Inshore Support Limited aims to ensure that the privacy and confidentiality of service users and staff are respected and that confidential personal data held about them is maintained securely and not shared without their consent. During employment staff will come into possession of information relating to service users or the personal details of employees, ex-employees or potential employees. You must regard this information as confidential, and not divulge it to anyone who does not have the right to such information. If you have any difficulty in deciding when and to whom confidential information may be disclosed your Manager will always be able to advise you.
The General Data Protection Regulation (GDPR) came into force 25th May 2018. This replaces the Data Protection Act 1998.
Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 make reference to the obligation of organizations handling personal information to have sound policies and procedures covering confidentiality and related issues.
The following applies under the CQC Fundamental standards regulation
With respect to confidentiality, Regulation 17: Good governance, applies. It states that providers must maintain securely data and records about service users.
- be complete, legible, indelible, accurate and up-to-date, with no undue delays in adding and filing information, as far as is reasonable.
- include an accurate record of all decisions taken in relation to care and treatment, including consent records and advance decisions to refuse treatment.
- be accessible to authorised people as necessary in order to deliver people’s care and treatment in a way that meets their needs and keeps them safe.
- be created, amended, stored and destroyed in line with current legislation and nationally recognised guidance.
- be kept secure at all times and only accessed, amended, or securely destroyed by authorised people.
Subject to statutory consent and applicable confidentiality requirements, providers must share relevant information, such as information about incidents or risks, with other relevant individuals or bodies
Information must, for example, be obtained fairly and lawfully, be held for specified purposes, be adequate, relevant and not excessive for the purpose for which it was gathered, be accurate and up to date, and not be held for longer than is necessary.
The company are required to satisfy service users and their relatives or representatives that their personal information is handled appropriately and that their personal confidences are respected. It also makes detailed stipulations regarding sharing information between staff and with other agencies, references to confidential information in supervision, breaches of confidentiality, and the storage and administrative handling of confidential material
To provide safe and effective high quality service to service users, the company therefore requires the need to know particular information about a service user. We cannot provide good care without access to that information. Much of this information is highly personal and sensitive. We recognise that service users have a right to privacy and dignity, and that this extends to our handling information about them in ways which cause as little as possible intrusion on those rights. We want service users to feel at ease with the staff that help to care and support them. An important element in that relationship is the capacity of a service user to be able to share information with staff, confident that it will be used with appropriate respect and only in relation to the care and support provided. As providing care and support is a complex process, it is not possible to guarantee to a service user that information they give about themselves will be handled only by the staff to whom it was first passed but we can ensure that information is seen only by staff on the basis of their need to know. We sometimes have to share information with colleagues in other agencies but we only do so, on the basis of their need to know in accordance to statutory regulations on disclosure and is in the best interest of the individual.
Inshore Support Limited believes that confidentiality and privacy is an absolute right of every service user and that breaches of confidentiality may lead to distress and harm.
In this organisation:
- Sensitive information is only shared for purpose of a service users well being by ensuring personal care, treatment and protecting from abuse and neglect.
- Information collected is recorded, stored, shared and disposed of in the best interests of the person.
- Service users (where able) and staff are aware of company policy on confidentiality.
The privacy of service users will be respected at all times by all staff and all information received about or from service users will be regarded as confidential.
- Staff will always seek to ask permission before any information about service users is shared or given to anyone else.
- Staff will not provide information to relatives, friends or advocates without the consent of the individual service user concerned. (if capacity to do so)
- All enquiries for information, even if they are from close relatives, should be referred back to the service user or the service user’s permission sought before disclosure. (if capacity to do so) if no capacity advice to be sought from the manager.
- If being asked for information over the telephone staff will obtain the caller’s details and ring them back before handing over any service user information – staff will always check the identity of callers.
- Staff should only disclose information a) with the permission of the individual in compliance with any statutory or legal obligations for the legitimate interests of a third party who has a legal right to such information e.g. where the courts have ordered such a disclosure.
- Staff will be expected to comply fully with the requirements of the The General Data Protection Regulation only relevant personal information about service users will be kept, and this will only be kept for as long as is necessary to ensure the highest standard of care for service users.
- All files or written information of a confidential nature will be stored in a secure manner – paper files will be kept in a locked filing cabinet and electronic information will be stored on password protected secure networks.
- Confidential information will only be accessed by staff that have a need and a right to access it – staff should never share passwords.
- Wherever practical or reasonable staff should fill in all care records and service users’ notes in the presence of and with the co-operation of the service user concerned.
- Staff will ensure that all care records and service users’ notes are signed and dated.
- Staff should never:
- discuss service users’ personal business in public areas where conversations might be overheard.
- discuss service users’ personal business on the phone where their call might be overheard.
- gossip about a service user or pass on information for other than professional reasons.
- have their mobile on them whilst they are on duty, they will be expected to put these away for safe keeping in the safe until end of their shift.
- discuss service users, employees on any networking site as this may breach confidentiality and bring into disrepute.
- discuss service users on training courses with other staff from other areas.
- discuss service users with other staff, volunteers or healthcare professionals who are not directly involved in the care of the service user.
- send unsecured emails, faxes or documents containing personal information pertaining to service users – any personal information must be sent via secure email, mail or fax and should be marked ‘confidential’
- save confidential information on an unsecured or unencrypted laptop or data storage device.
- save confidential information into unsecured parts of the IT network.
- dispose of documents containing personal information in standard waste streams – any confidential documents that are to be disposed of must be shredded.
- give confidential information relating to any individual, be it a service user or a staff member, to anyone over the telephone except in the case of an emergency, e.g. emergency services, to relatives and/or appropriate with the service user consent (if applicable) or to a professional involved with and is known to the service user e.g. GP, Social worker or Consultant.
- Where there is doubt regarding the right of an individual requesting the information, no information should be given and advice sought from the manager of the service.
- In exceptional circumstances a member of staff may be required to breach confidentiality in order to safeguard a service user, or another person, or protect their best interests – all such cases should be immediately reported to the manager and will be thoroughly investigated.
- Breaches of confidentiality will be regarded as serious matters – disregard of this policy may be regarded as a disciplinary offence and investigated according to the organisation’s disciplinary policy.
- New service users and prospective service users will be shown a copy of this policy at their initial assessment and staff will do everything they can to ensure that they understand the contents of the policy. (if capacity to do so)
Safeguarding and confidentiality
- Where a safeguarding issue has risen and in order to fully understand what has gone wrong, the Safeguarding team/board may ask for information to be shared. Decisions about who needs to know and what needs to be known should be taken on a case by case basis, within locally agreed policies and constraints of the legal framework: but information will only be shared on a ‘need to know’ basis when it is in the best interest of the individual. Informed consent should be obtained, if this is not possible and others are at risk of abuse or neglect, it may be possible to override this.
Managers/assistant/deputy managers and Team Leaders have a duty to:
- ensure that appropriate confidentiality policies, procedures and protocols are in place, are effectively implemented, are clearly understood by all members of staff, bank and agency staff, and are regularly reviewed and revised in light of the most recent best practice guidelines and reported incidents.
- ensure that staff are aware of procedures about what to do when staff think there is a confidentiality breach, what to do during and after an incident, and what follow-up there should be.
- monitor complaints and compliments relating to confidentiality, consent and data protection issues, taking action as required and fully investigating any complaints.
- ensure that service users, and their relatives and representatives, have adequate processes in place to be able to register queries or complaints about confidentiality or consent issues and to have their thoughts listened to and acted upon.
- report any breach related to personal data of service users or employees that pose a risk to the rights and freedoms of individuals, it will be reported to the information commissioner within 72 hours of discovery. The company will record all data breaches regardless of their effect.
- monitor carefully any incident reports, including those regarding near misses, relating to data protection and confidentiality issues in order to identify and address any trends or patterns and to identify if risks are being effectively controlled, that is, if reported incidents are reducing in number.
- ensure that adequate and suitable training programmes are carried out which includes induction training on data protection and confidentiality for new staff.
- regularly audit the use of this policy and the effectiveness of procedures to maintain confidentiality.
- Ensure that the ‘access to information’ that is in front of service users care folders are in place and are up to date with the correct names of staff and professionals who have consent to access these files for the best interest of the service user. This must be reviewed and updated on a regular basis for any leavers and new employees.
- Ensure that any confidential information that is written e.g. care plans that a professional is requesting e.g. social worker must be signed by the person requesting and receiving the information on to the controlled form QO24 (this includes telephone calls) this is to be only given if it is in the best interest of the service user.
- Ensure that care files, including care plans and medication files are locked away when not in use, this includes any financial information and communication book.
- Rota’s are not to be displayed on walls or notice boards, these must be in a folder.
- Ensure that staff personal files are locked away and for the eyes of the manager only. If support worker supervisions are completed by seniors these are to be locked in a cabinet and the manager informed when next on duty so the manager can remove and put them in the personal file of that staff member.
- Ensure that the telephone book is kept up to date with the relevant names of current staff, including bank staff. Any record of staff names and telephone numbers who no longer work for the company are to be appropriately deleted/shredded. This book is not to be on public display.
- Ensure that visitors books are used and appropriately stored.
Staff have a duty to:
- always respect the privacy of service users and their rights to have their confidentiality protected.
- treat all personal information with respect and in the best interests of the service
user to whom it relates always act in full compliance with the The General Data
Protection Regulation and with associated guidelines and best practice.
- understand the importance of obtaining consent before they divulge any confidential information and acquaint themselves with the procedures for obtaining consent.
- comply fully with organisational policies on confidentiality and data protection.
- attend appropriate training.
- to share with their manager, when appropriate, information given to them in
- pass to managers any relevant factual information about a service user with whom the colleague is also involved.
- share with colleague’s relevant information about a service user with whom the colleague is also involved.
- summarize and pass information about a service user upon hand over.
- only pass information about a service user to another person with the agreement of the service user or the service user’s advocate, after discussion with the manager, or in an emergency when it is clearly in the interests of the service user or is necessary to prevent them or someone else from serious risk.
- to pass and receive confidential information to and from colleagues on occasions
when they have to be replaced because of sickness, holidays or other reasons, in a
responsible and respectful manner.
- Senior staff - Any confidential information that is written e.g. care plans that a professional is requesting e.g. social worker must be signed by the person requesting and receiving the information on to the controlled form QO24 (this includes telephone calls)
- If support worker supervisions are completed by seniors, these are to be locked in a cabinet and the manager informed when next on duty so the manager can remove and put them in the personal file of that staff member.
- Ensure that care files, including care plans and medication files are locked away when not in use, this includes any financial information and communication book.
- Ensure that visitors books are used and appropriately stored.
- Senior staff to ensure that the ‘access to information’ that is in front of service users care folders are in place and are up to date with the correct names of staff and professionals who have consent to access these files for the best interest of the service user. This must be reviewed and updated on a regular basis for any leavers and new employees.
If staff have any difficulty in deciding when and to whom confidential information may be disclosed the Manager will advise you. This includes information covered by the The General Data Protection Regulation. Failure to comply with confidentiality rules may lead to disciplinary action
Staff may be faced with a situation where they may need to breach confidentiality, the staff member should generally try to explain the situation to the service user and obtain
their consent to disclose information. Failing that, they should consult the service users’ representatives if this is appropriate and, if possible, staff should speak with their manager or at least a senior support worker.
After the event, the support worker should always inform their manager or a senior member of staff as soon as possible. It is then the responsibility of management to consider the particular circumstances, to decide whether there are lessons to be learned from the incident and to initiate any changes in information or instructions as a result.
Employees will not identify Service Users in any communication book regarding issues that would be deemed to breach confidentiality or is inappropriate to be viewed by non -management staff.
Employees of the company will not discuss or gossip with other employees or trainers about service users on training courses.
The company will appoint the appropriate personnel, who in the course of their duties and work will need to access personal data held about employees and service users.
Employee files: Deputy managers, Assistant managers, Team leaders, Home managers, Supported living area managers, Quality manager, Quality assistants, HR, Rota Manager and Directors. External agencies who have access are Care Quality Commission for inspection purpose.
Limited access to employee files: Administration assistant, Training administrator, Receptionist. Where access is limited the limitation will be appertaining to the persons role and the purpose for which access is needed or required. The Administration assistant and Training administrator will access the files under strict supervision by HR, Director(s) or Quality Department.
Service users Files: Support Workers, Senior support workers, Deputy/Assistant managers, Team leaders, Home managers, Supported living area managers, Quality Manager, Quality Assistants, HR, Rota Systems Manager and Directors. External agencies who have access to service users files are Care Quality Commission for inspection purpose, Social workers and other health and social professionals that are involved in the service users care and support. Police if there is a safeguarding around abuse to a service user.
Limited Access to service users files: will be restricted for Financial and Safeguarding information for Support workers, bank and agency staff.
Service users would need to be assessed under the Mental Capacity Act 2005 as to the individual’s ability to agree to allow parents/family members to read the individual’s personal files such as daily records written by staff on behalf of the individual, and if it was assessed that the person lacked capacity, then a 'best interest decision ' would be made by the interdisciplinary team.
Service users may view personal information that Inshore Support hold about them. If a service user believes their right to confidentiality is being breached, they will have access to the complaints procedure.
At times when individual service users are discussed in supervision/Appraisals and staff meetings, the following precautions regarding confidentiality should be observed.
- Anyone relaying information about a service user should do so with respect and only if there is no suitable alternative method of making a point or seeking advice
- Where possible the identity of the service user should be concealed by, for example, using the terminology ‘the service user’ and not referring to initials or names.
- The supervisor should intervene to stop information being revealed if it appears inappropriate.
- In particularly sensitive instances, a support worker may need to seek a supervisor to offer a one-to-one session as an alternative forum for the discussion
- all new staff will be required to read and understand the policy on The General Data Protection Regulation, record keeping and confidentiality as part of their induction process.
- existing staff will be offered ongoing update training on confidentiality, data protection.
- staff who record, store or use personal data will be trained in the use of manual and computerised records systems.
Similar precautions to those listed above should be observed. It should indeed be possible to exercise even greater discretion since the need to produce material relating to an individual service user is usually less pressing and the range of staff participating in the training may present a greater threat to a service users’ right to privacy. If trainers or others produce in advance of a session material based on a service user, details should always be substantially altered to disguise an individuals’ identity by way of initials or service user and initial e.g. service user J. Should any employee be heard in gross breach of a service user’s confidentiality or personal details whilst attending a training session and this is reported by either another employee or trainer, this may be addressed to both the employee and his/her line manager and the employee may be subject to disciplinary action.
The legal framework requires that any use of surveillance in care services must be lawful, fair and proportionate – and used for purposes that support the delivery of safe, effective, compassionate and high-quality care. Some Residential homes and Supported living sites within Inshore Support have visible CCTV that monitors the security and safety of the external premises and properties e.g. possible crime. Where there is CCTV, a sign will be displayed stating that these are in use. A Privacy Impact assessment will be completed and reviewed on a regular basis regards to CCTV surveillance.
Confidential information must occasionally be seen by staff other than the support workers providing direct care. It is therefore the responsibility of managers to ensure that information is stored and handled in ways that limit access to those who have a need to know, and to provide the following arrangements in particular:
- to provide lockable filing cabinets to hold service user’s records and ensure that records are kept secure at all times and doors are locked at all times that hold any personal data.
- to arrange for information held in computers to be accessed only by appropriate personnel. In the event that passwords, keys or access codes are passed to staff that are not authorised to use, see or have right to view such information, disciplinary action may be taken against the employee. The office is to be locked and a senior person at the start of every shift to be nominated as the key holder
- to locate office machinery and provide shielding so that screens displaying personal data are hidden from general view.
- Managers must ensure that ALL grades of staff are to be made aware of not participating in mindless gossip and rumour, and if anyone hears anyone at all, talking unduly about a service user, any member of staff or another service, they must be stopped immediately. Refuse to listen, tell the person, not to carry on, with the discussion, and continue with their work. The person in charge of the service at this time should ensure that staff are fulfilling their duties and working with their allocated service user. If the person continues to carry on with this ‘gossip’ the line manager must stop it immediately at source, and commence the disciplinary procedure.
Management should keep the issue of confidentiality under review, and should ensure that support staff are adequately briefed, trained and supported through supervision to handle the issues that confidentiality poses.
Managers and other senior staff should consider action under the disciplinary procedure against staff who are involved in inappropriate breaches of confidentiality.
Staff who carry out assessments of the care needs of potential service users should consider carefully what parts of the information they learn in that process need to be recorded and to be communicated to the staff and should complete the care needs assessment records accordingly. Staff who participate, in a review or reassessment of care needs, in making any changes in the service provided, or in discussing service changes with a local authority which is financing a service users’ care should record and communicate only information relevant for that purpose. Every service user of Inshore Support Ltd will have their care needs thoroughly assessed before services are provided. As part of this process all staff that carry out an assessment or handle assessment material sent to the Company from other agencies is privy to confidential and sensitive information. It is the duty of such staff to retain records and pass to the allocated support workers only the information which is relevant to the person’s future care. A similar obligation applies to staff involved in a review or reassessment of care needs or in making any changes in the service provided.
The General Data Protection Regulation
It is the manager’s responsibility in the monitoring of this policy