Caldicott and Data Protection
Protecting Patient Confidentiality
Written by Head of Information Services

For every patient visit to the hospital, as an inpatient or outpatient, data is stored on computer systems and added to the medical record. This allows our clinicians and other medical staff to make informed decisions about each individual's condition and treatment in the light of their healthcare history. The information must be kept accurate if the record is to be a useful account of the care given, and the records, both paper and electronic, must be kept secure, with access restricted to the staff who need it.

The Caldicott review and the Data Protection Act 1998 set strict rules on how patient information is stored, maintained and accessed. The Freedom of Information Act 2000 and the Information Governance initiative both support the need to maintain the principles of effective confidential data control.

In this section, we have reproduced the guidance from the NHS Surrey Health Community on these issues. Each staff member is given this guide at their induction to the Trust, and this is supported by regular events to promote good practice.

·  Department of Health website: Frequently asked questions about accessing health records

What is Caldicott?

The review committee into the use of patient information in the NHS, chaired by Dame Fiona Caldicott, recommended six principles to improve the handling and protection of these records. Dr Mike Baxter is the Caldicott Guardian for Ashford and St Peter's Hospitals NHS Trust.

Whilst the Caldicott principles are not themselves a legal requirement, they are seen as essential in supporting the requirements of the Data Protection Act.

The six Caldicott principles are:

·  Justify the purpose(s) of using confidential information
·  Only use it when absolutely necessary
·  Use the minimum that is required
·  Access should be on a strict need-to-know basis
·  Everyone must understand his or her responsibilities
·  Understand and comply with the law

What is the Data Protection Act 1998?

The Data Protection Act 1998 came into force in March 2000 and applies to all organisations. It covers computer and manual records across all departments where patient information may be collected and used. The Act sets standards that must be satisfied when personal data is:

·  Obtained
·  Recorded
·  Held
·  Used
·  Disposed of

There are eight data protection principles, under which personal data must be:

1)  Processed fairly and lawfully

This means that the data subject should be informed about why their information is being collected, what is going to be done with it and how it may be shared.

→  Be open, honest and clear

2)  Processed only for specified purposes

This is a requirement to use the information only for the purpose for which it was obtained.

→  Only share information if you are certain it is appropriate and necessary to do so; if in doubt, check first.

3)  Adequate, relevant and not excessive

Only collect the information you require, and know how it is to be used.

→  Stick to the facts, avoid personal opinions and comments, record data clearly and explain any abbreviations used.

4)  Accurate and kept up to date

Input information carefully to ensure it is accurate, and have appropriate mechanisms in place to check that it is up to date.

→  Avoid duplicating records by checking existing data sources before creating new ones.

5)  Not kept for longer than necessary

Follow the retention and disposal guidelines detailed in the Trust's Records Management Policy.

→  Check the retention guidelines for your organisation, ensure regular housekeeping procedures are in place and follow disposal guidelines correctly.

6)  Processed in accordance with the rights of data subjects

The data subject has the right of access to their data, the right to prevent processing, and the right to compensation if these rights are not respected.

→  Subjects have the right to request an assessment of how their data is kept, processed and used, and the right to rectification, blocking or erasure if they are not satisfied.

7)  Protected by appropriate security

Each organisation needs good information management practices and guidelines on IT security. This includes staff training, and confidentiality clauses in employment or other contracts where security may be an issue. Access and disposal policies should be maintained in line with existing regulations.

→  Confidential material should be locked away and transported securely. Passwords should be controlled and kept secret. Staff should be discouraged from discussing confidential matters in public areas.

8)  Not transferred outside the European Economic Area without adequate protection

Only send personal information outside the EEA if consent has been obtained and the information is adequately protected (this includes publishing it on websites).

→  Check where your information is going, and do not release it until its security is assured.

Summary

In conclusion, the principles stated above mean that information must be:

·  Held securely and confidentially
·  Obtained fairly and efficiently
·  Recorded accurately and reliably
·  Used effectively and ethically
·  Shared appropriately and lawfully

Last Updated: Wednesday, 28 July 2010 13:16