INTRODUCTION
The purpose of this Confidentiality Policy is to lay down the principles that must be observed by all who work at Beehive Surgery and have access to person-identifiable information or confidential information. All members of staff need to be aware of their responsibilities for safeguarding confidentiality and preserving information security.
All employees working in the NHS are bound by a legal duty of confidence to protect personal information they may come into contact with during the course of their work. This is not just a requirement of their contractual responsibilities but also a requirement within the common law duty of confidence and the Data Protection Act 1998. It is also a requirement within the NHS Care Record Guarantee, produced to assure patients regarding the use of their information.
It is important that Beehive Surgery protects and safeguards person-identifiable and confidential business information that it gathers, creates, processes and discloses, in order to comply with the law, relevant NHS mandatory requirements and to provide assurance to patients and the public.
This policy sets out the requirements placed on staff when sharing information within the NHS and between NHS and non-NHS organisations.
Person-identifiable information is anything that contains the means to identify a person, e.g. name, address, postcode, date of birth, NHS number. It must not be stored on removable media unless it is encrypted as per current NHS Encryption Guidance or a business case has been approved by the Information Governance Manager.
Confidential information within the NHS is commonly thought of as health information; however, it can also include information that is private and not public knowledge or information that an individual would not expect to be shared. It can take many forms including patient level health information, employee records, occupational health records, etc. It also includes Beehive Surgery confidential business information.
Information can relate to patients and staff (including temporary staff), however stored. Information may be held on paper, CD/DVD, USB sticks, computer file or printout, laptops, palmtops, mobile phones, digital cameras or even heard by word of mouth.
ROLES AND RESPONSIBILITIES
THE PARTNERS
Have overall responsibility for strategic and operational management, including ensuring that Beehive Surgery’s policies comply with all legal, statutory and good practice guidance requirements.
THE CALDICOTT GUARDIAN
The Caldicott Guardian is responsible for ensuring implementation of the Caldicott Principles with respect to patient-identifiable information.
INFORMATION GOVERNANCE LEAD
The Information Governance lead will be responsible for overseeing the development and implementation of Information Governance at Beehive Surgery and for ensuring that the Practice complies with the supporting Legal and NHS Mandatory Framework with regard to Information Governance.
The Information Governance lead is responsible for providing advice on request to any member of staff and ensuring that training is provided for all staff groups to further understand the principles and their application.
PRACTICE MANAGER
The Practice Manager is responsible for ensuring that the contracts of all staff (permanent and temporary) are compliant with the requirements of the policy and that confidentiality is included in inductions for all staff.
TEAM LEADERS
Team Leaders are responsible for ensuring that the policy and its supporting standards and guidelines are built into local processes and that there is on-going compliance. They must ensure that any breaches of the policy are reported, investigated and acted upon.
ALL STAFF
Confidentiality is an obligation for all staff. Staff should note that they are bound by the Confidentiality: NHS Code of Practice 2003, that there is a confidentiality clause in their contract, and that they are expected to participate in induction, training and awareness-raising sessions carried out to inform and update staff on confidentiality issues.
Any breach of confidentiality, inappropriate use of health or staff records, or abuse of computer systems and misuse of smart cards is a disciplinary offence, which could result in dismissal or termination of employment contract, and must be reported.
PRINCIPLES
All members of staff must ensure that the following principles are adhered to:
- Person-identifiable or confidential information must be effectively protected against improper disclosure when it is received, stored, transmitted or disposed of.
- Access to person-identifiable or confidential information must be on a need-to-know basis.
- Disclosure of person-identifiable or confidential information must be limited to that purpose for which it is required.
- Recipients of disclosed information must respect that it is given to them in confidence.
- If the decision is taken to disclose information, that decision must be justified and documented.
- Any concerns about disclosure must be discussed with the employee’s Line Manager, Operations Manager or Caldicott Guardian. Information about this process is outlined in the Policy for Whistleblowing.
- Beehive Surgery is responsible for protecting all the information it holds and must always be able to justify any decision to share information.
- Person-identifiable information, wherever possible, must be anonymised by removing as many identifiers as possible whilst not unduly compromising the utility of the data.
- Access to rooms and offices where terminals are present or person-identifiable or confidential information is stored must be controlled. Where appropriate, doors must be locked with keys, keypads or accessed by swipe card. In mixed office environments, measures should be in place to prevent oversight of person-identifiable information by unauthorised parties.
- All staff should clear their desks at the end of each day. In particular they must keep all records containing person-identifiable or confidential information in recognised filing and storage places that are locked.
Unwanted printouts containing person-identifiable or confidential information must be put in a confidential waste bin. Discs, tapes, printouts and fax messages must not be left lying around but be filed and locked away when not in use.