
Part of: A guide to confidentiality in health and social care: Treating confidential information with respect

Rule 5: Organisations should put policies, procedures and systems in place to ensure the confidentiality rules are followed



Organisations should ensure that they have the appropriate organisational and technical systems security, policies, processes and staff training and education to ensure that confidential information is held and shared securely [39] and appropriately, as set out in this guide. Every organisation should:


A. Appoint a senior individual responsible for ensuring the confidentiality rules are followed

An identified senior individual within each health and social care organisation should be appointed as being responsible for ensuring the organisation continues to meet its requirements as set out in this guide. This individual will be responsible for ensuring the organisation complies with the law in relation to confidentiality. This should be the Caldicott Guardian [40] or other senior member of staff responsible for information risk. The guide will be an evolving document and organisations should review their compliance and update their policies and procedures in line with any changes to the guide, at least annually.
 


B. Complete an Information Governance Toolkit Assessment (IGT)

The IGT defines and draws together many of the information governance requirements that apply in different circumstances. One way to demonstrate that appropriate policies, procedures and systems are in place is for organisations to comply with relevant IGT requirements [41]. Examples of key requirements include:
⦁ access should be limited to those authorised, with a need to know
⦁ confidential information should be held and distributed securely
⦁ some confidential information should not be retained indefinitely and should be securely disposed of at the appropriate time [42]
⦁ staff should be trained and educated appropriately to discharge relevant duties


C. Ensure that all organisations with which it shares confidential information are committed to following the confidentiality rules

There is an important obligation on the organisation sharing the confidential information to ensure that recipients can demonstrate that they can be trusted to handle it in accordance with the confidentiality rules.

For high volumes and high sensitivity information, an appropriate information sharing agreement or contract is required to provide clarity on expected practice and any specific restrictions, for example prohibition of onward sharing of information without permission. [43]

A Privacy Impact Assessment (PIA) is an invaluable tool when assessing the impact on an individual’s privacy of using the information and what control measures are necessary and proportionate, whilst placing the privacy of individuals at the forefront of all decisions. [44]

For organisations outside health and social care (for example the police), some of the specific organisational controls in rule 5 will not apply, but it is expected that their own organisational confidentiality and privacy controls will provide equivalent assurance.


D. Encourage people to report concerns that the confidentiality rules have not been followed

Organisations should have processes in place to encourage people to report concerns that the confidentiality rules are not being followed. If they feel their concerns about confidentiality and safe and effective sharing of information have not been appropriately dealt with by the organisation, they should have easy access to the organisation’s whistle-blowing procedure.

Staff need to know that they can safely share information with a particular body. Therefore, they must be informed of serious concerns so they know when they should assess the risk and perhaps not share information with a particular organisation.

Footnotes

39. Details can be found in section 17 (‘Information security management’) of the references document available at www.hscic.gov.uk/confguideorg.

40. A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing. The guardian plays a key role in ensuring that the NHS, councils with social services responsibilities and partner organisations satisfy the highest practicable standards for handling patient identifiable information.

41. The full set of IGT requirements

42. Guidance on retention and secure disposal of confidential information can be found in section 6 (‘Record-keeping best practice’) of the references document.

43. The Data Sharing Contract used by the HSCIC can be found in section 14 (‘Data sharing contracts and agreements’) of the references document.

44. Guidance on how to conduct a PIA is available in section 11 (‘Privacy Impact Assessments’) of the references document.


Last edited: 9 February 2022 9:26 am