DIRECTED ENHANCED SERVICE 2007/08

BENCHMARKING INFORMATION GOVERNANCE & DATA QUALITY STANDARDS IN GP PRACTICES: GUIDANCE & SPECIFICATION

1. Aim 1.1 To improve the quality of management of electronic patient records in Scottish

general practices.

2. Objectives

2.1 To benchmark current contractual requirements for information governance

and data quality and to improve both of these by systematic approaches to training,

quality checks on records, and review of current practice.

3. Rationale

3.1 Many Scottish general practices are moving towards the use of electronic

records for patient care. This includes referral letters, hospital letters and lab results

either scanned and filed or incorporated directly into the record.

3.2 This means that new approaches are needed to protect the confidentiality of

patient information, to develop mechanisms to ensure only appropriate staff have

access to the record and to ensure that the electronic data is accurate and up to

date.

3.3 Increasingly, the electronic GP patient record will replace the paper record

and be transferred in this form when the patient moves practice. It is vital that there

is consistency across Scotland in use of coding and standards in order to ensure

compatibility and inter-operability. This is necessary regardless of which clinical IT

system supplier is used by the practice.

1

3.4 The Emergency Care Summary (ECS) is an electronic extract of patient

information from GP systems. It consists of demographics, current repeat and acute

prescribing and allergies and adverse drug reactions. It is available to clinicians in

NHS 24, NHS Board Out of Hours Centres and Accident and Emergency

Departments with explicit consent from the patient. This development has highlighted

the need for this information to be accurate, up to date and as complete as possible

in the GP electronic patient record so that the ECS information is reliable.

4. Summary of DES

4.1 This DES is in 2 parts.

a) The first part brings together information governance standards which are already

covered by the GMS contract (including Quality and Outcomes Framework QOF).

Participating practices must make a declaration that they are conforming to these

requirements in order to move on to the second part of the DES.

b) The second part includes some new work, although again the GMS contractual

requirements reinforce the importance of many of the components, eg conforming to

contractual requirements if all or part of patient records are kept solely in an

electronic form; adhering to standards required for practices to go “paper light”; and

practice endorsement of the Scottish agreed SCIMP codes and the Good Practice

Guidelines for GP Electronic Patient Records (hereafter referred to as “GPG”). In

addition, practices will be required specifically to address accuracy of the ECS

patient data and to ensure that practice staff have training and appropriate clauses in

their contracts as regards information governance.

5. Guidance 5.1 This guidance aims to support practices in meeting the requirements of this

DES. Most of it is derived from guidance already available elsewhere. As

appropriate, the reference to contractual requirements is indicated for the information

of practices. The full specification for this DES is attached at Annex A.

2

5.2 Section 1 should be completed and a report sent to the NHS Board for

agreement before starting Section 2.

5.3 Practices should keep a portfolio of evidence to support compliance with

these standards.

5.4 Throughout this guidance, sections of the specification are highlighted in bold and framed by boxes.

6. Outline of DES Guidance on Section One

1. To ensure contractors are compliant with a basic list of standards for

information governance.

The contractor must comply with the following standards:

a. Be registered and conform to the provisions under the Data Protection Act 1998

6.1 This item is covered in Schedule 5, Part 8, paragraph 115 of the Regulations1,

which require contractors to comply with all relevant legislation.

6.2 Practices must be registered under the Data Protection Act 1998. The

registration should specify what data are held and what you may do with that data.

Anyone wishing to see their personal information has a right to do so within forty

days of the request. However, special rules apply to health records, including

compliance with the eight enforceable principles of good practice.

1 “Regulations” in this document refer to the National Health Service (General Medical Services Contracts)(Scotland) Regulations 2004 (SSI 2004 No 115) and can be found at: http://www.opsi.gov.uk/legislation/scotland/ssi2004/20040115.htm

3

6.3 The Data Protection Act 1998 can be accessed at:

http://www.opsi.gov.uk/acts/acts1998/19980029.htm

6.4 In this context, practices should follow the advice in the check list below:

• Do check that your registration details are correct and make sure you use the

data for the purposes you specified in the registration

• Do only disclose information to the appropriate people

• Do keep the data accurate and up to date

• Do deal with requests for personal data promptly

• Do display a notice and use other additional means such as a leaflet or

paragraph in the practice leaflet to inform patients about other health

professionals who may have access to their records such as researchers,

pharmacists etc and why they may be given access.

• Do not keep information any longer than you need

Evidence of Compliance

6.5 The Practice’s Data Protection Act registration certificate, or its reference

number, and evidence that this registration is up to date should be filed.

6.

wh

2 “Cohtt

b. Where some or all records are kept only in an electronic form, conform tothe requirements for approval by their NHS Board for such storage.

6 This item is covered in Schedule 5, Part 5, paragraph 66 of the Regulations2

ich refers to the requirements for contractors around patient records.

Regulations” in this document refer to the National Health Service (General Medical Services ntracts)(Scotland) Regulations 2004 (SSI 2004 No 115) and can be found at: p://www.opsi.gov.uk/legislation/scotland/ssi2004/20040115.htm

4

6.7 Guidance on migration to electronic record keeping and data transfer can be

found in the GPG, chapters 4 and 5 available at

http://www.scimp.scot.nhs.uk/gpg.html

Evidence of compliance

6.8 The check list at Appendix 4 of the GPG should be filed. This in turn will be

supported by documentation for each item on the checklist, many of which are

covered in the guidance below.

c. Nominate a member of the primary care team to take responsibility forpractices and procedures relating to the confidentiality of personal dataheld by the practice.

6.9 This is specified in Schedule 5, Part 5, paragraph 68 of the Regulations3.

6.10 The practice should agree the responsibilities and remit of this nominated

person. These should include ensuring all people working in the practice, both

permanent and temporary4, are aware of their responsibilities with regard to the

confidentiality of personal data held by the practice and, where appropriate, sign a

confidentiality statement. The nominated person should also be responsible for

dealing with requests for access to records (subject access requests), ensuring they

are dealt with appropriately.

Evidence of compliance

6.11 Practices should file the name of the responsible person and an outline of

their remit and responsibilities. 3 “Regulations” in this document refer to the National Health Service (General Medical Services Contracts)(Scotland) Regulations 2004 (SSI 2004 No 115) and can be found at: http://www.opsi.gov.uk/legislation/scotland/ssi2004/20040115.htm 4 To include partners, salaried and sessional clinical staff, GP registrars and locums, other employed staff, attached staff, visiting clinicians, students, researchers and any other person with access to the premises where records are available.

5

d. Have in place a business continuity plan to deal with loss of IT system (e.g.power failure, flood, theft)

6.12 This is important so that, in a crisis situation, the practice can continue to

function and see patients. It is related to the data recovery process at paragraphs

6.16- 6.20, below.

6.13 Guidance on data recovery and business continuity plans is available in

Chapter 3 of the GPG, paragraphs 3.11.7 and 3.11.8 available at

http://www.scimp.scot.nhs.uk/gpg.html

6.14 Samples of business continuity plans are attached at Annex B. However,

many NHS Boards have developed templates for practice use.

Evidence of compliance

6.15 Practices should file a copy of their business continuity plan.

e. Have in place an effective data recovery process, which is agreed with theirrespective NHS Board

6.16 If the electronic system fails for whatever reason, data could be lost. It is

important that there is a system for data recovery which minimises this loss and

allows practices to regain full functioning as soon as possible. Data recovery is

linked to business continuity as in paragraphs 6.12- 6.14 above.

6.17 This requirement relates to QOF indicator, Management 2, which covers

arrangements for backing up computer data etc. The indicator and guidance is on

pages 161-162 of the Scottish Guidance- Revision to the GMS Contract 2006/7

available at http://www.sehd.scot.nhs.uk/pca/PCA2006(M)13.pdf

6

6.18 Guidance on how to set up and maintain a system to support data recovery is

detailed in the GPG Chapter 3, paragraphs 3.11.4 and 3.11.7

http://www.scimp.scot.nhs.uk/gpg.html

6.19 The GPG gives a useful checklist for practices when developing their data

recovery plan. Where the practice is linked to a managed server, their back up

arrangements will be different and should be agreed with the NHS Board.

6.20 Arrangements in each NHS Board area for the frequency of back up tapes,

storage and frequency of a “system restore” process should be agreed between the

NHS Board and the Local Medical Committee.

Evidence of compliance

6.21 Practices should file a copy of their data recovery plan as agreed with their

NHS Board.

6

R

s

a

6

R

l

H

5

Ch

f. Ensure the practice has a leaflet which includes clear information forpatients about how the contractor uses their personal health information.

.22 Contractors are required under Schedule 5, Part 5, paragraph 69 of the

egulations5 to produce and keep up to date a practice leaflet with minimal content

pecified in Schedule 8 of the same Regulations. Item 25 of Schedule 8 refers to

ccess to and disclosure of patient information.

.23 All NHS Boards should now have made available to practices the Health

ights Information Scotland (HRIS) leaflets for patients. The wording in the practice

eaflet should reflect the standard in the HRIS leaflets. (See box for information on

RIS).

“Regulations” in this document refer to the National Health Service (General Medical Services ontracts)(Scotland) Regulations 2004 (SSI 2004 No 115) and can be found at: ttp://www.opsi.gov.uk/legislation/scotland/ssi2004/20040115.htm

7

Health Rights Information Scotland (HRIS) is a project based within the Scottish

Consumer Council, and funded by the Scottish Executive Directorate of Health and

Wellbeing. It is a joint initiative to raise the quality of information available to patients

in the NHS.

HRIS produce information for patients about their rights, about how to use NHS

services, and about what they can expect from the NHS. As this information is

relevant to all patients in Scotland the information is produced on a national basis for

use throughout the NHS. NHS boards are responsible for distributing the

publications.

The aim of the initiative is to give patients a better understanding of their rights and

choices and to make them more confident making decisions about their health and

interacting with NHS staff.

Further information about HRIS and copies of the patient information leaflets is

available at –

http://www.hris.org.uk/index.aspx?o=1113

Evidence of compliance 6.24 Practices should file a copy of their practice leaflet.

8

Guidance on Section Two

Complete and implement an action plan (agreed with the host NHS Board) on

how the contractor will improve data quality and information governance. The action plan must task the contractor with the following requirements:

g. Develop and implement a protocol for ensuring high quality management of electronic data recording in accordance with the Good Practice Guidelines for

General Practice Electronic Patient Records

6.25 The contractual framework for this item is included in Schedule 5, Part 5, Para

66 of the Regulations6, which outlines the standards for computerised records

approval, in particular in sub paragraph 4.

6.26 Guidance on migration towards paperless record keeping is provided in

Chapter 4 of the GPG with a check list at appendix 4, both available at

http://www.scimp.scot.nhs.uk/gpg.html

Evidence of compliance

6.27 Practices should file a copy of their protocol with supporting evidence for the

check list.

6

Sh

h. Have in place procedures which encourage the use of SCIMP recommendedRead codes across all members of the primary care team.

“Regulations” in this document refer to the National Health Service (General Medical ervices Contracts)(Scotland) Regulations 2004 (SSI 2004 No 115) and can be found at: ttp://www.opsi.gov.uk/legislation/scotland/ssi2004/20040115.htm

9

6.28 The QOF indicators, Records 15, 18, 19 and 20, relate to summaries and the

guidance notes recommend the use of national or locally agreed codes to facilitate

comparison or exchange of data. The indicators and guidance are on page 143

onwards of the Scottish Guidance- Revision to the GMS Contract 2006/7 available at

http://www.sehd.scot.nhs.uk/pca/PCA2006(M)13.pdf

6.29 In Scotland, the recommended codes for use in General Practice electronic

patient records have been compiled by SCIMP and are available and regularly

updated at: http://www.scimp.scot.nhs.uk/coding_readcodes.html

6.30 This link provides guidance on coding as well as links to recommended codes

both for the QOF and for general record keeping.

6.31 Practices should discuss how they will encourage practice team members to

use the recommended codes.

6.32 System specific “national codes” and/or clinical systems should not be used

for clinically important information, as they will not be captured by such systems as

SCI Gateway for referral letters or ECS for adverse drug reactions (see paragraph

6.56 below).

Evidence of compliance 6.33 Practices should keep a report on how they have addressed this item and

how they will maintain this improved coding compliance.

i. Have in place a protocol to ensure access to clinical and other patient identifiable information in the electronic record is controlled, such that only those authorised to access the record can do so.

10

6.34 The NHS Code of confidentiality is available at the following link:

http://www.confidentiality.scot.nhs.uk/publications/6074NHSCode.pdf

6.35 Further guidance on legal aspects of confidentiality and access to patient

records is found in Chapter 3, section 3.6 in the GPG to which can be found at:

http://www.scimp.scot.nhs.uk/gpg.html

6.36 Practices should agree the access needs of their practice staff to their

electronic clinical system. Some will require access to clinical information and some

will only need access to demographic information. The details of access permissions

for each member of staff should be logged and updated as needed. Each member

of staff will need a unique password and should not share passwords or user names.

These access controls should be compiled into a protocol to which all members of

the practice team sign up.

6.37 An example of a protocol is shown in the box below:

All members of staff should be allocated personal user names and passwords. The user

name should be configured so that the password requires to be altered at regular intervals

and at least every 90 days. Each person should have a different user name.

The access level for each member of staff according to their role in the practice has been

agreed. Staff should not access the system through another member of staff’s user name

and password as they may have different permissions.

All PCs should have their screen locked if the user leaves the room and a patient is present,

or the room is left unlocked. PC users should be shown how to do this.

The network, clinical system(s) and many other software programmes monitor attempts at

unauthorised access, and access should be configured so that access is denied if three

attempts fail to gain access.

The Practice is responsible for inactivating access as soon as practicable when personnel

stop working at the practice.

11

Evidence of compliance 6.38 Practices should keep a copy of their access protocol and log of agreed staff

access levels.

j. Ensure that there is a system for identification of breaches or alleged breaches of the access protocol under item i. and that those identified are investigated promptly and efficiently and included in an annual report available to the Board.

6.39 Practices must ensure that all members of the team are alert to, and report

on, any breaches of the protocol as in paragraphs 6.34 and 6.35 above, and that

they have a system for investigating any such breaches with a view to prevention of

future episodes.

6.40 The practice report should include,

1. The access protocol and log as in paragraph 6.38, above,

2. The procedure for reporting and investigating possible breaches

3. A log of any episodes where a breach was reported,

4. The outcome of investigation(s) of any breaches identified

Evidence of compliance

6.41 Practices should keep the report as at paragraph 6.40, above, updated

annually.

k. Set up a process for systematically updating staff contracts to contain clauses that clearly identify staff responsibilities for confidentiality, data protection and security.

6.42 Practices should seek legal advice on the wording of such a clause from such

sources as BMA and medical defence organisations.

12

Evidence of compliance

6.43 A specimen staff contract showing the relevant clause should be filed along

with a list of all staff contracts which comply with the requirement and, for those still

to be changed, a timetable for this action.

l. Describe a plan to ensure appropriate training for all staff on the elements of information governance (e.g. confidentiality, data protection, security) especially when inducting new staff.

6.44 Practice staff, especially new staff, will all need training to enable them to

understand and adhere to the principles of information governance related to their

role in the practice team.

6.45 The GPG, chapters 6 and Appendix 3, provide some guidance on this training

available http://www.scimp.scot.nhs.uk/gpg.html

6.46 Annex C of this guidance contains additional material for practices to use in

making and implementing a plan for training of staff on information governance

issues.

6.47 NHS Boards will give practices help with training staff. Material is also

available through the information governance team at ISD.

Evidence of compliance

6.48 Practices should keep a log of all training activity on information governance

and data quality standards.

m. Have in place a system for updating, verifying and correctly coding for drug allergies and intolerances, and current medication to support data standards for the Emergency Care Summary

13

6.49 The data extracted from the GP clinical record for the Emergency Care

Summary (ECS) is updated twice daily so practices should ensure that they take

every opportunity to ensure this information is correct. The particular items are

current medication (acute and repeats) and allergies/ adverse drug reactions.

6.50 Practices should develop a system to ensure that opportunities for update are

used by all staff as often as possible. These might be when the patient consults,

when reviews are taking place (e.g. long term condition review, medication review),

or when repeat prescriptions are being issued or hospital letters come in (see 6.52

below). Each practice should identify the opportunities they will use and gain

agreement from the whole practice team to maximise these opportunities.

6.51 Practices should ensure that drugs which have been stopped are shown as

inactivated.

6.52 Practices should add any significant drugs that have been prescribed outwith

the practice e.g. by hospitals, clinics, so that the medication record is complete. Such

drugs could include anti-TNF therapy, chemotherapy, community mental health

prescriptions, drug misuse clinic prescriptions and depot injections. It is recognised

that the practice will not be made aware of all of these prescriptions but should

ensure that they are included in the electronic record when the practice is informed

about them.

6.53 These medications may not seem to be important but potentially dangerous

interactions can occur e g methotrexate can have a fatal interaction with

trimethoprim. This is important not only for the ECS but to ensure the patient’s record

is complete and to enable the GP IT system drug alerts system to work optimally.

14

Adding medication without issuing a script

6.54 Medication can be added to the electronic record without issuing a

prescription. Details of how this is done with each of the GP IT clinical systems are

shown in the box below:

Ascribe Add to DM screen as new drug but in instructions write - 'information only -hospital

supply’.

EMIS Open ‘consultation’; add; select ‘drug and dose and quantity’; select ‘acute or

repeat’; issue, select ‘outside’; and then click OK.

GPASS Once you have added a prescription in GPASS, either acute or repeat, it shows up

on the Encounters screen (although you need to toggle between acute and repeat).

If you highlight the prescription that you want to record but not print, and then press

the SPACE bar, it crosses out the pill icon at the left of the prescription and won't

print it when you close the patient record.

INPS In Vision 3 when adding a medication the user should change the 'source of drug'

value to reflect the supplier of the medication. Any value other than 'In Practice'

prevents this from generating a paper prescription.

Users also have the option of de-selecting the 'Print Script' checkbox on the

‘Medication Add’ form.

iSOFT On the medication screen you should change the print option to ‘no prescription’,

‘handwritten’ or ‘outside’.

15

6.55 Practices should therefore verify recorded allergies and ADRs with patients

when the opportunity arises as some may not be true allergies. Details should be

recorded appropriately

6.56 Practices should ensure that allergies and sensitivities are coded

appropriately in the clinical system and not entered as free text. Only national codes

(Read Codes or Multilex) should be used as no local codes will be exported to ECS.

The list of codes currently extracted for ECS can be found on the SCIMP website.

http://www.scimp.scot.nhs.uk/coding_readcodes.html

6.57 Listed here are details of how this is done in each of the GP IT clinical

systems.

16

Ascribe Allergies should always be recorded as Read Codes. It is preferable to enter all allergies on

both the DS priority screen and the DM sensitivities section. If a precise code does not exist

for a particular drug, use the nearest applicable code and add free text details in the right

hand box.

EMIS Medical Record (MR) A-add

3- Allergy

A- Add Adverse reaction

search for drug or medication type

select correct medication from those matching search criteria

enter text as to the reaction, set date of reaction and click OK

GPASS

Allergies in GPASS are always recorded as Read Codes. They can be entered via Care

Management Screens, screening templates or added as clinical codes. If a precise code

does not exist for an adverse drug reaction, clinicians should choose the nearest applicable

code and add details in the free text extension.

GPASS 2007 As above or use the Multilex new ADR entry INPS Drug Allergies in Vision 3 should always be added using the 'Drug Allergy and Intolerances'

Structured Data Area (SDA). Access this from Consultation Manager menus using 'Add'

then 'Drug Allergy/Adverse Reaction'. You can then select an appropriate Read Code from

the drop down list if desired. You must always add the drug name for the item that caused

the adverse reaction. ECS will contain the record of allergy including the Drug Name. iSOFT Allergies and adverse reactions are recorded as Read Codes. Staff adding allergies and

sensitivities should always choose a Read code closest to the drug/allergen with additional

details attached to this in the free text field. This makes sure the data always appears in the

patients’ summary/ECS.

17

6.58 For further information about the use of the ECS, how to access the record

and print out a copy if requested, see http://www.scimp.scot.nhs.uk/documents/GPPracticeAdministratorTrainingGuideV1.3.doc

Evidence of compliance 6.59 A report of the practice’s system for updating, verifying and correctly coding

data for the ECS as agreed with their Board.

18

Annex A Benchmarking Information Governance and Data Quality Standards in GP practices: Specification

Requirements 1. To ensure contractors are compliant with a basic list of standards for information

governance.

The contractor must comply with the following standards:

a. Be registered and conform to the provisions under the Data Protection Act.

b. Where some or all records are kept only in an electronic form, conform to the

requirements for approval by their NHS Board for such storage.

c. Nominate a member of the primary care team to take responsibility for practices

and procedures relating to the confidentiality of personal data held by the

practice.

d. Have in place a business continuity plan to deal with loss of IT system (e.g.

power failure, flood, theft)

e. Have in place an effective data recovery process, which is agreed with their

respective NHS Board

f. Ensure the practice has a leaflet which includes clear information for patients

about how the contractor uses their personal health information.

2. Complete and implement an action plan (agreed with the host NHS Board) on how

the contractor will improve data quality and information governance.

The action plan must task the contractor with the following requirements:

g. Develop and implement a protocol for ensuring high quality management of

electronic data recording in accordance with the Good Practice Guidelines for

General Practice Electronic Patient Records (http://www.scimp.scot.nhs.uk/)

19

h. Have in place procedures which encourage the use of SCIMP recommended

Read codes across all members of the primary care team.

i. Have in place a protocol to ensure access to clinical and other patient identifiable

information in the electronic record is controlled, such that only those authorised

to access the record can do so.

j. Ensure that there is a system for identification of breaches or alleged breaches of

the access protocol under item (i) and that those identified are investigated

promptly and efficiently and included in an annual report available to the Board.

k. Set up a process for systematically updating staff contracts to contain clauses

that clearly identify staff responsibilities for confidentiality, data protection and

security.

l. Describe a plan to ensure appropriate training for all staff on the elements of

information governance (e.g. confidentiality, data protection, security)

especially when inducting new staff.

m. Have in place a system for updating, verifying and correctly coding for drug

allergies and intolerances, and current medication to support data standards for

the Emergency Care Summary.

Outcomes

The contractor must complete a self-assessment against items under section 1. A

report should be shared with the host NHS Board.

Where the self-assessment shows non-compliance then the contractor should give

the Board an undertaking to ensure compliance within an agreed timescale.

The contractor must meet and implement the requirements in the agreed action plan

under section 2.

Templates will be provided for both of these requirements.

20

Payments

The contractor will be paid an engagement payment on the submission of a report

that is consistent with the requirements set out in section 1.

The contractor will be paid a completion payment on meeting and implementing the

requirements in the agreed action plan under section 2.

The engagement payment will be equal to 10 per cent of projected income for each

contractor that successfully completes all the requirements of the DES.

The total payment for a contractor will be made up of a fixed element (£1,200) and a

variable element dependent on the numbers of patients. The average GP practice

would receive approximately £3,800.

Arrangements for Payment Claims

Payment to participating Contractors for the engagement and completion fees will be

made on submission of the appropriate declaration forms. Separate engagement

and completion forms will be produced by PSD. These forms should be returned to

your NHS Board who will authorise PSD to make the necessary payment if the

criteria has been met.

The Contractor should ensure that supporting evidence is available should the

information be requested for post payment verification purposes or should the NHS

Board request this as part of contract monitoring.

Timing

The enhanced service will run from 1st October 2007 to 31st March 2008. It is a one-

off arrangement.

The intention is for payments to be made to contractors by the end of April 2008.

21

22

23

Annex B Two sample business continuity plans in current use are embedded for

information below.

Benchmarking Information Gover...

Benchmarking Information gover...

24

Annex C

Benchmarking Information Governance and Data Quality Standards in GP practice DES - Guidance Notes for Item M, staff training

Rationale It is important that all staff are made aware of the relevant duties and in particular

given clear guidelines about their own individual responsibilities for maintenance of

confidentiality, data protection, information security, records management and

information quality. It is necessary that Practices put in place measures, including

protected training time, to ensure that all their staff members are fully informed of the

procedures implemented to ensure the meeting of standards across the Information

Governance agenda.

Guidance Below are links or embedded documents to a variety of materials which should help

practices in training staff.

Freedom of Information

PDF version of FIA training package:

http://www.scotland.gov.uk/Resource/Doc/47210/0025760.pdf

UK Information Commissioner - Data Protection: “ The Lights are On” (Interactive

Training DVD which can be ordered directly from the Information Commissioners

Office at http://www.ico.gov.uk/tools_and_resources/request_publications.aspx

Brief Guide to Information Governance

http://www.elib.scot.nhs.uk/SharedSpace/ig/Uploads/2007/Jun/20070608170750_V2

%20Info-governance-guide-070122.pdf

25

“Top Ten Tips to Safeguarding Personal information” (embedded below)

Top ten tips.doc (26 KB)

Information Governance e-library http://www.elib.scot.nhs.uk/portal/ig/pages/index.aspx?referer=AAS&un=nousername

NHS Code of Practice on Protecting Patient Confidentiality

http://www.confidentiality.scot.nhs.uk/publications/6074NHSCode.pdf

Appendix 6 of the SCIMP Good Practice Guidelines for General Practice Electronic

Patient Records

http://www.scimp.scot.nhs.uk/gpg/documents/appendix%206.pdf

26