BRADFORD & AIREDALE CCG TRUST

Ashcroft Surgery, Bradford

Newlands Way, Eccleshill, Bradford, BD10 0JE, West Yorkshire, UK

Useful Numbers

  • CALL 111 –  open 24 hours for help with medical problems of short duration and sudden onset
  • ANY LOCAL PHARMACIST for good advice about medicines, minor illness
  • DISTRICT NURSES: 01274 256 131 for wounds, dressings, elderly people
  • HEALTH VISITORS: 01274 221 223 for advice about babies and children
  • MIDWIVES: 01274 623 952 if you’re pregnant
  • National Coronavirus Support Line 0333 880 6619

Information Governance – information data protection, confidentiality and other legal matters

ASHCROFT LEADS

  • Data Protection Officer: Rachael Nicholson  rachael.nicholson@bradford.nhs.uk
  • Doctor:   Dr Ramesh Mehay (Caldicott Guardian)
  • Admin:  Chris Rushton (Data Controller) & Tracey Firth

DATE REVIEWED:

4th Nov 2019

DATE OF NEXT REVIEW:

Nov 2020

Basic Rule: if you are ever unsure whether to disclose information...

If you are ever unsure about whether to give out information to somebody or not, please contact the named admin leads above first and DO NOT give out any information until you have spoken to him or her. If clinical advice is required, the admin lead will seek advice from the clinical lead.

A note to IG Leads: There are Information Governance Leads at the CCG that can be contacted for further advice.

But the request is urgent and the leads are not available...

  • Seek the advice of one of the GP partners at Ashcroft.
  • You can also seek the opinion of an experienced member of admin staff.
  • It is important to use your judgement to strike a balance between the harm that could be done to a patient’s health if information is not used or shared and the risk of breaching confidentiality if information is shared.  If you feel sharing information is necessary to avoid or reduce harm or distress to anyone, then the legal framework in the UK will generally support it.
  • Remember, the police do NOT have the automatic right to medical information (unless there has been gun or terrorist crime).
  • Giving information to patients or relatives can usually wait – so if you are unsure whether to disclose something, wait until you can speak to one of the IG Leads mentioned above.

Other Medico-Legal Matters

  • A full range of advice sheets on all sorts of medico-legal matters can be found on this link: www.medicalprotection.org/uk/resources/factsheets/browse-by-topic.  It is a useful page by MPS and it provides fact sheets to cover the following.

    • Complaints & Claims
    • Communication
    • Confidentiality
    • Consent
    • Mental Capacity
    • Out of Hours Care
    • Patient Safety
    • Preparing for Court
    • Prescribing
    • Primary Care
    • Records & Reports
    • Telemedicine

Frequently Asked Questions (FAQs)

We all know what information is, which is essentially data about something or someone. Governance is another word for control of something or the manner in which something is governed. Therefore, Information Governance (in the NHS) is about the way information about patients is controlled or governed or handled. And it is really important that we control or ‘protect’ the way a patient’s information is handled because otherwise patients would be fearful to tell us anything if they felt that information could easily leak out. So, Confidentiality is all about maintaining trust with patients. Confidentiality is so important that it is protected by law. And for that reason, Information Governance/Confidentiality is a really important area for all NHS staff to understand. Breaking the basic rules of Information Governance could lead to you losing your job – because it is part of your job description to know and understand them. On top of that, the practice you work for can end up facing a heavy fine. And if you do break the rules, saying something like ‘I didn’t know the rules, no-one told me’ will not get you out of trouble – because you have some personal responsibility to make sure you are familiar with them. So, please read this webpage carefully. Most of it is common sense and we hope is easy reading for you.

Now, think about this for a moment.

Patients entrust us with (or allow us to gather) some very sensitive information about their health or other matters. They do this in confidence and (quite rightly) expect us to keep this information private. We have all been patients at some time or another. As a patient, would you be upset if information about you leaked out to someone who had no right to know things about you? How would it make you feel? Would you feel that your privacy had been violated? Would you trust the doctors, nurses or the reception staff at that practice?

That’s exactly why we must try our best to keep information about our patients private and reduce the chances of this information landing in the wrong hands.   In some circumstances, patients may lack the competence to extend this trust or may be unconscious, but this does not diminish the duty of confidence.  It is essential that we continue to provide a confidential service in order to secure the trust of our patients.   Information should only be furnished where proper informed consent has been obtained or given; consent means permission or agreement to do something.

The confidentiality requirement of staff is specifically detailed within your Contracts of Employment and a breach of this by any employed staff will be a serious occurrence and may invoke the Practice Disciplinary Procedures that could result in staff dismissal. The section states:

‘Employees shall not at any time or for any reason, whether during the term of this contract or after its termination, use or disclose to any person any confidential information.  Disclosures of confidential information or disclosures of any data of a personal nature can result in prosecution for an offence under the Data Protection Act 1998 or an action for civil damages under the same Act in addition to any disciplinary action taken by the Practice which may include dismissal and without prejudice to any professional misconduct proceedings undertaken, such as by the GMC in respect of such unauthorised disclosure.’

An understanding of Confidentiality and its principles is specifically discussed during the induction (within the first two weeks) of all new members of staff. Confidentiality training will also be revisited during the practice’s Protected Learning Time once every year.

If you think you have done something wrong in terms of Information Governance (for example, breaching one of the rules), please do NOT keep it a hidden secret. Please tell one of the Information Governance Leads above. They will:

  1. Put early corrective measures in place to protect patients.
  2. Make a log of it – this needs to happen so it can be discussed as a significant event where we can learn from it to prevent similar occurrences in the future.
  3. Ensure that it is discussed as a significant event amongst the partners shortly afterwards.

Please report things as soon as possible – even if the breach was not because of you.   The practice can be fined for breaches, but the penalty is less if we can show we took action as early as possible and tried to make things right.    Failure to report a breach is one of the factors taken into consideration by the ICO when assessing monetary penalties.

  • You cannot access any patient’s record in the surgery just because you feel like it or out of curiosity/interest.  This includes records of family members or friends.
  • Patient records should only be accessed for the purpose of ensuring good clinical care of the patient – in other words, you have to access that patient’s record so that the surgery can provide the care they need (e.g. making an appointment, patient asking for their blood results, a practice health professional needs some relevant information).
  • Any browsing of medical records for reasons unrelated to work will be considered a serious matter and will lead to disciplinary action.
  • Please note that SystmOne keeps a track of which records you are accessing (and when) discreetly behind the scenes.
  • Our systems at present rely on all clinical and reception staff being able to access medical records, e.g. issuing prescriptions, chasing up referrals and giving out results. These systems require that all staff have level 4 access, which includes consultations. There is work ongoing to improve the systems in order to allow for access to consultation data to be restricted. In the meantime, where there are particular concerns about confidentiality, for example members of staff or relatives of staff who are patients, those medical records can be placed on a higher security setting allowing access only by clinicians. This can also be done if there is a specific patient request. Note that this setting does not allow staff to access any part of the record, including issuing prescriptions or even making appointments, and therefore should be used with discretion.
  • Information about a patient accessing their medical records can be found here.

Different forms of Media

  • Staff should confirm the identity of the person first before discussing any patient information with the patient concerned.
  • When making appointments, staff should ask the patient to confirm their address to ensure the correct patient record has been selected. Date of birth can also be used.

Email is an insecure system. You should not use any patient identifiable information when using email. Even using and sending to an NHS mail address is not totally reliable. If you need to communicate with colleagues via NHS mail, then observe the following rules:

  • You must send ONLY from your NHS mail address. Do not communicate from your personal non-NHS email address.
  • The recipient’s address must also be an NHS mail address.
  • If more than one recipient – all must be NHS mail addresses – but think carefully about who needs to know.
  • Try and limit recognisable data – for instance, use NHS number or first three letters of first name and second name (which you can search under with SystmOne) rather than releasing full information.
  • Do not send attachments in emails containing sensitive information.

When faxing items with person identifiable (or sensitive) information, safe haven faxes should be used as the preferred method. Obey the following rules:

  • Always send a fax header with all other documents sent via fax.  Ashcroft surgery has one here  http://www.ashcroftsurgery.co.uk/staff/secure-area/
  • The fax header should detail five things:
    1. a “private and confidential” marking
    2. sender’s name and contact details
    3. intended recipient’s name and contact details
    4. the total number of pages
    5. a message to return (if incorrect recipient) which says something like ‘This information is confidential and should be returned without the recipient reading any further if the recipient is not the intended recipient’.
  • Double check the number you are faxing to.
  • Get a confirmation of receipt.
  • Internal email systems such as the one in SystmOne/EMIS are secure – you can use patient identifiable information.
  • Double check: when using either of these systems, double check to make sure the recipient is definitely the person you want to send the information to.
  • All post containing person identifiable data must be clearly marked “private and confidential” – both internal and external mail.
  • Double check the name and address of the recipient
  • Use a SEALED envelope
  • Additional note for external mail: send recorded delivery second-class.
  • If sending information on a group of patients, then no more than 20 patients’ identifiable information per sealed envelope.

Ensure that all patient summaries from HVs are SHREDDED. Do not leave them lying around in your office or car.

Your PC or Laptop should not store ANY documents that contain patient identifiable data.

If you have, you must delete it and then make sure you empty the recycle bin too and wipe the empty space with a suitable ‘wipe free space’ type of software program.

You should not use a USB stick to store ANY documents that contain patient identifiable data. If you have, you must delete them and wipe the empty space with a suitable ‘wipe free space’ type of software program. CCleaner is a free downloadable program that has a secure wipe disk utility. Please note, just right clicking and selecting “delete” DOES NOT delete that item or its data. It simply removes the name of the file from the directory. The file appears to be gone, but in reality it is still there. That is why you have to use a “wipe free space” software program like CCleaner.

Specific Scenarios

Information about patients often leaks out because of carelessness.  Yet the fix is often very simple and easy!   Here are some examples of how patient information commonly gets accidentally leaked out.    Please pay attention to the advice given.

  1. Patient summary printouts for home visits not being discarded properly.   After home visits, all summary printouts should be shredded.  Any left in the ‘home visits box’ (after the visit date) should also be shredded.  Doctors – please note that you should keep your home visit summary printout in your doctor’s bag and it should not be left lying around in your car!
  2. Carrying a bunch of patient letters without a folder and one drops out in the patient waiting area or the corridor.  If you carry letters in a folder box, they are less likely to fall out.
  3. Prescriptions or other information being left lying around – on desks etc.   This is a particular problem on doctors’ desks.   Doctors – please remember that your rooms might be used by other workers and therefore keep your desk tidy and free of patient sensitive information.   Admin staff – if you find patient sensitive information in a doctor’s room when they are not there, please transfer to that doctor’s pigeon hole.
  4. Talking to patients or their relatives in front of other people.    Use ‘stand behind this line’ notices to provide better confidentiality for patients and their relatives speaking at reception.   See section below about what information you can and cannot disclose to relatives.
  5. Computer screens on full display to anyone!   Remember, if you need to leave your desk ensure your screen is away from public view.   Again, if you have to leave your computer, take out your smart card so that the computer goes into security mode.
  6. Doctors and nurses talking to reception staff about a patient in the waiting area.   Try and talk to staff outside of the reception area.
  7. Sending patient information (including search results) via personal email – this is forbidden!  Only send through NHS secure email.
  8. Storing patient information (including search results) on a non-encrypted NHS USB stick or any other storage medium – this is forbidden!   It’s probably safest to generally say, don’t use USB sticks in general.  If you desperately need to, ask yourself why you need it and ensure it is an NHS issued encrypted one.

Remember… Information Security is everyone’s responsibility. So, if you see something sensitive lying around, like a patient letter, pick it up and hand it to Chris Rushton and explain where you found it.

  • The Police – just because a police officer requests information DOES NOT give them automatic right to get that information.  They still need to obtain consent from the patient.
  • A solicitor – a solicitor cannot demand information without a consent form.   All requests from solicitors should be in writing and never over the phone – even for little things.  Information must NOT be released until the consent form has been seen.   Currently, we have a practice procedure whereby Christine Serrant checks all solicitor request letters for consent forms before passing anything onto the doctor.
  • A relative – just because the person asking for information is the husband, wife, daughter or son DOES NOT give them automatic right to get that information.  Again, they need to have a consent form signed or alternatively, if for example their relative has dementia, they need to have obtained a signed Power of Attorney or Enduring Power of Guardianship form (which they do via a solicitor).
  • Another doctor or GP practice requesting information over the phone – pass this onto Mr Chris Rushton or one of the doctors – one must be careful with telephone conversations because one needs to be certain that the other person is who they say they are (e.g. not a relative pretending to be a hospital doctor or another GP elsewhere).
  • Always check with telephone calls and make sure the person is who they say they are.  For instance, if the person is claiming to be a doctor, call them back on the hospital or practice where they say they work.  Same for people claiming to work for a particular organisation – ring them back.
  • Even information about attendance at surgery or clinics is confidential!  Please do not tell relatives whether a patient has attended the surgery recently!
  • Results should only be given to the patient directly unless there is explicit consent.
  • Where information about a minor (i.e. under 16) is sensitive, for example regarding contraception, pregnancy testing etc, discretion should be used regarding the giving of results or information to a guardian. Reception staff should discuss this with a doctor where there is any doubt.
  • Where information regarding a patient’s medical record is requested from a third party, e.g. insurance company, solicitor, social services etc, written consent must always be obtained. This must be seen prior to any information being released from the practice.
  • There are some rare circumstances in which it is appropriate to disclose medical records without consent, e.g. suspicion of child abuse, public safety interest. If such a circumstance is suspected, the GMS guidance on confidentiality must be followed (Confidentiality: Protecting and Providing Information. April 2004. GMS website) and/or the situation discussed with the Caldicott guardian at the PCT.

Please think about your consulting room…

  • Do not leave patient identifiable material lying around.   You should leave your surgery at the end of the day with no patient identifiable material on your desk.   Remember, you may not be working in your room the next day and someone else might be!  If you have got patient identifiable material that you need to hang on to – stick it in your secure pigeon hole.  Or put it in a lockable drawer – then lock it.
  • Don’t leave computers on when leaving your room for a prolonged period of time.  If you are leaving your room for a while, take your Smart Card out as this will lock down SystmOne.  Consider locking your door if you are going to be out of it for any length of time.
  • If a patient comes in with a third party, please remember that their presence does not mean the patient has given the third party permission to hear everything. They might want to talk to you about something which they are happy for their third party person to hear.  But they might not be happy if you start talking about other problems in the records that the third party is a) unaware of and b) has not been given permission to hear.  If you do want to talk about other matters, ask the patient if it is okay or whether they would like to have some privacy – give them that choice explicitly.  Use your head.
  • Again, if a patient comes in with a third party, remember to turn your computer screen away from the patient to directly face you.   The third party may have been given permission to hear the presenting complaint (of course – check), but not to be able to read things off the computer screen.
  • Confidentiality still exists when a patient dies.  If someone dies and, say, an insurance company wants further information – seek consent of the executor of the will or ask the company to make a claim via court.
  • Parents who have split or divorced – the parent the child resides with the most (or who has custody) is the parent who has a right to the information on that child.  The other parent does not.   So check with the parent and ask them to provide evidence by way of a parental order.  Of course, use your head… especially if an acutely unwell child comes in with the non-custody parent.   Patient safety overrides everything.
  • The child who comes in with grandma for vaccinations.  Again, consent has to be sought from the parent, not the grandma.

The most important thing to remember is that information that can identify individual patients must not be used or disclosed for purposes other than health care without the individual’s explicit consent. In some specific situations, consent can be overridden (but check with the Information Leads above). For example, consent can be overridden where:

  1. there is a robust public interest to do so (e.g. to protect the public from terrorism or other harm)
  2. there is a third party involved who is also at risk if information is not shared (e.g. a child)
  3. there is a legal requirement to do so (e.g. the courts demand you release the information).    Note: Don’t confuse the courts with the police.  A police officer requesting information cannot do so without consent from the patient.  Do NOT release information to the police without talking to your Information Governance Deputy Lead, Mr Chris Rushton.

When sending information about patients to other people or organisations, please think about the nature of what you are sending.  You need to check that the recipients are authorised to receive that information.  If it includes patient identifiable information, then it needs to be dealt with carefully.  Sending information by different methods may need additional requirements like marking ‘private & confidential’, use of courier or NHS delivery services rather than regular post, etc. Disposal of information also needs careful management e.g. for paper use a cross cut shredder.

You can disclose information to other staff and doctors (within or external to the practice) PROVIDING

  1. the receiving person needs to know that information (in order to provide better care/treatment) AND
  2. the expectation is for this information to be used for the sole care and treatment of that particular patient only.
  3. Remember it is important to use your judgement to strike a balance between the harm that could be done to a patient’s health if information is not used or shared and the risk of breaching confidentiality if information is shared.  If you feel sharing information is necessary to avoid or reduce harm or distress to anyone, then the legal framework in the UK will generally support it.

  • You need to ask the patient to identify themselves by asking for two pieces of additional information – like their date of birth and address or phone number.
  • Listen to the dialogue, if there is any hint of suspicion on your part, hold back, even if they are able to provide two pieces of additional information.
  • Remember, patients are only entitled to information about themselves – not their relations.
  • Only leave the minimum of information.
  • So, ‘Mrs. Brown, please can you call the surgery back and ask to speak to Sam.  It’s nothing urgent.’ is ok.
  • But ‘Mrs. Brown, just wanted to let you know that your urine result was okay’ is not okay.
  • ‘Mrs Brown, just ringing up because you were meant to attend to have your coil changed.  Anyway, please ring the surgery and ask for Sam’ is also not okay.
  • In the last two examples, you have divulged unnecessary information that another household member can pick up on. And then you will have breached confidentiality.
  • Always send a fax header with all other documents sent via fax.  Ashcroft surgery has one here  http://www.ashcroftsurgery.co.uk/staff/secure-area/
  • The Fax Header must have a message to return (if incorrect recipient)  which says something like ‘This information is confidential and should be returned without the recipient reading any further if the recipient is not the intended recipient’.
  • If your system does not give much information other than the patient’s name, then that is fine.  So, ‘Mrs. Broom to room 8 please’ is fine.
  • However, something like ‘Mrs. Broom to the Diabetic Clinic Room 8 please’ is breaking confidentiality because other people in the waiting room now know that Mrs. Broom has diabetes.  They have no right to know that information.

Absolutely not.  You must not tear up paper with sensitive information.    Instead, shred it.  In fact, even if you are unsure as to whether something that needs disposing of contains confidential information or not – shred it.  Ashcroft surgery employs a specialist contractor to help dispose of confidential paper waste securely.   A lockable ‘shredding’ box/console can be found near the emergency exit area of the staff common room on the ground floor.   The specialist contractor will come in and securely shred paper in this box.   So….

  • Please do NOT tear up paper with sensitive information and throw it in the bin
  • Instead, stick it in the shredding box.

As many of you will know, most internal doors at most surgeries have digital keypads to help with security zoning of the different areas of the building – including areas where medical records are held. These doors must be kept secure for two reasons:

  1. to keep areas where medical information may be lying around cordoned off,
  2. because all our doors are fire doors and fire doors must be kept closed to limit the spread if a fire was to happen.

Therefore, NEVER turn off the digital keypads and NEVER keep the doors propped open. It’s not only a confidentiality risk but also a fire safety risk.
