Skip to Content Skip to navigation
Digital & Information
Una Hill
Una Hill
C. Bowring
01 December 2008
20 June 2012
01 December 2015


 “Safe Haven” is a term recognised throughout the NHS to describe the system of safeguarding the confidential transfer of person or patient-identifiable information between organisations or sites in accordance with current legislation and guidelines.

Although ‘Safe Haven’ was initially used in the context of information transmission by fax machine, it now also includes data held and used with:

  • Photocopiers
  • Voice Mail & Answer phones
  • Message Pads & Notebooks
  • Computers & Emails
  • Unopened Post
  • Desks
  • Dictation Equipment
  • Visitor Books
  • Photographic /Video media
  • In tray/out tray; Post trays
  • Confidential waste disposal
  • Healthcare Records



1.1 This policy supersedes policy F1 The Use of Facsimile Transmission for Transfer of Personal Health Information.

1.2 To ensure that the confidentiality of ‘personal information’, ‘patient health information’ and ‘confidential business information’ is maintained when sending/receiving such information.

1.3 All Safe Haven Procedures relate to the parent policy – NHS Fife Data Protection (GP/D3)



2.1 This Policy and associated procedures are applicable to all staff and contractors working within NHS Fife.  It is offered as advice to independent GP, Dental, Pharmacy and Optometry Contractors.  It is acknowledged that the accountability arrangements of these independent contractors differ from those of NHS Fife employees, and therefore this policy must be seen as good practice guidance and used in conjunction with the requirements of their own professional body.



3.1 All members of staff who, in the course of their duties, may transfer personal or confidential information have a responsibility to comply with this policy.

3.2 This policy is particularly  relevant to all staff who handle and transfer patient or person identifiable information.

3.3 The responsibility for ensuring compliance rests with line managers.



4.1 Staff must handle all information with care, and ensure that person and patient-identifiable information is not made available inappropriately or to unauthorised persons.

4.2 Person or patient-identifiable information is any data which can, by itself, or with other data, permit an individual to be identified.  However, care should also be taken to avoid unwittingly identifying people when referring to situations or events.  The following list is not meant to be exhaustive, but patient identifiable information will include:

Surname Initials
Forename Date of Birth
Telephone Number Postcode
Address Email address
Religion Sex
National Insurance Number Occupation
NHS/CHI Number Casenote Record Number
Any other local identifier Unusual Medication/Conditions

4.3 Although ultimate responsibility for the safe transfer of person and patient identifiable information lies with the organisation (its procedures, policies and equipment), the sender must comply with these policies and procedures and use the equipment for the purposes provided.

4.4 Staff are individually accountable for their actions and, if under any doubt, guidance should be sought from the relevant supervisor or line manager before transmitting personal or patient-identifiable information. 

4.5 Staff must familiarise themselves with the relative procedures.  These are listed in 6. Related Documents.

4.6 Information on how to send confidential information by email is covered under NHS Fife Email Policy (GP/E6).



Risks identified as a result of the implementation of this policy must be assessed and managed in accordance with the NHS Fife Risk Assessment and Risk Register Policies.  Any incident should be reported in line with NHS Fife Incident Management System Policy (GP/I2)

5.1 Control of Risk

5.1.2 Line managers must be made aware of the updated policy and must bring this to the attention of relevant staff.

5.1.3 It is intended that details of new policies will be placed on the front page of the Intranet.  Managers are encouraged to check this on a daily basis and inform staff of any new policies relevant to their area of responsibility.

5.1.4 Include Safe Haven in induction training.


5.2 Management of Risk

5.2.1 In a situation where an incident has occurred which could have or did lead to unintended or unexpected harm, loss or damage, staff must complete an NHS Fife Incident/Near Miss Reporting Form.  This is the first stage in a series of steps recording such incidents.  The NHS Fife Incident Management Policy (GP/I2) describes the procedures for incident reporting and follow up. 

5.2.2 Follow up will be as described in the Incident Management Policy and logged in the Risk Management Information System (Datix).  NHS Fife Incident Management Policy (GP1) should be referred to. 

5.2.3 Existing systems/working practices will be reviewed and amended where necessary.  Lessons learned as a result of such an approach will be shared.  

5.2.4 Amendments to this policy by improved working methodologies will be published on the Intranet and brought to the attention of staff via 1, 2 and 3 above.



6.1 The following operational procedures must be referred to:

  • GP-D3-3 Fax Machines (Position & Access Controls)
  • GP-D3-4 Fax Machines (Operating Procedure & Fax Cover Sheet)
  • GP-D3-5 Action to be taken in event of fax sent/received in error
  • GP-D3-6 Good Practice Guide for Office Equipment and Machinery



  • Data Protection Act (1998)
  • Human Rights Act (1998)
  • Freedom of Information Act (2002) 
  • Privacy and Electronic Communication Regulations (2003)
  • Common Law
  • Caldicott Report
  • MEL (2000) 17 Data Protection Act 1998 – (Guidance to the service on the Data Protection Act 1998)
  • MEL (1997) 45 Guidance on use of fax for transfer of personal health information within NHSS
  • MEL 1992(14)Safeguarding Confidentiality Identifiable data in the Contracting Process
  • NHS 1990 (GEN)22 – Confidentiality of Personal Health Information – A Code of Practice
  • NHS/DGM (1992)20 – Security of Health Records


NHS Fife Policies including:

  • NHS Fife Data Protection Policy (GP/D3)
  • NHS Fife Risk Register & Risk Assessment Policy (GP/R7)
  • NHS Fife Incident Management Policy (GP/I2)
  • NHS Fife IT Security Manual (GP/I5)
  • NHS Fife Email Policy (GP/E6)
  • NHS Fife Hand Held & Peripheral Devices Policy (GP/H2)
  • Non-NHS Fife Equipment Policy (GP/E7)
  • NHS Fife Confidentiality Policy (GP/C9)


An Equality & Diversity Rapid Impact Assessment has been completed for  this procedure  No negative impacts have been identified.