Protecting sensitive information in OneFile

Guidance for trainees about sensitive information in OneFile evidence.


Protecting patients is a primary responsibility within professional practice. ‘The Professional Standards of Behaviour and Practice for the Healthcare Science Workforce’, also known as ‘Good Scientific Practice’, includes standard 1.1.3:

“You respect patients’ privacy and only use and disclose confidential information about their care in accordance with legal, ethical and data protection requirements.”

Trainees receive training on wider Information Governance as part of their employers’ statutory and mandatory training.

Three key messages about sensitive information and OneFile evidence are:

  1. Trainees are expected to maintain their OneFile portfolios in accordance with the principles of information governance and standards of professional practice and to be able to make judgements about what information they need to redact, if necessary, with the support of their supervisor.
  2. Where required, Trainees should FULLY redact information to ensure it is not retained in files uploaded to OneFile (even though it might not be immediately visible)
  3. Where patient identifiable information is found in a candidate’s submissions on OneFile it may result in an automatic assessment fail.
text text

Reflective practice and sensitive information

All aspects of a scientist’s professional work, including interactions with colleagues and patients, should be reflected upon. It is equally important that all scientists are open to reflect on critical incidents and complaints. Trainees must do this in discussion with their supervisors and provide evidence of this activity as part of demonstrating their development. This is no different to the expectation that all scientists reflect for their annual appraisal and continued professional development, similar to doctors collecting evidence to revalidate.

However, it is important that scientists in training should be mindful that their reflections are carefully written and focus on the learning gained from such events. In order to comply with professional standards and the expectations of information governance, there must be no patient identifiable information contained within written reflections. Therefore, it is important that trainees keep reflective notes and submissions as fully anonymised as possible. Advice from the Academy of Medical Royal Colleges on entering information on e-portfolios states:

“Other practitioners, patients, parents, carers and staff should not be named or be readily identifiable as far as is possible from the information you provide.”


Anonymising information

The anonymisation code of practice published by the Information Commissioner’s Office considers data to be anonymised if it does not itself identify any individual, and if it is unlikely to allow any individual to be identified through its combination with other data. You can describe a situation without including identifiable data. For example, use ‘patient X’ or ‘Dr Y’ instead of names or patient numbers.


Redacting information from files

Trainees’ submissions to OneFile don’t just include reflective submissions authored by the trainee. They also include substantiating evidence from other sources and in many formats, including word-processed documents, PDFs, spreadsheets, images, videos and more. Consideration has to be given to the redacting of information from these formats too.

It is important that the trainee takes responsibility for effectively removing sensitive information from the files they upload. This includes situations where files and other information have been embedded in a document.


Two illustrative examples of incomplete data redaction

Example 1

A trainee inserts an image into a Word document as part of their OneFile Submission. The image is of a patient report and contains the patient details. Once the image is inserted into the Word document the trainee crops the image within Word, so the patient details are no longer visible. Once the submission is complete the trainee uploads the Word document to OneFile. The trainee understands the need not to disclose patient information and thinks they have removed the patient details.

However, the patient information is still accessible. When the file is opened the viewer can click on the image and un-crop the image to reveal the patient details.

The best way to avoid this would be to crop the image before inserting it into the document so the patient information never enters the submitted file.

Example 2

A trainee wants to evidence that they were a participant in an MDT meeting. They have the minutes of the meeting and save them as a PDF. They edit the pdf to put black boxes over information they wished to redact before uploading the file to OneFile.

Now when the file is opened the viewer can highlight the text in the pdf behind the black boxes and cut and paste it into a word document to reveal the information.

Alternate approaches here would be to have screenshot the redacted pdf and saved the information as an image. Or to use software that appropriately flattens the PDF file.

resources resources

Last updated on 11th March 2024