
Describe and Demonstrate Security of Manual and Electronic Records When Storing and Accessing Information

This page is designed to answer the following questions:

NOTE: This page has been quality assured for 2021 as per our Quality Assurance policy.

Having secure systems for recording, storing and sharing information is essential in health and social care settings because we handle sensitive information and must ensure the confidentiality of the individuals that we care for and the colleagues that we work with.

To meet these assessment criteria, you must be able to describe the features and demonstrate the practices that ensure data security.

A secure system is a way of storing data that only allows access to information by authorised people. This could be a locked filing cabinet or password-protected computer software. Secure systems will also protect data from other risks, such as fire, flood or mechanical/electronic failure.

Manual Information Storage (Paper or Hard-Copies)

Paper documentation should be stored in a secure place according to your organisation’s policies and procedures.

This may be in a filing cabinet, drawer or folder that is only accessible by authorised persons. To restrict access, the filing cabinet should have a lock on it, or the room that the paperwork is kept in may only be entered using a key, electronic code, digital ID badge or biometrics (e.g. a fingerprint scanner). These storage areas should also be fire and water resistant to prevent damage and destruction as a result of a disaster.

Records should ideally not be removed from the secure storage location. If they are, procedures must be followed to ensure that they are not left in an insecure area. Paperwork containing personal information should never be left unattended in public areas.

When discussing information contained in secure records, it is important to take precautions so that nobody is able to overhear the conversation, in order to protect confidentiality.

Information that no longer needs to be accessed on a day-to-day basis may be archived in a secure storage facility or shredded/incinerated – policies must be in place to guide the destruction of information.

Electronic Information Storage (Computer systems)

Records may be kept on computer systems and access restricted to personnel on a need-to-know basis. To comply with data protection legislation, these records may only be accessed using a password.

Granular permissions may be used so that only certain senior staff are able to amend records and a digital audit trail should be recorded to track changes – this prevents accidental or deliberate deletion of information.

It is important that a staff member’s password is not shared with others and that they log out of (or lock) their computer when they leave their desk, so that others with physical access to their computer cannot access information that they are not authorised to see whilst they are away.

The records may be stored on the hard drive of the local computer or, ideally, on a secure networked server or cloud-based location. Regular backups should be performed to safeguard against any potential data loss and the backups should be stored in a separate secure location.

It may be your organisation’s policy to encrypt files when they are transferred to other devices as an extra layer of security. Software such as antivirus and firewalls may be used to ensure the integrity of the computers and networks being used.

Practices for ensuring security

Although we have talked about some of the practices you should follow to ensure the security of confidential information in your work setting, it is important to highlight that each organisation is different and will have different systems and ways of working. You will need to be familiar with your own organisation’s policies and procedures and ways of working to handle information correctly and securely.

For example, your organisation may have a policy that all documentation about the individuals that you support be stored on a server and not copied over to a local computer. There may be policies about the use of flash drives or installing personal software on a work-issued laptop.

For paper-based systems, information may be colour-coded (e.g. care plans are stored in black lever-arch files and financial information in green lever-arch files). You may need to seek permission before making copies of records and ensure that personal information does not leave the building.

All staff should know how to report a breach in security – this will usually be a report to your manager but some organisations may have named information officers.