Confidentiality and Data Protection Assurance – Primary Care Trusts
Has the PCT established appropriate confidentiality audit procedures to
monitor access to confidential patient information?
The NHS Care Records Guarantee requires that all NHS organisations put in
place mechanisms to ensure confidential information is protected. This
requires access to confidential information to be monitored and audited locally
and in particular requires that there are agreed procedures for investigating
Confidentiality audit procedures
All PCTs should already have control mechanisms in place to manage and safeguard
confidentiality, including mechanisms for highlighting problems such as incidents,
complaints and alerts. This Requirement asks that documented procedures are
implemented to ensure these controls are monitored and audited.
Assurances that these controls are working effectively should be part of the PCT’s
overall assurance framework and, as such, it is likely that most PCTs are, at some
level, already complying with this Requirement. For example:
The IG Lead may be reviewing and following up the failed log-in reports
produced by the Patient Administration/Information systems.
Caldicott Guardians or IG Leads may be monitoring incident reports regarding
stolen or lost computers, staff disclosing confidential material, and complaints.
Internal audit may be undertaking reviews of IT security that cover areas such
as patient records systems, highlighting how passwords are allocated, used or
abused (an indicator of possible breaches of access privileges).
It is important that organisations think about how they currently obtain assurance on
their confidentiality processes and how, and where, they need to improve on these in
preparation for NHS Care Records Service (NHS CRS) roll out.
Monitoring and auditing access to confidential information
The PCT should ensure that it has assigned overall responsibility for monitoring and
auditing access to confidential patient information to an appropriate senior staff
member, e.g. the Caldicott Guardian or IG Lead. This member of staff should be
responsible for ensuring that confidentiality audit procedures are developed and
communicated to all staff with the potential to access confidential patient information.
The procedures should include:
How access to confidential information will be monitored
Who will carry out the monitoring of access
Reporting processes and escalation processes
The following are examples of events that the organisation should audit for
frequency, circumstances, location etc:
Failed attempts to access confidential information
Repeated attempts to access confidential information
Successful access of confidential information by unauthorised persons
Repeated breach of patient sealed envelopes by a particular individual
Evidence of shared login sessions/passwords
Disciplinary actions taken
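To show what "auditing for frequency, circumstances and location" looks like when it is automated, here is an added example (not part of the original Requirement, and not an NHS CRS or PAS feature): a small Python script that runs four of the checks listed above over a constructed audit log. The log format, the user and workstation names, the authorised-user list and the thresholds are all assumptions chosen for the example; a real system's audit trail will have its own layout and the thresholds should be set locally.

```python
"""Confidentiality audit checks over a constructed access log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (hypothetical format):
# timestamp, user, workstation, patient id, action, outcome
SAMPLE_LOG = """\
2009-03-02T08:01:10,nurse01,WS-101,P0001,view,success
2009-03-02T08:02:05,nurse01,WS-101,P0002,view,success
2009-03-02T08:03:00,admin07,WS-220,P0001,view,failed
2009-03-02T08:03:30,admin07,WS-220,P0001,view,failed
2009-03-02T08:04:00,admin07,WS-220,P0001,view,failed
2009-03-02T08:05:00,admin07,WS-220,P0001,view,success
2009-03-02T08:10:00,nurse01,WS-305,P0003,view,success
2009-03-02T08:12:00,dr.smith,WS-112,P0004,sealed_envelope_open,success
2009-03-02T09:30:00,dr.smith,WS-112,P0005,sealed_envelope_open,success
2009-03-02T10:15:00,dr.smith,WS-112,P0006,sealed_envelope_open,success
"""

# Constructed list of accounts permitted to view clinical records at all.
AUTHORISED_CLINICAL = {"nurse01", "dr.smith"}

# Assumed local thresholds; an organisation would set its own.
FAILED_THRESHOLD = 3                      # failures before an alert
FAILED_WINDOW = timedelta(minutes=5)      # ...within this window
SHARED_SESSION_WINDOW = timedelta(minutes=15)
SEALED_ENVELOPE_THRESHOLD = 3             # sealed envelope opens per user per day


def parse_log(text):
    """Turn the comma-separated records into dicts with a datetime timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, user, ws, patient, action, outcome = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "ws": ws,
                        "patient": patient, "action": action, "outcome": outcome})
    return records


def repeated_failures(records):
    """Users with FAILED_THRESHOLD or more failed attempts inside FAILED_WINDOW."""
    by_user = defaultdict(list)
    for r in records:
        if r["outcome"] == "failed":
            by_user[r["user"]].append(r["ts"])
    alerts = set()
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - FAILED_THRESHOLD + 1):
            if times[i + FAILED_THRESHOLD - 1] - times[i] <= FAILED_WINDOW:
                alerts.add(user)
                break
    return alerts


def unauthorised_success(records):
    """Successful record access by an account not on the authorised list."""
    return {r["user"] for r in records
            if r["outcome"] == "success" and r["user"] not in AUTHORISED_CLINICAL}


def shared_login_evidence(records):
    """Same account used from two different workstations within a short window:
    a simple indicator of a shared login or password (consecutive events only)."""
    by_user = defaultdict(list)
    for r in records:
        if r["outcome"] == "success":
            by_user[r["user"]].append((r["ts"], r["ws"]))
    alerts = set()
    for user, events in by_user.items():
        events.sort()
        for (t1, w1), (t2, w2) in zip(events, events[1:]):
            if w1 != w2 and t2 - t1 <= SHARED_SESSION_WINDOW:
                alerts.add(user)
    return alerts


def repeated_sealed_envelope_opens(records):
    """Individuals opening sealed envelopes repeatedly on the same day."""
    by_user_day = defaultdict(int)
    for r in records:
        if r["action"] == "sealed_envelope_open" and r["outcome"] == "success":
            by_user_day[(r["user"], r["ts"].date())] += 1
    return {u for (u, _), n in by_user_day.items() if n >= SEALED_ENVELOPE_THRESHOLD}


def audit(text):
    """Run all checks and return the accounts each one flags for follow-up."""
    records = parse_log(text)
    return {
        "repeated_failures": repeated_failures(records),
        "unauthorised_success": unauthorised_success(records),
        "shared_login": shared_login_evidence(records),
        "sealed_envelope": repeated_sealed_envelope_opens(records),
    }


if __name__ == "__main__":
    for check, users in audit(SAMPLE_LOG).items():
        print(check, sorted(users))
```

On the constructed log the script flags admin07 for three failures in one minute followed by a success from an account that is not authorised at all, nurse01 for use from two workstations eight minutes apart, and dr.smith for three sealed envelope opens in a day. Each flag is only a prompt for the named senior manager to investigate under the documented procedure; it is not itself evidence of misconduct, since a clinician may legitimately need to open several sealed envelopes during an emergency shift.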
Investigating confidentiality alerts
The organisation should identify a senior manager, e.g. the Caldicott Guardian or IG
Lead, to take responsibility for the management of alerts generated where
information is accessed from a patient sealed envelope. The NHS CRS will send an
automatic alert to individuals nominated for this role and to any other locally decided
personnel tasked with maintaining security and confidentiality for that organisation.
Disciplinary procedures should outline the penalties for unauthorised access, e.g.
suspension, supervised access to systems, ending a contract, firing an employee, or
bringing criminal charges.
The PCT should assign responsibility for monitoring and auditing access to
confidential patient information and ensure that there are documented
procedures relating to how these processes will be managed.
The PCT should ensure that training is provided to all staff with responsibility for
monitoring and auditing access to confidential patient information. The PCT
should ensure that the written procedures are implemented and that appropriate
action is taken where confidentiality processes have been breached. All staff
members with the potential to access confidential patient information should be
made aware of the procedures, which should be widely accessible at all times.
The PCT should ensure that the procedures for monitoring and auditing access to
confidential patient information are regularly reviewed. Where necessary, the
PCT should put measures in place to reduce or eliminate frequently encountered
confidentiality events. Additionally, PCTs with access to sealed envelope
functionality should put in place a written procedure for clinical audit of the
content of the 'clinician sealed envelope'.