Storage of Personal Information
Personal & Sensitive Information
All organisations have a common-law duty as well as a specific requirement under the Data Protection Act 1998 to ensure that all transfers of personal and sensitive information (correspondence, faxes, email, telephone messages, transfer of patient records and other communications containing personal or sensitive information) are conducted in a secure and confidential manner. This is to ensure that information is not disclosed inappropriately, either by accident or design, whilst it is being transferred or communicated to, within or outside of the organisation.
The loss of personal information will result in adverse incident reports which will not only affect the reputation of this organisation but, in the case of disclosing personal information intentionally or recklessly, is also a criminal offence.
Personal Information. This relates to information about a person which would enable that person’s identity to be established by one means or another. This might be fairly explicit such as an unusual surname or isolated postcode or items of different information which if taken together could allow the person to be identified. All information that relates to an attribute of an individual should be considered as potentially capable of identifying them to a greater or lesser extent.
Sensitive Information. This can be broadly defined as that which if lost or compromised could affect individuals, organisations or the wider community. This is wider than, but includes, information defined as sensitive under the Data Protection Act 1998, eg an individual’s bank account details are likely to be deemed ‘sensitive’, as are financial and security information about an organisation.
Storage & Transfer of Information
At Beehive Solutions we have strict guidelines on how staff record, store and transfer personal information; whether this represents information relates to; patients we scan with in our various NHS Ultrasound services, customers obtaining goods through our healthcare consumables and equipment websites or material obtained through any other means.
Our procedures are designed to meet the requirements of the Data Protection Act, NHS Code of the Practice - Confidentiality, and the NHS Care Record Guarantee for England.
All staff are taught to work in accordance with the Caldicott Principles.
The Caldicott Principles:
Principle 1: Justify the purpose for using the information
Principle 2: Only use identifiable information if absolutely necessary
Principle 3: Use the minimum that is required
Principle 4: Access should be on a strict need to know basis
Principle 5: Everyone must understand their responsibilities
Principle 6: Understand and comply with the law
Hard copy patient information (other than appointment letters) is not posted in the general post and appointment letters do not include any Sensitive information. Examination reports are handed direct to the patient and/or sent via surgery drop numbers.
When a patient record has to be faxed to a GP Surgery, for instance when an urgent examination report is requested, they are only faxed to the surgery fax number provided by the Clinical Commissioning Group and the fax number is confirmed by two members of staff to avoid issues as a result of input errors.
With in the Acute Hospital setting, Beehive Solutions complies with the local rules of the Trust to ensure all records are handled correctly and in strict compliance with the NHS Care Record Guarantee for England.
Email is not a secure system. All staff using email have been made aware of this during their induction training. Therefore, patient identifiable and other sensitive information is not sent by email unless it has been encrypted to standards approved by the NHS. NHS-mail accounts are encrypted to NHS-approved standards and may be used for sending patient identifiable information to recipients that also have an NHS-mail account.
Appointment lists are held on computer, but recorded details are limited to the patient name so that the patient can be identified on arrival. No other identifiable information is held.
Electronic Information related to patient examinations and other health records is held on a hard-drive completely isolated from the internet and without WiFi capabilities. The drive is password protected to the highest standard and kept in a locked location with restricted access. A back-up copy is maintained in similar circumstances in a geographically different location.
Client Payment card details are not recorded by the company and in the case of a telephone payment such details are typed directly into our Payment Provider facility with no copy being retained by the company.
In line with NHS IG recommendations; any Client records maintained on our Servers are secured under password protection, using AES 256 encryption algorithms.
All paper waste is shredded (cross-shredder) prior to being securely disposed of.
All websites, computers and Servers are password protected and have the latest antiviral software incorporated (with updates when available). Both incoming and outgoing emails are vetted through “MessageLabs” to ensure malicious content is neither received nor propagated.
As well as ensuring the accuracy and security of personal & sensitive information, we recognise our patients Rights to see the information we retain on them. in line with NHS guidance, we have therefore created policies and procedures to provide such access free of charge to our patients.
In providing such access, we would remind all patients that the information held by Beehive Solutions is only a very small section of their health record; that relating just to their Ultrasound Scan; and seen in isolation such information may lead to incorrect conclusions. It is therefore better for the patient to request access to their entire health record through the NHS, which will also provide an opportunity for the records to be fully explained by qualified personnel.