Information Governance - Guidance for Training Courses
Personal Identifiable Data (PID)
This is personal data which can reveal the identity of an individual. It could include any information such as name, address, date of birth, NHS number, National Insurance number or health details.
Staff sign a code of confidentiality as part of their mandatory training. The code states the standards staff must follow in their work. It is the law. Failure to follow the standards can lead to disciplinary action. For example, staff have been dismissed for accessing computer data without a valid reason.
Staff must never save information on the 'C' drive of their work computer. This drive is not back up, so if there is a problem with the computer you may lose data. If the computer is stolen the data goes with it. Staff must use personal or shared drives instead. The information is then held centrally and backed up regularly.
Take great care of laptops. They are particularly vulnerable to theft. Staff who use laptops for work purposes must ensure they know where it is at all times and lock it away when not in use, especially at night.
All laptops should be encrypted to safeguard the data (information is 'coded' so anyone unauthorised cannot read it). Severe financial penalties have been imposed on organisations which lose laptops with personal identifiable data.
Only use memory sticks purchased through IT Services. These will be encrypted and recorded. If a Trust memory stick is lost or stolen, contact IT Services immediately as it can be disabled. For that reason, ensure memory sticks are logged with the correct owner with IT Services.
Do not use your own memory stick or 'freebies' as you may introduce a virus to your PC/laptop or the Trust network. If the memory stick is lost or stolen, someone will be able to access the data. Loss of unencrypted memory sticks which contain personal identifiable data have resulted in very large fines for organisations. You may be personally liable.
Disposal of IT Equipment
All IT equipment must be disposed of correctly to safeguard data and to meet current regulations. Old equipment is a risk, this includes PC's, laptops, printers, CD's and memory sticks. Log a disposal request with the IT Service Desk. There are Trust procedures for disposal of confidential waste, mobile phones, Blackberry's, thermal printer output, camera recordings and so on. If in doubt - take advice.
Information Commissioner's Office
The Information Commissioner's Office has the power to impose large fines on organisations which allow personal identifiable data to get into the wrong hands. This can be up to £500,000 per incident!! See the Information Commissioner's Office website for examples of security breaches and the fines www.ico.gov.uk.
For more information refer to the Data Protection Act 1998. All staff have a personal responsibility to ensure that they comply with the requirements of the Act. Staff have a legal duty, at all times, to keep personal identifiable data confidential and secure. Breach of this duty could lead to disciplinary procedure.
See the 'Best Practice Guidelines' leaflet on the Information Governance web pages for more information on handling personal identifiable data.