Firstly, this document deals only with the clinical aspects of information security, and not with associated business aspects such as the commercial confidentiality of purchaser and provider contract data. and the legal reliability of electronic records in court. Secondly, we do not deny that there may be security gains in computerising medical records: encrypting records in transit can provide much stronger confidentiality than the postal service; intrusion detection systems can log accesses and analyse them for suspicious patterns; and offsite data backup can provide effective and economic protection against fire and flood. However we need to understand our protection priorities before these techniques can be applied effectively, and a security policy is an important step in creating and clarifying this understanding.