At Chase Lodge Hospital (CLH), the Confidentiality Policy establishes the foundational principles that all staff must uphold to protect patient and business confidentiality. Every employee, associate, and contractor is legally obligated to safeguard personally identifiable information and other confidential data they encounter during their work. Adhering to this policy is essential not only to meet contractual obligations but also to comply with the common law duty of confidence and the Data Protection Act 2018.
The primary objective of this Confidentiality Policy is to ensure that all personnel at CLH understand their responsibilities for maintaining confidentiality and preserving information security. Although CLH delivers private healthcare services, patient information may be shared with NHS colleagues, provided patient consent is obtained. This policy outlines the requirements for all staff regarding the sharing of information with both NHS and non-NHS organisations.
Personally Identifiable Information (PII) refers to any data that can identify an individual, including names, addresses, postcodes, dates of birth, NHS numbers, and National Insurance numbers. Even photographs qualify as PII. Any data combination that can indirectly identify an individual is also included.
Special categories of personal information, as defined by the Data Protection Act 2018, encompass sensitive personal information such as:
Confidential information within healthcare typically includes health-related data and extends to any private information not publicly known or that individuals would not expect to be shared. This information can take various forms, including patient health data, employee records, and occupational health information.
The CEO and company directors are accountable for ensuring CLH policies comply with all legal, statutory, and best practice guidelines. They must provide the necessary resources to enable staff to implement these policies effectively. The company director also serves as the Data Protection Officer (DPO) and represents information governance issues at the Board level.
The Registered Manager is responsible for safeguarding patient and service user information while facilitating appropriate information sharing. They provide guidance to staff and make risk-based decisions concerning the use and disclosure of confidential data. The Registered Manager collaborates with the DPO to ensure compliance with data protection laws.
Confidentiality is an obligation shared by all staff members.
Doctors must ensure their registration with the Information Commissioner’s Office (ICO) as a data controller remains current, providing evidence of the current registration to the Executive PA.
All staff must adhere to the following principles:
Patients frequently share information with staff. Please refer to Appendix A for confidentiality do’s and don’ts. Care must be taken to ensure that information sharing occurs in appropriate environments:
CLH is committed to protecting all information it holds and must always justify any decision to share information. To ensure appropriate sharing, staff must verify that recipients have a legal basis for accessing the information. Both sender and recipient details must be accurate.
Before disclosing information, staff must consider the necessary amount of confidential information and disclose only what is required. Information may be disclosed in the following ways:
When transferring information, care must be taken to ensure the method used is secure. Data sharing agreements can formalise arrangements between organisations.
When sending patient information or other confidential data via email, NHS encryption standards must be followed. Emails between NHS Mail accounts (nhs.net to nhs.net) comply with these standards, as do emails between NHS Mail and other secure government domains (e.g., nhs.net to gsi.gov.uk).
Confidential or sensitive information must not be included in the body of an email. For emails sent outside secure domains, information must be sent as an encrypted attachment, with the password communicated through a different channel or agreed upon in advance.
To mitigate the risk of inadvertently sending information to the wrong recipient, data sent via secure domains should be password-protected, with the password communicated separately.
Emailing information to patients is permissible provided that either the risks of using unencrypted email have been explained to the patient and their consent obtained, or the information is not personally identifiable or confidential.
Access to rooms and offices containing terminals or confidential information must be controlled. Doors should be secured with keys, keypads, or swipe cards. In shared office environments, measures should be in place to prevent unauthorised access to personally identifiable information. Staff are required to clear their desks at the end of each day, ensuring that records containing personally identifiable or confidential information are stored securely. Unwanted printouts must be disposed of in confidential waste bins. All records should be locked away when not in use.
The CLH Contract of Employment and Practising Privileges includes a commitment to confidentiality. Appendix B outlines a summary of relevant legal and NHS mandated frameworks.
All breaches or potential breaches of confidentiality must be reported as incidents, and the Registered Manager must be informed without delay.
Breaches of confidentiality may be classified as gross misconduct, leading to severe disciplinary action, including dismissal.
There will be occasions when staff must work from alternative locations or while traveling. During these times, staff may need to carry confidential information, such as on a laptop, USB stick, or paper documents. However, removing paper documents containing personally identifiable or confidential information from CLH premises is strongly discouraged.
To ensure the safety of confidential information, staff must keep it on their person at all times while traveling. If staff take confidential information home or to another location, it must be securely stored. Confidential information should always be safeguarded and kept in lockable locations.
Staff should minimize the amount of personally identifiable information taken away from CLH premises. When transporting such information, staff must ensure the following:
If staff need to take personally identifiable or confidential information home, they must ensure it remains secure and confidential. This includes preventing family members, friends, or colleagues from seeing or accessing the information. Confidential information must not be left unattended at any time, particularly in cars. Staff must not forward any personally identifiable or confidential information via email to their home email accounts or store it on privately owned computers or devices.
All staff have a legal duty to maintain the confidentiality of personally identifiable or confidential information. Breaching this duty may result in personal liability. Staff must not:
Physical safety and security must be ensured for both paper-based and electronic confidential information. Passwords must be kept secure and not disclosed to unauthorized individuals. Staff must not use another person’s password to access information. Such actions will be regarded as a serious breach of confidentiality and could be subject to legal repercussions under the Computer Misuse Act 1990.
Employees are strictly prohibited from knowingly browsing, searching for, or viewing any personal or confidential information about themselves without a legitimate purpose, unless through established self-service mechanisms where such access is permitted. Accessing records related to family, friends, or others without a legitimate purpose is also forbidden and constitutes a breach of confidentiality and the Data Protection Act 2018. Staff must recognize their personal responsibility and contractual obligations when handling personally identifiable or confidential information.
Good practice requires that organizations handling personally identifiable or confidential information establish processes to identify actual or potential confidentiality breaches and evaluate the effectiveness of controls within their systems. This Confidentiality Policy will be reviewed every three years or sooner if changes in legislation occur.
The Data Protection Act 2018, read together with the UK GDPR, regulates the use of “personal data” and sets out the data protection principles that ensure lawful and fair processing (the UK GDPR lists six principles plus accountability, replacing the eight principles of the Data Protection Act 1998). These principles include:
The Caldicott Report and subsequent reviews recommend principles for sharing confidential patient-identifiable information, including justifying the purpose for using such information, minimizing its use, and ensuring awareness of responsibilities.
Copyright © 2024 Chase Lodge Hospital