promote good practice in handling information in health and social care settings

166

For Unit HSC 038What are you fi nding out?It seems impossible to open a newspaper or turn on the television without reading about some incident involving bad practice in handling information. For example, since 2007:

�� HM Revenue & Customs has lost two CDs containing the personal records and bank details of 25 million people.

�� The MoD has lost a laptop containing the passport details, National Insurance numbers, drivers’ licence details, family details, doctors’ addresses and National Health Service numbers of 600,000 people.

�� Hundreds of documents containing sensitive personal data such as details of benefi t claims, passport photocopies and mortgage payments were found dumped on a roundabout in Devon.

�� Zurich Insurance has lost the personal details of 46,000 of its customers.

�� The health and social care sector is far from immune to bad practice. For example:

�� A USB memory stick containing information on hundreds of NHS mental

health patients was found by a member of the public in Teesdale.

�� A 12-year-old boy found a USB memory stick containing sensitive information about staff and patients at a hospital in Scotland in a supermarket.

�� The personal details of 9,000 school pupils, including their names, date of birth, addresses, phone numbers and school attainment, were stolen from the home of a Barnet Council worker.

Breaches of security and confi dentiality are extremely serious. Not only do they destroy confi dence in organisations in which the public has entrusted its personal details, they also cause anxiety for the individuals concerned.

The reading and activities in this chapter will help you to:

Understand requirements for handling information in health and social care settings

Be able to implement good practice in handling information

Be able to support others to handle information.

Promote good practice in handling information in health and social care settings

9

LO1 Understand requirements for handling information in health and social care settings

1.1 Identify legislation and codes of practice that relate to handling information in health and social careThis UK government is committed to protecting civil liberties and personal privacy.

9: Promote good practice in handling information

167

The Information Security

Management: NHS Code of Practice

The Human Rights Act 2000

Data Protection Act 1998

Code of Practice: Mental Health Act

1983

General Social Care Council

(GSCC) Codes of Practice

The Nursing and Midwifery Council

(NMDC) code

The Health and Social Care Act

2001

Records management: NHS

code of practice

Legislation and Codes of Practice

that relate to information

handling in health and social care

Figure 9.1 Legislation and Codes of Practice that relate to information handling in health and social care

Evidence activity

1.1 Legislation and codes of practice related to information handling This activity gives you an opportunity to demonstrate your knowledge of legislation and codes of practice that relate to information handling in health and social care.

Choose three different care settings, for example an early years setting, a GP practice and a day care centre for people with learning diffi culties. Make a list of the laws and codes of practice that govern how information must be handled within each area.

1.2 Summarise the main points of legal requirements and codes of practice for handling information in health and social care

The Human Rights Act 2000 Article 8: the right to respect for private and family life

Everyone has the right to respect from others for their private and family life, home and correspondence. The right to a private life includes the right to have information about us, such as offi cial records, photographs, letters, diaries and medical information kept private and confi dential. Unless there is a very good reason, public authorities should not collect or use information like this; if they do, they need to make sure the information is accurate.

The Information Security Management:

Article 8 of the Human Rights Act is a qualifi ed right. This means that in certain situations, for example where public safety, security or health is at risk, or the protection of other people’s rights

Level 3 Diploma Health and Social Care

168

competent, the person appointed by a court to manage their affairs has the authority to give or withhold consent.

www.patient.co.uk

When might a request to see information be refused?Types of information held about an individual that might not be given to them include:

records that contain information about other people, unless they have given their permission

information that has been received from third parties, unless they have given their permission

information that could affect their or somebody else’s emotional or mental stability

records relating to work where legal proceedings have taken place

records where disclosure could affect crime prevention, detection, apprehension or prosecution of offenders.

www.dwp.gov.uk

Anyone who handles personal or sensitive data must comply with the Data Protection Act 1998 and the eight Data Protection Principles.

Data Protection PrinciplesThe 8 Data Protection Principles require that personal or sensitive information is:

1. processed fairly and lawfully – for example, don’t collect and use someone’s personal information unless they have given you permission or you are confi dent that you are entitled to handle it

2. only used for the purpose for which it was obtained

3. adequate, relevant and not excessive – only collect and use as much information as you need

4. accurate, up to date and necessary – correct errors promptly and never handle personal or sensitive information that you do not need for your work contd

and freedoms is at risk, personal information can be disclosed to a relevant authority.

A Guide to the Human Rights Act 1998, Third Edition, DCA 2006; www.justice.org.uk

Data Protection Act 1998The Data Protection Act 1998 became effective in 2000 and superseded the Data Protection Act 1984 and the Access to Health Records Act 1990. The purpose of the Act is to protect the rights of individuals about whom personal or sensitive data is processed (collected, used and stored), disclosed and destroyed. It applies to information that is held in paper and computerised records, imaging records such as X-rays and photographs, and recordings such as video and CCTV images, telephone calls and tape recordings.

Key termPersonal or sensitive data is information about ethnic origin, religious and political beliefs, health, disability, criminal offences or alleged offences, sexual life and trade union membership.Integrity of data is to do with its accuracy and completeness.Access means to see, obtain or retrieve.Jargon is the technical language particular to a trade or profession.An individual is deemed competent when they have a clear appreciation and understanding of the facts, and the implications and consequences of an action.

The Act requires that security measures are put in place to retain the confi dentiality and integrity of personal or sensitive data, and to ensure that it remains intact for as long as it is needed. In other words, people and organisations that handle personal or sensitive information must prevent:

�� unauthorised access, disclosure, alteration and destruction

�� accidental loss or destruction.

The Data Protection Act gives individuals the right to access information held about them except in certain situations. For this reason, any information that might be unintelligible, for example, abbreviations and jargon, must be explained. Representatives acting on behalf of individuals deemed competent to manage their affairs can see and discuss information held about the individual, provided that the individual has given consent. If an individual is deemed not

www.patient.co.uk

www.dwp.gov.uk

www.justice.org.uk


169

In 1997, Dame Fiona Caldicott carried out an investigation into the handling of patient information by health and social care service providers. As a result, six Caldicott Principles were identifi ed to help them comply with the Data Protection Act. In summary, the Caldicott Principles require that anyone who handles personal or sensitive data that can be identifi able with a particular person must:

1. be able to justify its use – for example, it would be unjustifi able to let someone’s ethnic background dictate whether to prescribe them medication for a failing memory, but it would be important to ensure that a female care worker is available to help female patients with intimate care if their religion and cultural traditions require same-sex care

2. not use it unless it is absolutely necessary – for example, it is absolutely unnecessary to know about someone’s criminal record when helping them use the toilet, unless their record includes a history of sexual offence

3. use the minimum amount of information necessary – you don’t need to know lots of information about someone’s personal life when helping them choose from a menu, but it would be an advantage to know about their health and religious beliefs as these may dictate their dietary needs

4. ensure that access to it is on a strict ‘need-to-know’ basis – on no account should you disclose information about people without their consent or proper authorisation, nor should you disclose information to anyone who does not need that information to carry out their job

5. ensure that everyone with access to it is aware of their responsibilities, including ensuring that any personal data they see or hear goes no further, either by word of mouth or by unauthorised viewing of information, for example on a computer printout or computer screen

6. understand and comply with the law – you can be prosecuted for unlawful action under the Act and be fi ned if you use or disclose information improperly.

5. only kept for as long as needed – delete or destroy information when it is no longer needed.

6. processed in accordance with the individual’s rights – for example, we have a right to know how our information is being used, to have any errors corrected, and to prevent information about us being used for advertising or marketing

7. kept secure at all times and protected from unauthorised access, disclosure, alteration and destruction

8. not transferred outside of the European Economic Area (EEA) unless the individual concerned has given consent and you are confi dent that you are entitled to transfer it.

Key termThe European Economic Area (EEA) is an economic association of European countries.

1.2 Collecting information

1. Who do you collect information about at work?

2. What information do you collect?

3. How do you know that you can collect it?

4. Why do you need the information?

Research & investigate

1.2 How would you feel if … your personal correspondence, for

example letters, emails, texts, were opened and read by other people?

someone put photographs of you on a website without asking your permission?

your GP told your employer about your medical history?

Time to refl ect��

�

� �


170

The Health and Social Care Act 2008The Health and Social Care Act gives the Secretary of State for Health the power to authorise health and social care service providers to disclose information about people in the interests of improving patient care or in the wider public interest, to monitor communicable diseases and for medical research.

Codes of Practice relating to handling information in health and social care are based on legislation, professional body standards and professional best practice.

Records Management: NHS Code of PracticeRecords are valuable because of the information they contain. However, information is only useful if it is correctly recorded in the fi rst place, regularly updated and easily accessible when needed. The Records Management: NHS Code of Practice describes different actions and responsibilities for effective collection, use and storage of all types of NHS records, and for their maintenance and disposal.

The Information Security Management: NHS Code of PracticeThis applies to all organisations, including local authorities, that handle NHS information. Its purpose is to guide them in maintaining the security of information that they handle.

Code of Practice: Mental Health Act 1983This requires that information to help them understand why they are in hospital or subject to guardianship is given to patients detained under the Mental Health Act and, unless they object, to their nearest relatives. It also states that, ‘ordinarily, information about a patient should not be disclosed without their consent. Occasionally it may be necessary to pass on particular information to professionals or others in the public interest, for instance where personal health or safety is at risk.’

1.2 Applying the Caldicott Principles

An early years setting holds information on children in order to support their development, monitor their progress, provide appropriate pastoral care and assess how well the setting as a whole is doing. This information includes contact details, attendance information, characteristics such as ethnic group, special educational needs and any relevant medical information. From time to time it is necessary to pass on some of this data to local authorities and offi cial agencies, such as QCA and Ofsted. In particular, at age fi ve an assessment is made of all children (the Foundation Stage Profi le), and this information is passed to the local authority and receiving maintained school.

How is this setting complying with the Caldicott Principles as regards:

1. justifying its use of data?

2. not using data unless it is absolutely necessary?

3. using the minimum amount of information necessary?

4. ensuring that access to data is on a strict ‘need-to-know’ basis?

5. ensuring that everyone with access to the data is aware of their responsibilities?

6. understanding and complying with the law?

Case Study

The Children Act 2004The Children Act states that organisations have a duty to safeguard and promote the welfare of children and young people. Information sharing among care agencies enables them to work effi ciently and effectively, but it must also comply with laws relating to confi dentiality, data protection and human rights. Safeguarding Children Boards use The Children Act to develop policies and procedures related to information sharing, thereby complying with legislation and ensuring the safety and well-being of the child or young person.


171

�� disclose information if they believe someone may be at risk of harm

�� keep clear and accurate records and not tamper with original records in any way

�� ensure entries in records are clearly and legibly signed, dated and timed

�� ensure all records are kept securely.

Nursing & Midwifery Council, 2008

Evidence activity

1.2 Legal requirements and codes of practice for handling information

Identify two pieces of legislation and two codes of practice that regulate the way personal and sensitive information is handled where you work. For each, sum up how they affect your work.

LO2 Be able to implement good practice in handling information

2.1 Describe features of manual and electronic information storage systems that help ensure security

Manual information storage systems Manual information storage includes:

�� paper or card health records, case notes, care plans, pupils’ fi les, assessment records, special educational needs data, staff records, registers, reports, computer printouts and administrative records such as letters, invoices and minutes from meetings

�� imaging records such as X-rays, CCTV fi lm, photographs and slides

�� audio recordings such as telephone calls and tape recordings.

1.2 Disclosing information

Who do you disclose information to?

What information do you disclose?

How do you know that you can disclose it?

Why do other people and organisations need the information you give them?


General Social Care Council (GSCC) Codes of PracticeThese set out the standards of practice that everyone who works in social care should meet. With regard to handling information, the Codes state that:

�� Social care employers must have written policies in place to help social care workers meet the GSCC’s Code of Practice for Social Care Workers, including policies on confi dentiality.

�� Social care workers must:

�� protect the rights of the people they support, including their right to privacy

�� respect confi dential information and be able to explain their workplace’s policies about confi dentiality to the people they support, their family and friends

�� not abuse the trust of the people they support or the access they have to any personal information about them

�� maintain clear and accurate records as required by procedures established for their work.

General Social Care Council, 2002

The Nursing and Midwifery Council (NMC) codeThis sets out the standards of conduct, performance and ethics that nurses and midwives must apply in their work. With regard to handling information, the code requires them to:

�� respect people’s right to confi dentiality

�� ensure that people are informed about why and how information is shared by people providing their care


172

2.1 Manual storage of information

Where is manual information stored at your workplace?

Who can have access to this information and why?


Storage facilities for medium- and high-risk information, such as fi ling cabinets, cupboards and stores should be kept under lock and key, and keys and keypad number sequences held by the designated data owner or a named key holder. Access to information should be given on a need-to-know basis and a tracking record maintained of who has had access, when and why. If information is removed from storage a record should be made of when it was returned. Tracking systems can be either paper-based or electronic, such as when records are scanned in and out of storage.

When information stored manually is no longer needed, it should be dealt with as appropriate. Closed or inactive fi les may have to be retained for some time, in which case appropriate storage facilities will be required. Some information will need to be permanently preserved by archiving, some retained for review and some destroyed. Low-security information should be recycled; medium- and high-risk information should be shredded, pulped or incinerated.

Key termArchiving means storing records, documents, or other materials of historical interest.

Electronic information storage systemsInformation can also be stored (saved) electronically on a computer’s hard disk drive, an external hard drive, USB memory stick, CD or DVD, using programmes such as Word, Excel, PowerPoint and Outlook. Programmes provide the template for creating documents such as:

�� word documents, for example letters and reports

Figure 9.2 Manual information storage systems

Manual information should be held in named folders to make fi ling and access easy. The information within a folder should, if possible, be copied, and copies stored in a separate, secure location, for example on a USB fl ash drive (memory stick), as a precaution against loss.

An authorised person or the designated ‘data owner’ should take responsibility for ensuring that manual information is secure. All information should be annotated with its level of security, and confi dential information must identify who is authorised to have access. There are three levels of security:

1. Low security means that the information can be accessed by the public, for example policies and procedures and an organisation’s website.

2. Medium security means that the information is not readily accessible but may be disclosed in certain circumstances, for example basic personal information such as class lists.

3. High security means that the information contains personal and sensitive identifi able information and access is on a ‘need-to-know’ basis only.

Secure storage requires arrangements to be in place to make sure that:

�� information remains confi dential

�� there is no risk of physical deterioration due, for example, to fi re from electronic, electric and kitchen equipment, or water from sinks, toilets, pipes, radiators.


173

Ten top tips for ensuring the security of information stored in equipment you take off site1. Follow your organisation’s home working and

portable computing policies.

2. Know and understand how to use the equipment.

3. Keep it with you at all times.

4. If you have to leave it unattended, lock it up and store it in a secure place.

5. Take great care when using it in a public place to ensure that information is not overseen.

6. When travelling on public transport, carry laptops as hand luggage.

7. If you use a car, ensure that the equipment is not left on display. Lock it in the boot but do not leave it in the boot overnight.

8. Do not modify any stored information without authorisation.

9. Sending information over the internet could be classifi ed as a breach of security, so never send identifi able information via email or devices such as Blackberries. In fact, never send information electronically that you would not put on the back of a postcard.

10. Do not use the equipment for your personal use, especially for internet access and emailing.

2.1b Portable electronic information storage systems

What portable electronic information storage systems are used at your workplace?

Describe the policies and procedures that govern the way they are used off site.


If computer equipment has to go off site for service, repair or recycling, all information should be backed up, for example on a USB memory stick, and then removed. Normal deletion doesn’t actually delete information, it simply removes the ‘address’ indicating where the fi les are stored. This means that data recovery software can be used to ‘undelete’ deleted fi les. It is better to use data destruction software or software that overwrites

�� spreadsheets, for example to record and monitor physiological measurements

�� presentations, for example for training

�� email, for sharing information.

2.1a Storage of electronic information

Where is electronic information stored at your workplace?

Who can have access to this information and why?


The documents produced using these programmes are put into folders, which are the equivalent of the manual folders stored in fi ling cabinets and cupboards. Folders containing documents that are personal and sensitive need to be stored securely.

Figure 9.3 Electronic information storage systems

Encryption is the scrambling and transforming of information from an easily readable and understandable format (plaintext) into an unintelligible format that seems to be useless (ciphertext). The Data Protection Act requires organisations that use portable electronic information storage systems, such as laptops, handheld computers and USB memory sticks, to encrypt personal and sensitive information and regularly review and update the encryption to make sure it remains effective. The Act also requires that organisations have policies regarding the use and security of portable systems and that they ensure that their staff are properly trained in these.

Taking portable electronic information storage systems off site carries a risk of theft and unauthorised access to and modifi cation of information.


174

2.1 Have you ever …Have you ever shared any of your personal ID, for example your PINs or computer usernames and passwords, with anyone else? What might be the outcome of sharing such information?


�

� �

Dos and Don’ts of using electronic information storage systems to access, store and share sensitive and personal information Do:

�� log in with your username and password.

�� position your monitor so that it cannot be overseen.

�� log out if you have to leave your computer unattended and when you have fi nished using it.

�� back up all the information you save, and store backup devices securely.

�� encrypt all the information you save on portable storage systems.

Key termTo back up means to copy saved information so that it is preserved in the event of equipment failure.

Don’t:

�� Take computer equipment off site unless you have permission. If you do, make sure you know how to use the equipment and that you follow your organisation’s homeworking and portable computing policies.

�� Store information in programmes that are connected to the internet, for example social networking websites and organisational intra- and internet web pages.

�� Send information via email unless it is encrypted.

�� Send sensitive information contained in portable storage systems, even if it is encrypted.

�� Rely on the delete button to erase information no longer needed. Use appropriate data destruction software.

everything. The same applies to when computer equipment has to be discarded – remove all sensitive data fi rst; alternatively, physically destroy the hard drive.

Computer viruses cause severe loss and destruction of information; antiviral software is highly recommended. Firewalls help prevent attacks against computers while connected to the internet, but viruses can arrive within fi les attached to emails. Some of these viruses (Trojans) contain programmes that allow an outsider to access and take control of computers over the internet. For this reason, never open fi les attached to emails from people you don’t know. If you do know the sender but have even the slightest doubt, check to confi rm that they have sent it.

2.1c Secure storage and deletion of electronic information

How does your workplace ensure that electronically stored information is:

not accidentally lost or destroyed?

securely dealt with when no longer needed?


Anyone given authority to access electronic information should have a secure username and password. Used correctly, usernames and passwords ensure the security of personal and sensitive information. If you have authority to access information on a computer:

�� Keep your username secret. Never allow anyone else to use it, and don’t allow the computer to save it, particularly if you share the computer with other people.

�� Keep your password secret. If you think someone might have watched you keying it in, change it immediately. Don’t be obvious in your choice of password, for example don’t use your name, birthday or anything else that someone might guess. Change it frequently and if you have to write it down, disguise it. Use a different password for every computer username allocated to you.

Key termA username and password are the names that someone uses for identifi cation purposes when logging on to a computer.


175

2.3 Maintain records that are up-to-date, complete, accurate and legibleGood practice in health and social care relies on multidisciplinary teamwork. To ensure that the team is able to support people effi ciently and effectively, it needs up-to-date, complete, accurate and legible records. Records that health and social care workers contribute to include health records, case notes, care plans; pupils’ fi les, assessment records and special educational needs data; staff records; registers; and correspondence with the people they support, their relatives and representatives, and other members of their team.

Evidence activity

2.1 Features of storage systems that help ensure security

Think about the manual and electronic storage systems that you use at work. Describe how each ensures security of the information it stores.

2.2 Demonstrate practices that ensure security when storing and accessing information

Practice activity

2.2 Ensuring security when storing and accessing informationComplete the following tables to show how you ensure security when storing and accessing information.

Manual information storage systems

Precautions I take to prevent unauthorised:

access to information

disclosure of information

alteration of information

destruction of information.

Precautions I take to prevent accidental loss or destruction of information.

Electronic information storage systems

Precautions I take to prevent unauthorised:

access to information

disclosure of information

alteration of information

destruction of information

Precautions I take to prevent accidental loss or destruction of information.


176

2.3 What if …

What might be the outcomes for an individual if, for example, their and their relative’s contact details, medication, consent to disclosure of personal information, and so on, were not kept up to date?

Time to refl ect�

� �

The completeness of a report can be diminished if it is tampered with or if alterations are not made properly. Mistakes or inaccuracies on electronic records should be remedied using a tracking device, and should be annotated with the date and author of the alteration.

Mistakes or inaccuracies on manual records should be remedied by adding a signed and dated note in ink. If an individual asks you to alter information about them because it is incorrect, include a note to say that you have altered it at their request. If the incorrect information would be harmful to them, delete it but insert a signed and dated note to explain what has happened and why.

In addition to ensuring that content is complete, you must ensure that records are accurate.

�� Write up notes as soon after an event as possible, before you forget exactly what was said or what happened.

�� Bear in mind that in some situations, information about an individual given by a third party, for example a relative, police offi cer or translator, may not be the same as that given to you by the individual themselves. We all see things differently and have different stories to tell as a result. Make a note of the person’s name and position in the event that information needs clarifying.

�� Subjectivity takes away from accuracy. Records must be objective, that is, based on fact, so don’t include your opinions, especially if they are likely to insult or cause distress.

Key termMultidisciplinary teamwork is when members of different professions work together.

A good record contains enough information to allow another professional to maintain continuity of care and help the individual develop and progress. It should be professionally written but, because The Data Protection Act gives individuals the right to access information held about them, it should contain explanations of information that they, their relatives or representatives might fi nd diffi cult to understand.

The content of a report should therefore be complete. It should include, so far as is relevant to the situation, up-to-date details about the individual’s:

�� age, sex, address, physical and intellectual ability; social, cultural and religious beliefs, values and preferences, life experiences and achievements.

�� health and social care needs, planned investigations or interventions, and information that they and their relatives and representatives have been given, for example details of the risks and benefi ts of different treatments and activities

�� treatment, for example the type and dosage of prescribed and complementary and alternative medicine (CAM) that they are taking, support groups they attend

�� response to different treatments and interventions

�� consent, for example, to medication or disclosure of their personal information

�� wish to refuse all or some forms of medical treatment in advance of loss of mental capacity, also known as their Living Will or Advance Directive.

www.medicalprotection.org; www.direct.gov.uk

It should also contain up-to-date contact details for relatives, friends and representatives, their Lasting Power of Attorney and contacts in the event of an emergency.

Key termComplementary and alternative medicine (CAM) is the term for health care products and practices that are not part of standard, scientifi c care.Lasting Power of Attorney is the responsibility an individual gives to someone they trust to make fi nancial and health decisions on their behalf at a time in the future when they lack the mental capacity to make decisions or no longer wish to make those decisions themselves.Tracking is a process that highlights any alterations made to a document.

www.medicalprotection.org

www.direct.gov.uk

www.direct.gov.uk


177

2.3 The truth, the whole truth and nothing but the truth

Mary lives in a sheltered housing complex. She has progressive Alzheimer’s disease but the authorities are confi dent that she is able to live in her own fl at at the present time. A neighbour frequently sees her wandering in her nightie around the gardens late at night and others, including the warden, are growing increasingly frustrated with Mary’s fast declining memory, the health and safety risks she poses to them and herself as a result, and her growing dependence on everyone for everyday support.

Figure 9.4 Mary

Mary’s neighbours and the warden have organised a meeting with social services, in order to spell out their concerns. The warden’s written report is as follows:

‘Mary X is a nuisance. She is quite doolally and it won’t be long before she blows the place up. The other residents are sick to death of having to look out for her when she does nothing for them in return. She can’t look after herself any more and should be put in an old folk’s home.’

Should the content of this report be relied on for accuracy? If not, why not?

Case StudyRecords must also be legible.

Key termLegible means clear, readable, understandable.

�� If you can’t write legibly, use a computer or have someone write on your behalf. In this situation, dictate what you want to say and sign to show that the record accurately refl ects what you have said.

�� Be careful with abbreviations and jargon. Only use them if you can explain, in words of one syllable, what they mean.

�� Sign each entry with the date, time and your status.

Practice activity

2.3 Maintain records that are up-to-date, complete, accurate and legible

This activity gives you an opportunity to demonstrate that you can maintain good and appropriate records.

Photocopy half a dozen records, making sure to anonymise them, to which you have contributed and which demonstrate your ability to ensure records are up-to-date, complete, accurate and legible.

LO3 Be able to support others to handle information

3.1 Support others to understand the need for secure handling of information Maintaining security of information at work is everyone’s responsibility.

How can you help others to understand the need to handle information securely? First and foremost, set an example. By following procedures based on relevant legislation and by


178

Encourage colleagues to become more security aware and to understand the possible consequences of failing to follow best practice. There are many ways in which workers can update their knowledge and skills in relation to secure information handling, for example through meetings and discussions, in-service training activities and attendance at professional events, and experiential, on-the-job learning. In addition, specialist journals, online information sources, e-learning and open learning programmes can provide opportunities for improving best practice.

Be aware of sources of information, referral, advice and guidance that can help you handle information securely, and share these resources with your colleagues.

Ensure that personal and sensitive information is labelled. This helps people handling it to understand the need to keep it secure and deal with it appropriately when it is no longer needed.

Encourage colleagues and the people you support to be on the alert for risks to security of information. Hazards include fi re and water, impostors and thieves, computer hackers and lack of training. Ensure that colleagues can recognise hazards and are able to deal with associated risks, such as:

�� fi re and water damage

�� requests for information from people who do not have a need to know

being seen to handle information in accordance with professional codes of ethics and good practice, you will encourage colleagues to carry out their responsibilities to consistently high standards. Secondly, monitor their handling of information, offering advice and guidance where necessary.

Make everyone aware that they have a duty under the Data Protection Act to keep personal and sensitive information confi dential. Posters on notice boards and easy access to policies and guidance documents should prompt colleagues about their responsibilities. And show respect for the right to privacy of the people you support. The experience of having our rights protected helps ensure that we fulfi l our duty to respect other people’s rights.

3.1 Respecting people’s rights

Has your private information ever been shared by someone without fi rst seeking your permission? How did or would you feel? Would you or have you ever done the same to anyone else? How do you think they would feel? Do you think it is right to share information without fi rst getting permission?


�

� �

Accusations of gross misconduct,

dismissal and possible legal action against the employee

concerned.

A damaged reputation and

legal action against the employing organisation.

Anxiety and distress for the

person concerned.

The consequences of failing to follow procedures and apply practices

relating to secure information handling.

Figure 9.5 The consequences of failing to follow procedures and apply practices relating to secure handling


179

3.2 Support others to understand and contribute to recordsYou read earlier that health and social care records need to be up to date, complete, accurate and legible. Anything else would make it diffi cult for professionals to work together to ensure continuity of care and appropriate support.

How can you support others to understand and contribute to records? Most importantly, by ensuring that you set a good example in the production and maintenance of records. Secondly, by raising their awareness of the consequences of records that are out of date, incomplete, inaccurate or illegible. Defi cient, badly written records can result in an individual being given the wrong treatment or the wrong advice and information, with disastrous, possibly fatal, results for them and a formal complaint or even court proceedings against the worker and their employer.

Support your colleagues in their understanding of how the 8 Data Protection Principles underpin the production of good records. When collecting information, make sure they can explain to the individual concerned:

�� why they need the information

�� that they will only collect information if given permission and only use it for the purpose for which it is collected

�� accidental or unauthorised loss of information due to, for example, not backing up, not encrypting information that is to leave the premises, and insecure transport and storage of equipment when off the premises

�� failure to deal with information appropriately when it is no longer needed

�� failure to report security concerns and breaches to the appropriate person without delay.

Practice activity

3.1 Support others to understand

the need for secure handling of information

This activity gives you an opportunity to demonstrate that you are able to support others to understand the need for secure handling of information.

Why is it important to handle information securely?

Make a list of the ways that you currently help colleagues and those you support to understand the need to handle information securely.

How can you develop their understanding?

Figure 9.6 The consequences of failing to maintain up-to-date, complete, accurate and legible records


180

Ten top tips to support individuals you work with to understand and contribute to their records1. Use interpersonal skills to put them at ease

while you explain your need for information and while you collect it.

Key termInterpersonal skills are the positive people skills that nurture effective communication and relationships.

2. Have regard to their age, sex, cultural and religious background as this can affect who they will speak with, especially when the subject is of a personal, intimate nature.

3. Use the method of communication with which they are most comfortable.

4. Explain that the information you collect will be stored securely.

5. Explain that others in the care team may need to see the information you collect but that you will seek their permission before you share it.

6. Explain that they have a right to see any information held about them.

7. Be patient, give them time to think about their answers and use active listening skills to show you are interested and want to understand everything they tell you.

8. Don’t interrupt and don’t put answers into their heads. Let them tell you what they want to say, not what they think you want them to say.

9. Check your understanding by asking questions, summarising what they tell you, restating it in your own words.

10. Check that they agree to you sharing the information they have given you with relevant people.

�� that the information will remain secure and not be shared with anyone except people with a need to know, for example, other professionals involved in their care and support

�� that the information will only be kept for as long as is necessary

�� that the individual has a right to see any information collected about them, to make sure it is correct.

Support your colleagues in their knowledge of how to contribute to records. Make sure that they know to:

�� only collect as much information as is needed and is relevant

�� obtain the individual’s agreement for their information to be shared with people with a need to know

�� follow security procedures when accessing and storing/saving information

�� write their contributions up promptly, before any detail is forgotten

�� write professionally but with regard for people for whom jargon and abbreviations would be diffi cult to understand

�� ensure that verbal contributions are in line with security procedures, for example made in privacy and to the appropriate person.

�� contribute information that is accurate, objective and factual – prejudices, personal values and opinions have no place in record keeping

�� consult with the appropriate people to make sure records stay up to date and free from error

�� record and report any diffi culties they have in accessing and updating records and reports.

Figure 9.7 Who’s asking?


181

Practice activity

3.2 Support others to understand and contribute to records

Why is it important to contribute to records?

Make a list of the ways that you currently help colleagues and those you support to understand and contribute to records.

How can you develop their skills and understanding?

Assessment summaryYour reading of this chapter and completion of the activities will have prepared you to be able to engage in promoting good practice in handling information.

To achieve the unit, your assessor will require you to:

Learning outcomes Assessment Criteria

Learning outcome 1: Understand requirements for handling information in health and social care settings by:

1.1 identifying legislation and codes of practice that relate to handling information in health and social care

See Evidence activity 1.1, p. 167

1.2 summarising the main points of legal requirements and codes of practice for handling information in health and social care


Learning outcome 2: Be able to implement good practice in handling information by:

2.1 describing features of manual and electronic information storage systems that help ensure security


2.2 demonstrating practices that ensure security when storing and accessing information

See Practice activity 2.2, p. 175

2.3 maintaining records that are up-to-date, complete, accurate and legible



182

Learning outcomes Assessment Criteria

Learning outcome 3: Be able to support others to handle information by:

3.1 supporting others to understand the need for secure handling of information


3.2 supporting others to understand and contribute to records


Good luck!

Web linksJustice – legal and human rights organisation www.justice.org.ukHealth information for patients www.patient.co.ukDepartment for Work and Pensions www.dwp.gov.ukMedical Protection Society www.medicalprotection.orgPublic Services website www.direct.gov.uk

www.justice.org.uk

www.patient.co.uk

www.dwp.gov.uk

www.medicalprotection.org

www.direct.gov.uk

promote good practice in handling information in health and social care settings

Documents

information handling

good practice

social care act

sensitive information

bad practice

gp practice

personal details

social care settings9lo1