
Five steps to making your data safer

1 Make patient identification procedures more secure

Leaving aside cases of deliberate misconduct, one of the most common causes of a breach of confidence is the failure to identify a patient correctly. Many patients have similar or identical names, and if care is not taken a letter relating to one patient can be delivered to another. This is a crucial risk area for practices.

Aside from the potential for a breach of confidence claim, such an error exposes a practice to the risk of a monetary penalty levied by the Information Commissioner. The high-profile penalty of £70,000 imposed on the Aneurin Bevan Health Board in April is a startling reminder that a single misaddressed letter can have dire financial consequences for an organisation such as a CCG.[1]

The ICO was critical of the lack of any system to ensure that correspondence related to the correct patient at the correct address. Practices should review their own arrangements. Before dispatch, letters containing sensitive personal data should be checked against at least one unique identifier (such as the NHS number), not against the patient's name alone.

2 Check that any file transfer procedures are safe

Patient identifiable data should be encrypted to NHS standards when transferred. NHSmail to NHSmail emails are encrypted automatically. Be aware that encryption protects the message in transit only: there will still be a breach of the Data Protection Act if patient identifiable data is sent to the wrong NHSmail account. Given the size of the NHS, there are many individuals with the same or very similar names, and care must be taken to distinguish between them.

Another risk arises from the fact that an individual may move from one NHS organisation to another and retain the same email address. If news of their move is not known, emails sent to them which relate to their former organisation, but which they receive in their new capacity, could also amount to a breach of confidentiality.

Some patients provide email addresses and/or mobile phone numbers. If these are to be used to correspond with the patient, ensure that this is with the patient's informed consent. Home email accounts and text messages to mobile phones are not secure, so you must ensure that they are used appropriately. For example, provided the patient agrees, text reminders about pre-booked consultations will be helpful. However, unsolicited emails regarding a patient's treatment are not permissible.

In order to ensure that staff understand what electronic communications with patients are acceptable, practices should set this out in a protocol. 

3 Stop sending confidential information by post if you can

Transfers of unencrypted patient identifiable information by post should not take place unless this is essential for patient care. Many practices nonetheless have to rely on post to communicate with their patients. Where it is used, the use of post should be risk assessed and signed off by a senior person in the practice.

4 Train staff to protect patients

Many of the problems encountered are the result of inadequate staff training or guidance. Staff should be aware of the obligation of confidence and that patients' records should be consulted only on a 'need to know' basis. Contracts and practice policies should provide an appropriate sanction for staff who fail to meet the requirements upon them. However, in order to guard against accidental breaches of the information security requirements, practices must ensure that staff have clear guidance, including which methods of communication to use for particular types of patient information. The phone hacking disclosures have also highlighted the use of 'blagging' (obtaining confidential information by impersonation or pretext) and staff should be trained to recognise and refuse such requests.

5 Share accountability in your partnership

GP partners need to ensure that the agreements they have with one another are carefully documented as obligations in an up to date partnership deed. The obligations should include a requirement for all partners to comply with the law and with the procedures designed to protect the business in this regard. Such provisions should specify particular responsibilities, including identifying the partner with ultimate responsibility for ensuring confidentiality and data protection compliance within the partnership, together with anything specific that is expected of each partner in connection with the above requirements.

As partners are jointly and severally liable for each other's actions, a GP should be prepared to highlight to his or her partners any practices which expose the business to information security risks. Where these have been carefully documented and there is evidence to demonstrate that each partner has agreed to be bound by the guidance and protocols, the potential for a dispute over any 'grey area' is minimised.

Chris Alderson is a partner and Edwina Farrell is an associate at Hempsons.

[1] BBC News. Aneurin Bevan Health Board fined £70,000 for data breach.