Clinics, client confidentiality and disclosure

Information should only be disclosed in circumstances importing an obligation of confidence.

• Ensure that employee and volunteer agreements are in writing and contain clear and appropriate confidentiality provisions (see the example of a clinic – volunteer confidentiality agreement below).
• Certain third parties should be required to enter into confidentiality agreements (see below). 
• It might become necessary (subject to clients’ consent) to request copies of clients’ medical records, for example from a GP or Hospital and to disclose those records or information to certain third parties. Where disclosure is for a specific, limited purpose, confidentiality may be preserved for all other purposes.

Access to information should be managed / restricted

There are a number of practical steps that clinics can take to establish and maintain confidentiality by restricting access:

• The duty of confidence should be explained to all clinic staff, including volunteers. Clinic staff should be made aware of the practical ways in which clients’ confidential information can be protected, as well as the ways in which confidence can be inadvertently breached and the consequences.
• Ensure that confidential information being held is known about, where it is held and what the consequences would be should that information be inadvertently (or otherwise) disclosed.
• Make sure that confidential information is communicated on a need-to-know basis only.
• Give employees and volunteers practical guidance about keeping information confidential, including not to discuss clinic clients outside the clinic, on public transport and to take care when using laptops or mobile devices in public places like trains or cafes.
• Secure confidential information both physically and electronically, for example (where appropriate and feasible) using firewalls, secure emails or encryption. Consider using techniques to prevent USB keys being used with clinic computers and ensure that there are appropriate restrictions or policies in place to deal with employee or volunteers using their own devices.
• Keep records that show what matters employees or volunteers have worked on.
• The way(s) in which clients may be contacted should be agreed at the time of the interview and noted on the case record.
• If confidential records are stolen in a break-in or in any other way, the theft must be reported to clinics’ coordinators and the police. The report to the police must stress the confidential nature of the records and the importance of them being returned unread if they are found.
• Remind departing employees and volunteers of their obligations of confidentiality and ask them in writing to confirm that they have returned all clinic property.
• Audit security procedures regularly.

There are a number of practical steps to establish and maintain confidentiality in respect of data processed and stored electronically:

• Know what data is held, where it is held and what the consequences would be should that data be lost or stolen.
• Access to systems which are no longer in active use and which contain personal data should be removed where such access is no longer necessary or cannot be justified.
• Passwords used to access PCs, applications, databases, etc. should be of sufficient strength. A password should include numbers, symbols, upper and lowercase letters. If possible, password length should be around 12 to 14 characters but at the very minimum 6 8 characters. Passwords based on repetition, dictionary words, letter or number sequences, usernames, or biographical information like names or dates should be avoided.
• Employees and volunteers who retire from clinics should be removed immediately from mailing lists and any access permission.
• Procedures should be put in place in relation to the disposal of files (both paper and electronic) containing personal data.
• New staff (including volunteers) should receive appropriate training before being allowed to access confidential or personal files.
• Appropriate filing procedures (including, in terms of complying with any relevant professional obligations) - both paper and electronic - should be drawn up by clinics Coordinators and followed. Client files should be systematically and regularly reviewed for confidentiality by Clinic Coordinators.
• Standard unencrypted email should ideally not be used to transmit data of a personal or sensitive nature. Such data should be shared either through file encryption or through the use of a secure email facility which will encrypt the data being sent. Check clinic’s email server as to whether and how emails can be encrypted or otherwise secured.
• Data that is accessed via remote access ideally should not be copied to home PCs or to portable storage devices, such as laptops, memory sticks, etc. that may be stolen or lost.
• Clinics should consider whether they require a bring-your-own device policy to cover whether staff are allowed to use their own devices (which may lack up to date institutional antivirus software), in what circumstances and with what safeguards?
• Memory sticks containing client information should be encrypted. Encrypted USB memory sticks are widely available and relatively inexpensive.   
• Laptops: portable devices should be password-protected to prevent unauthorised use of the device and unauthorised access to information held on the device. In the case of mobile phones, both a PIN and login password should be used.
• Private, sensitive or confidential data should not be stored on portable devices. In cases where this is unavoidable, all devices containing this type of data should usually be encrypted or otherwise secured.
• Anti-virus/Anti-spyware/Personal Firewall software must be installed and kept up to date on portable devices.
• Laptops must be physically secured if left at the clinic office overnight. When out of the office, the device should be kept secure at all times.