Confidentiality and Data Protection


This document sets out the arrangements in the practice for the confidentiality of patient data and its protection.

All patient information is considered to be confidential and we comply fully with the Data Protection Act. All employees have access to this information in relation to their role and have signed a confidentiality agreement. Information may be shared, in confidence, with other NHS organisations in the interests of patient care.

Please note that it is the Practice’s reserved right to record all telephone calls for the purposes of patient and staff care, security, and dispute resolution. Recordings and their use will be at the Partners’ discretion and will also comply with the Practice’s Data Protection registration.

The Organisation’s Responsibilities

The Organisation will do its upmost to ensure that the confidentiality of patients is protected while also needing to identify the best way to help them.

The organisation accepts its responsibility as Data Controller for all patient data in its care, whether in electronic or paper form. We will ensure that employees fully understand all their responsibilities with regard to confidential data. The employees will undertake Data Protection learning as part of their induction and will sign a written acceptance that they understand the responsibilities they are undertaking towards the security of patient data.

The organisation will also ensure that arrangements are in place for the confidential disposal of any paper waste generated at work or the employees’ home.

The organisation will monitor and record when it is passing ownership of data to an individual (e.g. for project work or, research and development) and this may be individually and specifically authorised by the Caldicott Guardian. The individual may then need to be separately registered under the Data Protection Act 1998. The practice will otherwise fully comply with all aspects of data security as required under the Act.

The organisation will strictly apply the rules of confidentiality and in general will not release patient information to a third party without proper valid and informed consent, unless this is within the statutory exempted categories such as in the public interest, in which case the release of the information and the reasons for it will be individually and specifically documented and authorised by the responsible clinician.

The organisation will ensure that it and its suppliers maintain regular security updates including anti-virus software as necessary.

Responsibilities of Staff

Staff will ensure that Patient confidentiality is respected. Initial patient contact will endeavour to ascertain the best way to assist without being overly intrusive. This means that staff need to ask questions that are sufficiently detailed in order that patient needs are identified and met efficiently and effectively. However they must take care to ensure that sensitive information is not overheard by others.

Staff will never disturb a clinical consultation without warning the clinician (and the patient) by knocking and WAITING for permission to enter a room where there is a closed door. Urgent messages can also be sent via the BMJ short messaging and by telephone.

Staff will ensure that their access to patient records takes place in a manner which is necessary and proportionate for the purposes of providing care to patients.

Patient information, where required will be transmitted to partner agencies such as hospitals and social services etc. Staff must ensure that any such transmission will be conducted in a safe manner and the information transmitted will be proportionate to the purpose of the transmission. This may include clarifying who the third party is and why the data is required, checking the identity of the recipient and the channel (address, email address or fax number) by which the information is to be transferred.

Family, friends, acquaintances and patients ‘in the public eye’. Staff will not ‘research’ the data of patients known to them. If they are aware of a medical need of a family member or friend, they must ask a colleague or their manager to deal with it. The Practice will invoke disciplinary proceedings to protect patient confidentiality. Staff must ensure that there is ‘no conflict of interest’ and if they are unsure they must ask a manager.

Protecting Patient Data against Viruses and Malware

Data is vulnerable to loss or corruption caused by viruses. Malware may seek to harvest confidential data and use it illegally. Staff will ensure that they use the computers provided by the Practice in a safe and appropriate manner. Viruses and Malware may be introduced from memory sticks and other storage media BUT MAINLY they obtain access to our system by direct links via e-mail and web browsing.

Staff must:

  • 1. Delete any e-mail that asks for their password details
  • 2. Not open attachments that come from unrecognised sources, but delete the entire email
  • 3. Ensure that their computer is fully turned off at least once a week to allow for security updates to take place.
  • 4. When browsing, to minimise risk, only access ‘safe’ mainstream sites.