Summary guidelines

1
ARGYLL AND CLYDE NHS BOARD

• Summary guidelines
• on handling
• confidential data
• THE DATA PROTECTION ACT (1998)
• CALDICOTT GUIDELINES

Aug 2002
2
Introduction

• This booklet covers important information
  relating to
• The Data Protection Act (1998)
• Caldicott Guidelines
• The Data Protection Act (1998)
• This legal Act, covering both computerised and
  manual data, concentrates on protecting the
  confidentiality of the individual and all staff
  must adhere to it. The 8 Data Protection
  Principles, which summarise the Act, are shown on
  page 2. These relate to collecting, storing,
  manipulating and transferring personal data.
• The Board is registered for the uses it makes of
  data and any changes in use must be notified to
  the Data Protection Office.
• Any surveys carried out by the Board MUST take
  full account of Data Protection Act implications.
  Check with your manager for Board procedure.
• Full information about the Act can be obtained
  from the Data Protection Website
• http//www.dataprotection.gov.uk/dprhome.htm
• The Boards Data Protection Officer is The
  Director of Information

3

• The Eight Data Protection Principles
• The Data Protection Principles state that
  personal data must be
• fairly and lawfully collected and processed.
• processed for limited purposes and not in any
• manner incompatible with those purposes.
• adequate, relevant and not excessive.
• accurate.
• not kept for longer than is necessary.
• processed in accordance with individuals rights.
• held securely.

- 2 -
4

• Storage/Access of confidential material
• Paper Records - keep in locked cabinet/drawer.
• ? Files kept on the computer network are
  protected by
• password access. A password-protected
  screensaver
• will prevent unauthorised access to your
  files should your
• computer be left switched on and unattended.
• ? Files on the C drive are not protected by
  password
• and are not automatically backed up - they
  are your
• own responsibility. No confidential data
  should be held
• on the C drive.
• ? Passwords are confidential and should never be
  passed
• to colleagues.
• - 3 -

5
Faxing
Incoming faxes- Confidential mail (e.g. named
data) should come to the Safe Haven. This is a
secure fax. Safe Haven No. 0141 848 0165
Outgoing faxes- If you are faxing named data,
request recipients Safe Haven number. Named data
should not be sent to a general fax machine.
E-Mail Ordinary, everyday e-mail is not a
secure method of sending named data. If, for
practical purposes, you must use this, any
confidential data must go in a password protected
attachment. The recipient should phone sender for
the password. X.400 e-mail is a secure e-mail
service for Health Service use. Contact your
line manager if you are unsure how to use X.400
e-mail.
- 4 -
6
Confidential Waste
Make sure that all confidential waste is
disposed of correctly. The shredding machine
should be used. Sacks are available from
Office Services staff who will arrange disposal
of bulk confidential waste.

• Laptop Security
• Never leave a laptop unattended in a car.
• Within Board premises, ensure that the laptop is
  kept in a
• secure place overnight.
• Ensure that reasonable measures are taken to
  secure the
• laptop at home.
• Never store confidential information
• on the hard disk. Use removable disks and
• keep these in a safe place. The Data
  Protection Act imposes
• a legal obligation to keep confidential
  information in a
• secure environment.
• Ensure your laptop has up-to-date virus checking
  software in
• place. If in doubt contact the Boards
  Information Technology
• Manager.

- 5 -