I am doing research towards a part-time PhD at Nottingham Trent University, part of which involves creating a fairly abstract formal model of primary healthcare and secondary healthcare and composing them to assess the impact of interacting access control security policies. So that I base my abstract models on reality, I was wondering if anyone have a detailed access based security policy which they use in their practice which I could get hold of ? Alternatively, are there standard guidelines which are available specifically for access control, privacy etc. ? Finally, a few questions to help me to understand the current state of play : If you have a security policy, does it work ? (Can you tell ?) Do you let every staff member (medical and admin) of your practice have access to all of your patient's records ? Do you record such access ? How are you preparing for the arrival of the NHS - Net ? I already have the recent BMA report but any further help would be greatly appreciated. Thanks in advance, Max Jones %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%