Ethics Guidance for Occupational Health Practice 9th Edition - Book - Page 42
Electronic records
3.29. It has become common to transfer records from paper to electronic format.
Advantages include reduced storage space and cost, and ease of access or transfer.
When arranging for paper files to be converted, occupational health
professionals should seek suitable and sufficient technical guidance. Secure
arrangements should be agreed for the transfer,
storage, scanning and subsequent destruction of paper records with a clear
audit trail of receipt and transfer. It is recommended that paper records
be retained for an agreed period before destruction to ensure any errors
are identified. The digitisation process should produce files in a format that
cannot be edited, with an audit trail of the creation of files.
3.30. Encryption is used to protect the confidentiality of electronic data. There are
varying levels of encryption and digital security that can be applied to data, and
occupational health professionals should seek specialist advice if their own
knowledge is inadequate. Encryption should be appropriate for the
circumstances and not become a barrier to communication.
3.31. An analogy would be that letters sent by post may be marked ‘private and
confidential’, double enveloped with a tamper-proof seal, sent by post
requiring confirmation of delivery by signature, or hand delivered, depending
upon the sensitivity of the documents contained.
3.32. In the same way, levels of encryption will depend upon the content and
potential impact of the interception of data. In addition to encryption
requirements, password protection is strongly advised when sending a report
to a worker by email.
3.33. A high degree of care needs to be exercised with electronic communication.
The consequences of a simple error can be much more significant than for
paper communication, and encryption and other security systems may not
protect against these. It is far easier to compromise the confidentiality of large
numbers of people than is normally the case with paper records. Other
examples might include sending electronic communications to the wrong
individual in an organisation where e-mail addresses are similar, or copying
people to an e-mail chain which includes information not intended for those
recipients.