Confidentiality & Information Governance

Patient Confidentiality

1.1 – Overview

Health information is collected from patients in confidence and attracts a common law duty of confidence until it has been effectively anonymised. This legal duty prohibits information use and disclosure without consent, effectively providing individuals with a degree of control over who sees information they provide in confidence.

This duty can only be overridden if there is a statutory requirement, a court order, or a robust public interest justification.

On first contact with the organisation, all patients should be asked which relatives, friends or carers they wish to receive information regarding treatment and progress, and which they specifically do not permit to receive such information.

In cases where relatives have been heavily involved in patient care, the patient must be explicitly asked to what level these relatives can be kept informed. This is particularly important in cases where relatives are requesting information on the patient’s condition, perhaps before the patient has been informed.

In the event a patient lacks capacity to consent to information being shared, staff should check whether a person is authorised by a Lasting Power of Attorney (health and welfare) or has been appointed by the Court of Protection to make that decision. The relevant document must be seen. This person can consent on the patient’s behalf, but must act in the patient’s best interest. If no such person has been appointed, then no one can consent on behalf of that patient.

A professional in the care team must assess if it is in the best interest of the patient to share the information. The patient’s wishes and feelings, although not determinative, should be the starting point in this assessment.

1.2 – Patients’ Right to Confidentiality

Patients have a right to expect that information about them will be held in confidence by their GP practice. Confidentiality is central to trust between staff and patients and without assurances, patients may be reluctant to give the information the staff need in order to provide good care.

  • All information about patients is confidential, from the most sensitive diagnosis, to the fact of having visited the surgery or being registered at the organisation. This includes information about patients’ families or others associated with them
  • Confidential information may not be health-related. It can include anything that is private and not public knowledge
  • Workers should discuss confidential information only with those who need to know within the organisation
  • Only the minimum amount of necessary information should be disclosed
  • The duty of confidentiality owed to a person under 16 is as great as the duty owed to any other person
  • Workers must not, under any circumstances, disclose patient information to anyone outside the organisation, except to other health professionals on a need-to-know basis, or where the patient has provided written consent
  • Workers must not, under any circumstances, disclose confidential information about the organisation to anyone outside the organisation without the express consent of the Organisation Manager and/or Partners
  • All patients can expect their personal information will not be disclosed without their permission (except in the most exceptional circumstances when disclosure is required when a person is at grave risk of serious harm)
  • Where disclosure of information is required which is non-routine in nature, the patient will, where possible, be fully informed of the nature of the disclosure prior to it being made
  • Where the decision is made to disclose information, the decision to do so must be justified and documented
  • Person-identifiable information must not be used unless absolutely necessary – anonymised data should be used wherever possible
  • Workers must be aware of and conform to the requirements of the Caldicott recommendations and UK GDPR principles
  • Any electronic transfer of confidential information, once approved by the Organisation Manager and/or a Partner, must be made via NHS net using agreed encryption methods. Workers must take particular care that confidential information is not transmitted in error by email or over the internet
  • Workers must not take data from the organisation’s computer systems off the premises unless authorised to do so by the Organisation Manager and/or a Partner
  • Where this is the case, the information must be kept on the worker’s person at all times while travelling, and kept in a secure, lockable location when taken home or to another location
  • Workers who suspect a breach of confidentiality must inform the Organisation Manager and/or a Partner immediately
  • Any breach of confidentiality will be considered as a serious disciplinary offence and may lead to dismissal
  • Workers remain bound by a requirement to keep information confidential even if they are no longer employed at the organisation. Any breach, or suspected breach, of confidentiality after the worker has left the organisation’s employment will be passed to the organisation’s lawyers for consideration

1.3 – Sharing Information with Patients

Patients have a right to information about the healthcare services available to them, presented in a way that is easy to follow, understand and use. Patients also have a right to information about any condition or disease from which they are suffering.

Such information should include:

  • Diagnosis
  • Prognosis
  • Treatment options
  • Outcomes of treatment
  • Common and/or serious side-effects of treatment
  • Likely time-scale of treatments
  • Costs where relevant

Patients must always be given basic information about any treatment the organisation proposes to provide, but it is important to respect the wishes of any patient who asks not to be given detailed information. Providing treatment to a patient who has requested not to be given detailed information places a considerable onus upon health professionals, as, without such information, patients cannot make proper choices as partners in the healthcare process.

Employees should advise patients how information about them may be used to protect public health, to undertake research and audit, to teach or train clinical staff and students and to plan and organise healthcare services.

Further detailed information is available within the organisation’s Access to Medical Records Policy.

1.4 – Protecting Patient Information

When staff are responsible for personal information about patients, they must ensure that it is effectively protected against improper disclosure at all times. Many improper disclosures are unintentional.

Staff are not to discuss patients where they can be overheard, or leave patients’ records, either on paper or on screen, where they can be seen by other patients, unauthorised healthcare staff or the public. Employees are to take all reasonable steps to ensure that any consultation with a patient is private.

2.1 – Disclosing Information About Patients

When staff manage any business information, they must comply with all applicable requirements of the procedures undertaken. This handbook advises all staff to manage information to the highest standards in order to ensure compliance with the appropriate standards, to secure all organisational information and to promote appropriate information access.

This organisation fully endorses the seven principles set out in the UK GDPR. The organisation and all staff who process personal information must ensure these principles are followed.

In summary these state that personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
  7. Handled by an organisation that takes responsibility for the data it holds and can demonstrate compliance with the previous principles. This requires thorough documentation of all policies that govern the collection and processing of data. To ensure compliance, organisations must be sure that every step within the UK GDPR strategy is auditable and can be used as evidence efficiently (‘accountability’).

2.2 – Sharing Information with Others Providing Care

Most people understand and accept that information must be shared within healthcare teams in order to provide their care. Therefore, staff are to ensure that patients are aware that personal information about them will be shared within the healthcare team unless they object, and of the reasons for this. It is particularly important to check that patients understand what will be disclosed if it is necessary to share identifiable information with anyone employed by another organisation or agency who is contributing to their care.

Employees must respect the wishes of any patient who objects to particular information being shared with others providing care, except where this would put others at risk of death or serious harm. Furthermore, anyone to whom personal information is disclosed should understand that it is given to them in confidence, which they must respect.

All staff members receiving personal information in order to provide or support care are bound by a legal duty of confidence, whether or not they have contractual or professional obligations to protect confidentiality.

2.3 – Disclosing Information for Clinical Audit

Clinical audit is essential to the provision of good care. All clinicians who are undertaking clinical practice have a duty to participate in clinical audit. Where an audit is to be undertaken by the team which provided care, or those working to support them, such as clinical audit staff, identifiable information may be disclosed, provided that patients have both:

  • Been informed that their data may be disclosed for clinical audit, and of their right to object to the disclosure
  • Not objected

If a patient does object, then it should be explained why the information is needed and how this may benefit their care. If it is not possible to provide safe care without disclosing information for audit, then this should be explained to the patient along with any other options that are open to them.

Where clinical audit is to be undertaken by another organisation, information should be anonymised wherever that is practicable. Where it is not practicable to anonymise data, or anonymised data will not fulfil the requirements of the audit, express consent must be obtained before identifiable data is disclosed.

Circumstances may arise where a patient cannot be informed about the sharing of information, for example because of a medical emergency. In these cases staff must pass relevant information promptly to those providing the patient’s care.

2.4 – Disclosure Where Express Consent Must Be Sought

Express consent is usually needed before the disclosure of identifiable information for purposes such as research, epidemiology, financial audit or administration.

When seeking express consent to disclosure, staff at this organisation must ensure that patients are given enough information on which to base their decision: the reasons for the disclosure and its likely consequences. Staff are also to explain how much information will be disclosed and to whom it will be given.

If the patient withholds consent, or consent cannot be obtained, disclosures may be made only where they are required by law or can be justified in the public interest.

Where the purpose is covered by a regulation made under Section 60 of the Health and Social Care Act 2001, disclosures may also be made without patients’ consent.

Staff should make a record of the patient’s decision, and whether and why they disclosed information.

Should there be any contractual obligation to a third-party, such as another company or organisation, then patients’ consent to disclose this information must be agreed prior to undertaking any examination or writing a report for that organisation. Clinicians should offer to show patients the report, or give them copies, whether or not this is required by law.

2.5 – Disclosure for Judicial or Other Statutory Proceedings

The following are reasons to disclose:

  • Disclosures required by law
    At this organisation, staff must disclose information to satisfy a specific statutory requirement, such as notification of a known or suspected communicable disease. Staff should inform patients about such disclosures wherever that is practicable, but their consent is not required.
  • Disclosures to courts or in connection with litigation
    Staff at this organisation must also disclose information if ordered to do so by a judge or presiding officer of a court. However, an objection may be raised to the judge or the presiding officer if attempts are made to compel any disclosure in what appear to be irrelevant matters. This could be matters relating to relatives or partners of the patient who are not parties to the proceedings. Staff must not disclose personal information to a third-party such as a solicitor, police officer or officer of a court without the patient’s express consent, except in the circumstances described below.
  • Disclosures to statutory regulatory bodies
    Patient records or other patient information may be needed by a statutory regulatory body for an investigation into a health professional’s fitness to practise. If a concern about a health professional is being raised with a regulatory body, then, wherever practicable, the patient’s consent must be obtained prior to disclosing any identifiable information.
    Where patients withhold consent or it is not practicable to seek their consent, the GMC, or other appropriate regulatory body, may be contacted and will advise on whether the disclosure of identifiable information would be justified in the public interest or for the protection of other patients.
    Wherever practicable this should be discussed with the patient. There may be exceptional cases where, even though the patient objects, disclosure is justified.

2.6 – Disclosure in the Public Interest

Personal information may be disclosed in the public interest without the patient’s consent, and in exceptional cases where patients have withheld consent, where the benefits of the disclosure to an individual or to society outweigh the public and the patient’s interest in keeping the information confidential.

In all cases where disclosing information without consent from the patient is considered, staff must weigh the possible harm (both to the patient, and to the overall trust between clinician and patients) against the benefits which are likely to arise from the release of information.

Before considering whether a disclosure of personal information ‘in the public interest’ would be justified, staff must be satisfied that identifiable data is necessary for the purpose, or that it is not practicable to anonymise the data. In such cases an attempt to seek patients’ consent should still be made unless it is not practicable to do so, for example because of any of the following:

  • The patients are not competent to give consent
  • The records are of such age and/or quantity that reasonable efforts to trace patients are unlikely to be successful
  • The patient has been, or may be, violent; or obtaining consent would undermine the purpose of the disclosure (e.g., disclosures in relation to crime)
  • Action must be taken quickly (for example in the detection or control of outbreaks of some communicable diseases) and there is insufficient time to contact patients

In cases where there is a serious risk to the patient or others, disclosures may be justified even where patients have been asked to agree to a disclosure, but have withheld consent. Staff are to inform patients that a disclosure will be made, wherever it is practicable to do so. Medical records must document any steps that have been taken to seek or obtain consent, and any reasons for disclosing information without consent.

Ultimately, the ‘public interest’ can be determined only by the courts; but the GMC may also require the person who made the disclosure to justify their actions should a complaint be made about the disclosure of identifiable information without a patient’s consent.

The potential benefits and harms of disclosures made without consent are also considered by the Patient Information Advisory Group when reviewing applications for regulations under the Health and Social Care Act 2001. Disclosures of data covered by Regulation 4 are not in breach of the common law duty of confidentiality.

Disclosure of personal information without consent may be justified in the public interest where failure to do so may expose the patient or others to risk of death or serious harm. Where the patient or others are exposed to a risk so serious that it outweighs the patient’s privacy interest, staff are to seek consent to disclosure where practicable. If it is not practicable to seek consent, then information should only be disclosed to an appropriate person or authority.

At this organisation, staff should generally inform the patient before disclosing information. If consent is needed and the patient withholds it, then the reasons for this must be considered.

Should it still be considered that disclosure is necessary to protect a third-party from death or serious harm, then any information must be disclosed promptly to an appropriate person or authority. Such situations arise, for example, where a disclosure may assist in the prevention, detection or prosecution of a serious crime, especially crimes against the person, such as abuse of children.

2.7 – Children and Other Patients Who May Lack Capacity to Give Consent

The following considerations must be given to the stated circumstances:

  • Disclosures in relation to treatment sought by children or others who lack capacity to give consent
    At this organisation, problems may arise if it is considered that a patient lacks capacity to give consent to treatment or disclosure. Any such patients may ask that information about their condition or treatment should not be disclosed to a third-party. In these instances, all attempts should be made to persuade them to allow an appropriate person to be involved in the consultation.
    Should the patient continue to refuse, but it is believed that, in their medical interests, the disclosure is essential, then relevant information may be disclosed to an appropriate person or authority. In such cases, staff should advise the patient before disclosing any information and, where appropriate, seek and carefully consider the views of an advocate or carer.
    All information relating to this conversation must be documented in the patient’s record, detailing both discussions with the patient and the reasons for deciding to disclose information.
  • Disclosures where a patient may be a victim of neglect or abuse
    Should it be believed that a patient may be a victim of neglect, or physical, sexual or emotional abuse and that the patient cannot give or withhold consent to disclosure, staff must give information promptly to an appropriate responsible person or statutory agency, where it is believed that the disclosure is in the patient’s best interests.
    If, for any reason, it is believed that disclosure of information is not in the best interests of an abused or neglected patient, then this is to be discussed with an experienced colleague. If it is then decided not to disclose information, this decision will then need to be justified.
  • Disclosure after a patient’s death
    Staff still have an obligation to keep personal information confidential after a patient dies.
    The extent to which confidential information may be disclosed after a patient’s death will depend on the circumstances. If the patient had asked for information to remain confidential, his or her views should be respected. Where the organisation is unaware of any directions from the patient, the following considerations for information disclosure should be taken into account:
    – Whether the disclosure of information may cause distress to, or be of benefit to, the patient’s partner or family
    – Whether disclosure of information about the patient will, in effect, disclose information about the patient’s family or other people
    – Whether the information is already public knowledge or can be anonymised
    – The purpose of the disclosure
    If it is decided to disclose confidential information, then the staff member must be prepared to explain and justify their decision.

Information Governance

1.1 – What is Governance?

In short, governance is all that we do and it is essential that any organisation has robust governance to ensure that its day-to-day activities are compliant.

Here is a definition of governance that is used by various sources:

“Governance is the establishment of policies, and continuous monitoring of their proper implementation, by the members of the governing body of an organisation. It includes the mechanisms required to balance the powers of the members (with the associated accountability), and their primary duty of enhancing the prosperity and viability of the organisation”.

At this organisation, we have established robust processes to ensure that, holistically, all aspects are safe, sound and compliant.

Therefore, to meet our obligations, we are required to have sound processes in place as stipulated by legislation, our NHS contract, our regulator, the CQC, and our commissioners. Achieving these obligations is a team effort, and all members of the team are therefore required to be compliant and to act at all times in the best interests of both the organisation and the patient.

1.2 – Clinical Governance

Clinical governance is defined as:

“A framework through which NHS organisations are accountable for continuously improving the quality of their services and safeguarding high standards of care by creating an environment in which excellence in clinical care will flourish”.

Clinical governance is crucial to improving standards of care and treatments that patients receive. It is a continuous cyclic process of improving, controlling and monitoring clinical care provided for the betterment of patients.

It is important that organisations work in partnership with patients and carers. This includes gaining a better understanding of the priorities and concerns of those who use services by involving them in the organisation’s work, including policy and planning.