Our standards of conduct, performance and ethics say that:
You must treat information about service users as confidential (5.1)
You must keep records secure by protecting them from loss, damage or inappropriate access (10.3)
This means that you need to take all reasonable steps to protect information about service users. By ‘reasonable steps’, we mean that you need to take sensible, practical measures to make sure that you keep the information safe.
For example, you could store paper records in a lockable cabinet or room. If you run your own practice, you could develop a clear policy for your practice and provide training for your members of staff. Or, you might make sure that you avoid having conversations about service users in public areas where other people might be able to hear.
If you are employed by an organisation, your employer will normally have policies and guidelines on how you should store, handle and share information. In most circumstances, following these policies will allow you to meet our standards comfortably. However, you still need to think about your own practice to make sure that you are protecting confidentiality at all times.
As a responsible professional, it is important that you take action if you become aware that information about a service user has been lost, damaged or inappropriately accessed, or if there might be a risk of this happening. You should tell your employer (if you have one) and take steps to try to make sure that the problem does not happen again.
The General Data Protection Regulation (GDPR), supported by the Data Protection Act 2018 (DPA), governs how personal data (information), including service user records, should be handled. It outlines a number of data-protection principles. You can find more information on this page and on the Information Commissioner’s Office website.
Electronic records
Health and care records are increasingly being held electronically, rather than on paper. We do not provide any specific guidelines about the types or features of computer-based systems which registrants should use. This is partly because technology changes quickly and we would not want to prevent you from using new technologies. It is also because the type of electronic record system you use will depend on your practice, the type of setting you work in and other factors.
If you are employed, you should follow your employer’s policies and procedures for electronic record-keeping and keeping information secure. If you are self-employed and need to set your own policies and procedures, you must make sure that you continue to meet our standards. This means making sure you keep electronic records secure and that they can only be accessed by the appropriate people. You should have an effective system in place for restricting access to the records – for example, personal logins and effective passwords.