Data Security and Protection

All NHS employees are duty bound to uphold the principles of the Data Protection Act. This important legislation underpins how our staff are expected to behave when managing confidential patient and staff information, and it is a key part of our staff’s employment contract with the Trust. The Trust must also satisfy its information regulator, the Information Commissioner’s Office (ICO), that we are managing patient information in an appropriate manner.

In this guide:

  • Why is information governance important?
  • How can we improve information governance day-to-day?
  • What sort of situations should staff be mindful of?

Why is Data Security and Protection (also known as information governance) important?

Maintaining a high degree of professionalism when managing patient information is vital to the care the Trust delivers. Information must reach the right people so that effective clinical decisions can be made but information must also be protected from inappropriate access, so that you, our patients, are assured and confident that your very personal details are not being misused.

How can the Trust improve Data Security and Protection day-to-day?

  • All staff are required to complete annual Data Security and Protection Training to ensure they have the knowledge and skills to handle information legally, ethically, and securely within the Trust. It ensures that data is managed responsibly, protecting both the organisation and individuals. This training helps individuals understand the relevant legislation, best practices, and their specific roles and responsibilities in maintaining information governance.
  • It’s important to be aware that the Trust has policies regarding how we manage information. All of our staff have access to these policies at all times.
  • The Information Commissioner’s Office (ICO) is the overarching regulator for the Trust. Its website is an excellent source of data protection guidance: www.ico.org.uk.
  • Staff who become aware of, or suspect, an incident involving an information governance breach are required to report it to the Data Security and Protection Team.

Accessing records appropriately

A fundamental aspect of the work of many staff at the Trust is the ability to access patient administration systems.

However, having the ability to access data does not give anyone the automatic right to see it.

Staff are only permitted to access records as a direct requirement of their role. Staff should only access patient data if they have a legitimate professional reason to do so. Staff should not access the records of a patient they have no professional involvement with, nor should they access their own records or the records of family members, friends, partners, or anyone else who is not under their care. IT systems are audited, and all access can be traced and investigated. If a member of staff is found to have accessed data inappropriately, they risk disciplinary action.

The above also applies to staff providing administrative support to a team: such staff should only access records that they are required to access as part of their role at the Trust. Being related to a person or knowing them personally does not give anyone the right to breach a patient’s confidentiality.