Practice Policy including Staff Policy


Date published: September 2006

Last Reviewed : September 2012

Reviewed Oct 2015

Next review Sept 2015

Grove Road Surgery, Eastbourne

Confidentiality Protocol

Purpose

The purpose of the protocol is to set out the obligations for all working at Grove Road Surgery concerning the confidentiality of information, whether held electronically or in hard copy, about patients of Grove Road Surgery and of Grove Road Surgery as an employer.

This protocol is relevant to all employers and anyone who works at the practice, including locum GPs, non-employed nursing staff, any non-clinical staff including temporary staff and contractors. Individuals on training placements and visitors/observers on the premises must also adhere to this protocol.

This protocol will be reviewed annually to ensure that it remains effective and relevant.

Importance of confidentiality

Confidentiality is a fundamental part of health care and crucial to the trust between doctors and patients. Patients entrust the practice with sensitive information relating to their health and other matters in order to receive the treatment and services they require. They should be able to expect that this information will remain confidential unless there is a compelling reason why it should not. All staff in the NHS have legal, ethical and contractual obligations of confidentiality and must ensure they act appropriately to protect patient information against improper disclosure.

Some patients may lack the capacity to give or withhold their consent to disclosure of confidential information but this does not diminish the duty of confidence. The duty of confidentiality applies to all patients regardless of race, gender, social class, age, religion, sexual orientation, appearance, disability or medical condition.

Information that can identify individual patients must not be used or disclosed for purposes other than healthcare unless the patient (or appointed representative) has given explicit consent, except where the law requires disclosure or there is an overriding public interest to disclose. All patient identifiable health information must be treated as confidential information, regardless of the format in which it is held. Information which is effectively anonymised can be used with fewer constraints.

The confidentiality of other sensitive information held about the practice and staff must also be respected.

[*] against an item denotes reference to another practice document


Obligations for all staff

All staff must:

1) always endeavour to maintain patient confidentiality;

2) not discuss confidential information with colleagues without patient consent (unless it is part of the provision of care);

3) not discuss confidential information in a location or manner that allows it to be overheard;

4) handle patient information received from another provider sensitively and confidentially;

5) not allow confidential information to be visible in public places;

6) store and dispose of confidential information in accordance with the Data Protection Act 1998 and the Department of Health’s Records Management Code of Practice (Part 2);

7) not access confidential information about a patient unless it is necessary as part of their work;

8) not remove confidential information from the premises unless it is necessary to do so to provide treatment to a patient, the appropriate technical safeguards are in place and there is agreement from the information governance lead or Caldicott Guardian;

9) contact the information governance lead (Practice Manager) or Caldicott Guardian (Dr Bruuns) if there are barriers to maintaining confidentiality;

10) report any loss, inappropriate storage or incorrect disclosure of confidential information to the information governance lead (Practice Manager) or Caldicott Guardian (Dr Bruuns);

11) document, copy, store and transfer information in the ways agreed with other providers (see Information Security & Confidentiality Policy – separate document).

It is expected that members of staff will comply with the law and guidance/codes of conduct laid down by their respective regulatory and professional bodies.

The following sections outline systems which will help individuals manage confidentiality.

1. Desk Top Computer System

You must log out of the system and switch off your computer at the end of your working day.

You must not store your user ID / password / authentication device near your computer.

No software can be installed onto the computer without approval from the Practice / Computer Manager.

2. User ID / password

You must use your ID and password to access the computer network.

You must keep your password secret and never disclose it to anyone.

Your user ID / password is for your exclusive use. You must not share it or lend it to anyone else.

If you are signed on to a PC and going to leave it unattended for any time, you must sign out so that a password is needed to resume work.

3. Virus protection


For protection, the latest anti-virus software will be installed onto the computer network.

You must not remove this software yourself.

If the anti-virus software detects a possible virus, an on-screen warning message will be displayed. If you see this message you must report it to the Practice / Computer Manager immediately. Do not attempt to remove the virus!

If the anti-virus software detects a possible virus and you cannot report it immediately to the Practice / Computer Manager, turn off the PC and do not use it again until the problem has been investigated by the Practice / Computer Manager.

If you suspect that a virus has bypassed the anti-virus software on your PC, report it immediately to the Practice / Computer Manager. Do not use the PC again until the Practice / Computer Manager gives you the go ahead.

You must virus check any files created outside the surgery’s control, particularly files / data from the internet, before you load and open them onto your PC.

4. E-Mail

E-Mail messages (internal and external) should be treated with the same care as traditional written communications. Any messages sent to other NHS Agencies etc. could be seen to represent the views and opinions of the whole practice.

All messages must be written in a professional manner with appropriate language and content. In particular, they must not contain any personal, untrue or defamatory statements about any individual within the surgery.

Because the Internet and e-mail transmissions are not always secure, you must not use them to send confidential or ‘surgery’ sensitive information to anyone other than those verified by the Practice / Computer Manager. If you are in doubt as to whether information is confidential or not, please seek guidance from the Practice / Computer Manager.

If you receive an e-mail message that contains material that is inappropriate you must delete it immediately. Under no circumstances should such mail be forwarded to another individual or stored on surgery computers. Inappropriate material includes words or pictures that could be considered obscene, offensive, defamatory or illegal, chain mail, jokes, hate speech, pornography and messages which are inconsistent with government legislation, i.e. equal opportunity, race and harassment policies. This list is illustrative, BUT NOT EXHAUSTIVE.

All e-mails are liable to be intercepted. Where inappropriate messages originate from within the surgery, disciplinary action will be taken.

Where an intercepted e-mail is attempting to come into our system, then we will endeavour to identify the sender. Where the e-mail has come from another surgery/company, the surgery/company will be informed of the identity of the individual and the nature of the e-mail.

The dissemination of inappropriate material is strictly forbidden. It may result in dismissal and may also constitute a criminal offence.

If you receive an offensive message, you must report the incident to the Practice / Computer Manager.

In cases of obscene and offensive e-mails, the information will be passed onto the Police for possible prosecution.


5. Internet

You must not download programs from the Internet without permission from the Practice / Computer Manager.

Use of the Internet will be monitored. In instances where the monitoring identifies the Internet Policy has been contravened, disciplinary action will be taken.

When accessing the Internet, employees should act in a ‘responsible manner’.

Whatever applies in spirit to use of e-mail as described in Section 4 also applies to the Internet.

Users must not access inappropriate or offensive Internet sites that are related to gambling, pornography, jokes, criminal skills, terrorism, cults, hate speech, illegal drugs, chain mail or anything not related to work issues. This list is illustrative, NOT EXHAUSTIVE. Failure to comply may result in dismissal and may also constitute a criminal offence.

Information disclosures:

When a decision is taken to disclose information about a patient to a third party due to safeguarding concerns/public interest, the patient will always be told and asked for consent before the disclosure unless it would be unsafe or not practical to do so.

In the circumstances that consent cannot be sought, then there must be clear reasons and necessity for sharing the information.

Disclosures of confidential information about patients to a third party must be made to the appropriate person or organisation and in accordance with the principles of the Data Protection Act 1998 (see separate document – Guide to the DP Act) and the NHS Confidentiality Code of Practice (see separate document).

Obligations for employers

The employers at the practice:

1) must ensure that confidential information can be stored securely on the premises and that there are processes in place to guarantee confidentiality;

2) must ensure that all individuals employed by the practice understand the need for, and maintain, confidentiality, have read and understood this protocol and have a signed version of this protocol enclosed within their contracts of employment;

3) have vicarious liability for the actions of those working in the practice – including health professionals and non-clinical staff (i.e. those not employed directly by the practice but who work in the surgery);

4) must review and update this protocol on a regular basis.

Standards of confidentiality apply to all health professionals, administrative and ancillary staff, including receptionists, secretaries, practice manager, cleaners and maintenance staff who are bound by contracts of employment to maintain confidentiality. They must not reveal, to anybody outside the practice, personal information they learn in the course of their work, or due to their presence in the surgery, without the patient’s consent. Nor will they discuss with colleagues any aspect of a patient’s attendance at the surgery in a way that might allow identification of the patient unless to do so is necessary for the patient’s care.


STAFF CONFIDENTIALITY AGREEMENT

I understand that all information about patients held by Grove Road Surgery is strictly confidential, including the fact of a particular patient having visited the Surgery.

I also understand that the duty of confidentiality owed to a person under 16 is as great as the duty owed to any other person.

Matters relating to the business of Grove Road Surgery including staff and premises are also controlled under this confidentiality clause.

I will not disclose personal information learnt in the course of my work in the Surgery to anybody outside the Practice.

I understand that I am bound by a duty of confidentiality and agree to adhere to this Code of Conduct and the requirements of the Data Protection Act 1998. Furthermore I understand that suspension / disciplinary action may ensue following a breach of confidentiality and that a custodial sentence could be served under the terms of the Data Protection Act.

PRINT NAME:

SIGNATURE:

DATE:

WITNESS / MANAGERS NAME:

ON BEHALF OF THE organisation

SIGNATURE

DATE
