Neil,
I believe that it is necessary for service providers to supply their employees with suitable confidentiality and privacy training materials suitable to the employees' responsibilities, and to test, certify and record the employee's competences on a regular basis.
We did this fairly simply for role based access (RBAC) to digital health records.
Richard
HIFA profile: Richard Fitton is a retired family doctor - GP. Professional interests: Health literacy, patient partnership of trust and implementation of healthcare with professionals, family and public involvement in the prevention of modern lifestyle diseases, patients using access to professional records to overcome confidentiality barriers to care, patients as part of the policing of the use of their patient data Email address: richardpeterfitton7 AT gmail.com