Code of conduct

1. Breaches of confidentiality are a serious matter. Non-compliance with this code of y person employed by the Trust may result in disciplinary action being taken. No employee shall knowingly misuse any information or allow others to do so.
2. Staff are responsible for safeguarding the confidentiality of all personal and Trust information, transmitted or recorded by any means. All staff are responsible for their decision to pass on information.
3. Personal information given or received in confidence may not be passed on or used for a purpose other that that for which it was obtained, without the consent of the provider of the information.
4. Report information/confidentiality incidents to clinical risk management
5. Information may be passed on to someone else only:
   • with the consent of the patient (Gillick competency applies)
   • where it is disclosed in the best interests of the patient (e.g. between members of a multidisciplinary team)
   • when disclosure is required by a court (or a court order)
   • when disclosure is required by statute (that is, by law)
   • where disclosure is made in the public interest as described in the defined list of circumstances in ≠Disclosure in the Public Interest≠ below
   • when required by the police in conjunction with the prevention/detection of serious crime (e.g murder, rape, kidnapping, causing death by dangerous driving)
   • do not disclose to schools, employers, DHSS, etc without explicit consent from patient.
6. Adhere to the principles of the Caldicott Report:
   • justify the purpose for each use/transfer of patient-identifiable information.
   • don≠t use patient-identifiable information unless it is absolutely necessary.
   • use the minimum necessary patient-identifiable information.
   • access to patient-identifiable information should be on a strict need-to-know basis.
   • everyone with access to patient-identifiable information should be aware of their responsibilities.
   • understand and comply with the law.
7. Adhere to the principles of the Data Protection Act 1998. Personal data must be:
   • processed fairly and lawfully
   • obtained and used for one or more specified purposes only
   • adequate, relevant and not excessive
   • accurate and kept up to date
   • not kept for longer than necessary
   • processed in accordance with the rights of data subjects
   • protect against unauthorised access, damage or destruction
   • there are restrictions on overseas transfer: obtain explicit consent.
8. Need advice? Consult the data protection intranet site or contact the Caldicott Guardian or the Information Protection Officer (ext. 22822).