Protocol for Transfer of Confidential Information
1.0 Introduction
Patients and employees have a right to expect that private and personal
information that they provide in confidence will be used for the provision of their
healthcare and employment, and will not be shared without their consent. Trust
staff have a professional and legal responsibility to safeguard the confidentiality,
integrity and availability of personal data, particularly when patient related. All
patient information must be shared on a strict need-to-know basis and must be
justified.
2.0 Aim
This protocol provides a clear definition and details the procedures that must be
followed when handling confidential information. This is especially important
when exchanging information with other organisations, where there must be an
assurance that information will be subject to the same strict controls, and not
released without consent.
3.0 Legislation and guidelines
There are a number of legal and professional regulations and guidelines that
govern the confidentiality and security of personal information.
The Data Protection Act 1998
The Caldicott Report 1997
HSC1999/012 Caldicott guardians
HSC1999/053 For the record
EL(92)60 Code of Practice for the secure handling of patient information
NHS Code of Practice: Confidentiality
BS7799 British Standard for Information Security
Common law duty of confidence
4.0 Definitions
Personal Information
Personal information is that which could identify an individual, and could
include any one, or a combination of the items listed below.
NHS number
Date of birth
Initials
Surname
Forename
NI number
Address
Postcode
Local identifier, e.g. hospital number
Telephone number
Gender
Ethnic group
5.0 Responsibilities
Management
The Chief Executive, Directors and Senior Managers are personally
accountable for confidentiality and Data Protection within the Trust. All line
managers are required to ensure that their staff, whether clinical or
administrative, are adequately trained and apply the relevant safeguards when
dealing with confidential information.
All staff
Everyone working for the NHS has a legal responsibility to keep personal
information confidential. All staff must be aware of their responsibility and have
attended any relevant training or awareness sessions.
Caldicott Guardian
The Caldicott Guardian is responsible for ensuring that the Caldicott principles
are respected and applied. Any exception to safe haven procedures must be
authorised by the Caldicott Guardian.
Information Governance Manager
The Information Governance manager is responsible for maintaining the
framework of information governance and ensuring staff are aware of their
legal and professional responsibilities when handling confidential information.
6.0 Transfer Procedures
6.1 Transfer of Data by Post
This guidance covers the transfer of information by post and includes, but is
not limited to, records, letters, images, disks and tapes.
Internal Post
Any internal post that contains patient or personal details must be marked as
Confidential and the envelope sealed. Avoid opening confidential post in
public areas or in the presence of others.
Paper records being posted or transported outside of the organisation
Internal postal arrangements should be in place for the transfer of patient or
personal information such as medical records within the health community. For
added security the following measures should be applied:
Medical records should be sealed in an envelope and the sender's details
(not the patient's name) labelled on the outside.
The envelope should be clearly addressed to a named individual.
A compliments slip with the sender's details should be contained in the
envelope.
A register should be maintained of records moving in and out of the
department/organisation.
The receiving organisation must sign to acknowledge receipt of the
information if delivered by courier or taxi service.
Where courier or taxi services are used, there should be minimum
agreed standards for security within the contract.
Royal Mail
Using Royal Mail to transfer personal information is acceptable where there
are no alternative options available. Staff must apply the following
safeguards:
Ensure sender details are clearly marked on the envelope, and on the
contents inside. Where sender information is not on the actual document
sent, attach a compliments slip providing details of the sender.
Clearly label the envelope to a named individual and mark as
Confidential. Do not send post to a general department such as Medical
Records.
Use special delivery to ensure secure, traceable delivery of information.
Posting disks and electronic media
Extreme care should be taken when posting information contained on disks
and other electronic media, as this may often contain large amounts of
personal or confidential data.
Suitable packaging should be used, e.g. padded envelopes for disks,
storage cases for CDs.
Electronic files should be zipped and password protected and where
available stored on encrypted media.
DO NOT send the password with the disk/media. The recipient should
contact you separately for password details upon receipt of the parcel.
Use special delivery to ensure secure, traceable delivery of information.
6.2 Computer systems
The use of computer systems provides an effective method of storing and
exchanging information; however, it also introduces a number of risks. A
confidentiality breach involving computer systems can happen quickly and
may sometimes go unnoticed. The following practices must be adopted to
prevent confidentiality and security breaches when using IT systems.
General IT security
Always position your screen away from visitors and the general public.
Always lock your screen (using CTRL-ALT-DEL) when away from your
desk.
Computer passwords should be changed regularly and never shared
with any other person.
Password protected screen savers should be activated when a PC is
left unattended, or not accessed for a period of time. It is recommended
that screen savers are triggered after 5 minutes of inactivity.
Never loan your Smartcard to another person, or disclose your PIN.
Always remove your Smartcards from the reader and keep it securely
on your person when not in use.
Never leave portable IT equipment unattended, lock away when not in
use.
All confidential information must be stored on network drives (server)
and not on local hard drives (i.e. desktop, laptop). This provides security
from unauthorised access and business continuity, as data on servers is
backed up.
Never store patient information on portable equipment such as USB
memory sticks, unless provided with 256-bit encryption (NHS standard)
devices.
System owners must regularly check the staff that have access to their
systems and verify that access is still required and access levels are
correct.
Email
The PCT recognises that the transfer of patient/confidential information across
an email system is a day-to-day occurrence across the organisation.
Therefore the PCT recommends that the following methods be adhered to in the
interim while a more robust and secure solution is investigated by the PCT.
Method: GP to GP Email Transfers
Type of Information: Patient queries, general patient information
Proposal: Create individual email accounts for Patient Identifiable
Information transfer on NHS Net.

Method: GP to PCT
Type of Information: Referrals, commissioning data, public health
information, Deadly Trio, ad hoc information
Proposal: Create individual email accounts for Patient Identifiable
Information transfer on NHS Net. Or the message needs to be password
protected (minimum of 8 characters and a mixture of alphanumeric
characters), the file zipped and the file encrypted.

Method: PCT to PCT
Type of Information: Referrals, general patient information, ad hoc patient
information
Proposal: Create individual email accounts for Patient Identifiable
Information transfer on NHS Net. Or the message needs to be password
protected (minimum of 8 characters and a mixture of alphanumeric
characters), the file zipped and the file encrypted.

Method: PCT to Outside Organisations
Type of Information: Referrals, ad hoc patient information
Proposal: Create individual email accounts for Patient Identifiable
Information transfer on NHS Net to a confirmed encrypted email address.
Or the message needs to be password protected (minimum of 8 characters
and a mixture of alphanumeric characters), the file zipped and the file
encrypted.
It is also the sender's responsibility to ensure that the recipient of the email is the
intended receiver, so all staff must ensure that they check the recipient details before
sending any confidential information via email.
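The email table above and the guidance on posting disks (password protect, encrypt, and never send the password with the media) describe a procedure rather than a tool. As an added example, not part of this protocol or of any Trust system, the following Go program shows one way of implementing that procedure with only the Go standard library: the password is checked against the stated rule (minimum 8 characters, a mixture of letters and digits), a 256-bit key is derived from it with PBKDF2-HMAC-SHA256, and the file contents are sealed with AES-GCM so that a wrong password produces an error rather than silently corrupted output. The password never appears in the encrypted file, so it can be passed to the recipient separately as the protocol requires. The iteration count, salt length, output layout and function names are assumptions of this example, and the sample record used with it is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"unicode"
)

// Parameters chosen for this example (assumptions, not taken from the protocol).
const (
	saltLen    = 16     // random salt stored in front of the ciphertext
	keyLen     = 32     // 256-bit AES key, in line with the protocol's 256-bit requirement
	pbkdf2Iter = 200000 // PBKDF2 iteration count
)

// MeetsPasswordPolicy applies the rule from the email table: at least 8
// characters with a mixture of letters and digits.
func MeetsPasswordPolicy(pw string) bool {
	hasLetter, hasDigit, n := false, false, 0
	for _, r := range pw {
		n++
		switch {
		case unicode.IsLetter(r):
			hasLetter = true
		case unicode.IsDigit(r):
			hasDigit = true
		}
	}
	return n >= 8 && hasLetter && hasDigit
}

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018), written out here so the
// example needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	idx := make([]byte, 4)
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, block)
		prf.Write(idx)
		u := prf.Sum(nil) // U1
		t := make([]byte, len(u))
		copy(t, u)
		for i := 1; i < iter; i++ { // T = U1 xor U2 xor ... xor Uc
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newGCM derives the AES-256 key from the password and salt and returns an AEAD.
func newGCM(password string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, pbkdf2Iter, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM under a password-derived key.
// Output layout: salt || nonce || ciphertext+tag. The password is not stored.
func Encrypt(password string, plaintext []byte) ([]byte, error) {
	if !MeetsPasswordPolicy(password) {
		return nil, errors.New("password does not meet policy: min 8 chars, letters and digits")
	}
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(password, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(salt, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. A wrong password fails the GCM tag check, so the
// recipient receives an error rather than silently corrupted data.
func Decrypt(password string, data []byte) ([]byte, error) {
	if len(data) < saltLen {
		return nil, errors.New("ciphertext too short")
	}
	gcm, err := newGCM(password, data[:saltLen])
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(data) < saltLen+ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[saltLen:saltLen+ns], data[saltLen+ns:], nil)
}
```

Zipping the file before encryption, as the table asks, is a separate step (compress first, then pass the archive bytes to Encrypt); compressing after encryption gains nothing because ciphertext does not compress.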
7.0 References and Further Reading
Trust Policies
IM&T Policy and Procedure
Confidentiality Policy
Clinical Record Keeping Guidelines
Records Management Strategy
Records Management Policy
Preservation, Retention and Destruction of Records policy
Risk Management Strategy
Information sharing protocol
External websites and documents
http://www.informationcommissioner.gov.uk
Information Commissioner's Office (regulates and enforces the Data Protection Act and
other legislation)
http://www.dh.gov.uk
Department of Health website for Health Service Circulars, NHS Code of
Practice and other documents
http://www.bsi-global.com/ICT/Security/index.xalter
British Standards for Information Security