Scroll down

Coronavirus staff guidance University Hospitals Birmingham NHS Foundation Trust

Information governance

Last updated: 22 December 2021 at 15:39

Due to the increased importance of remote consultation and remote working, some standard information governance rules have been temporarily relaxed.

The guidelines below follow the national guidance and that of the Information Commissioner’s Office.

General rules

  • When undertaking work-related activities, wherever you have access to the Trust VPN virtual desktop, you must use this to login remotely to the Trust system. If you have a Trust device, you should use this, but you may use your own device if you do not have access to a Trust one
  • You must not retain any work-related information on a non-Trust device. If you need to download a document to work on it outside of the VPN network, you must permanently delete it once you have finished
  • This guidance is applicable only during the Trust’s response to COVID-19. It will be reviewed on or before 31 May 2022 and may be extended

Email communication

Staff must ensure that no-one else in the househould has access to the email account. The preference is to communicate via email using Trust email or

Please take the following precautions when using Trust email (

  • For sending external emails (outside of the Trust’s email) from your Trust email address, avoid sending identifiable sensitive data unless it is absolutely necessary (i.e. clinically urgent)
  • If the email is absolutely necessary, use the ‘encrypt’ button
  • Alternatively, transfer the identifiable data into a document, then password protect the document. The password must be shared via separate medium (via phone or text)
  • Where possible, send the data in limited numbers (e.g. do not send long lists of patients, and consider using unique identifiers instead of patient names)

Sending secure emails from

  • Emails sent between accounts do not require the encryption of personal data
  • However, if staff receive a confidential email into an account, this should not be forwarded to a Trust email address without the necessary encryption. This is particularly important to note when staff are using shared accounts
SenderRecieverSecurity status Secure Any other email address (not confirmed as being secure) Encrytion will be needed. Type [secure] at the start of the message subject* Secure Secure Secure Secure Any other email address Encrypt button must be used or password protect the document (as described above) Any other email address Encrypt button must be used or password protect the document (as described above)

* Please note that the person you are sending the email to may need to read the NHS Digital guidance to understand how to access the email.

Mobile messaging

  • Staff can use mobile messaging such as WhatsApp to communicate with colleagues as needed
  • Please limit as much as possible the use of personal confidential data
  • Communicate with patients using this type of platform, only where there is no practical alternative and the benefits outweigh the risk
  • Consent from the patient can be taken verbally and by patient sending back the information and/or accepting the invite

Video conferencing

The Trust encourages the use of video conferencing to carry out consultations with patients and service users, using Vidyo, DrDoctor and Microsoft Teams. This could help to reduce the spread of COVID-19.

The consent of the patient or service user is implied by them accepting the invitation and entering the consultation. But you should safeguard personal/confidential patient information in the same way you would with face to face consultation.

Using your own device

You can use your own devices to support video conferencing for consultations, mobile messaging and home working, only where there is no practical alternative.

Reasonable steps to ensure this is safe include:

  • setting a strong password
  • using secure channels to communicate (e.g. VPN)
  • not storing personal/confidential patient information on the device unless absolutely necessary and appropriate security is in place such as:
    • save documents to an encrypted USB
    • password protect each document where possible – office documents or PDF allow password protection
    • create a folder to contain all sensitive data and password protect this folder
  • transferring information safely to Trust systems as soon as it is practical to do so
  • taking care to always delete any temporary files

Handling physical records

Outpatient clinics at Good Hope, Heartlands and Solihull hospitals require patient clinical notes. Clinicians can start using Oceano PAS and Clinical Portal on VPN.

For clinicians working at home:

  • dictate letters onto the Oceano PAS/Clinical Portal systems
  • notes can also be typed on emails on VPN and send to secretaries to include in patients notes if needs be
  • if needed, notes can also be taken on paper, dictated into a letter and then the notes securely disposed of. Please see the following advice on secure disposal of paper notes

Taking health records home

Health records may be taken home in order to conduct a video or telephone clinic as long as the key requirements below are met:

  • health records should only be taken off site when ‘absolutely necessary’ and with line manager approval
  • record what information you are taking off site, why and where you are taking it. For health records please ensure any removal/return is tracked electronically including the location code
  • health records must be transported in a secure/tamper proof bag
  • never leave health records unattended (e.g. in the boot of a car)
  • while at home, ensure health records are kept secure and confidential (i.e. locked away and out of sight from other family members, friends and colleagues)
  • return health records as soon as possible
  • always dispose of any paper notes using the most secure confidential method (i.e. bring it to the site for confidential waste). Alternatively, use a cross cut shredder with minimum security level four (produces cross-cut strips of 16mm) and split the shred waste to different waste bags or to compost bin

Please remember, the person handling/moving the health records has responsibility for their safety and ensuring they are kept secure at all times.

Communication with GPs

The safest route to communicate with GPs is via the PICS system where information should be saved into the ‘treatment note’ and ‘in clinic GP letters’. The information will be routed automatically to GPs via email.

Back to top