Information Governance Records Management Guidance Note Number 007: Health Records Policies and Procedures


002. Confidentiality/Security and the Release and Management of Information

1. Opening Statement

Everyone working in the NHS has a legal obligation to keep all patient related information confidential.

Security and confidentiality of data apply not only to manual health records but also to computer systems, both administrative and clinical, e.g. PAS, laboratory and radiology systems.

2. Your Responsibility

Staff should read and be aware of the content of the NHS Code of Practice on protecting patient confidentiality (yellow booklet). This should be provided with the letter of appointment. All staff must sign a confidentiality statement on commencement of duty. Any breach of confidentiality will attract disciplinary action, which may lead to dismissal.

3. What Constitutes Confidential Data

All information held about a patient is regarded as confidential. This includes demographic/administrative data as well as clinical data, e.g. name, address, postcode, telephone number, clinic attended, appointment details.

Give examples of what constitutes confidential data and how confidentiality may be breached.

4. Security

Describe physical controls, e.g. ID badges, restricted access, keypads, etc.

5. Security of Computerised Data

Describe system controls, e.g. passwords and unique user names, levels of access, passwords kept private and unintelligible to others, audit trails and follow-up action, removal of access on termination of employment, secure areas, logging off, etc.

6. Staff Members with a Legitimate Right to Access Confidential Data

Medical, nursing, research, health records, medico-legal, clinical effectiveness, allied health care professionals, etc.

7. Data Protection Act/Access to Health Records Act

Refer to the Data Protection Act 1998 and the Access to Health Records Act 1990. Describe, on a step-by-step basis, the process for receipt, processing and release of data subject access requests, including timescales and mandates. List all forms of access.

8. Information Sharing

This process usually requires the consent of the patient. Consent may be implicit, i.e. implied when the patient seeks medical care, or explicit, i.e. the patient makes an informed decision to consent to the release/sharing of their data.

Examples of information which may be divulged under statutory obligation include:

Notification of infectious diseases
Notification under child protection arrangements, DSSBR409, etc.

Definition of Terms & Acronyms

Reference (National/local guidelines, standards and legislation)

Links (related policies and guidance) can also include web links if applicable

Data Protection Act 1998 www.sehd.scot.nhs.uk/mels/2000_17.doc

Access to Health Records Act 1990

Caldicott Principles www.confidentiality.scot.nhs.uk/caldicott.htm www.elib.scot.nhs.uk

"Protecting Personal Health Information" - Information Guide for Patients (NHS National Services Scotland)

Health Rights Information Scotland (HRIS):

"Confidentiality - It's Your Right" http://www.hris.org.uk

"Confidentiality - A guide for young people under 16" http://www.hris.org.uk

"How to see Your Health Records" http://www.hris.org.uk

Policy: Local IT Security
