Introduction
The seventh principle of the Data Protection Act 1998 states that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” This includes the transportation of records both inside and outside of an organisation.
The NHS document Information Security: NHS Code of Practice requires that there are adequate controls to secure any ‘media in transit’. (This document is based on the international information security standard ISO 27001:2005.)
This procedure has been produced to provide guidance for employees and agents to ensure they do not breach the requirements of the Data Protection Act 1998, the NHS Information Security Code of Practice and existing policies and procedures which deal with security and confidentiality of information.
Information can be vulnerable to unauthorised access, misuse or corruption during physical transport, for instance when sending media via the postal service or via courier. The following controls should be applied to safeguard media being transported between sites:
- Reliable transport or couriers should be used (see Appendix A for more detailed guidance). A list of authorised couriers must be agreed with management and a procedure to check the identification of couriers implemented.
- Packaging must be sufficient to protect the contents from any physical damage likely to arise during transit and in accordance with manufacturer’s specifications.
- Any information transferred to an encrypted memory stick, to be taken off site, must be a copy of the original information which must remain on the shared/personal drive of the file server. This will ensure there is always a copy of the original document available when needed.
Special controls should be adopted, where necessary, to protect sensitive information from unauthorised disclosure or modification. Examples include:
- Use of locked containers
- Delivery by hand
- Tamper-evident packaging (which reveals any attempt to gain access)
Information can be transported in many ways within the NHS environment and this procedure provides guidance to NHS East Midlands employees to ensure the security and confidentiality of transporting media.
Guidance
This guidance applies to all records, in whatever media they may be held (e.g. paper, electronic, email or other methods), which can identify any individual by name, number or a combination of information/data items (e.g. employee, complainant, patient, nurse, doctor). It should also be remembered that the details of many staff/employees/agents are contained within patient records/information when holding information about Complaints and Serious Untoward Incidents.
Records of individuals (employees, complainants, those involved with incidents) must only be taken off site if absolutely necessary. This should normally only occur with the agreement of the Line Manager, Data Protection Lead and/or the Caldicott Guardian.
Records must always be transported in a secure way, e.g. in a sealed container or briefcase, kept in the boot of the car and not visible to the general public.
Records should be returned to the office when no longer needed off-site. In addition, paper records should be logged to reflect that they have been returned, and this log entry should be signed and dated by the person returning the records.
Taking Records Off-Site
Records should not normally leave the building, but sometimes this has to occur. In the event that there is no choice but to take records off-site, the details outlined in the general guidance above must be adhered to and, in addition, the following also apply:
- Ensure records cannot and are not seen/viewed by any other member of the household (including family, friends and neighbours and their children/parents) even if these people are employees of the same organisation.
- It should be noted that the terms and conditions of employment, and the policies and procedures concerning security and confidentiality of information, apply wherever the records are located. Information must only be accessed on a strict need-to-know basis, and members of the household, other family, friends and/or neighbours should not have access to information of this type.
- Information concerning the records MUST NOT be recorded on any home PC, as there are issues of IT security as well as those of security and confidentiality. If an employee needs to work at home on a PC they should be provided with one (normally a laptop) for this purpose, and they should also seek advice from the IT department/experts concerning the responsibilities surrounding the use of the laptop/computer. It is vital that home PCs are not used for business work, as there could be issues of viruses, and information kept on a home computer could be accessed by other family members who have no right to see it. It is important to note that even when information is deleted it is quite often possible to recover it if someone has the technical expertise.
Using the Postal System
When sending records and/or letters through the postal system a recognised secure supplier/contractor should always be used. Individual Directorates must decide if the normal postal system provided by the Royal Mail is robust enough for sending the information. For letters and some records this method is sufficient and has a proven record, but the sender must ensure they follow good practice guidance when sending in this way. The following standards should be implemented:
- Before any information is sent, confirm the details of the intended recipient, e.g. their name, address and postcode and, in some cases, also the department and job title of the person to whom the records are to be sent.
- Transport the information in a robust, secure package, e.g. an envelope for letters, a jiffy bag for larger records or a secure box for larger packages.
- Mark the envelope/package with the details of the person to whom the letter/package is being sent.
- For sensitive records/letters, also mark the package ‘Private and Confidential: to be opened by addressee only’.
If the information to be sent contains something that could cause embarrassment to the organisation and/or the individual if it were to be opened by the wrong person, it may be necessary to send the information by recorded or registered delivery. Special delivery should also be used where proof of receipt is required, e.g. for a data protection subject access request or a freedom of information request.
If the information is very sensitive or has to arrive at the destination within a very short timescale, the use of an approved courier service may be required. If this is the chosen method of transportation, the guidance in Appendix A applies.
Specific Guidance for Removable Equipment & Media
Removable media is defined as any device that can store data/files when not plugged into a static PC, for example the following (this is not a definitive list, as technology may progress between the normal reviews of this document):
- Laptops
- BlackBerries
- Mobile phones
- Tapes
- Floppy discs
- CD ROMs
- Memory cards
- Memory/flash sticks
- Removable hard drives
- Pen drives
- SIM cards
- Optical discs
This procedure applies to all removable media for use on information systems owned and/or operated by NHS East Midlands.
NHS East Midlands prohibits the use of non-encrypted USB memory sticks.
Employees who have been authorised to use removable media for the purposes of their job roles are responsible for the secure use of those removable media as required by this policy. Failure to comply with this removable media procedure may result in disciplinary or criminal action.
If posting, the media must be sent by Royal Mail “Special Delivery” so it can be electronically tracked. Passwords must be communicated to the recipient by different means, i.e. not sent with the media. In addition, the item must be provided with protective packaging.
Removable media must only be used by staff and contractors who have an identified and agreed business need for them.
When the business purpose has been satisfied, the contents of removable media must be removed through a destruction method that makes recovery of the data impossible. Alternatively, the removable media and its data should be destroyed and disposed of beyond any potential reuse. In all cases, the action taken to remove or destroy the data must be recorded in an auditable log. All NHS East Midlands removable media must be returned to the HQ IT Manager so that the ‘owner’ details can be removed from the equipment asset register.
Removable media may only be used to store and share NHS information that is required for a specific business purpose.
Removable media must be physically protected against loss, damage, abuse or misuse when in use, in storage and in transit.
Removable media must be encrypted to current Connecting for Health standards and password protected. This password must be communicated to the recipient by different means, i.e. not sent with the media.
All incidents involving the use of removable media must be reported in accordance with the NHS East Midlands Incident & Near Miss Policy.
Audit spot checks will be conducted by the organisation to ensure this procedure is complied with. Any compliance issues will be reported to the line managers concerned and may be handled through staff disciplinary processes or contractual arrangements.
Appendix A – Detailed guidance regarding the use of Courier Services
(Produced by the Digital Information Policy Unit, Department of Health November 2007)
Routine Courier Services (for transfer of non-personal or non-sensitive information only)
- Authority to use the courier service is obtained from the appropriate level of management.
- The courier is selected from the contracted or authorised list.
- A telephone call is made from the despatching organisation to the intended recipient at the receiving organisation to notify them of despatch.
- Information for despatch is placed in sealed envelopes or wallets.
- A signature sheet is signed by despatching and receiving organisations.
Secure Courier Process (for transfer of person-identifiable or sensitive information)
- Authority to use the courier service is obtained from the appropriate level of management.
- Only authorised courier services must be used (soon to be an NHS approved list).
- A signature sheet is used to capture details of the handover/takeover of the data disks.
- The data file creation is authorised (name/role/date/time).
- The data file is created by (name/role/date/time), burned to DVD/CD and encrypted in accordance with Department of Health guidelines.
- Packaging is checked to ensure it is sufficient to protect the contents from any physical damage likely to arise during transit, such as exposure to heat, moisture or electromagnetic fields.
- The identification of the courier is checked before handover of the media.
- The courier collects the encrypted disk and the signature sheet is signed by both parties.
- A telephone call to notify despatch is made from the despatching organisation to a named individual in the receiving organisation. The data disks are couriered directly to the destination.
- Nominated staff at the destination receive the disks and sign the signature sheet.
- The recipients, in the presence of the couriers, upload the data from the disks to the secure system.
- The couriers then notify the despatching organisation and request that the pass phrase is forwarded to the recipient.
- The recipient decrypts the data with the received pass phrase and confirms that the data can be used by the appropriate database applications.
- The disks are then given back to the couriers with the appropriate signatures and returned to the despatching organisation for destruction.