Tips for hospital doctors and managers, from defence body MDU, on using modern communication technology responsibly in the NHS:
1. Ensure you are familiar with up-to-date and relevant guidance, such as that provided by the GMC, the Information Commissioner and the NHS, as well as your legal requirements.
2. Do not store professional data on your personal computer (it could lead to breaches of confidentiality and could contravene local NHS policies and procedures), and do not store patient-identifiable data on personal mobile devices or unencrypted memory sticks.
3. Nominate a person to be responsible for procedures for handling confidential data.
4. Prevent unauthorised access to confidential information, for example by using password protection, restricting access to clinical records on your intranet and providing members of staff, including locums, with unique passwords.
5. Make sure patients have “opted-in” to receiving information electronically.
6. Ensure you have a written contract, outlining confidentiality requirements, with the company that repairs and maintains your IT systems.
7. Take professional advice before connecting your computer to a network and keep a record of the advice.
8. Ensure that hard disks are properly erased, removed or destroyed before disposing of any of the hospital’s computers.
9. Before agreeing to exchange emails with patients, inform them that no email exchange can ever be 100% secure and ensure the patient is happy to proceed on that basis. Seek assurance from the patient that the email address supplied by them is secure and cannot be accessed by unauthorised third parties, such as work colleagues or family members.
10. Where clinical matters are discussed, use NHS mail services that include encryption where possible.
11. Be aware of the GMC’s advice that you must take reasonable steps to ensure information is transmitted securely. In particular, ensure that you follow Department of Health guidance on the use of encryption when transmitting information about patients electronically or using memory sticks or discs.
12. Doctors should ensure patients are “aware that personal information about them will be shared within the healthcare team, unless they object, and the reason for this” (GMC, Confidentiality: Protecting and Providing Information (2009), paragraph 10).
13. A patient’s “express consent is usually needed before disclosure of identifiable information for purposes such as research, epidemiology, financial audit or administration” (GMC, Confidentiality: Protecting and Providing Information, paragraph 16).
14. If using the internet to research symptoms, make sure you are using trusted sites and that the information is not inaccurate or misleading.
