Policy This course is supported by the Trust's Record Management policy, which outlines a range of procedural guidelines: IT&T Security Policy; Email Access; Clinical Records Destruction; Structure and Content of Health Care Records; Confidentiality; Sharing of Information; Access to Health Records; Safe-haven Procedures; Information Security Incident Management; Storage, Retention and Destruction; Data Quality. Record Keeping SEPT - MANDATORY TRAINING COURSE OBJECTIVES The Trust's policy; Confidentiality; Legislation; Principles; Disclosing information. COURSE OBJECTIVES The Trust's policy; Confidentiality; Legislation; Principles; Disclosing information. Introduction All employees of the Trust are responsible for maintaining confidentiality. This duty of confidentiality is written into employment contracts. Breach of confidentiality of information gained, either directly or indirectly in the course of duty, is a disciplinary offence that could result in dismissal. Staff are authorised to have access to patient information they need to know in order for them to perform their duties. Gaining access or attempting to gain access information that you do not need to see to carry out your work is a breach of confidentiality, as is passing information on to someone who is not authorised to receive it. Any personal information, non-clinical or clinical, must be treated as confidential.
SEPT - MANDATORY TRAINING Legislation Data Protection Act 1998 (8 Principles) There are 8 Data Protection principles, which regulate the use of person identifiable data (personal data). Any use of personal data should be: Fair and lawful Used only for specified and lawful purposes Adequate, relevant and not excessive to need Accurate and kept up to date Not kept for longer than necessary Processed in accordance with data subject rights, including rights of access Kept secure and protected against accidental disclosure, loss or damage Not transferred outside the EEA (European Economic Area) Human Rights Act 1998 Article 8 Everyone has the right to respect for his / her private and family life, home and correspondence. It is unlawful for a public authority to act in a way that is incompatible with a Convention right. Common Law Duty of Confidence Information obtained for one purpose should not be used for another purpose without the express, or implied, authorisation (consent) of the provider of that information. Common Law Duty of Confidence Information obtained for one purpose should not be used for another purpose without the express, or implied, authorisation (consent) of the provider of that information.
SEPT - MANDATORY TRAINING Caldicott Review 1997 The Caldicott Review of Patient Identifiable Information raised concerns about the management of NHS records. The Review, published in December 1997, was the report of a committee set up by the Chief Medical Officer to review all patient-identifiable information, which passes between NHS organisations. In the main, the Committee was satisfied that the flows of information containing patient-information were justified, but the Committee was concerned at the general lack of awareness of confidentiality and information security requirements throughout the NHS at all levels. The Committee was also concerned at the NHS's ability to limit access to patient information to those who truly need to know. In line with the Caldicott Report recommendations, the Trust has appointed the Executive Director of Corporate Affairs, Niki Richardson as Caldicott Guardian. Caldicott Principles The general principles underlying the use and sharing of personal information follow the Caldicott Principles, which are: Justify the purpose for using patient confidential information; Only use patient identifiable information when absolutely necessary; Use the minimum identifiable information required for that purpose; Access should be on a strict need-to-know basis only; Everyone must understand their responsibilities to protect information; Everyone must understand and comply with the law.
SEPT - MANDATORY TRAINING Basic Principles Any personal information given for one purpose must not be used for another purpose, without the consent of the individual concerned, because that use may breach confidentiality. A patient's right to confidentiality is protected by ethics and the law. Patients have a legal right to know what information is being collected and why, and the purposes for sharing that information. In some circumstances they have a right to choose how their personal data may be used or who is allowed to see it. To express permission, an 'Information Sharing' form must be completed. A patient / client requesting access to his / her records, due to pressure from a third party, such as employers, should be denied access. Every member of staff has an obligation to protect confidentiality and a duty to verify the authorisation of another person to ensure information is only passed on to those who have a right to see it. The rules are there to protect both the patient and staff from breaches of confidentiality, but they should not be applied so rigidly that they are impractical to follow or detrimental to the care of the individual concerned. All staff should understand their responsibility to protect the confidential information they collect and use, by following the rules and guidance that are available to them.
SEPT - MANDATORY TRAINING Disclosing Information If you are unsure about whether or not to disclose information, consult your Line Manager and / or, if necessary, obtain advice from your organisation's Caldicott Guardian, Information Governance Manager (Data Protection Officer) or Head of Records Management. Disclosing Information If you are unsure about whether or not to disclose information, consult your Line Manager and / or, if necessary, obtain advice from your organisation's Caldicott Guardian, Information Governance Manager (Data Protection Officer) or Head of Records Management. Duty of Care All reasonable care should be taken to protect the physical security of confidential information from accidental loss, damage, destruction, unauthorised access or accidental disclosure. For example: Do not use someone else's password to gain access to information held on the computers; Confidential data held on computers, laptops or disk should be kept physically secure and password protected; Confidential patient information should not be sent via the Internet without being adequate protection against unauthorised or accidental disclosure; Patient information should be kept secure and not left unattended and available for the patient or public to see; Faxing is not secure. Confidential information should be faxed only when there is no alternative and immediate receipt is absolutely necessary for clinical purposes. Safe Haven procedures should be followed; Envelopes containing patient / client confidential information must be securely sealed, labelled 'confidential' and clearly addressed to a known contact; Telephone validation procedures must be followed to confirm the identity of telephone callers before information is given to them; Follow the Trust's Information Security and Data Protection policies and procedures and seek advice when in doubt.
SEPT - MANDATORY TRAINING Safe Haven Procedures A Safe Haven is a location that is used to send and receive confidential information in a NHS organisation securely and confidentially. Any computer-ised or manual document that personally identifies a patient (name, address, postcode, age and sex) is classed as confidential. The Trust and its employees must ensure that wherever and whenever information flows to and from the Trust, those persons responsible for transmitting and receiving it are fully aware of Safe Haven principles and procedures. The Trust ensures that key members of staff 'including switchboard operators and post room staff' are made aware of the existence of Safe Haven access. Safe Haven Procedures A Safe Haven is a location that is used to send and receive confidential information in a NHS organisation securely and confidentially. Any computer-ised or manual document that personally identifies a patient (name, address, postcode, age and sex) is classed as confidential. The Trust and its employees must ensure that wherever and whenever information flows to and from the Trust, those persons responsible for transmitting and receiving it are fully aware of Safe Haven principles and procedures. The Trust ensures that key members of staff 'including switchboard operators and post room staff' are made aware of the existence of Safe Haven access. Guidance for Faxing This guidance relates to Data Protection Principle 7 and Caldicott Principle 4. If you are faxing to a known Safe Haven / secure fax, you do not need to follow any special instructions. If not, follow steps 1 - 6: Personal details should be faxed separately from clinical details, which must be accompanied by the NHS number. Do not fax personal or confidential information unless it is absolutely necessary. Telephone the recipient of the fax (or their representative) to let them know you are going to send confidential information. Ask the recipient to acknowledge receipt of the fax. Double check the fax number and use pre-programmed numbers, wherever possible. Make sure your fax cover sheet states who the information is for, and mark it 'Private and Confidential. If appropriate, request a report sheet to confirm that transmission was ok.
SEPT - MANDATORY TRAINING Guidance for Health Records Record keeping is an integral part of practice, as it is a tool of professional practice and one which should help the care process. When completing health records, you should ensure the following information is included: Use black ink, so the record can be photocopied; Basic Information: Chronological (in order); Legible (readable - e.g. clear writing and no abbreviations); Precise and accurate; Date and timed; Objective (unbiased - e.g. no personal opinions, just facts); Contemporaneous (up-to-date); Signed and printed Factual Information: Describes the patients journey; What has happened; When it happened; Why is it happening; How it has happened; Who did it / who was involved; The impact / outcome and action plan By ensuring this information is included it: will tell the patient's story to anyone accessing the record; will ensure anyone accessing the record has all the details, without delays for questioning; Remember, if you get interrupted when completing a health record, return to it again to ensure you have completed it in full.
SEPT - MANDATORY TRAINING Guidance for Post This guidance relates to Data Protection Principles 6 & 7 and Caldicott Principle 4. Confirm the name, department and address of the recipient. Seal the information in a robust envelope. Note the envelope can have the SEPT brand, but not make reference to our service. Mark the envelope 'Private & Confidential - To be opened by Addressee Only'. Note, without marking it with the 'Addressee Only' text, it will allow e.g. secretaries to open the post. When appropriate, send the information by Recorded Delivery. When necessary, ask the recipient to confirm receipt. Guidance for Telephone Calls This guidance relates to Data Protection Principle 7 and Caldicott Principle 4. Confirm the name, job title, department and organisation of the person requesting the information. Confirm the reason for the information request, if appropriate. Take a contact telephone number (e.g. main switchboard), never a direct line or mobile number. Check whether the information can be provided. If in doubt, tell the enquirer you will call them back. Provide the information only to the person who has requested it (do not leave messages). Ensure that you record your name, date and the time of disclosure, the reason for it and who authorised it. Also record the recipient's name, job title, organisation and telephone number. Remember, a text and an answer phone message constitute a record. Therefore if you receive a message via either communication tool, this must be recorded and acted on.
SEPT - MANDATORY TRAINING Patient Information Requests When asked for patient information: Use the re-dial / speed-dial procedure; Check on the source that requires the information; Ensure the information is justified. Remember, before divulging any information, make sure you are speaking to the right person. For example if you use re- dial or speed dial on your phone, you must ensure this quick step has actually worked and don't just assume you meant to call x and you've got through to x. Patient Information Requests When asked for patient information: Use the re-dial / speed-dial procedure; Check on the source that requires the information; Ensure the information is justified. Remember, before divulging any information, make sure you are speaking to the right person. For example if you use re- dial or speed dial on your phone, you must ensure this quick step has actually worked and don't just assume you meant to call x and you've got through to x. Warning! Remember the Trust has the technology to monitor all emails, Internet usage and telephone calls and has the authority to do so!! Therefore you should refrain from using these tools for personal gain or improper use (e.g. porn sites). It is essential that you don't share confidential and patient information via social networking sites (e.g. Facebook / Twitter). Contact Details Caldicott Guardian - Executive Director of Corporate Affairs, Niki Richardson Information Governance Manager (Data Protection Officer) - Elaine Brooks Head of Records Management - Kay Blencoe (freedom of information and information security)
Now You need to take the Test. SEPT - MANDATORY TRAINING Please click the ‘Test’ icon in the left column, and then click for Questions. EXAMPLE COURSE Remember to click the ‘Home’ icon when you finish the Test to save your results