Hi,
Just checked our Disciplinary Policy to make sure my assumption is right before I share it, which it is!
Upon Mr XYZ contacting us with his complaint/allegations, Mrs ABC would be informed of the complaint and asked to put her case forward. This would hopefully reveal whether she has accessed the information legitimately, and would provide information as a starting point. Audit (or whoever) would then be able to check any electronic systems to corroborate this if Mrs ABC is able to provide (rough) dates of acccess for a particular task.
If paper records, you might be lucky, and a checking out system might be in place. If the paper records were held offsite this would be true, if held in filing cabinets in the office, not so much I would imagine. Still, the legitimate purpose of access would be able to be confirmed by Mrs ABC's line manager.
Would you then need to check all systems/sources of the information? I would suggest not, as you would know that Mrs ABC does have access to the records in question and the question then would be how do you prove she did not use this information for personal reasons! Which I can't answer!
The question then is - how do you prevent this person having access in the future? In particular electronic systems in use in Children and Young People's Service we operate a "Restricted Records Policy". This policy enables us to lock down a child's record to particular names users, with the purpose of preventing staff access to protect the confidentiality of colleagues or family members or employees in cases where the child or family is related to an employee with access to the system. This is reliant on the honesty of employees, but in most cases once the case history becomes known to a social worker (for example) then this can be flagged up as names of colleagues are recognised.
I've digressed I realise, but thought it might be relevant!
Best wishes,
Michelle
Michelle Peel
CYPS Information Governance Officer
Trafford Council
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|