The practice complies with data protection and access to medical records legislation.

Identifiable information about you will be shared with others in the following circumstances:

  • To provide further medical treatment for you e.g. from district nurses and hospital services
  • To help you get other services e.g. from the social work department. This requires your consent
  • When we have a duty to others e.g. in child protection cases

Anonymised patient information will also be used at local and national level to help the health board and government plan services e.g. for diabetic care.

If you do not wish anonymous information about you to be used in such a way, please let us know.

Reception and administration staff require access to your medical records in order to do their jobs. These members of staff are bound by the same rules of confidentiality as the medical staff.

Confidentiality Policy

Caldicott Guardian: Dr WS Riddell


The purpose of this confidentiality policy is to lay down the principles that must be observed by all who work at Crags Health Care and have access to person-identifiable information or confidential information. All members of staff need to be aware of their responsibilities for safeguarding confidentiality and preserving information security.

All employees working in the NHS are bound by a legal duty of confidence to protect personal information they may come into contact with during the course of their work. This is not just a requirement of their contractual responsibilities but also a requirement within the common law duty of confidence and the Data Protection Act 1998. It is also a requirement within the NHS Care Record Guarantee, produced to assure patients regarding the use of their information.

It is important that Crags Health Care protects and safeguards person-identifiable and confidential business information that it gathers, creates, processes and discloses, in order to comply with the law, relevant NHS mandatory requirements and to provide assurance to patients and the public.

This policy sets out the requirements placed on staff when sharing information within the NHS and between NHS and non-NHS organisations.

Person-identifiable information is anything that contains the means to identify a person, e.g. name, address, postcode, date of birth, NHS number. It must not be stored on removable media unless it is encrypted as per current NHS encryption guidance, or a business case has been approved by the information governance manager.

Confidential information within the NHS is commonly thought of as health information; however, it can also include information that is private and not public knowledge or information that an individual would not expect to be shared. It can take many forms including patient level health information, employee records, occupational health records, etc.

Information can relate to patients and staff (including temporary staff), however stored. Information may be held on paper, CD/DVD, USB sticks, computer file or printout, laptops, palmtops, mobile phones, digital cameras or even heard by word of mouth.

Roles and Responsibilities

The partners have overall responsibility for strategic and operational management, including ensuring Crags Health Care’s policies comply with all legal, statutory and good practice guidance requirements.

The Caldicott Guardian is responsible for ensuring implementation of the Caldicott Principles with respect to patient-identifiable information.

The information governance lead will be responsible for overseeing the development and implementation of information governance at Crags Health Care and for ensuring that the practice complies with and supports the legal and NHS mandatory framework with regard to information governance.

The information governance lead is responsible for providing advice, on request, to any member of staff and for ensuring that training is provided for all staff groups to further understand the principles and their application. The lead is also responsible for ensuring that the contracts of all staff (permanent and temporary) are compliant with the requirements of the policy and that confidentiality is included in inductions for all staff.

Confidentiality is an obligation for all staff. Staff should note that they are bound by the Confidentiality: NHS Code of Practice 2003. There is a confidentiality clause in their contract and they are expected to participate in induction, training and awareness sessions carried out to inform and update staff on confidentiality issues.

Any breach of confidentiality, inappropriate use of health or staff records, or abuse of computer systems and misuse of smart cards is a disciplinary offence, which could result in dismissal or termination of employment contract, and must be reported.

All members of staff must ensure that the following principles are adhered to:

  • Person-identifiable or confidential information must be effectively protected against improper disclosure when it is received, stored, transmitted or disposed of
  • Access to person-identifiable or confidential information must be on a need-to-know basis
  • Disclosure of person-identifiable or confidential information must be limited to that purpose for which it is required
  • Recipients of disclosed information must respect that it is given to them in confidence
  • If the decision is taken to disclose information, that decision must be justified and documented
  • Any concerns about disclosure must be discussed with the employee’s line manager, or Caldicott Guardian
  • Crags Health Care is responsible for protecting all the information it holds and must always be able to justify any decision to share information
  • Person-identifiable information, wherever possible, must be anonymised by removing as many identifiers as possible whilst not unduly compromising the utility of the data
  • Access to rooms and offices where terminals are present or person-identifiable or confidential information is stored must be controlled. Where appropriate, doors must be locked. In mixed office environments measures should be in place to prevent oversight of person-identifiable information by unauthorised parties
  • All staff should clear their desks at the end of each day. In particular, they must keep all records containing person-identifiable or confidential information in recognised filing and storage places that are locked
  • Unwanted printouts containing person-identifiable or confidential information must be put in a confidential waste bin. Tapes, printouts and fax messages must not be left lying around but be filed and locked away when not in use

Confidentiality and freedom of information

We feel it is important that all patients are informed about what happens to personal information that is stored on our computer system.

Everyone working for the NHS has a legal duty to keep information about you confidential and all staff employed by this practice abide by our code of confidentiality.

When you register with this practice, you will be asked for information about yourself so that you can receive the appropriate care and treatment. This information is kept together with details of your health treatment so that the practice can always ensure that the care you receive is both appropriate and consistent with your medical history.

Sharing your information with other organisations

The following are sets of instances where the practice may pass information to other organisations and the conditions that must be complied with before information about you is released:

  • Statutory requirements sometimes oblige the practice to pass on information e.g. notification of a birth or death
  • The NHS central register for England and Wales contains basic personal details of all patients registered with a general practitioner. The register does not contain clinical information
  • We may use some of this information for preparing statistics to continue to improve the quality of our care and help to ensure that our services meet the needs of our patients. Steps will be taken at all times to ensure you cannot be identified

On registering with the practice you will be offered the opportunity to opt out of data sharing agreements such as the NHS summary care records. You may opt in or out of these agreements at any time.

You may be receiving care from other organisations within the NHS. To ensure that you receive a consistent programme of care, we may need to share some information about your medical history. We only ever do this if it is in your interest. The law strictly controls the sharing of some types of very sensitive information. Anyone who receives information from us is also under a legal duty to keep it confidential.