between
different organisations involved in providing healthcare. All people using our services should
be provided with the following advice and help:

  • Staff should provide service users with information leaflets on patient confidentiality
    and information disclosure.
  • They should be given details about the information that will be shared and used and
    with whom.
  • They should be made aware of the choices on how information may be disclosed and
  • It should be made clear to them what information can be shared with carers.
  • Staff should inform service users about their right to access their health records under
    the Data Protection Act 1998.

There are some circumstances where the disclosure of confidential information is allowed
without the permission of the service user:

  • Where a child is believed to be at risk of harm (Children Act 1989).
  • Where there is evidence of risk of harm either to the individual or somebody else.
  • For the prevention, detection and prosecution of serious crime.
  • When instructed by a court.
  • In certain circumstances under the Mental Health Act 1983.

Patients have the right to object to the use and disclosure of confidential information that
identifies them and need to be made aware of this right. Sometimes, if patients choose not to
allow information to be disclosed to other health or social care professionals it might mean
that the care that can be provided is limited. Patients must be informed if their decisions about
disclosure have implications for the provision of their care or treatment. Clinicians cannot
usually treat patients safely or provide continuity of care without having the relevant
information about a patient’s condition or medical history.

Seeking consent may be difficult either because a patient’s difficulties or circumstances
prevent them from being informed about the likely uses of their information or because they
have difficulty in communicating their decision. Extra care must be taken to ensure that
information is provided in a suitable format or language that is accessible and to check that it
has been understood.

Where the patient is unable to give consent, information should only be disclosed in the
patient’s best interests and then only as much information as is needed to support their care.
Each situation must be judged on its own merits and great care taken to avoid breaching
confidentiality or causing difficulties for the patients. Decisions to disclose should be noted in
the patient’s record.

What does the Data Protection Act do?
It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing
or disposing of personal data, on paper and on computer systems. It also includes images
such as CCTV or X-Rays, etc.
Essentially, the Act does three things:

  • It requires every organisation to inform the relevant national authority of its processing
  • It obliges organisations to comply with a code of conduct on data processing (the ‘Data
    Protection Principles’) Ref Section 7
  • It creates a set of enforceable expectations for individuals concerning the processing
    of their personal data (the ‘Individuals’ Rights’).

As well as information held on computers, the Act also covers most manual records, e.g.

   Health              Finance        Personnel      Occupational Health
   Volunteers          Suppliers      Contractors    Card Indices

These are summarised into 8 Data Protection Principles.

1. First Principle
Personal information must be fairly and lawfully processed.

2. Second Principle
Personal information shall be obtained only for one or more specified and lawful purposes,
and shall not be further processed in any manner incompatible with that purpose or those

3. Third Principle
Personal information shall be adequate, relevant and not excessive in relation to the purpose
or purposes for which it is processed.

4. Fourth Principle
Personal information must be accurate and up-to-date.

5. Fifth Principle
Personal information processed for any purpose or purposes shall not be kept for longer than
is necessary.

6. Sixth Principle
Personal information shall be processed in accordance with the rights of data subjects under
this Act.

7. Seventh Principle
Appropriate technical and organisational measures shall be taken against unauthorised or
unlawful processing of personal information and against accidental loss or destruction of, or
damage to, personal information.

8. Eighth Principle
Personal information shall not be transferred to a country or territory outside the European
Economic Area, unless that country or territory ensures an adequate level of protection of the
rights and freedoms of data subjects in relation to the processing of personal information.

Personal Data -                electronic or manual information which identifies a living

Sensitive Personal Data -      information as to a person’s religious beliefs of a similar nature,
                               racial or ethnic origin, membership of a trade union, political
                               opinions, physical or mental health, sexual life or criminal

Processing -                   any activity that can be carried out concerning personal data

Data Controller -              any person who controls the processing of personal data and
                               subject access requests

Data Subject -                 the individual person who is the subject of any relevant personal

Individuals’ Rights

Individuals are entitled to the following rights in respect of data processing:

  • To be informed by any data controller whether it is processing data concerning
    him/her, and to be given a copy of such data.
  • To prevent processing likely to cause him/her damage or distress.
  • To prevent direct marketing to him/her.
  • To prevent the taking of automated decisions concerning him/her.
  • To have inaccurate data corrected or erased.
  • To compensation for damage or distress caused by unlawful data processing.
  • To ask the Information Commissioner to investigate the activities of any data

Freedom of Information Act 2000

The Act was passed on 30th November 2000 and gives a general right of access to all types
of ‘recorded’ information held by public authorities (and those providing services for them).
Only public authorities are covered by the Act, and these include government departments,
local authorities and NHS bodies, schools, universities, etc.

Under the Act, authorities have two main responsibilities:

  • to produce a ‘publication scheme’ (effectively a guide to the information they hold
    which is publicly available)
  • to deal with individual requests for information.

The Six Caldicott Principles

   1.   Justify the purpose(s) for using confidential information.
   2.   Only use personal information when absolutely necessary
   3.   Use the minimum that is required
   4.   Access should be on a strict need-to-know basis
   5.   Everyone must understand his or her responsibilities
   6.   Everyone must understand and comply with the law

Each NHS and Social Service organisation is required to appoint a Caldicott Guardian with a
remit of protecting confidential patient information and acting as a resource and advisor on
issues of confidentiality.

Confidential information sent from one NHS organisation to another or from one part of an
organisation to another is to be managed within a safe haven environment to ensure
confidentiality. All members of staff must be aware of the safe haven policy and procedures
which include location, staff responsibilities, handling information, disclosure controls, storage,
archiving and destruction.


Ensure that patients are made aware of the intention to share information and that any
specific wishes to the contrary will be respected.


  • Agree and strictly observe protocols that ensure sharing on a strictly ‘need-to-know’
  • Agree and implement authentication and access security controls to prevent
    unauthorised access and ensure that authorised access is based on the
    ‘need-to-know’ principle.

Care with Information

  • Care when talking, be discreet, beware of onlookers
  • Faxing information – ensure it gets to the intended recipient
  • Collect faxes and printing as soon as they have been printed
  • Giving information over the telephone – ensure the recipient should know it
  • Proper control over medical records’ storage and access
  • Log off or use a password protected screensaver if you leave a computer
  • NEVER share your password, smart card etc.
  • NEVER use someone else’s password
  • Only use authorised software (do not download and install anything from the Internet)
  • Don’t save any documents to the ‘C:’ drive on your computer
  • Operate a ‘clear desk’ and ‘clear screen’ policy
  • Report any concerns immediately
  • Do not attempt to access information or services for which you are not authorised
  • Only email clinical or confidential information within NHS.Net and after the risks have
    been assessed
  • Make regular and frequent backups

Safe Havens

The term ‘safe haven’ covers the arrangements that all staff must follow to ensure that
confidential, sensitive, private and personal information can be transferred between teams or
departments safely and securely.

When using a fax machine, telephone, post, email or text to transfer information, remember to:
  • Check the name and number/address of recipient
  • Contact the recipient before sending
  • Ask the recipient to confirm receipt of the information
  • Depending on the method, clearly mark the information ‘private and confidential’

If it is absolutely necessary to transport person identifiable information off-site, ensure that
you have made a note in the file of what you have taken, the date, and the reason for transporting
the information. Ensure that you keep the information safe and secure whilst it is off-site.
Return the information as soon as possible.

All staff are responsible for ensuring the safe and secure transfer of person identifiable

The checklist below is for you to use within your area of work. Please take a few minutes to
go through each of the questions and check whether the answer is Yes or No. If the answer is
No to any question on the checklist, please raise the issue with your Pharmacy Manager or
Information Governance lead.

 Security & confidentiality of information workplace checklist                   Yes   No

1    Is there a place where you can hold confidential conversations either
     face to face or on the telephone?
2    Do you log out when your PC is left unattended or is there a screen
     saver on your PC that allows the screen to time out when not being
3    Are computer screens located so that they cannot be viewed by
     people who do not have access to confidential information?
4    Are passwords kept secure and never shared?
5    Is person identifiable information kept safe and secure?
6    Is there a process for disposing of confidential waste and are all staff
     made aware of this process?
7    Do all staff know about the Pharmacy Information Governance policy,
     and is there a copy available in the Pharmacy?
8    Are procedures for accessing and sharing confidential information
     available and understood by all members of staff?
9    Is it possible to check patient’s details in a confidential and sensitive
     way without being overheard?
10   Do white boards or patient call systems display confidential
     information about patients in a way that can be seen or heard?
11   Are there checks in place to ensure that patient identifiable
     information that is sent or received by fax is protected and as secure
     as possible?
12   Are there any procedures in place for sending records or other
     confidential information by either internal or external post systems?
13   If records need to be taken out by members of staff are they carried
     in a safe and secure way?
14   Is material containing patient identifiable information regularly left
     lying on desks or worktops?
15   Is the issue of confidentiality of information discussed with people
     who use our services? Are copies of a patient information leaflet

                      MEAN FOR EMPLOYEES

Requirement                   Personal responsibilities           Penalties for breaches
Data Protection Act 1998      Keep all person identifiable        Unauthorised disclosure of
Person identifiable           information secure and              personal identifiable
information about living      confidential – see Code of          information could lead to
individuals – manual and      Conduct for specific details        court action and a criminal
automated records (e.g.                                           conviction and/or the
on computer, video tape,                                          payment of compensation to
digital images)                                                   a claimant. Penalties from
                                                                  ICO of up to £2,500 for
                                                                  individuals and up to
                                                                  £500,000 for organisations.
Human Rights Act 1998         As above                            As above
(Article 8)
An individual’s right to
privacy for themselves
and their family members

Computer Misuse Act           Do not use any other person’s       A criminal record and a
1990                          access rights (e.g. user id and     prison sentence of up to 5
Unauthorised access to        password) to access a               years
computer held programs        computer database
and information/data

Common Law of                 Keep all information secure and     Disciplinary action and
Confidentiality               confidential. Also remember         possible dismissal
An individual’s right to      this covers wishes of deceased
confidentiality of their      persons – if it is recorded that
information when alive        they do not want details of their
and once they have died       treatment disclosed when they
                              die this wish will normally need
                              to be respected
Caldicott                     See Code of Conduct – further       Disciplinary action and
Security and                  information available from          possible dismissal
confidentiality of personal   Trust/Pharmacy Caldicott
health and social care        Guardian or Information
information for patients      Governance Manager
and service users

Contract of Employment        Comply with contract and Code       Disciplinary action and
Employees’ responsibilities   of Conduct                          possible dismissal
including security and
confidentiality of any
information accessed
during the course of work

