David Fildes wrote:

"From the view of unauthorised access:
Category #1 are covered by both various Codes of Ethics, Professional
Rules, etc. Category #1 and #2 should be covered by appropriate clauses
in their employment contracts. Category #3 should be covered by
appropriate, and enforceable, clauses in the contracts between the
hospital & the contractors. Category #4 - not sure, but maybe put
something on their Admission Sheet when they book-in for treatment?
Category #5 - not sure, but put notices up advising that they should not
be curious!"

Yeah, but I'm a fan of Mr Poke Yoke when it comes to preventing things
from happening. To wave a contract of employment at the horse as it
careers off down the track might not cut it with the Information
Commissioner. My reading of Schedule 1 Part II "measures that ensure"
would have to go beyond words in a contract. On that basis I think
Gartnavel may have got it right.

"Coincidently, I have been visiting a person in Gartnavel General
Hospital in Glasgow this week - Gartnavel do not have any notes at the
end of beds as all such information is held at the ward's nursing
station. This ensures security from one point in the ward, all
information for a patient in one place, with 24hour access for health
professionals whether in person or by phone."

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^