NHS organisations need to take steps to ensure confidential data is handled appropriately. Sian Thomas explains

Barely a week goes by without headlines announcing that another organisation has lost confidential data. One of the most recent was an NHS organisation where personal data on thousands of staff was lost - but this was not the first, and it will almost certainly not be the last.

Apart from the significant worry that data loss causes people whose personal details may have fallen into unauthorised hands, public organisations that lose sensitive information also lose public confidence. For those providing healthcare, this has far-reaching consequences.

Following the recent data losses and lapses in data security, the Department of Health has ensured that reporting and accountability are priorities and has set out new responsibilities for NHS bodies.

These cover patient and staff data and, among other issues, include staff accountability, contractual provisions and disciplinary action arising from data security incidents. It is also likely that the DH will call for a review leading to the possible amendment of confidentiality policies and disciplinary procedures.

While it is impossible to guarantee that data losses will never happen again, patients and staff have a right to expect that their personal details will be secure. NHS organisations must do everything possible to protect confidential data and deal robustly with any incidents that compromise information security.

Steps to take

  • Ensure all new contracts of employment include a confidentiality clause, for example: "You are required to keep all patient information confidential unless disclosure is expressly authorised by your employer. Misuse of or failure to properly safeguard confidential data will be regarded as a disciplinary offence." Contracts of employment for some staff, such as clinical and research staff, may require more detailed and specific provision.

  • Ensure all disciplinary policies and procedures include reference to breaches of data security. Although such breaches already fall within the definitions of misconduct or gross misconduct, whether or not they are expressly referred to, it is advisable to name them specifically. For example: "Misuse of or failure to safeguard confidential information and/or patient data will be regarded as misconduct/gross misconduct."

  • Note that the implied contractual terms of trust and confidence, and of confidentiality, may also cover patient and staff data, regardless of whether staff contracts contain an express clause.

Any breach of data security, whether it results in actual data loss or is a near-miss, should be taken extremely seriously by trusts. Although cases should be judged on their individual circumstances, breaches of data security can result in dismissal of the staff concerned on grounds of gross misconduct.

In addition to an organisation's own disciplinary procedures, standards relating to confidentiality form part of the requirements demanded of professional staff by their own regulatory bodies, for example, the General Medical Council and the Nursing and Midwifery Council. As a result, breaches of data security can affect the professional registration of the member of staff concerned.

It is not only permanent staff who are liable. Contract and temporary staff can also have their employment arrangements terminated as a result of breaches, and trusts should ensure all contracts with non-permanent staff contain clauses referring to confidentiality. Arrangements with employment agencies for the use of locum or agency staff should also set out the confidentiality obligations and the consequences of data breaches.

Raising awareness

All NHS employers should also raise awareness among existing staff of confidentiality obligations and the disciplinary procedures that can result from breaches of data security.

In the event of data loss, trusts may be requested to report the issue to the strategic health authority (SHA). Where they are required to inform the SHA, employers must be aware of the Data Protection Act and their duty of confidentiality to their employees, and must provide the information in a form that does not allow identification of those involved.

It will never be possible to prevent every data breach, but with robust policies in place NHS organisations can protect themselves, and their data, from unnecessary risk.