Ethics Guidance for Occupational Health Practice 9th Edition - Book - Page 39
Standards in data protection – staff and information governance
3.16. All staff working in occupational health services should have training in
confidentiality and information governance. Clinical staff working in
occupational health services must abide by the ethical code of their professional
organisation. Non-clinical staff within the team should have training in this area
and sign a confidentiality agreement as a condition of employment. External
agencies requiring access to databases, for activities such as system
maintenance, should also be subject to a confidentiality agreement.
Information security
3.17. Communication on unsecured systems may be intercepted. This includes using
unsecured Wi-Fi services, such as those found in public areas, hotels, airports or
coffee shops. Measures can be taken to secure such communication, and
specialist IT advice can be sought if required, to ensure that reasonable
measures are taken to protect sensitive data from interception.
3.18. If there is doubt about whether a network or computer is secure (such as public
Wi-Fi), it is best to assume that the system is insecure and that data may be
viewed by others without a legitimate right.
3.19. Confidential individual or corporate data should not be shared through
unsecured personal channels, such as social media platforms
(including personal messages), email or SMS (text) message.
3.20. Personal passwords to IT accounts which contain sensitive information must
not be shared. Doing so significantly increases the risk that data protected by
the password is compromised.
Occupational Health records, Security, Retention and Transfer
Standards of Occupational Health Clinical Records
3.21. Good quality clinical records, whether paper or electronic, are vital to the
practice of occupational health. Standards for record keeping should be set by
individual occupational health providers but should meet the requirements of
the professional bodies. Records should be used and stored in such a way as to
prevent unintended disclosure.