Code of Conduct on Confidentiality and handling personal identifiable information

March 2002

This is a generic Code of Conduct for all Wirral NHS staff and covers personal information concerning staff as well as patients.

Room access - Personal information should not be left unattended. However, where this can be justified, consideration should be given to restricting room access. If the room can be locked without compromising patient care (e.g. where the patient information is unlikely to be needed by non key-holders), then it should be locked.

Work areas - Identifiable, confidential information should always be held securely. In any area which is not itself secure, and which can be accessed by a wide range of people (including possibly the public), such information should be put/locked away immediately after it has been finished with. Where it is impractical for this to be achieved, access to the work area must be restricted. Examples of this latter situation are:

° In a laboratory working simultaneously on samples from a number of patients, but where only laboratory technical staff may enter.
° In a reporting/medical office, where at any time reports are dictated on a number of patients seen within a clinic, but where the office is accessed only by medical staff.

Patients should be discouraged from entering these areas.

4.2 Safeguarding Information

Never leave personal identifiable information around for others to find.

° Do not walk away from your work area leaving any documents exposed for unauthorised persons to see.
° Wherever possible, avoid taking confidential information away from your work premises. Where this is necessary in order to carry out your duties (e.g. home visit to a patient), you must keep the information secure and make every effort to ensure that it does not get misplaced, lost or stolen.
° When disposing of paper-based information, ensure that it is shredded. Never put confidential information directly into a general waste paper bin or recycling bin. If your NHS organisation has a designated confidential waste destruction programme, you must follow the requirements of that programme - check with your head of department.
° Working diaries can hold a great deal of personal information and should be kept secure when not in use. Precautions should be taken when transporting your diary to ensure it is in your care at all times. Remember to hand them back if you no longer need them for your job.
° Do not take personal notes or pocket books containing personal identifiable information away from your place of work. If the information is no longer required, it should be disposed of appropriately. If the information is required for an ongoing purpose, it should be locked securely away. All personal notes and pocket books containing personal identifiable information must be handed back to your manager if you no longer need them for your job.
° If documents containing personal information come into your possession and you are not the intended recipient, you should either forward these to the named person or, if this is not known, your Caldicott Guardian. If you identify any document containing personal information, such as letters or results, you should make every effort to decrease the possibility of these being seen by inappropriate persons by obscuring or turning over; case notes or nursing notes left open should be closed. Wherever possible, these documents should be filed and locked away.

Remember - you are bound by the same rules of confidentiality whilst away from your place of work as when you are at your desk.

4.3 Personal identifiable information left unattended

° Caution should be exercised at all times when working with personal identifiable information.
° Only have the minimum information necessary on your desk for you to carry out your work. Any other related information should be put away securely, preferably locked away.
° Do not walk away from your work area leaving any documents exposed for unauthorised persons to see.
° Do not pass documents containing personal identifiable information to other colleagues by leaving them on a secretary's desk or in an "IN" tray. Always ensure that information is in a sealed envelope addressed to the recipient and clearly marked CONFIDENTIAL.

When transferring paper notes which contain personal identifiable information, make sure CONFIDENTIAL is marked in a prominent place on the front of the envelope. Ensure that the address of the recipient is correct and clearly stated, using the following format:

° name
° designation (job title)
° department
° organisational address
° write a return address on the back of the envelope (if using a plain envelope)

If patient-identifiable information is to be sent in carrier (internal) envelopes, the envelope must be sealed and marked CONFIDENTIAL. Internal mail should still be properly named and addressed, e.g. not just to "Mary from Maternity".

Transfer between hospital sites

If your organisation has a secure system for transferring patient records between hospital sites, you should always ensure this system is used, referring to any guidance that your organisation issues.

Only authorised personnel may assist in the transfer of patient records where an office, department or practice is moving premises from one site to another. This must be done under the guidance of an authorised employee / employees of the relevant organisation.

Transfer between departments on site

Where an organisation has an internal system for transferring confidential information in place (e.g. routine portering transfer), this may be used to transport records between departments. Alternatively, appropriate special arrangements may need to be made for information required urgently (e.g. non-routine portering transfer). In either situation, the information must be correctly packaged and labelled as detailed earlier. Depending upon circumstances, it may be more appropriate and expedient to transport the information personally. If this is the preferred option, do not leave any information inside the car; ensure that it is locked away securely in the boot.

It is not appropriate for unpackaged information to be handed to another person for delivery simply because they are going to the destination department.

If you have any specific questions regarding transferring patient records, contact the Medical Records Department or Practice Manager for further guidance.

4.5 Indiscreet Conversations

° Ensure you cannot be overheard by unauthorised people when making sensitive telephone calls, during meetings, and when you are having informal discussions with colleagues about confidential information. In these situations, if you do not need to identify a patient by name - then don't.
° Consideration needs to be given to the siting of an answer phone to ensure that recorded conversations cannot be overheard or otherwise inappropriately accessed.
° During ward rounds (or visits to nursing homes) when patients' details are being discussed, staff should bear in mind that they might be overheard by other patients in the same room. Whilst it is appreciated that it is difficult to manage confidentiality in situations like these, staff are expected to be aware of the possible problems and do all they can to respect the patient's rights.
° It is not appropriate to discuss personal information in hallways, corridors or stairways - or any public place where you might be overheard.
° When speaking to a patient or carer on the telephone, confirm the caller's identity or ring back. If in doubt, ask for confirmation in writing, or fax.
° Patient information may be released in cases where there is a danger to patients or others. If you receive a request from another agency or the police, etc, you should seek advice from your Caldicott Guardian prior to releasing any information.
° Real patient-identifiable data should not be used in training, testing systems, or demonstrations without explicit consent.

REMEMBER - IF IN DOUBT, CHECK IT OUT

4.6 Inappropriate sending of faxes

When sending faxes that contain personal identifiable information, try to use a designated Safe Haven fax wherever possible. A designated Safe Haven is a place where a fax containing confidential information can be sent safely in the knowledge that procedures are in place at the other end to ensure its security. NHS organisations are adopting the principle of Safe Havens, and every effort should be made to use them wherever possible. If you are faxing to a non-Safe Haven fax, the procedures below should be followed:

° telephone first to inform the recipient that you are faxing confidential information
° ask if they could wait by their fax machine whilst you send it
° ask if they could telephone to acknowledge receipt
° always double check that you have keyed in the right number before hitting the "send" key
° regularly used numbers should be programmed into your fax machine, which would decrease the possibility of keying the wrong number

Ask your manager for a copy of "Guidelines for the secure transmission of manual faxes" and also the "Wirral Directory of Safe Haven fax numbers or fax machines kept in a secure room".

4.7 Safeguarding Computer Information

The security and confidentiality of information held on computer must be maintained at all times.

° Never leave a computer logged on to a system and unprotected. Always protect the system (e.g. log off or use password-protected screensaver) when you have finished or stop using it for a period. Always log off when you have finished. Failure to do this not only leads to a risk of unauthorised access to patient information, but you will be held responsible for any actions associated with your sign-on.
° Do not walk away from your work area and leave personal identifiable information on your screen for unauthorised persons to see. If you need to leave your desk, you should protect the system (e.g. log off or use password-protected screensaver).
° Where it is necessary for personal identifiable information to be stored on your computer, ensure that it is stored in a secure way with password protection.
° Do not keep any personal identifiable information longer than necessary. Delete personal files you do not need to keep and if the information is stored on diskette, tape or CD, ensure that it is clearly labelled and locked away. Excepting where the data held is the original data (where further advice should be sought from the appropriate department manager, practice manager, or head of IM&T). When the information held is no longer required the diskette, tape, or CD must be reformatted, erased or destroyed in accordance with the relevant section of the organisation's security policy. Further advice on the retention of information can be found in HSC(1999)053 For the Record.
° Windows users should remember that when deleting files they are moved to the "recycle bin". Therefore, the recycle bin should be emptied on a regular basis. If in doubt, check with your IT Department or Systems Manager.
° Passwords are the keys that provide access to information. You MUST NOT disclose your password to ANYONE under any circumstances. Never write your password down as this could be seen by other users, and always change your password when prompted. It is recommended that passwords should be a minimum of 6 characters and be a mixture of letters and numbers, i.e. using 5 instead of S, 1 instead of I, etc.
° Turn off your computer at the end of the working day unless it is needed to work unattended, e.g. for print outs.
° Never use anyone else's code and password, even to be helpful. Never, as a manager, ask anyone to use another's password for convenience. If it is absolutely necessary (e.g. to access information when a patient or other person is in danger and the owner of the password cannot be found), contact the IT Department or systems manager.
° Destruction and / or disposal of computers, or parts thereof, must be carried out by your IT Department. This will ensure that all information is stripped from the computer and disposed of using the correct procedures. Staff should not remove or relocate computers without first checking with the IM&T Department.

If you use a portable computer outside your place of work, ensure that:

° you have the authority to take equipment off-site
° you have permission to transfer personal identifiable information off-site
° your computer is password protected to BIOS level, which will be set by the IT Department that provides the portable
° you store back-ups securely and complete them regularly whilst using portables
° databases are encrypted
° all equipment is locked away when not in use
° Turn off your computer at the end of the working day unless it is needed to work unattended, e.g. for print outs.
° every effort is taken to prevent loss or theft of your computer
° you do not leave your computer in your car

Remember - you are bound by the same rules of confidentiality whilst away from your place of work as when you are at your desk.

4.8 Use of the e-mail system

You are responsible for the contents of your e-mails. Ensure that:

° the content is not sexually or racially offensive, or otherwise illegal
° patient-identifiable information is not sent via the Internet - this is not a secure system. Only use NHS addresses which are contained in the NHS address books or end with ".nhs.uk". It is not secure to send this information to addresses such as ".com", ".co.uk" or ".org". If you are in doubt, contact your IT Department
° you DO NOT disclose your e-mail password to ANYONE
° you remember to log out of the system when you are leaving your computer

REMEMBER - IF IN DOUBT, CHECK IT OUT