
East Midlands Strategic Health Authority

Confidentiality Code of Conduct

Purpose of the Code

All employees working in the NHS are bound by a legal duty of confidentiality. This means that they are obliged to keep strictly confidential any person-identifiable information, commercially sensitive details and business-in-confidence details that they become party to as part of their employment. Information should normally only be disclosed with the consent of the individual concerned or with the approval of the department manager.

The principle behind this code is that no employee shall breach their legal duty of confidentiality, allow others to do so, or attempt to defeat any of NHS East Midlands' security systems or controls in order to do so.

This Code of Conduct for Employees in Respect of Confidentiality has been written to meet the following legal requirements:

  • Data Protection Act (1998)

  • Computer Misuse Act (1990)

  • Human Rights Act (1998)

  • Common Law Duty of Confidentiality

Under the Common Law Duty of Confidentiality any employee (permanent, contracted or agent) may be personally liable in a court of law for unauthorised disclosure of personal data. This code has been produced to protect staff, by making them aware of the correct procedures for making disclosures, and dealing with personal information.

Confidentiality of Information

All employees and contractors are responsible for maintaining the confidentiality of any information gained as a result of their employment by NHS East Midlands.

Definition of Confidential Information

Confidential information can be anything that relates to patients (e.g. complaints, serious untoward incidents), staff or any other person, held either on paper, disc, computer file or printout, video, photograph or even heard by word of mouth. It includes information stored on portable devices such as laptops and palmtops. It can take many forms including patient details, audits, employee records, occupational health records etc. Person-identifiable information is anything that contains the means to identify a person.

NB. Laptops pose a particular risk, and staff who use a laptop, PDA, Blackberry or mobile phone are referred to the NHS East Midlands Mobile Computing and Tele-Working Procedure.

Requests for Information by the Police and Media

Requests for information from the Police must be referred to the FOI/Data Protection Lead. Any requests for information from the Media (newspapers, TV companies etc.) should always be referred to the NHS East Midlands Communications Team.

Abuse of Privilege

All NHS East Midlands employees are strictly forbidden to access their own personal information unless specifically authorised to do so. In addition, NHS East Midlands employees are forbidden to access any personal information relating to colleagues, friends or relatives unless they have a legitimate reason to do so as part of their employment responsibilities. Under the Data Protection Act, individuals have a right of access to their personal information, but the request must be made in writing and may be subject to payment.

Storage of Confidential Information

Paper-based confidential information should always be kept locked away, preferably in a room that can be secured. Sensitive information should be held on the file server and kept in files that are password-protected. Memory sticks and other portable media should not be used for permanent storage of data and should also be kept in locked storage. Advice on how to password-protect files is available from the IT service/help desk. NHS East Midlands does not allow the use of memory sticks unless they are encryption enabled. If your memory stick is not encryption enabled, you must obtain one from the HQ IT Manager or the nominated individual within your area.

Disposal of Confidential Information

When disposing of paper-based person-identifiable or confidential information, always use the "Confidential Waste" bins, which are located throughout NHS East Midlands offices. These bins will be emptied by the contractors when full. Computer files containing confidential information that is no longer required must be deleted.

Confidentiality of Passwords

Personal passwords issued to or created by employees should be regarded as confidential, and those passwords must not be communicated to anyone. Passwords should not be written down. Passwords should not relate to the employee or the system being accessed (e.g. do not use your name as a password). Passwords should be alphanumeric to comply with IT standards and DH guidance.

Password Security

No employee should attempt to bypass or defeat the security systems, or attempt to obtain or use passwords or privileges issued to other employees. Any attempt to breach security should be immediately recorded on an incident reporting form and reported to the organisational Information Governance Workstream Lead. Such an attempt may also constitute a breach of the Computer Misuse Act 1990, which could lead to civil or criminal action.

E-Mailing Confidential Information

The transmission of person-identifiable information externally over internet e-mail services (e.g. Hotmail, AOL etc.) is prohibited. Personal information should only be e-mailed to and from nhs.net accounts. However, should there be an urgent need, then only the absolute minimum amount of information necessary should be transmitted; it should be transmitted in a password-protected file and only to recipients who have a legitimate need to know this personal information. The password for the file should be disclosed separately by telephone.

Commercially Sensitive Information

Any form of information that could adversely prejudice the commercial interests/activities of NHS East Midlands, any other organisation or any individual should be considered confidential and must not be used or disclosed to third parties unless required by exception.

Interpretation

If any employee requires an explanation concerning the interpretation or the relevance of this Confidentiality Code of Conduct, they should discuss the matter with their manager, the HR department or the Information Governance Workstream Lead. All relevant policies, procedures and guidance are posted on the NHS East Midlands internet site, to which all employees have access.

Non-Compliance

Non-compliance with this Confidentiality Code of Conduct by any person employed by NHS East Midlands, whether as permanent, temporary or agency staff or as a contractor, may result in disciplinary or other action being taken in accordance with the NHS East Midlands disciplinary procedure, and may lead to dismissal and/or legal/civil action.

Amendment of the Code

This code will be amended as necessary to reflect the development of NHS East Midlands policies and procedures and the changing needs of the NHS.