written by Maree Stuart
As we head into the silly season we are delighted to present:
The MAS Management Systems 12 Days of a Lab Christmas!
On the seventh day of Christmas, one of our test reports appeared in the newspaper
when it was leaked to a journalist by a staff member
You might regard this as a good thing. After all, all publicity is good publicity, right!? But that might not be the case, especially if your clients didn’t want details about them and their business in the media.
So, what can we do when faced with this situation?
Step 1: Find out how and why
Unless you and your clients are after a situation of ‘full disclosure’, then this is not the situation you want to find yourself in.
Kathryn Flynn, a researcher in Medicare fraud, public policy and the media, writes that “Civic-minded people who encounter what they believe to be corrupt and illegal conduct in the workplace may take it upon themselves to release relevant confidential information”. This insight reveals the motivation for a staff member to breach any confidentiality obligations. They feel it is their civic duty.
But just because there is motivation doesn’t mean that there should be opportunity! In any criminal act, one needs both actus reus (the performance of the activity) and mens rea (the mental element of conscious planning and intent of doing an act) to prove guilt. Episodes of non-criminal acts, like disclosure of private information are no different.
It’s therefore equally important to examine the ‘how’ of the disclosure.
How was confidential information able to be accessed and distributed? Once we have the answer to these details there is an important follow-up question: Do we need to do anything to prevent dissemination to people who should not have that confidential information?
What should you do to protect confidential information?
The measures put in place must ensure that confidential information is well protected within the lab.
Keep paper documents and records in a secure location that can’t be accessed by personnel who are not a part of your organisation or who should not be accessing those records once they have been created. Shred confidential paper documents when they’re no longer required.
Store electronic documentation on a secure network and only view them on secure devices. Share this information with other personnel only when necessary and if authorised. Think about this now that a lot of information is stored in the Cloud.
Make all lab personnel aware of the lab’s confidentiality requirements and train them in the lab’s policies and procedures.
Training in confidentiality should be part of the lab’s induction process or completed within a reasonable timeframe once new staff begin working in the lab.
The approach to confidentiality is often a part of the culture of an organisation. If there is a culture of allowing ‘loose lips’, then you could be in danger of breaching any confidentiality policy. Remember those loose lips sink ships! A good idea is to restate and remind staff of these policies and procedures in regular staff meetings and in annual management reviews. Encourage employees to ask questions about the policies and raise scenarios for clarification if required.
The ISO/IEC 17025 standard states that the lab is responsible through legally enforceable commitments for confidentially managing the information it obtains. For this reason, labs could also have personnel sign a formal confidentiality or non-disclosure agreement.
This is standard practice for many businesses and can remain in effect indefinitely, protecting the lab even after personnel leave. It allows for legal recourse if there is a breach to employee obligations of confidentiality while they work for you and after they leave the lab.
Other issues to consider
Printing: you may have a procedure in place for filing and securing documents. But we’ve all had that moment when you printed a document, got distracted, and hit the print button again. If your printer is in a busy area, this could lead to an inadvertent breach of confidentiality. Check before you print or consider using password protected printing options.
Mobile phones: all smartphones have the capacity to take photos and video. While this is useful for those Instagram moments, in a lab setting it could lead to a serious breach. Labs must consider how they will manage the use of mobile phones by staff and visitors. Banning phones could be unreasonable but regular reminders about appropriate use is an important step.
Computer training: when assessing lab staff competency, employers may look primarily at their technical abilities. Providing staff training on lab specific software will help mitigate instances of accidental deletion or corruption of information. Assessing their abilities on email and document creation software would also be useful.
Not sure what to do to ensure your lab is kept out of the media for all the wrong reasons?
As we always say, you don’t have to do this alone! You can call Maree on 0411 540 709, or email email@example.com to talk through the options. Sometimes it is as simple as documenting your policy and have people signed up to adhering to the policy. Other times it is a matter of culture that should be finessed.
Either way, we’re here to support you!