Understanding Confidentiality and Security

Objectives
To foster an awareness of the importance of
Confidentiality and Security
To understand the main threats and countermeasures
To raise awareness of the relevant legislation
in particular the Data Protection Act 1998
To be able to secure automated and manual
data
Content
Introduction
Some recent surveys
What can go wrong?
Legal frameworks
Practical guidance
Case Study
Summary and Conclusion
Recent surveys on attitudes to
Confidentiality and Security
Patient/Client Attitudes to
Confidentiality
Survey by NHS and Consumer Association in
2002 findings:
 General willingness to share information, with doctors
being the most trusted;
 25% wished to exclude sensitive information from
routine sharing;
 Over 33% wanted to be consulted every time their
details were shared;
 Under 50% felt reassured that confidentiality would
be protected by NHS policies;
 Nearly 25% did not know what the NHS did with patient
information.
 Non-English speakers were happiest to share total
record.
Who cares about data
protection?
Information Commissioner survey 2003
identified 5 groups:
The concerned (40%): very worried
The proactive (13%): not worried
The self-reliant (10%): unconcerned
The social observers (17%): extremely worried
The naïve (19%): unconcerned
BMA Survey: June 2005
75% of patients would not mind their health
information being held on a central database
75% had concerns about the security of
information
81% were worried about accessibility by
people other than the healthcare professionals
providing their care
93% said the public should be fully consulted
about the proposals before they are finalised
Information Commissioner
survey November 2005
4 out of 5 were concerned about their health and
safety if their data fell into the wrong hands
 52% concerned personal details may be passed to
others.
 80% expressed concerns about the use, transfer
and security of personal information.
 50% thought that bodies collecting personal
information handled the data fairly or properly.
 IC stated that “No doubt they are increasingly aware
of the dangers of identity theft and the serious
consequences if their health, financial and other
personal records fall into the wrong hands or are
otherwise misused.”
News items on Confidentiality
and Security
What do we mean by Data
Protection?
Covers:
 Confidentiality
 Integrity
 Availability
Covers the use and management of data
through organised systems of all forms,
whether based on human endeavours, paper
methods or information technology.
What do we hold?
Information about you
Information about patients/clients
Information about the Trust
Reflective Exercise 1
What do we use personal information
for?
What do we use personal
information for?
Personal care and treatment
Assuring and improving the quality of care and
treatment (e.g., through clinical audit);
Monitoring and protecting public health;
Coordinating HPSS care with that of other
agencies (e.g., voluntary and independent
services);
Effective health and social care administration
Teaching/research
Statistical analysis
What can go wrong?
Incorrect input
Theft
Wilful damage
Unauthorised access
 External
 Internal
Software viruses
Cyber crime
Security Breaches: examples
A set of patients' medical records left in a skip by retiring
doctor (real example!)
A security guard reading personal data left on an
employee’s desk overnight.
A copy of a child at risk register found on a second hand
computer (real example)
An employee using the PC of another employee (who
logged in and left the PC unattended) to process data
without authorisation
A patient at a GP surgery viewing the personal data of a
previous patient on a PC screen.
Security Breaches: examples
(2)
A patient in a waiting room at a doctor’s surgery
overhearing information about another patient’s
ailments.
An employee using data to which they have
authorised access for unauthorised purposes, e.g. a
police officer using the Police National Computer to
check out his daughter's boyfriend. (real example)
A passenger on a train was sitting next to someone
who was reading a solicitor’s brief about a person who
had been charged with murder – he happened to be a
relative of the passenger.
The Impact of the Threats
Personal privacy
Personal health and safety
Financial
Commercial confidentiality
Legal damages and penalties
Disruption
Political embarrassment
Ethical Considerations
Promote patient/client well-being
Avoid detrimental acts/omissions
Open and co-operative manner
Recognise patient/client dignity
No abuse of position
Protect confidential information
Legal Frameworks
The Computer Misuse Act 1990
Introduced three offences:
Unauthorised access to computer material (section 1)
Unauthorised access with intent to commit or facilitate a
further offence (section 2)
Unauthorised modification of computer material (section 3)
Case Study: Computer Misuse Act
A man was convicted in London (6/10/05) of hacking into a charity
website, set up after the Indian Ocean tsunami disaster, in breach of the
Computer Misuse Act. The computer consultant was given a £400 fine and
ordered to pay £600 in costs. He fell foul of section one of the Computer
Misuse Act, the UK's main cybercrime legislation, on New Year's Eve of the
previous year.
He clicked on a banner ad to donate £30 to the Disasters Emergency
Committee (DEC) appeal. When he received no confirmation or thank-you
for his donation, he feared that he had fallen for a phishing site and
decided to test the site to make sure. In doing so he set off the DEC's
protection systems, and the police were called in.
The judge found the accused guilty with "some considerable regret", but
the wording of the Act made it clear that the consultant was guilty:
"Unauthorised access, however praiseworthy the motives, is an offence,"
said the judge. The lesson for staff is that probing a system you do not
own or have written permission to test is unauthorised access, whatever
the intention.
Data Protection Act 1998:
Main Provisions
Covers all HPSS records, including
electronic records
Defines 'processing' broadly: obtaining, recording,
holding, using and disclosing data
Gives data subjects a right of access to their records
Imposes considerable penalties
Data Protection '98
The Principles
1. Personal data shall be processed fairly and
lawfully
2. Personal data shall be obtained only for one
or more specified and lawful purposes
3. Personal data shall be adequate, relevant
and not excessive in relation to the purposes
for which it is processed
Data Protection '98
The Principles continued...
4. Personal data shall be accurate and, where
necessary, kept up to date
5. Personal data processed for any purpose or
purposes shall not be kept for longer than is
necessary for those purposes
6. Personal data shall be processed in
accordance with the rights of the data subject
under the Act
Data Protection '98
The Principles continued...
7. Appropriate technical and organisational measures
shall be taken against unauthorised or unlawful
processing of personal data and against
accidental loss, destruction of or damage to personal data
8. Personal data shall not be transferred to a
country outside the European Economic
Area unless that country ensures an adequate
level of protection for the data.
Case Study 1: Data Protection
An employee of the Child Support Agency,
having read what he believed to be an
inaccurate press article derogatory of the CSA
and concerning a CSA client known to him,
decided to set the record straight by faxing the
true story to the newspaper concerned. Whilst
the fax was sent anonymously, an
investigation identified him as the author. He
was dismissed from his employment and
convicted of unlawful disclosure of personal
data.
Case Study 2: Data Protection
The complainant who was employed by a
hospital was summoned to the office of his
Personnel Manager to discuss his sickness
record. The Personnel Manager had accessed
the hospital’s clinical computer information
system in order to challenge certain aspects of
the employee’s account of events. As a result
of this complaint the hospital revised its
security arrangements and the Personnel
Manager incurred disciplinary action as a
result of the inappropriate use of confidential
clinical information for non-medical purposes.
Case Study 3: Data Protection
The complainant visited his local hospital for a
course of physiotherapy. Some months after
the therapy was complete the complainant
received a letter from the physiotherapist who
had since set up her own business. The
physiotherapist had used the complainant's
information, originally given in confidence to the
hospital for the earlier treatment, for her own
purposes.
Personal Data
Data which relates to a living individual
who can be identified from those data
and is:
 processed, or intended to be processed,
by equipment operating automatically, or
 recorded as part of a relevant filing system, or
part of an accessible record.
Scope of Data Protection
Legislation
Automated Data
Relevant filing systems (Manual data)
Accessible Records
Automated Data
On computer
Document image processing
Audio/Video
Digitized images
CCTV images
Relevant Filing System
Non-automated systems structured by
reference to individuals
 Standard manual files
 Impact of Durant case
Organised to allow ready access to
specific information about individuals
Accessible Records
Covers all Health and Social Care
records
Structured to allow access to individuals
Storage
Diaries
Computers
Message books
Appointments register
Disks
Address books
Complaints register
Legitimacy of Processing
(1998)
Principle 1: "Personal data shall be
processed fairly and lawfully and, in
particular, shall not be processed unless:
 (a) at least one of the conditions in Schedule
2 is met, and
 (b) in the case of sensitive personal data, at
least one of the conditions in Schedule 3 is
met"
Schedule 2 conditions
(1998)
1. Data subject has given consent
2. Performance of a contract
3. Compliance with a legal obligation
4. Protection of the subject's vital interests
5. Crown/public functions
6. Legitimate interests of the controller or a third
party
Sensitive Data
Racial or ethnic origin
political opinion
religious beliefs (or similar beliefs)
membership of trade union
physical or mental health or condition
sexual life
any offence or alleged offence
any proceedings or sentence
Sensitive Data - Schedule 3
1. Data subject has given explicit consent
2. Performance of a legal duty in relation to employment
3. Protection of the subject's or a third party's vital interests
4. Legitimate activities of some non-profit
organisations
5. The information has been made public deliberately
by the data subject
6. In connection with legal proceedings
7. Administration of justice, statutory obligations or
crown/public functions
8. Medical purposes
9. For equal opportunities monitoring
10. By order of the Secretary of State
Subject Access Requests
Right of access to personal data in computer
or manual form
Entitled to:
 Be informed whether personal data is processed
 A description of the data held, the purposes for
which it is processed and to whom the data may
be disclosed;
 A copy of the data; and
 Information as to the source of the data
There are limited exemptions
Subject Access Requests
cont'd
Responding:
 The request should be in writing to the Data
Protection Coordinator;
 Data should never be read over the phone,
faxed or emailed to the data subject;
 The response must be given within 40 days.
Practical Guidance
Securing automated data
Key areas:
Faxing
 Avoid the use of fax for sending personal
data; if there is no alternative, use the agreed
secure procedure (confirm the recipient's number
and that someone is waiting to collect the fax);
Passwords
 Good password management (strong, unshared
passwords that are never written down or left in
view) will help protect personal data and staff
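The password bullet above covers the user's side; on the system side, how passwords are stored decides how much a stolen copy of a user database is worth. The following is an added example for this page, not code from the original slides or from any HPSS system. It shows, in Python, a minimal policy check (length and a blocklist of common passwords) beside salted, iterated PBKDF2 hashing with constant-time verification. The 12-character minimum, the 200,000-iteration work factor and the five-entry blocklist are assumptions standing in for a local policy and a real breached-password list.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumptions standing in for local policy (not from the original page).
ITERATIONS = 200_000   # PBKDF2 work factor; raise as hardware gets faster
MIN_LENGTH = 12        # minimum password length

# Constructed stand-in for a breached/common-password blocklist.
COMMON_PASSWORDS = {"password", "password1", "letmein", "welcome1", "qwerty123"}

# Stored record format: "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"
# Storing the parameters with the hash lets the work factor be raised later
# without invalidating existing records.


def check_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 record for storage.

    A fresh 16-byte random salt per password means two users with the same
    password get different records, and precomputed tables are useless.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest from the stored parameters and compare in constant time.

    Malformed records are treated as a failed login rather than raising,
    so a corrupted database row cannot crash the login path.
    """
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking, via timing, how many bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    for candidate in ("Password1", "correct horse battery staple"):
        print(candidate, "->", check_policy(candidate) or "acceptable")
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("correct password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password verifies:", verify_password("correct horse battery stapl", record))
```

Only the record string is ever written to the database; the plaintext is discarded once hashed, so a copied database yields nothing directly usable, and an attacker must pay the full iteration cost for every guess against every user.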
Securing automated data
(2)
Email
 Personal data should not be transmitted by email
Email containing personal data is itself disclosable to the
data subject under a subject access request
Email can be insecure
A survey of 800 UK companies revealed that 22% of directors had
reprimanded staff for gossiping by email, and 85% considered
that email was spreading scandalous material around the office.
Portables/laptops
 Do not leave unattended; when leaving, ensure that
the machine is locked away; be aware of others being able to
see your screen, and lock the screen whenever you step away;
 PDAs and memory sticks must not contain personal
information
Securing manual data
Do not allow sensitive conversations to
be overheard
Guard against people seeking
information by deception
Message books
 Accessible to staff only; sensitive data
should not be recorded in message books
Lock filing cabinets
Securing manual data (2)
Diaries
 Patient/client data, which is held in diaries
should be given the same security as any
other record
Telephone conversations
 Staff should be careful about those within
earshot when discussing sensitive
information; check the authenticity of any
caller before divulging any information
Securing manual data (3)
Minutes of meetings
 Minutes which render the subject identifiable
should be marked confidential; stored in a secure
area; available only to the personnel concerned.
Staff supervision records/staff appraisal
Sick leave records
Such information is classified as sensitive data. Care
should be taken when transferring information from
medical certificates to the notification form, e.g. abbreviations
can lead to misinterpretation.
Case Study
Questions to consider:
Type of data held on clients/patients
Who holds it?
Who shares it?
Who else has access to the data?
What security surrounds it?
Is any data held on others in the case study?
Is the data accurate and up to date?
Summary of key points.
Duty to PROTECT information
Duty to OBTAIN information fairly
Duty to ensure information is SECURE
Duty to JUSTIFY use and storage of personal
data
DON’T PASS ON information unless you are
sure
Remember Subject Access
BE CAREFUL WHEN YOU’RE ASKED
FOR PERSONAL DETAILS
YOU NEVER KNOW WHERE THEY’LL
END UP
*************************************
EVERY TIME YOU’RE ASKED FOR PERSONAL INFORMATION
THINK BEFORE YOU GIVE IT AWAY
*************************************
Thank you for attending