The health sector handles some of the most sensitive personal data, and patients have the right to expect that information will be looked after.

As part of our role in supporting the sector, the ICO’s good practice team carries out audits and advisory visits across a broad range of health organisations.

The resources below are based on those experiences. They are practical tools that data protection officers, records managers and information governance specialists can use to help educate colleagues on how to ensure they are operating in line with the Data Protection Act.

We’ll be running through several modules over the coming year, each focusing on a different aspect of data protection law.

First up is records management. Whether at large NHS hospitals or small private dentists, we often see ineffective logging, tracking or movement of manual records.

Lost or stolen paperwork

Those breaches can lead to ICO investigations. We have produced a blog which looks at some of the basic records management mistakes we’ve seen, from care home records found in a derelict garage to patient records left behind after a Trust moved premises.

ICO Good Practice Group Manager Leanne Doherty said:

“Unfortunately, our audits showed a worrying trend of health organisations failing to properly manage the records they held.

“The people we speak to want to get this right. We’ve seen first-hand the professionalism and commitment of people working in information governance in this sector, and we know some of the challenges they face. We’ve looked to create resources that offer them practical support and give them the tools to improve people’s approach to records management in their organisations.”

The resources below are focused on addressing the specific shortfalls we’ve seen.

Not sure where to start?

The ICO’s toolkit helps you to assess your compliance with the Data Protection Act and find out what you need to do. There’s a dedicated records management section, with guidance and links to further reading on:

  • Developing records management policy and procedures
  • Training
  • Outsourcing
  • Records inventories
  • Tracking and off-site storage
  • Security and disposal of data
  • Business continuity 

What we’ve seen

Staff not being vigilant when using fax machines and not checking the correct addresses before posting information to patients.

Posted or faxed to the incorrect recipient

Poster: Always check addresses and details before you press send. Click to download PDF version.
Poster: Always check addresses and paperwork before you seal and send it. Click to download PDF version.

What we’ve seen

Staff not following procedures around tracking records.

Logging, tracking movement and security

Training video: why tracking records properly matters, including tips for staff

Infographic: top tips to improve your record tracking 

  • Assign responsibility.
  • Train, train, train.
  • Know what you've got.
  • Log where it's going.
  • Check it works.

What we’ve seen

Staff not sure what to do when records go missing

Infographic: top tips on when records go missing.

  • Identify it early.
  • Know what to do.
  • Learn from your mistakes.
  • Keep track.

What we’ve seen

Staff not using secure storage.

Poster: When storing physical records, make sure they're secure. Click to download PDF version.

What we’ve seen

Information being unsecure when taken off site.

Poster: All information you work with has value. Think before you take it out of the building. Click to download PDF version.

What we’ve seen

Errors in logging, tracking and movement of records caused by a lack of procedures and no Information Asset Register.

Information asset owners

Case studies

Read about two health organisations that have benefited from implementing Information Asset Registers.

Webinar

The most common records management errors the ICO sees in the health sector, including advice around Information Asset Registers and Information Asset Owners.