I have worked in and with quite a lot of NHS GP practices within the last 8 years, and one thing that has struck me is the general lack of adherence to confidentiality in “written form”
From post-its and printouts to notebooks and letters, even in today’s digital world so much paper-based data exists physically and hides in plain sight - often right under our noses, and day to day staff believe this is an acceptable way to work “because we have always done it like that” is the most overrated and overused term within NHS GP practice.
What Policy states
Most Clear Desk Policies will define how desks and screens should be kept clear of sensitive printed and electronic material.
When leaving a desk for a short period of time, users must ensure printed matter containing confidential information is not left in view.
When leaving a desk for a longer period / overnight, users must ensure printed matter containing confidential information is securely locked away.
Whiteboards and flip charts should be wiped / removed of all confidential information when finished with.
When leaving the workstation for any period, the user must ensure they lock their computer session.
All users must ensure their screens cannot be overlooked by members of the public, or people without the necessary authority when confidential data and/or information is displayed. Where appropriate, privacy filters should be used to protect the information.
Court cases for NHS Employers/Employees
The ICO reports significant numbers of NHS employees gaining access to and viewing personal and sensitive information regarding patients, A recent case is one of several ICO prosecutions involving staff inappropriately accessing health records in recent months and the Head of Enforcement Steve Eckersley cites:
“Once again we see an NHS employee getting themselves in serious trouble by letting their personal curiosity get the better of them. Patients are entitled to have their privacy protected and those who work with sensitive personal data need to know that they can’t just access it or share it with others when they feel like it. The law is clear and the consequences of breaking it can be severe.”
I can not help but wonder if the wider problem is that those who work within the NHS GP practices are not adhering to data protection, confidentiality and GDPR by poorly managing the process of handling data, not least due to its complexities and workforce lack of understanding, but also because there is no time left in their working day to prioritise it equally to patient care, and developing primary care networks, and achieving service delivery targets, and meeting continuing growing unrealistic expectations. The reality that I have observed in such time, is that workers keep patient identifiable data on desks, in trays, in unlocked draws, prescriptions sitting in an open box, if lucky some practices may have printed locks installed (thanks to the compliance regime of CQC).
The workforce “obsession” with everything in paper in an age where they are all happy to have their flight tickets remote on the phones, but when it comes to handling patient data a clinicians prefers print outs. I often question staff about the “why” when it comes to the use of paper trails and transactions, and even to the point where GP practices processes and efficiencies are poor because of their hunger to keep paper. Using paper is one thing, guaranteeing the confidentiality is another, and when you can not do the latter you should not be doing the first.
The ICO Stance (which the NHS is not an exception)
For those who got swept up in thinking GDPR is an inconvenience, it is not, quite the contrary and the medical sector should take not of its responsibility not just for patient, but their record:
The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003. The General Data Protection Regulation (GDPR) is a new law that will replace the Data Protection Act 1998 and will apply in the UK from 25 May 2018.
The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
The ICO has the power to impose a monetary penalty on a data controller of up to £500,000. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:fairly and lawfully processed;processed for limited purposes;adequate, relevant and not excessive;accurate and up to date;not kept for longer than is necessary;processed in line with your rights;secure;
Simple and effective steps can you take
Create extra data security. By ensuring no sensitive documents are left on display, external parties won’t have access to them.
Help your company remain legally compliant. Reduce the risk of a data breach and potential fines from your industry’s ombudsman.
Create a professional workplace. Instructing employees to keep desks tidy will help prevent stacks of paper and other clutter from building up.
Help the environment. Print and circulate fewer documents around the office.
Adopt a Shred-it All Policy to help the planet further still.
Keep your business secure. Advocate and reiterate that passwords and confidential information is not written down on paper in the first place.
Utilise experts. Ensure that you use companies such as Shred-It, who collect your confidential waste in varying forms, and at varying times to suit the size of the business, they will come to site and assess how many confidential waste bins you require to keep your organisation safe. They will collect your confidential waste and shred it on site (in the back of a lorry), giving you certification of proof of compliance.
Your2020Vision Ltd is building MEDI-HR® to help NHS GP practices to ensure that they comply with GDPR in handling of their employee records, in a paperless system that is Cyber Essentials accredited. For More info see: https://www.your2020vision.co.uk/system
Comments