Any personal information you hold must be protected from loss, damage or unauthorised destruction, and unlawful access – you will be expected by law to implement reasonable technical and organisational measures to ensure this protection is in place.
However, POPI does make provision for the resources of your organisation, as well as the nature of the information itself, stating that this will be taken into account when deciding what technical and organisational measures are reasonable.
As a minimum, healthcare workers will be expected to identify all reasonably foreseeable internal and external risks, establish appropriate safeguards, and regularly review these safeguards and update them when new risks emerge. MPS recommends you carry out a risk assessment and draw up a protocol that sets out this information.
Examples of foreseeable risks are:
- Access to information
  - Any employee requiring access to patient information should be identified, and their employment agreements checked to ensure they have agreed in writing to treat all such information as strictly confidential.
  - Individual passwords to access the information should be given, and these should be updated from time to time. A generic password shared by all staff is not effective in preventing breaches of confidentiality.
- Accidental destruction
  - ‘Crashing’ of hard drives or servers can lead to the destruction of personal information. Suitable back-ups should be in place to either limit or prevent this.
  - Ensure hard copies of patient information are stored securely in locked filing cabinets or rooms. Patient files should never be left unattended on the reception counter of a busy waiting room.