
Information Governance

Training Workbook
2017 - 2018

This workbook should be retained and used as a reference document

Use the answer sheet (on last page) to submit your answers

Policy Name: Mandatory Information Governance Training Workbook
Unique Reference / Version Number: 7
Next Review month / year: April 2018

Information Governance and you

Index
Page 1 IG & you
Page 2 What's new
Page 3 What is IG?
Page 4 Why is IG important?
Page 5 Personal, confidential & sensitive information
Page 6 Sharing information & consent
Page 7 Why protect information?
Page 8 Caldicott Report
Page 9 Good Record Keeping
Page 10 Cyber Security
Page 12 How to protect Information
Page 13 Top Information Security Tips
Page 15 Social Media
Page 16 Assessment
Page 19 Assessment Answer Sheet

To ensure compliance with the law and NHS requirements, all NHS staff must be
appropriately informed of their legal responsibility to keep patient and staff
information confidential and secure. The Department of Health has mandated that such
Information Governance training should be undertaken on an annual basis.

Put simply, Information Governance is to do with the rules that should be followed when
we process information. It allows organisations and individuals to ensure information is
processed legally, securely, efficiently and effectively.

IG applies to all the types of information which the Trust may process, but the rules
may differ according to the type of information concerned.

In this Workbook you'll look at how you can make sure you follow the right processes and
procedures when you process information: in other words, how to practise good
Information Governance (IG).

You'll find out about:
How to avoid breaching confidentiality law and guidelines
How to comply with data protection and freedom of information legislation
Good record keeping
Effective information security.

All of the above topics will give you good knowledge and skills to provide an effective,
confidential and secure healthcare service. You will also find out how your contribution
to IG best practice is very important.

Contacts
IG Support
All IG Policies, procedures and guidance documents are available on the IG Intranet
Page at http://qehkl-inet/
Or contact
Phil Cottis: Information Governance and RA Manager x4965
Jeannette Walsh: Information Governance & RA Officer x4976
Or email: ig.help@qehkl.nhs.uk

Smartcard Support
Human Resources: For all new requests for smartcards for staff employed directly by the
Trust - Ext 3591
ICT Service Desk: If your smartcard is locked, damaged, certificates have expired or you
need a replacement due to loss etc - Ext 4422
IG & RA Officer: For external staff who require a smartcard or access on their current
card, e.g. locums; projects or changes to systems that require smartcard access - Ext 4976

Information Governance is Everyone's Responsibility


What's New?

Cyber Security (12/04/2017)


The Trust has seen a significant increase in the number of cyber attacks on its computer
systems. See Page 10 for how you can help protect patient, staff and your own
information from such attacks.

Handover Sheets and Theatre Lists (15/12/2016)


The loss of handover sheets and theatre lists remains a serious problem for the Trust.
Recent reported incidents include a handover sheet found in a King's Lynn restaurant
and a theatre list found on the Springwood Estate. Fortunately, both were found by
members of staff and had only been left unattended for 30 minutes to 1 hour; otherwise
the consequences could have been a lot more severe for the patients concerned and
the Trust. See Page 13 for further guidance on how to prevent such incidents from
happening again.

Accessing your own Health Record (15/12/2016)


Following several recent misunderstandings when staff tried to remove their own
health record from the library, see Page 5: Abuse of Privilege for further guidance.



What is Information Governance?

Information Governance (IG) determines the ways the Trust processes or handles
information about our patients and staff. It includes aspects of the law such as the
Data Protection Act 1998, the Freedom of Information Act 2000 and the common
law duty of confidence. It also incorporates national guidance from the Department
of Health, such as the codes of practice on confidentiality, records management and
information security.
IG covers personal information, i.e. that relating to patients/service users and
employees, and corporate information, such as finance and estates records.
Information Governance provides a way for Trust staff to deal consistently with the
many different rules about how information is handled. This will ensure that
everyone can be more confident that information is:
Properly protected
Only shared when it is right and proper to do so
Accurate and up to date
Available when and where it is required
Ultimately, it means that the Trust will be able to deliver the best possible service to
our patients.
REMEMBER: Breaches of confidentiality can have not only a monetary impact, but can
also damage both patient trust and our reputation.



Why is Information Governance important?

The rules and procedures that make up Information Governance ensure that we
provide a confidential service to our patients and they feel safe in the knowledge that
they can trust us with their information.

NHS Standards
NHS Care Record Guarantee 2011
The NHS Care Record Guarantee for England sets out the rules that govern how patient
information is used in the NHS (i.e. safely and securely) and what control the patient can
have over this.
Confidentiality: NHS Code of Practice 2003
This document sets out the required standards of practice concerning confidentiality
and patients' consent to use their health records.
Data Handling Review 2008
After serious losses of personal information, including the loss in 2007 of computer
disks containing the names, addresses and bank details of 25 million child benefit
claimants, the Government conducted a Data Handling Review (June 2008). This sets
out mandatory measures for public bodies on protecting personal data such as staff
training and committed the Government to publicly reporting progress on putting
these measures into place.
NHS Constitution 2009
The NHS Constitution describes the principles of the NHS in England and the rights and
responsibilities of patients, public and staff. One such right is that patients can expect
the NHS to keep their confidential information safe and secure.
The NHS Operating Framework 2010/11
The Department of Health (DH) published an Operating Framework which set out
objectives for the NHS. Key themes included complying with all IG requirements
(including mandatory annual IG training) and the reporting of all information risk and
incidents.
The requirements of these are covered within this workbook and further guidance is
available at: www.hscic.gov.uk

Confidential Service
We must ensure that information is kept secure and reported as an incident when it is
not. From these reports we can then improve our work practices to prevent further
incidents.
Staff who have little or no contact with patients will still see and hear information
about patients that must be kept confidential. You may see a neighbour, friend or
colleague attending the hospital as a patient. That remains that individual's confidential
information. Furthermore, we are all still bound by the laws of confidentiality even
after we leave the workplace.

Patient Trust
Those who provide services to patients are in a position of public trust, and everyone has
to work hard to avoid failures that could not only cause significant patient embarrassment
or distress but could also become the next day's headline and lead to fines against the
Trust or individuals.
To keep patient information confidential, secure, accurate and up to date,
EVERYONE must help.



Personal, confidential & sensitive information

Personal Information - Information about an individual is personal when it enables an
individual to be identified; it is non-personal when it doesn't.

This isn't always straightforward. For example, a person's name and address are clearly
personal information when presented together, but an unusual surname may by itself
enable someone to be identified. This is an important distinction in law.

Confidential Information - Personal information is classed as confidential if it is
provided in circumstances where an individual could reasonably expect that it would be
held in confidence, e.g. the doctor/patient relationship.

Information is considered to be confidential if it meets three simple conditions:
1. It is private information about a person
2. It is provided to someone who has a duty of confidence (e.g. a doctor or nurse)
3. It is expected to be used in confidence

All information provided by patients to the Trust about their medical condition is,
therefore, confidential.

Sensitive Information - Sensitive personal information is information that is more
likely to cause a person damage or distress if the information were to be misused, i.e.:
Physical or mental health
Racial or ethnic origin
Sexual life
Religious beliefs
Political opinions
Trade union membership
Criminal record
There is other information that could also be included here. For example, if an
individual's bank details, salary, credit card details or National Insurance Number
ended up in the wrong hands it could lead to identity theft.

Abuse of Privilege
It is strictly forbidden for staff to knowingly browse, search for or look at any
information relating to themselves, their own family, friends or other persons,
without a legitimate purpose eg treating a patient. This includes accessing paper or
electronic health records, test results etc.
Action of this kind will be viewed as a breach of confidentiality, of Trust policy and of
the Data Protection Act, and will be dealt with under the Trust's Disciplinary Policy.



Sharing information and consent
Confidential information should not normally be used (which includes sharing and
disclosing) unless one of the following criteria is met.

1. The person has given consent for the disclosure. For patients:
Consent may be implied for care purposes and related purposes that support or
check the quality of care provided.
For other purposes consent should be specifically sought.
2. There is a legal basis which permits or requires disclosure of confidential
information (e.g. a court order).
3. There are exceptional circumstances (e.g. investigation or prevention of serious
crime) where the overriding public interest outweighs the duty of confidentiality.

Duty of confidence
A duty of confidence arises when sensitive information is obtained and/or recorded in
circumstances where it is reasonable for the subject of the information to expect that
the information will be held in confidence.

Patients provide sensitive information relating to their health and other matters as part
of their seeking treatment and they have a right to expect that we will respect their
privacy and act appropriately. The duty can equally arise with some staff records, e.g.
occupational health, financial matters, etc.

Patients have a right to be informed about how we will use their information for
healthcare, the choices they have about restricting the use of their information and
whether exercising this choice will impact on the services offered to them. The Trust has
produced a patient leaflet, Your information, your rights, which informs patients of
the reasons we collect confidential information about them. This leaflet is available in
all clinical areas across the Trust.

Explicit consent
Where it is proposed that patient information is disclosed outside of the Trust for
purposes other than healthcare, in most cases it is necessary to ensure that the patient
has explicitly consented to this happening e.g. Patient identifiable information used for
research purposes.

Legal requirement
Always remember confidentiality is a legal requirement, supported by the
confidentiality clause in your contract and, where applicable, your professional code of
conduct. The Trust is required to:
Inform patients about how personal information relating to them will be used
see the patient leaflet Your information, your rights available in all clinical
areas;
Inform patients of their right to object to the disclosure of their confidential
personal information outside of the Trust; and
Seek explicit consent before disclosing patient personal information for non-
healthcare purposes (unless rarely an exception applies).



Why protect information?
There is no choice about protecting personal information. UK and European laws such
as the common law duty of confidence and the Data Protection Act 1998 demand it.

The Data Protection Act 1998: The Act sets out how the Trust should process and
handle personal data. It also details the rights of the individual in relation to the data
that is held about them. This applies to all data being held. These rules also apply to all
records an employer holds about you e.g. finance details and personnel records.
There are eight Data Protection Principles that define how organisations should look
after information. Any breaches of these principles can result in legal action being
taken against an individual and/or the organisation.

Principle 1 - Personal data should be processed fairly and lawfully: There should
be no surprises - inform patients why you are collecting their information, what
you are going to do with it and who you may share it with.

Principle 2 - Personal data should be processed for a specified purpose: Only use
personal information for the purpose(s) for which it was obtained, e.g. healthcare.

Principle 3 - Data should be adequate, relevant and not excessive: Only collect
and keep the information you require.

Principle 4 - Data should be accurate and up to date: Always check patient details
when they arrive to keep information up to date.

Principle 5 - Data should not be kept for longer than necessary: The NHS Records
Management Code of Practice lists the minimum retention period for every type
of record (available on the IG intranet site).

Principle 6 - Personal data should be processed in accordance with the rights of
the data subject: Individuals have the right to access their records (e.g. receive a
copy of their health record), the right to have inaccuracies corrected and the right
to prevent processing that may be considered to cause them harm. Should you
receive a request to access a health record, refer it to Legal Services.

Principle 7 - Data must be protected by appropriate security: E.g. locks on doors,
password protected systems. ALWAYS keep confidential papers locked away
when unattended and ensure your IG training is up to date.

Principle 8 - Data must not be transferred outside the EEA without adequate
protection: Not all countries outside Europe have Data Protection legislation.

The Freedom of Information Act 2000


This Act allows any individual to request information from the Trust, however, this is
restricted to non-personal corporate data such as patient activity statistics, ward
refurbishment costs etc. It aims to make public sector bodies more transparent and
accountable. It also helps people to better understand how public
authorities carry out their duties, why they make the decisions they do and
how they spend public money.

All FOI requests must be responded to within 20 working days of the Trust
receiving the request. If you receive an FOI request directly, please forward
it immediately to Brian Pursglove, the Legal Services Support Officer, who can be
contacted on Ext 3429.



Caldicott Report
The Caldicott Principles
The key message from the Caldicott Reports is that staff should justify every use of
confidential information and routinely test it against seven principles. To ensure we do
this our Caldicott Guardian (Dr. Alistair Steel) monitors the sharing of patient
information. Never disclose confidential information if you are unsure about your
answer to any of these seven questions:

1. Do you have a justified purpose for using this confidential information?
The purpose for using confidential information should be justified, which means
making sure there is a valid reason for using it to carry out that particular
purpose.

2. Are you using it because it is absolutely necessary to do so?
The use of confidential information must be absolutely necessary to carry out the
stated purpose.

3. Are you using the minimum information required?
If it is necessary to use confidential information, it should include only the
minimum that's needed to carry out the purpose.

4. Are you allowing access to this information on a strict need-to-know basis only?
Before confidential information is accessed, a quick assessment should be made
to determine whether it is actually needed for the stated purpose.
If the intention is to share the information, it should only be shared with those
who need it to carry out their role.

5. Do you understand your responsibility and duty to the subject with regards
to keeping their information secure and confidential?
Everyone should understand their responsibility for protecting information, which
generally requires that training and awareness sessions are put in place.
If the intention is to share the information, those people must also be made
aware of their own responsibility for protecting information and they must be
informed of the restrictions on further sharing.

6. Do you understand the law and are you complying with the law before
handling the confidential information?
There are a range of legal obligations to consider when using confidential
information. The key ones that must be complied with by law are provided by the
common law duty of confidentiality and under the Data Protection Act 1998.
If you have a query around the disclosure of medical or other confidential
personal information you should go to your Line Manager initially, then the IG
Manager if you are still not sure. For serious and complex issues your Manager
should contact the Caldicott Guardian for advice and guidance.

7. The duty to share information can be as important as the duty to protect
patient confidentiality.
Confidentiality should not be seen as a barrier to sharing information.



Confidentiality Good Practice
We all have a legal duty to respect the privacy of our patients and service users and to
use their personal information appropriately.
Informing People
Patients and service users will not expect health and care professionals to look at their
record unless they are involved in their care. You should inform patients and service
users that you are accessing and using their information.
There are specific techniques you should use when doing so.

Explain
Clearly explain to people how you will use their personal information and point them
to information about this, e.g. a website, a leaflet or a poster.

Give choice
Give people a choice about how their information is used and tell them whether that
choice will affect the services offered to them.

Meet expectations
Only use personal information in ways that people would reasonably expect.

You don't need to obtain consent every time you use or share personal information for
the same purpose, provided you have previously informed the individual, so that they
know what is happening and have no objections.
Sharing information for care
Sharing information with the right people can be just as important as not disclosing to
the wrong person.
Where sharing will assist the care or treatment of an individual and it is reasonable to
believe that they understand the information sharing that is needed to support that
care you have a legal duty to share the information.

Check
Check that the individual understands what information will be shared and has no
concerns.

Best practices
Ensure that the data protection, record keeping and security best practices covered
later in this workbook are met.

Respect objections
Normally, if the individual objects to any proposed information sharing, you must
respect their objection even if it undermines or prevents care provision.

Sharing information for non-care
In many cases, you should obtain consent if you want to use someone's personal
information for non-care purposes.
But if there is a risk of immediate harm to the patient/service user or to someone else,
and you cannot find an appropriate person with whom to discuss the information
request, you should share the information.

Ask: Contact the IG & RA Manager or the Caldicott Guardian.
Advice: Discuss the request with this person.
Action: Provide the information only when authorised to do so.



Good Record Keeping
Records Management Code of Practice for Health & Social Care 2016
Records are a valuable resource because of the information they contain and high
quality information underpins the delivery of high-quality evidence-based healthcare.
The code sets out the required standards of practice in the management of records for
those who work within or under contract to the NHS.
Accurate
Make sure that when you create a file or update a record the information you are
recording is correct and clear (ie legible). Ensure that any factual mistakes are corrected
or where appropriate, reported to your manager or a senior clinician.
Up-to-date
Ask patients to confirm their details when attending appointments and ensure changes
of address, name, next of kin details etc are updated as soon as possible.
Complete, including the NHS Number
Incomplete or inaccurate healthcare information can put patients at risk. For example,
the lack of certain information could cause a patient to be given the wrong treatment
or advice. Ensure patient records include their NHS number; as this helps ensure that
the correct record is accessed for the correct patient.
Quick and easy to locate
Make sure you comply with any procedures that aim for consistent and standardised
filing of records, and for safe and secure records storage areas. If there are no such
procedures, speak to your line manager in the first instance, then the Records Manager
or IG Lead if necessary about ways of ensuring efficient retrieval of records and the
information contained within them.
Free from duplication
Good record keeping should prevent record duplication. Before you create a new
record, make sure that one doesn't already exist. Having more than one record for the
same patient could increase risks, as vital information may be missing from one
record. It would be pot luck which record is accessible in an emergency.
Written contemporaneously
Good record keeping requires that information is recorded at the same time an event
has occurred or as soon as possible afterwards. This means that records will be updated
whilst the event, care or otherwise, is still fresh in your mind.
Record retention
When a record is no longer of immediate use, it may be considered closed. Closed
records should be kept in line with the NHS Records Management Code of Practice. This
sets out the minimum retention periods and is available on the IG Intranet page.
When destroying information in any format (e.g. paper, disks or CDs), you need to do so
in a secure manner in line with the Trust's confidential waste procedures.
Consequences of poor record keeping
Poor patient care;
Lack of continuity of care;
Complaints;
Disciplinary procedures; and even
Criminal proceedings.
Above all, remember: quality information is the key to better
healthcare services.



Cyber Security

cyberattack
/ˈsʌɪbərətak/
noun: cyberattack
An attempt by hackers to damage or destroy a computer network or system, which can
lead to information and identity theft.

Avoiding threats to data security
Some people perpetrate cyber fraud simply for the challenge, because it's there.
Others may be seeking financial gain, for example extortion using ransomware
(malicious software designed to block access to a computer system until a sum of
money is paid) or theft of financial data such as staff bank accounts. Some people may
want to cause disruption or to take revenge against an organisation they perceive has
wronged them.
Social Engineering
Those who want to steal data may use tricks to manipulate people to give access to
valuable information. This is called social engineering.
They might try to employ confidence tricks or resort to the interception or theft of
devices or documents. This includes digital or physical materials, such as printed
documents or mobiles, to gain further access to more protected systems.
The goal is always to gain the trust of one or more of your employees, through a
variety of means:
On the phone
A social engineer might call and pretend to be a fellow employee or a trusted outside
authority (such as law enforcement or an auditor).
In the office
Can you hold the door for me? I don't have my swipe card on me. How often have you
heard that in your building? While the person asking may not seem suspicious, this is a
very common tactic used by social engineers.
Online
Social networking sites have opened a whole new door for social engineering scams.
One of the latest involves the criminal posing as a Facebook friend. But you can never
be certain the person you are talking to on Facebook is actually the real person.
Criminals are stealing passwords, hacking accounts and posing as friends for financial
gain.
The fake ICT department
A recent scam involves criminals calling members of staff purporting to be from the
Trust's ICT Service Desk.
They may ask you to disclose your username, password, email address or other details
about where you work. They may also try to get you to click on a malicious web or
email link.
Our ICT department already knows a lot about you and will not need to ask these types
of questions.



Cyber Security (Cont'd)
Phishing
Hackers and criminals sometimes use unsolicited emails containing attachments or links
to try to trick people into providing access to information. This type of threat is
known as phishing. Phishing emails aim to trick users into making a mistake, for
example by imitating a legitimate company's emails or by creating a time limited or
pressurised situation. Phishing email attachments or websites might ask you to enter
personal information or a password, or they could start downloading and installing
malware.
The following emails were received by the Trust - would you have been fooled?

Example 1 (a message claiming to come from the recipient's phone provider) - THINK TWICE!
The language is a bit strained, not business-like.
What's that in front of the sign?
And the big giveaway: IT'S NOT HIS PHONE PROVIDER!!

Example 2 (another "phone provider" message) - THINK TWICE!
Hover the cursor over the online link and you get the real name of the link:
thewoodelf.co.uk!!
And IT'S NOT HIS PHONE PROVIDER EITHER!!

Example 3 - THINK TWICE!

From: DHL Express [mailto:info@buendes-bueroservice.de]
Sent: 10 April 2017 13:19
To: Butlin, Iain
Subject: DHL On Demand Delivery Legacy

YOUR UPDATED DELIVERY DETAILS

Hello, BUTLIN, IAIN

You have changed or confirmed the delivery details for your DHL EXPRESS shipment with
waybill number 2407600416.
The current scheduled delivery is Mon Apr 10 2017 before End of Day.
If you have a web-enabled mail reader, click the link below to view shipment tracking
details:
http://www.dhl.co.uk/content/gb/en/express/tracking.shtml?printPage=true&position=right&brand=DHL&AWB=2407600416
(JsReport - JavaScript based reporting platform)

Thank you for using On Demand Delivery.
DHL Express - Excellence. Simply delivered.

Looks legitimate, but wait...
The From email address looks a little odd for a large company like DHL!?!
And HE HASN'T ORDERED ANYTHING THROUGH DHL!!

DO NOT CLICK ON THE LINK - DO NOT REPLY - NOTIFY THE ICT SERVICE DESK
SELECT THE EMAIL, RIGHT-CLICK IT AND MARK IT AS JUNK - DELETE THE EMAIL
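The three checks the annotations above rely on (is the real From: domain the company it claims to be, where does the link actually point when you hover over it, and is the message pushing you to act quickly) can be made mechanical. The script below is an added example written for this page; it is not part of the Trust workbook and not Trust code. It uses only the Python standard library. The brand-to-domain list, the urgency phrases and the registrable-domain rule are simplified assumptions for illustration, and the two sample messages are constructed: the suspicious one borrows only the From: and Subject: lines from the DHL-branded email shown above, while its Reply-To, body and link target are invented.

```python
"""Heuristic triage of a suspicious email: check the real From: domain, where links
really point, manufactured time pressure and risky attachments. Standard library only."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands a sender might claim in the display name -> domains that genuinely send
# mail for them. Constructed, illustrative list; a real deployment would be larger.
BRAND_DOMAINS = {"dhl": {"dhl.com", "dhl.co.uk"}}
# Phrases used to manufacture a "time limited or pressurised situation" (constructed).
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended", "verify now")


def registrable_domain(host):
    """Crude registrable domain: last two labels, or three for co.uk-style hosts."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "org", "ac", "gov") and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs: the href is what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw):
    """Return human-readable findings for a raw RFC 5322 message; [] means nothing odd."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    sender = msg["From"].addresses[0]
    sender_domain = registrable_domain(sender.domain)
    # 1. Display name claims a brand that the sending domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in sender.display_name.lower() and sender_domain not in domains:
            findings.append(f"display name claims '{brand}' but mail is from {sender_domain}")
    # 2. Replies would go somewhere other than the apparent sender.
    if msg["Reply-To"] is not None:
        reply_domain = registrable_domain(msg["Reply-To"].addresses[0].domain)
        if reply_domain != sender_domain:
            findings.append(f"Reply-To goes to {reply_domain}, not {sender_domain}")
    # 3. Links whose visible text shows one site but whose href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        extractor = LinkExtractor()
        extractor.feed(content)
        for href, visible in extractor.links:
            target = urlparse(href).hostname or ""
            shown = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", visible.lower())
            if shown and target and registrable_domain(shown.group(1)) != registrable_domain(target):
                findings.append(f"link text shows {registrable_domain(shown.group(1))} "
                                f"but points at {registrable_domain(target)}")
    # 4. Manufactured urgency anywhere in the message text (tags stripped).
    plain = re.sub(r"<[^>]+>", " ", content).lower()
    findings += [f"urgency phrase: '{p}'" for p in URGENCY_PHRASES if p in plain]
    # 5. Attachments of a type that can run code or carry macros.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".exe", ".js", ".scr", ".vbs", ".docm", ".xlsm", ".zip")):
            findings.append(f"risky attachment: {name}")
    return findings


# Constructed sample: From: and Subject: follow the DHL-branded email above; the
# Reply-To, body text and link target are invented for this example.
SUSPICIOUS = b"""\
From: DHL Express <info@buendes-bueroservice.de>
To: recipient@example.org
Reply-To: tracking@dhl-updates.example
Subject: DHL On Demand Delivery Legacy
Content-Type: text/html; charset=utf-8

<html><body><p>You have changed or confirmed the delivery details for your DHL EXPRESS
shipment. Confirm immediately or the parcel will be returned.</p>
<p><a href="http://dhl-tracking.example/track?awb=2407600416">http://www.dhl.co.uk/content/gb/en/express/tracking.shtml</a></p>
</body></html>
"""
# Constructed benign message for comparison: the sending domain matches the brand.
BENIGN = b"""\
From: DHL Express <noreply@dhl.com>
To: recipient@example.org
Subject: Your shipment is on its way

Your parcel will be delivered tomorrow. No action is needed.
"""
```

Running `analyse(SUSPICIOUS)` reports the brand/domain mismatch, the Reply-To going elsewhere, the link whose text says dhl.co.uk but whose target is dhl-tracking.example, and the word "immediately"; `analyse(BENIGN)` returns an empty list. None of these checks is proof on its own (legitimate bulk mail often uses a third-party sending domain), which is why the workbook's advice stands: when anything looks odd, do not click, do not reply, and notify the ICT Service Desk.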



How to protect information
To ensure confidentiality is maintained we must protect the information with which we
are entrusted. This involves having the correct security measures in place to protect
against loss, damage, theft or inappropriate destruction.

Security measures can be divided into three groups (physical, people and technical) and
the table below provides some examples.

Physical measures          People measures                       Technical measures
Locked cabinets and doors  Character References                  Passwords on Systems
Walls, Fences, Gates       DBS Checks                            Incident Reporting System
Soundproofed Rooms         Identity Checks                       Encryption and secure emails
Swipe Card Access          IG Training / Policies & Procedures   IT Network Security
CCTV / Alarms              Security Staff                        Electronic Audit Trails

The key principle is to overlap security measures, whenever possible, to avoid situations
where only one measure protects against the danger. Overlapping is good practice as it
avoids total reliance upon a single measure that may fail e.g. an outside security door
(a physical measure) may be left open by staff, but security staff carrying out routine
checks (a people measure) at the end of the day discover the open door and secure it
before anything is stolen.

Reporting Incidents
Probably the worst position for any organisation is not knowing that a risk exists, or
not knowing that security measures are failing because failures are not being reported.

You are the expert in your work area at assessing potential problems, such as doors or
windows that don't lock properly or confidential information left in public access areas.
Early intervention will help minimise any impact and ensure corrective action can be
swiftly taken so that the same problem does not recur.

We all have an obligation to act responsibly and to be aware of our local policies and
procedures for reporting incidents. All new incidents should now be reported on the
Datix system accessed via the Intranet. Full details are available on the Risk
Management Intranet page.



Top Information Security Tips
Secure Passwords
Ensure you use strong passwords, at least 6 characters long, that contain a combination
of letters (both UPPER and lower case characters), numbers and symbols.
Never disclose your password to anyone
Never write your password down
Never let others see you enter your password
Change your passwords regularly
Keep any reminders in a secure place and do not make it obvious that they are linked to
your passwords
Smartcards
Your Smartcard provides you with a level of access to the health care information that
you need as part of your job. You have a duty to keep patient information secure and
confidential. Once you have been given a Smartcard, you must:
Ensure that you accept the terms and conditions of use (see the RA Intranet page)
Keep it safe and secure and never share your password
Never allow anyone to use your Smartcard checks on access will be made and
failure to comply with the terms and conditions can lead to disciplinary action
Never leave your Smartcard unattended
Report lost Smartcards immediately to the ICT Helpdesk or the IG & RA Officer

Lock your Screen
If you need to leave your desk, press Ctrl+Alt+Delete and then Enter to lock your screen
(on Windows, pressing the Windows key and L together does the same).
Operate a Clear C: Drive Policy
No data, confidential or not, should be stored on the C: drive of a computer. If your PC
crashes, this information will be lost.
Encryption
Ensure all portable media is encrypted, i.e. laptops, memory sticks, CDs etc. Thousands of
USB sticks are lost or stolen each year, causing personal, sensitive and confidential data
to be lost or, more worryingly, exposed. Our Trust policy allows ONLY the use of Trust
approved password protected sticks. Speak to your Line Manager if you need one.
Email/Internet
The internet and email are provided for Trust authorised business although reasonable
personal use is permitted provided this does not interfere with the performance of
work duties.
Always check email addresses before you press send
Only send Person Identifiable Data (PID) from an NHS.net account to an NHS.net
account and not, for example, phil.cottis@qehkl.nhs.uk to another@trust.nhs.uk
Do not put any PID in the subject field
Do not open emails from unknown or suspicious addresses

Fax
When faxing confidential information:
Only send it by fax if it is absolutely necessary and there is no alternative method
Use the Confidential Fax front sheet (available from the IG Intranet site)
Make sure you double check the fax number you are using. It is best to dial from a
directory of previously verified numbers
Check that you are sending a fax to a recipient with adequate security measures in
place, for example, your fax should not be left uncollected in an open plan office
If the fax is sensitive, ask the recipient to wait by the fax machine & confirm receipt
For further guidance refer to the Safe Haven Procedure on the IG Intranet site



Top Information Security Tips (cont'd)
External Post
When sending confidential information by post:
Place in a robust envelope and seal appropriately
Mark Private and Confidential
Clearly address to a named individual
If sending large quantities or highly sensitive information, ensure the data is double
wrapped and sent recorded delivery or by courier
Internal Post
Do not reuse envelopes when sending patient or staff confidential information even if
the previous address has been crossed out.
Ward Handover Sheets, Theatre Lists etc.
Ward handover sheets continue to be found in inappropriate locations across the Trust;
in public access areas (corridors, The Hub etc), in the grounds (car parks etc) and even
on streets outside of the Trust. These documents contain highly sensitive and
confidential information regarding our patients and should be treated exactly the
same as a health record.
[Graphic: Stop. Check. Bin.]
You wouldn't leave a health record in one of the public toilets, but
ward handover sheets have been found there!
THINK! If possible do not remove ward handover sheets from the
ward and NEVER take them outside of the hospital!
Telephone Security
Confirm the identity of the caller before releasing any confidential information
Put callers on hold while locating the member of staff required
Never name or discuss patients over the phone when in public access areas e.g.
corridors, restaurants, on trains etc.
Do not text patient information to colleagues
Do not use your mobile phone to photograph patients unless in an emergency
Only leave messages on answer phones if the recipient has consented to the release,
or if the clinical need outweighs their right to confidentiality
Conversations
Do not discuss a patient's treatment where you can be overheard, especially in public
areas such as corridors, lifts, the coffee shop, The Hub etc.
Destruction of Data
When confidential, sensitive or person identifiable data is no longer required, place it
in the locked Blue Wheelie Bins.
NHS Number
Trust staff should be using the NHS number (where available) in all communications
regarding patients. Please ensure you ask the patient for their NHS Number and record
it whenever possible.
Training
Ensure you and your colleagues undertake your annual IG mandatory training.
Ignorance is no excuse: you must be aware of the basic requirements and keep up to
date with the latest information and guidance to ensure a confidential service.
Support
Work with the IG Team to determine what additional measures you could take to
protect the information held in your work area.
Information Security: Social Media
As previously stated the rules on confidentiality still apply even after you have left the
workplace. Therefore, the rules of confidentiality must also be followed when using
social networking sites such as Facebook and Twitter.

Do not accept patients as Facebook friends

You must not release any information on a social networking website which you
have obtained as part of your job role (e.g. Guess who I saw at the hospital
today?)

You must not discuss any aspect of patient care on a social networking website,
even if you believe you are chatting to the actual patient

You must not use social media sites or other non-work related sites when you
are supposed to be working.

Images taken on recording equipment (such as camera phones) must only be
taken and used with the explicit (written) consent of the individual(s) in the
image. Under no circumstances may these images be posted onto a social
networking website

71% of people would not want colleagues or employers to view their
social networking website without removing some material.
WOULD YOU?

Defamatory remarks about the Trust or any of its employees must not be made.
What may be considered to be letting off steam about a work situation can
potentially be read by someone who may take offence at the content of a
posting

The date and time that comments or photos are posted are often visible on
these sites please bear this in mind if using them at inappropriate times (e.g.
during work hours)

Social networking sites should not be used for raising and escalating concerns
(commonly referred to as whistleblowing). For further guidance see the Trust's
Policy for Staff When Expressing Concerns about Standards of Care or Other
Trust Activities (Whistleblowing)

Be aware that even in your private life, what you post on Social Media may be
subject to disciplinary action

For further guidance, see the Social Media Policy available on the
Information Governance intranet page



Assessment

Users of this workbook must demonstrate that the course has been completed by
answering the following IG questions, using the assessment sheet on the last page of
this workbook and submitting their responses to their Line Manager or directly to the
IG Team who will update your Electronic Staff Record.

Question 1
Who is responsible in the hospital for the security of confidential information?
(Select one option)

A. Only Health Records Library staff


B. Everyone
C. Only clinical and nursing staff
D. Only medical Secretaries
E. Only line managers

Question 2
What are the potential consequences of a patient information security breach?
(Select four options)

A. Staff can be prosecuted


B. The Trust can be fined up to £500,000
C. Individual staff cannot be fined or prosecuted
D. Risk to patient safety
E. The ICO accepts mistakes happen and will not fine the NHS
F. Loss of patient trust

Question 3
Two healthcare assistants (HCAs) are bed-bathing a patient. One HCA starts talking
about Sarah, a nurse on the ward who was taken ill at work and admitted to the
gynaecology ward. She tells the other HCA that Sarah is a lot better. The following
week Sarah is at work and the patient asks her if she should be back at work so soon.
Did the HCAs breach the duty of confidentiality? (Select 1 option)

A. No, Sarah had not been admitted to that ward; she wasn't one of their patients,
so no duty of confidentiality was owed
B. Yes, the duty to maintain confidentiality is part of the duty of care to all
patients
C. No, the HCA only mentioned that Sarah was admitted, not what was wrong
with her



Assessment (Cont'd)

Question 4
A young man was treated in A&E for stab wounds. Later, police enquiring about a
vicious fight nearby ask for, and are given, the patient's name by the doctor on duty. Why
was the doctor justified in disclosing this information?
(Select 1 option)

A. The public interest in preventing serious crime


B. The doctor was part of a local scheme aimed at tackling youth violence
C. Doctors should always help the police with their enquiries

Question 5
Which of the following can you not do?
(Select 3 options)

A. Access the test results of friends or relatives you are not treating
B. Enter the hospital health records library and read your own health record
C. Apply to the hospital to have a copy of your health records sent to you
D. Access a patient information system you have not been trained in

Question 6
Which of the following is the best course of action if you receive a suspected phishing
or scam email?
(Select one option)

A. Reply to the email stating that they must have the wrong email address
B. Click on the requested link to see if it is a scam email
C. Mark the email as Junk and then delete it
D. Forward it to your line manager
E. Notify the ICT Service Desk, mark as Junk and delete

Question 7
Which of the following statements regarding the Data Protection Act 1998 is correct?
(Select one option)

A. The Act only applies to patient information


B. The Act only applies to personal information in a digital form, i.e. on a computer
system
C. The Act prevents the sharing of patient information between NHS organisations
D. Organisations can be fined or face legal action for breaching the principles of
the Act



Assessment (Cont'd)
Question 8
Which of the following is likely to increase the risk of a breach when sending personal
information?
(Select one option)

A. Using a trusted postal courier service


B. Verifying the identity of telephone callers
C. Using a secure email system such as NHSMail (NHS.net)
D. Leaving messages when calling patients
E. Encrypting any personal information

Question 9
Which of the following is typical of a strong password?
(Select one option)

A. A combination of letters, numbers and symbols


B. No more than 5 characters in length
C. Contains your username
D. Similar to previous passwords

Question 10
Which of the following should not be used to send personal information unless
absolutely necessary?
(Select one option)

A. Post
B. Fax
C. Email
D. Telephone

V.7 Authors: P Cottis & J Walsh



V.7 April 2017

IG Training

Answer Sheet 2017-2018

Full Name:_______________________________Department:_____________________________
First name + Surname - Please use block capitals
I confirm that I have read and understood the IG Training Workbook

Signed:________________________ Date:____________________________

The required pass mark is 80%

Question 1 A B C D E (Select 1)

Question 2 A B C D E F (Select 4)

Question 3 A B C (Select 1)

Question 4 A B C (Select 1)

Question 5 A B C D (Select 3)

Question 6 A B C D E (Select 1)

Question 7 A B C D (Select 1)

Question 8 A B C D E (Select 1)

Question 9 A B C D (Select 1)

Question 10 A B C D (Select 1)

% Achieved = _____________________

Confirmed By: _______________________________ Date:__________________

Print Name:__________________________________ Ext.:___________________

YOU WILL ONLY BE CONTACTED IF YOU DO NOT PASS

Once completed please return to: IG Team, Lower Tilney
