Confidentiality audit procedure

1 Introduction

It is good practice that all organisations handling sensitive or personal confidential data put in place control mechanisms to manage and safeguard confidentiality, including mechanisms for highlighting problems such as incidents, complaints and alerts.

Documented procedures should be implemented to ensure these controls are monitored and audited.

Rotherham, Doncaster and South Humber NHS Foundation Trust (RDaSH) is required to have processes to highlight actual or potential confidentiality breaches in its systems, particularly where sensitive or personal confidential data is held. The trust should also have procedures in place to evaluate the effectiveness of controls within these systems. All systems which process sensitive or personal confidential data should have audit trails that can report details of who has viewed and accessed specific records.

Failure to ensure that adequate controls to manage and safeguard confidentiality are implemented and fulfil their intended purpose may result in a breach of confidentiality, thereby contravening the requirements of the Data Protection Legislation, the Human Rights Act 1998 and the Common Law Duty of Confidentiality.

2 Purpose

2.1 Definitions

This document defines the procedure for carrying out audits and monitoring relating to access to person identifiable data (PID) and personal confidential data (PCD) for Rotherham, Doncaster and South Humber NHS Foundation Trust.

The purpose of this procedure is to ensure that colleagues only access data for which there is a legitimate working relationship or a legitimate business need, and to meet the requirements of the NHS care record guarantee, the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA18), the data security and protection toolkit (DSPT) and any other associated legislation or professional codes of conduct.

This document sets out the appropriate procedure to monitor access to personal confidential data. This includes:

  • how access to confidential information will be monitored
  • who will carry out the monitoring or auditing of access
  • reporting and escalation processes
  • disciplinary processes

The procedure also ensures that overall responsibility for monitoring and auditing access has been assigned to appropriate senior employees, for example, senior information risk officer (SIRO) and Caldicott guardian, head of information governance (IG) or information asset owner (IAO).

Audits will focus primarily on controls within electronic records management systems but should not exclude paper record systems. The purpose is to discover instances of inappropriate access and whether confidentiality has been breached or put at risk, either through deliberate misuse of access or because of weak, non-existent or poorly applied controls.

This document defines the procedure for carrying out audits relating to access to person confidential data within the trust to ensure that colleagues only access the records of individuals with whom they have a legitimate relationship where there is a legitimate business need, in line with the requirements of the NHS care record guarantee, DSPT and compliance with data protection legislation.

With advances in the electronic management of information within the NHS, the requirement to monitor access to personal confidential information has become increasingly important. Furthermore, with the increased movement of information via electronic communications, there exists an increasing threat of information being accessed by individuals who do not have a legitimate right of access to it.

3 Scope

The procedure applies to all colleagues who work for or on behalf of Rotherham, Doncaster and South Humber NHS Foundation Trust (including temporary staff, those on secondment, and students) and who have access to Rotherham, Doncaster and South Humber NHS Foundation Trust’s patient information systems. It also applies to relevant people who support and use these systems.

4 Responsibilities, accountabilities and duties

4.1 Senior information risk owner

The Senior Information Risk Owner will be updated with findings of the audits and will receive copies of all reports.

4.2 DPO or head of information governance

The DPO or head of information governance will be responsible for ensuring that access to PID and PCD is audited and monitored within the trust, and for ensuring that reports produced from the clinical systems and other local systems are reviewed and followed up.

4.3 Caldicott guardian

The Caldicott guardian will be responsible for monitoring incidents and complaints relating to confidentiality breaches within the trust and will work closely with the DPO or head of information governance.

4.4 Information governance group

The information governance group will be responsible for ensuring that audit and monitoring procedures are implemented throughout the trust in line with the requirements.

4.5 Information asset owners

Information asset owners will be responsible for ensuring that employees for whom they are responsible are aware of their responsibilities regarding confidentiality of information, ensuring that employees receive appropriate mandatory data security and awareness (IG) training. They will be responsible for ensuring that their employees are fully aware of the mechanisms for reporting actual or potential confidentiality breaches within the trust. They will be responsible for complying with auditing and monitoring and ensuring that subsequent recommendations are complied with within the specified timescales.

4.6 Registration authority manager

In accordance with the registration authorities’ operational and process guidance, the RA manager is responsible for running RA governance in the organisation. They will implement periodic audit activities across each care group. The RA manager will deliver training to RA agents and sponsors on the care identity service and ensure they are competent to carry out their roles and adhere to trust policy and processes.

4.6.1 Registration authority sponsors

As part of the registration authority process, the RA sponsor will ensure that colleagues who need access to TPP SystmOne and/or summary care records are given the appropriate roles and responsibilities. Colleagues are issued with a smart card by trained RA agents in the care group in a controlled manner.

4.7 Clinical Systems team

The Clinical Systems team will ensure that access to SystmOne appropriate to the staff member’s role, including the username and password that access depends on, is granted. Access is disabled for end users who have not accessed the system in 30 days.

4.8 All employees

All staff will be responsible for ensuring that PID or PCD is not accessed either personally or by other individuals without prior authorisation and completion of the appropriate monitoring documentation.

All staff will be responsible for complying with audits and monitoring conducted within their area and complying with recommendations which are made as a result of such audits.

5 Procedure or implementation

5.1 The audit process

The DPO or head of information governance will request that a report is run of a random sample of 20 patients at least twice yearly. This report will be run by the Clinical Systems team. This will cover a period of the previous month from the date of the request. Each report will be shared with each information asset owner of the employee identified within the audit to investigate whether the access is legitimate and appropriate. The findings of these internal investigations will be fed back to the DPO or head of information governance for inclusion in the report.

If concerns are found following the internal investigation, the DPO or head of information governance will report this to the human resources department to be dealt with in accordance with the trust’s disciplinary procedures. The senior information risk owner and the Caldicott guardian will be informed immediately.

This audit process will be carried out at least twice yearly.

The information to be contained within the audit will consist of the following information:

  • unauthorised viewing or access to confidential or patient or employee records
  • failed attempts to access confidential information
  • repeated attempts to access confidential information
  • successful access of confidential information by unauthorised persons
  • if appropriate access is identified, then a further audit will be run to identify if changes were made within the record
  • evidence of shared login sessions or passwords
  • inappropriate communications with patients
  • inappropriate recording and/or use of sensitive or patient information
  • inappropriate allocation of access rights to systems or other data
  • inappropriate employee access to secure or restricted physical areas

Reports of the findings from each audit will be presented to the information governance group.
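The report described in 5.1, as a worked example added here rather than code from the trust or from SystmOne: it takes a system audit trail, draws the random sample of patients, restricts the events to the month before the request date and summarises access per user with the items from the list above that can be derived mechanically (failed and repeated attempts, records changed, a possible shared login). Whether a successful view was legitimate depends on the working relationship, so the report lists views for the IAO to judge rather than deciding itself. The pipe-delimited trail format, the sample records, the three-denial threshold for "repeated" and the one-account-several-addresses heuristic for a shared login are all assumptions made for this example; the procedure does not specify them.

```python
import random
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_SIZE = 20              # random sample of 20 patients (section 5.1)
AUDIT_WINDOW_DAYS = 30        # "the previous month from the date of the request"
REPEAT_FAILURE_THRESHOLD = 3  # assumption: this many denials counts as "repeated"

# Constructed audit-trail lines (ts|user|patient|action|outcome|session|source_ip).
# The real clinical system's export format is not described in the procedure.
TRAIL = """\
2024-05-02T09:14:00|u.smith|P001|VIEW|OK|s1|10.0.0.5
2024-05-02T09:20:00|u.smith|P002|VIEW|OK|s1|10.0.0.5
2024-05-03T14:05:00|u.jones|P003|VIEW|DENIED|s2|10.0.0.9
2024-05-03T14:06:00|u.jones|P003|VIEW|DENIED|s2|10.0.0.9
2024-05-03T14:07:00|u.jones|P003|VIEW|DENIED|s2|10.0.0.9
2024-05-10T11:00:00|u.patel|P004|UPDATE|OK|s3|10.0.0.7
2024-05-10T11:30:00|u.patel|P005|VIEW|OK|s4|10.0.0.21
2024-03-15T08:00:00|u.smith|P001|VIEW|OK|s0|10.0.0.5
""".strip().splitlines()


def parse_trail(lines):
    """Turn the pipe-delimited lines into event dicts with a real timestamp."""
    events = []
    for line in lines:
        ts, user, patient, action, outcome, session, ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action,
                       "outcome": outcome, "session": session, "ip": ip})
    return events


def select_sample(patient_ids, size=SAMPLE_SIZE, seed=None):
    """Random sample of patient IDs; the seed exists only for reproducible tests."""
    ids = sorted(set(patient_ids))
    return set(random.Random(seed).sample(ids, min(size, len(ids))))


def in_window(events, request_date, days=AUDIT_WINDOW_DAYS):
    """Keep only events from the audit window that ends at the request date."""
    start = request_date - timedelta(days=days)
    return [e for e in events if start <= e["ts"] <= request_date]


def build_report(events, sample, request_date):
    """Per-user summary of access to the sampled patients with the 5.1 flags."""
    scoped = [e for e in in_window(events, request_date) if e["patient"] in sample]
    users = defaultdict(lambda: {"patients_viewed": set(), "records_changed": set(),
                                 "failed_attempts": 0, "ips_by_day": defaultdict(set)})
    for e in scoped:
        u = users[e["user"]]
        u["ips_by_day"][e["ts"].date()].add(e["ip"])
        if e["outcome"] == "DENIED":
            u["failed_attempts"] += 1               # failed attempt to access
            continue
        u["patients_viewed"].add(e["patient"])      # for the IAO to confirm legitimacy
        if e["action"] in ("UPDATE", "DELETE"):
            u["records_changed"].add(e["patient"])  # the "were changes made?" follow-up
    report = {}
    for name, u in users.items():
        # Assumption: one account used from several source addresses on the same
        # day is reported as a possible shared login session.
        shared = any(len(ips) > 1 for ips in u["ips_by_day"].values())
        report[name] = {
            "patients_viewed": sorted(u["patients_viewed"]),
            "records_changed": sorted(u["records_changed"]),
            "failed_attempts": u["failed_attempts"],
            "repeated_failures": u["failed_attempts"] >= REPEAT_FAILURE_THRESHOLD,
            "shared_login_suspected": shared,
        }
    return report


def flagged_users(report):
    """Users whose entry carries an automatic flag and so needs priority follow-up."""
    return sorted(n for n, r in report.items()
                  if r["repeated_failures"] or r["shared_login_suspected"])


def run_audit(lines=TRAIL, request_date=datetime(2024, 6, 1), seed=None):
    """Run the whole 5.1 report over a trail for a given request date."""
    events = parse_trail(lines)
    sample = select_sample((e["patient"] for e in events), seed=seed)
    return build_report(events, sample, request_date)


if __name__ == "__main__":
    result = run_audit()
    for user, entry in result.items():
        print(user, entry)
    print("flagged:", flagged_users(result))
```

Every user who appears in the report, flagged or not, is still passed to their information asset owner as the procedure requires; the flags only order the follow-up. The constructed trail has fewer than 20 patients, so the sample covers all of them; on a real export the sample would be drawn from the full patient list.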

5.2 Monitoring process

In order to provide assurance that access to PID or PCD is gained only by individuals who have a legitimate right of access, appropriate monitoring must be undertaken either when a concern about inappropriate access is identified or through periodic audits and monitoring.

The information asset owner will be responsible for assisting with the audits in order that irregularities regarding access to confidential information can be identified, reported to the information governance and data protection department and action taken to address the situation. This will be either through disciplinary action, the implementation of additional controls or other remedial action as necessary.

Actual or potential breaches of confidentiality should be reported to the information governance and data protection department immediately and an incident report submitted in order that action can be taken to prevent further breaches taking place. This also gives the DPO or head of information governance the opportunity to assess if the incident falls within the serious incident category. The DPO or head of information governance will be responsible for ensuring that the information governance group is informed of any concerns highlighted as a result of monitoring access to confidential information. Should unauthorised access to confidential information be highlighted by any individual, this will be dealt with in accordance with the trust’s disciplinary procedures.

5.3 Requests for audits or monitoring or access to personal data

  1. Request for audit, monitoring or access to personal data is sent through the form on the IT self-service portal (located on the user’s desktop).
  2. Is there a current HR investigation? (Yes: go to step 3. No: go to step 4.)
  3. Has an appropriate legal basis been confirmed with the DPO? (Yes: go to step 5. No: go to step 4.)
  4. Confirm with the DPO.
  5. The DPO provides confirmation of approval to the requestor to proceed, if appropriate.

Once the form is complete the trust’s data protection officer will authorise or request further information in order for the audit to go ahead.

Requests for clinical record audits can be made direct to the information governance and data protection department via email: rdash.ig@nhs.net.

5.4 Investigating events and alerts

The information governance and data protection department, where required, will be responsible for liaising with HR colleagues to co-ordinate investigations into confidentiality breaches or breaches of policy, for example, social media, release of data into public domain, inappropriate access to clinical records etc.

Investigation and management of events and alerts will be in line with the trust’s disciplinary policy and IG incident management process.

5.5 Providing audit information to patients or service users

Both the national information board in ‘Personalised Health and Care 2020’ and Dame Fiona Caldicott in the ‘Report of the Caldicott 2 Review’ have reaffirmed the commitment made in the NHS care record guarantee to ensure that a record of who has accessed a service user’s health records can be made available in a suitable form to service users on request. All requests of this nature need to be directed to the information governance and data protection department.

5.6 Management of IG incidents

The IG department monitors IG-related incidents logged in the IR1 Ulysses reporting system and will follow up all IG incidents to achieve a satisfactory outcome in liaison with investigating managers.

Incidents are managed using the trust’s data security and protection breaches, IG incident reporting policy. All IG incidents are reported to the IG Group, which will escalate any unsatisfactory outcomes to the board of directors and communicate pertinent IG issues or messages to colleagues using, for example, the trust’s daily bulletin.

Trends in incidents will be monitored by the information governance group in order to learn lessons and provide continual service improvement.

6 Training implications

6.1 Data security awareness training, all colleagues or individuals given access to the trust’s electronic clinical system, whether trust or third party

  • How often should this be undertaken: Annual mandatory.
  • Length of training: 1 and a half hours.
  • Delivery method: E-learning or face to face.
  • Training delivered by whom: Information governance and data protection department.
  • Where are the records of attendance held: ESR.

6.2 Clinical system training

  • How often should this be undertaken: On commencement with the organisation, when system access is identified and if update training is required.
  • Length of training: Varies on the level and system specific training required.
  • Delivery method: Face to face.
  • Training delivered by whom: IT Training team.
  • Where are the records of attendance held: ESR.

7 Monitoring arrangements

7.1 Audit findings

  • How: Via report.
  • Who by: Head of information governance.
  • Reported to: Information governance group.
  • Frequency: Half yearly.

7.2 Incidents

  • How: Review incidents for trends or patterns and impacts on controls in place.
  • Who by: Head of information governance.
  • Reported to: Information governance group.
  • Frequency: Monthly.

8 Equality impact assessment screening

To access the equality impact assessment for this policy, please email rdash.equalityanddiversity@nhs.net to request the document.

8.1 Privacy, dignity and respect

The NHS Constitution states that all patients should feel that their privacy and dignity are respected while they are in hospital. High Quality Care for All (2008), Lord Darzi’s review of the NHS, identifies the need to organise care around the individual, ‘not just clinically but in terms of dignity and respect’.

As a consequence, the trust is required to articulate its intent to deliver care with privacy and dignity that treats all service users with respect. Therefore, all procedural documents will be considered, if relevant, to reflect the requirement to treat everyone with privacy, dignity and respect (when appropriate this should also include how same sex accommodation is provided).

8.1.1 How this will be met

This procedure will ensure that access to patient records is controlled ensuring privacy to patient information at all times.

8.2 Mental Capacity Act

Central to any aspect of care delivered to adults and young people aged 16 years or over will be the consideration of the individuals’ capacity to participate in the decision-making process. Consequently, no intervention should be carried out without either the individual’s informed consent, or the powers included in a legal framework, or by order of the court.

Therefore, the trust is required to make sure that all colleagues working with individuals who use our service are familiar with the provisions within the Mental Capacity Act (2005). For this reason, all procedural documents will be considered, if relevant, to reflect the provisions of the Mental Capacity Act (2005), to ensure that the rights of the individual are protected, that they are supported to make their own decisions where possible, and that any decisions made on their behalf when they lack capacity are made in their best interests and are least restrictive of their rights and freedoms.

8.2.1 How this will be met

All individuals involved in the implementation of this policy should do so in accordance with the principles of the Mental Capacity Act (2005).

11 Appendices

11.1 Appendix A Confidentiality audit request form


Document control

  • Version: 4.
  • Unique reference number: 267.
  • Date ratified: 11 June 2024.
  • Ratified by: Digital transformation CLE group.
  • Name of originator or author: DPO or head of information governance.
  • Name of responsible individual: Director of health informatics.
  • Date issued: 10 July 2024.
  • Review date: 31 July 2027.
  • Target audience: All staff.
  • Description of change: Minor changes.

Page last reviewed: October 01, 2024
Next review due: October 01, 2025
