Introduction
1.1 The purpose of this Confidentiality Policy is to lay down the principles that must be observed by all who work within Penrose Health and have access to person-identifiable information or confidential information. All staff need to be aware of their responsibilities for safeguarding confidentiality and preserving information security.
1.2 All employees working in the NHS are bound by a legal duty of confidence to protect personal information they may come into contact with during the course of their work. This is not just a requirement of their contractual responsibilities but also a requirement within the common law duty of confidence and the Data Protection Act 1998. It is also a requirement within the NHS Care Record Guarantee, produced to assure patients regarding the use of their information.
1.3 It is important that Penrose Health protects and safeguards person-identifiable and confidential business information that it gathers, creates processes and discloses, in order to comply with the law, relevant NHS mandatory requirements and to provide assurance to patients and the public.
1.4 This policy sets out the requirements placed on all staff when sharing information within the NHS and between NHS and non NHS organisations.
1.5 Person-identifiable information is anything that contains the means to identify a person, e.g. name, address, postcode, date of birth, NHS number and must not be stored on removable media unless it is encrypted as per current NHS Encryption Guidance or a business case has been approved by the Information Governance Team.
1.6 Confidential information within the NHS is commonly thought of as health information; however, it can also include information that is private and not public knowledge or information that an individual would not expect to be shared. It can take many forms including patient level health information, employee records, occupational health records, etc. It also includes Penrose Health confidential business information.
1.7 Information can relate to patients and staff (including temporary staff), however stored. Information may be held on paper, CD/DVD, USB sticks, computer file or printout, laptops, palmtops, mobile phones, digital cameras or even heard by word of mouth.
1.8 A summary of Confidentiality Do’s and Don’ts can be found at Appendix A.
1.9 The Legal and NHS Mandated Framework for confidentiality which forms the key guiding principles of this policy can be found in Appendix B.
1.10 How to report a breach of this policy and what should be reported can be found in Appendix C.
1.11 Definitions of confidential information can be found in Appendix D.
Scope
2.1 This policy applies to all Penrose Health staff and agents acting on behalf of Penrose Health.
Roles and Responsibilities
3.1 Confidentiality is an obligation for all staff. Staff should note that they are bound by the Confidentiality: NHS Code of Practice 2003. There is a Confidentiality clause in their contract and that they are expected to participate in induction, training and awareness-raising sessions carried out to inform and update staff on confidentiality issues.
3.2 Specific roles and responsibilities are outlined within the Information Governance Framework
3.3 Any breach of confidentiality, inappropriate use of health, staff records or business sensitive/confidential information, or abuse of computer systems is a disciplinary offence, which could result in dismissal or termination of employment contract, and must be reported in line with the Information Security Policy.
Key Principles
4.1 All staff must ensure that the following principles are adhered to:-
- Person identifiable or confidential information must be effectively protected against improper disclosure when it is received, stored, transmitted or disposed of.
- Access to person-identifiable or confidential information must be on a need-to-know basis.
- Disclosure of person identifiable or confidential information must be limited to that purpose for which it is required.
- Recipients of disclosed information must respect that it is given to them in confidence.
- If the decision is taken to disclose information, that decision must be justified and documented.
- Any concerns about disclosure of information must be discussed with either your Line Manager or the Information Governance Team.
4.2. Penrose Health is responsible for protecting all the information it holds and must always be able to justify any decision to share information.
4.3 Person identifiable information, wherever possible, must be anonymised by removing as many identifiers as possible whilst not unduly compromising the utility of the data.
4.4 Access to rooms and offices where terminals are present or person identifiable or confidential information is stored must be controlled. Doors must be locked with keys, keypads or accessed by swipe card. In mixed office environments measures should be in place to prevent oversight of person-identifiable information by unauthorised parties.
4.5 All staff should clear their desks at the end of each day. In particular they must keep all records containing person-identifiable or confidential information in recognised filing and storage places that are locked.
4.6 Unwanted printouts containing person-identifiable or confidential information must be put into a confidential waste bin. Discs, tapes, printouts and fax messages must not be left lying around but be filed and locked away when not in use.
4.7 Your Contract of Employment includes a commitment to confidentiality. Breaches of confidentiality could be regarded as gross misconduct and may result in serious disciplinary action up to and including dismissal.
Disclosing Personal/Confidential Information
5.1 To ensure that information is only shared with the appropriate people in appropriate circumstances, care must be taken to check they have a legal basis for access to the information before releasing it.
5.2 It is important to consider how much confidential information is needed before disclosing it and only the minimal amount necessary is disclosed.
5.3 Information can be disclosed:
- When effectively anonymised in accordance with the Information Commissioners Officer Anonymisation Code of Practice.
- When the information is required by law or under a court order. In this situation staff must discuss with their Line Manager or Information Governance staff before disclosing, who will inform and obtain approval of the Caldicott Guardian.
- In identifiable form, when it is required for a specific purpose, with the individual’s written consent or with support under the Health Service (Control of patient information) regulations 2002, obtained via application to the Confidentiality Advisory Group (CAG) within the Health Research Authority. Referred to as approval under s251 of the NHS Act 2006.
- In Child Protection proceedings if it is considered that the information required is in the public or child’s interest. In this situation staff must discuss with their Line Manager or Information Governance staff before disclosing, who will inform and obtain the approval of the Caldicott Guardian.
- Where disclosure can be justified for another purpose, this is usually for the protection of the public and is likely to be in relation to the prevention and detection of serious crime. In this situation staff must discuss with their Line Manager or Information Governance staff before disclosing, who will inform and obtain approval of the Caldicott Guardian.
5.4 If staff have any concerns about disclosing information they must discuss this with their Line Manager or the Information Governance staff.
5.5 Care must be taken in transferring information to ensure that the method used is as secure as it can be. In most instances a Data Sharing/Information Sharing, Data Re-Use or Data Transfer Agreement will have been completed before any information is transferred. The Agreement will set out any conditions for use and identify the mode of transfer. For further information on Data Sharing Agreements contact the Information Governance team.
5.6 Staff must ensure that appropriate standards and safeguards are in place in respect of telephone enquiries, e-mails, faxes and surface mail.
5.7 Transferring patient information by email to anyone outside Penrose Health’s network may only be undertaken by using encryption as per the current NHS Encryption Guidance or through an exchange within the NHS Mail system (i.e. from one NHS.net account to another NHS.net account or to a secure government domain e.g. gsi.gov.uk), since this ensures that mandatory government standards on encryption are met. Sending information via email to patients is permissible, provided the risks of using unencrypted email have been explained to them, they have given their consent and the information is not person-identifiable or confidential information.
Working Away from the Office Environment
6.1 There will be times when staff may need to work from another location or whilst travelling. This means that these staff may need to carry Penrose Health information with them which could be confidential in nature e.g. on a laptop, USB stick or paper documents.
6.2 Taking home/ removing paper documents that contain person-identifiable or confidential information from Penrose Health premises is discouraged.
6.3 To ensure safety of confidential information staff must keep them on their person at all times whilst travelling and ensure that they are kept in a secure place if they take them home or to another location. Confidential information must be safeguarded at all times and kept in lockable locations.
6.4 When working away from Penrose Health locations staff must ensure that their working practice complies with Penrose Health’s policies and procedures. Any electronic removable media must be encrypted as per the current NHS Encryption Guidance.
6.5 Staff must minimise the amount of person-identifiable information that is taken away from Penrose Health premises.
6.6 If staff do need to carry person-identifiable or confidential information they must ensure the following:
- Any personal information is in a sealed non-transparent container i.e. windowless envelope, suitable bag, etc. prior to being taken out of Penrose Health buildings.
- Confidential information is kept out of sight whilst being transported.
6.7 If staff do need to take person-identifiable or confidential information home they have personal responsibility to ensure the information is kept secure and confidential. This means that other members of their family and/or their friends/colleagues must not be able to see the content or have any access to the information.
6.8 Staff must NOT forward any person-identifiable or confidential information via email to their home e-mail account. Staff must not use or store person-identifiable or confidential information on a privately owned computer or device.
Carelessness
7.1 All staff have a legal duty of confidence to keep person-identifiable or confidential information private and not to divulge information accidentally.
Staff may be held personally liable for a breach of confidence and must not:
- Talk about person identifiable or confidential information in public places or where they can be overheard.
- Leave any person-identifiable or confidential information lying around unattended, this includes telephone messages, computer printouts, faxes and other documents.
- Leave a computer terminal logged on to a system where person-identifiable or confidential information can be accessed, unattended.
7.2 Steps must be taken to ensure physical safety and security of person identifiable or business confidential information held in paper format and on computers.
7.3 Passwords must be kept secure and must not be disclosed to unauthorised persons. Staff must not use someone else’s password to gain access to information. Action of this kind will be viewed as a serious breach of confidentiality. If you allow another person to use your password to access the network, this constitutes a disciplinary offence and is gross misconduct which may result in your dismissal.
Abuse of Privilege
8.1 It is strictly forbidden for employees to knowingly browse, search for or look at any personal or confidential information relating to themselves, their own family, friends or other persons, without a legitimate purpose. Action of this kind will be viewed as a breach of confidentiality and of the Data Protection Act.
8.2 When dealing with person-identifiable or confidential information of any nature, staff must be aware of their personal responsibility, contractual obligations and undertake to abide by the policies and procedures of Penrose Health.
8.3 If staff have concerns about this issue they should discuss it with their Line Manager or Information Governance Team.
Confidentiality Audits
9.1 Good practice requires that all organisations that handle person-identifiable or confidential information put in place processes to highlight actual or potential confidentiality breaches in their systems, and also procedures to evaluate the effectiveness of controls within these systems. This function will be co-ordinated by the Information Governance team through a programme of audits.
Distribution and Implementation
10.1 This document will be made available to all Staff via Penrose Health Intradoc site.
10.2 A global notice will be sent to all Staff notifying them of the release of this document.
Monitoring
11.1 Compliance with the policies and procedures laid down in this document will be monitored via the Information Governance team, together with independent reviews by both Internal and External Audit on a periodic basis.
11.2 The Information Governance team is responsible for the monitoring, revision and updating of this document on a 3 yearly basis or sooner if the need arises.