Looking after information: Staff awareness

NHS staff leaflet on safe information handling


Does this apply to me?

Making sure that the public trusts us to look after information is vitally important. Everyone who works in or for NHSScotland has a role to play. This includes people working in primary, secondary and community care, administration and support staff, students, locum staff, voluntary staff and people working for companies providing services to the NHS. So, no matter what you do, this applies to you.

Why is information important?

Having the right information at the right time is vital to patient care and delivering services effectively. Managing it correctly helps us to do our jobs, protect our relationships with patients and others, and is a legal requirement on all of us. Knowing that it is being managed correctly also gives confidence to those who need to provide and share information.

What is information?

Information isn't just what is written in formal files or held in electronic records. It includes:

  • documents;
  • letters;
  • faxes;
  • emails;
  • photographs;
  • spoken communication on the phone or in person;
  • x-rays; and
  • CCTV images

We need to be particularly careful with person-identifiable information, which can be about patients or staff. Identifiable means things like names, addresses, full postcodes, or dates of birth. It can also include details about patients' health that we discuss or may overhear, for example on ward rounds or over the phone.

How does NHSScotland look after information?

Information governance (IG) is the term we use to describe the way we make sure we use and handle information properly. IG provides a framework for safely handling information. It includes:

  • confidentiality;
  • data protection;
  • the Caldicott principles;
  • information security;
  • freedom of information;
  • managing records; and
  • quality of information

What are my responsibilities?

You are responsible for making sure you look after information correctly by doing the following.

  1. Keep information and records physically and electronically secure and confidential (for example, leave your desk tidy, take care not to be overheard when discussing cases and don't ever discuss cases in public places). You also need to follow your organisation's guidance when using removable devices such as laptops, smart phones and memory sticks.
  2. Keep your usernames and passwords secret and change your passwords regularly.
  3. Always wear your identification badge so that patients, relatives and other health-care staff know who you are and why you might need information. Escort visiting officials at all times and make sure they clearly display their visitor badge.
  4. Keep accurate, relevant records.
  5. Access only the information you need.
  6. Follow your organisation's guidance before sharing or releasing information (including checking who a person is and that they are allowed to have the information), and when sending, transporting or transferring confidential information.
  7. Keep and destroy information appropriately, in line with local policy and national guidelines.
  8. Know and follow your organisation's policies and procedures, including following the laws and codes of practice that apply to your role. Make sure you regularly carry out the correct level of IG training.
  9. Know who the IG experts are in your organisation and ask for help from them, your line manager, trade union, or professional or defence organisations (such as the Medical and Dental Defence Union of Scotland), if you're not sure about anything. (The expert will be, for NHS boards, the information governance lead, data protection officer or Caldicott guardian and in general practice will be your practice manager.)
  10. Always report actual and possible breaches of security or confidentiality.

Remember that NHS organisations increasingly have electronic auditing systems in place which can identify who is looking at what, and where and when this activity takes place.

What might happen to me if I don't follow the rules?

Everyone working in NHSScotland has a legal responsibility to look after information. Not following this requirement is taken very seriously.

Each case is considered on an individual basis. In the first instance, your employer may raise the matter informally with you. This is a good way of sorting out a problem quickly. Sometimes the problem may be the result of a misunderstanding and this gives you the chance to explain your side of the situation. It also allows your employer to explain clearly what improvement in your conduct or performance may be needed, such as extra training or coaching.

A serious or persistent failure to follow your organisation's policies and procedures and codes of conduct and guidance may lead to:

  • disciplinary action, up to and including dismissal;
  • for professional staff, referral to your professional organisation, which may put your continued registration at risk; or
  • legal proceedings.

Treating information carefully will help keep public confidence in our services and help make sure we provide the best service we can through appropriate access to information. Remember to play your part.

Where can I find out more?

  • Locally
      • NHS board policies and procedures, normally available on the board intranet
      • Your line manager
      • The IG experts in your organisation
  • Nationally
      • NHS Code of Practice on Protecting Patient Confidentiality
      • Information Commissioner's Office: www.ico.gov.uk/
      • Health Rights Information Scotland leaflets, which are available at: www.hris.org.uk