Regulating doctors, ensuring good medical practice

Confidentiality guidance: Endnotes

    1. Caldicott Guardians are senior people in the NHS, local authority social care, and partner organisations, who are responsible for protecting the confidentiality of patient information and enabling appropriate information sharing.

    2. Doctors working in a managed environment will do this largely by understanding and following corporate information governance and confidentiality policies.

    3. The Data Protection Act 1998 provides for exceptions in some circumstances and allows charges to be made. You can find out more about this in guidance from the Information Commissioner’s Office and the UK health departments.

    4. The NHS Code of Practice: Records Management (Department of Health, 2006), Records Management: NHS Code of Practice (Scotland) (Scottish Government, 2008), Welsh Health Circular (2000) 71: For The Record (National Assembly for Wales) and Good Management, Good Records (Department of Health, Social Services and Public Safety, 2005) all include schedules of minimum retention periods for different types of records. You should also consider any legal requirement of specialty-specific guidance that affects the period for which you should keep records. You should not keep records for longer than necessary.

    5. You should follow the technical guidance of the Information Commissioner’s Office. The ISO 27001 Security Management Standard and the Code of Practice for Information Security Management in ISO 27002 give more detailed guidance, as does the Department of Health’s technical guidance for NHS organisations. NHS Connecting for Health publishes an Information Governance Toolkit for NHS organisations. It aims to bring together, in a single framework, all the requirements, standards and best practice on handling personal information, allowing implementation of Department of Health guidance and compliance with the law.

    6. Different diseases are notifiable in different UK countries and the reporting arrangements differ. You can get advice from the Health Protection Agency in England, Public Health Wales, Communicable Disease Surveillance Centre in Northern Ireland and Health Protection Scotland.

    7. See the legal annex for more information about the statutory powers of bodies regulating the provision of healthcare and healthcare professionals to require disclosure of information, and about other legal duties to disclose.

    8. You may disclose information to your own legal adviser in order to take their advice.

    9. Others who might form part of the healthcare team, but with whom patients might not expect information to be shared, include prescribing advisers who review patients’ medicine needs to improve safety, efficacy and efficiency in doctors’ prescribing.

    10. See Good Medical Practice (2006), paragraphs 14 and 41.

    11. See the supplementary guidance on Disclosing records for financial and administrative purposes and Disclosing information for insurance, employment and similar purposes. Disclosure necessary to respond to matters raised on a patient’s behalf by a Member of Parliament may be made without seeking the patient’s express consent; you should still check with the patient if you think they would not reasonably expect the information to be disclosed. See the Information Commissioner’s Technical Guidance Note on the Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002.

    12. If any of the exceptions apply, you should still disclose as much of the report as you can. The Department for Work and Pensions publishes advice about reports for benefits purposes.

    13. Section 251 of the NHS Act 2006 re-enacts section 60 of the Health and Social Care Act 2001. Approval under section 251 of the NHS Act 2006 allows for disclosure despite the common law requirement to obtain consent, but would not usually authorise disclosure to which a patient had objected; disclosure might still be justified in the public interest. See also the guidance in paragraphs 46 and 47 on the roles of the privacy advisory committees in Scotland and Northern Ireland.

    14. See the supplementary guidance on Disclosing records for financial and administrative purposes, such as QOF reviews, and Disclosing information for education and training purposes. The Medical Research Council publishes a toolkit of practical advice on the legal and good practice requirements of using personal information in research. See www.dt-toolkit.ac.uk/home.cfm.

    15. Section 251 of the NHS Act 2006 applies only to England and Wales, where doctors should seek and abide by the independent advice of the Ethics and Confidentiality Committee of the National Information Governance Board.

    16. You should consider whether the work needed to anonymise or code the information or to seek patients’ consent is reasonably practicable in all the circumstances. Only if unreasonable effort is required should you go on to consider whether disclosure of identifiable information is justified in the public interest.

    17. If it is not practicable to anonymise or code the information or to seek or obtain patients’ consent without unreasonable effort, and the likelihood of distress or harm to patients is negligible, disclosure for an important secondary purpose may be proportionate. You should respect patients’ objections to disclosure.

    18. Disclosures covered by a regulation are not in breach of the common law duty of confidentiality.

    19. The NHS Information Centre is working towards the establishment of the structures and guidance (and seeking approval under section 251 of the NHS Act 2006) for safe havens in England. The Information Services Division manages identifiable information about patients for many secondary uses in Scotland.

    20. Delegation involves asking a colleague to anonymise or code the information or seek patients’ consent. Although you will not be accountable for the actions of those you delegate to, you will still be accountable for your decision to delegate. You must be satisfied that the person you delegate to is trained and understands their responsibilities and the consequences of breaching confidentiality. See paragraphs 12 to 16 on protecting information and the management of records.

    21. You might seek Research Ethics Committees’ advice on the ethics of disclosing and using identifiable information for research purposes. However, they cannot authorise unconsented disclosure or determine if disclosure is justified in the public interest.

    22. The Adult Support and Protection (Scotland) Act 2007 requires health boards in Scotland to report to local authorities if they know or believe that an adult is at risk of harm (but not necessarily incapacitated) and that action needs to be taken to protect them. The Act also requires certain public bodies and office-holders to co-operate with local authorities making inquiries about adults at risk and includes powers to examine health records for related purposes.

    23. There is no agreed definition of serious crime. Confidentiality: NHS Code of Practice (Department of Health, 2003) gives some examples of serious crime (including murder, manslaughter, rape and child abuse; serious harm to the security of the state and public order and ‘crimes that involve substantial financial gain or loss’ are mentioned in the same category). It also gives examples of crimes that are not usually serious enough to warrant disclosure without consent (including theft, fraud, and damage to property where loss or damage is less substantial).

    24. You should consider the assessment of risk posed by patients made by other professionals and by groups established for that purpose, but you must make your own assessment and decision as to whether disclosure is justified. Your assessment of risk is a matter of professional judgement in which an offender’s past behaviour will be a factor. The Royal College of Psychiatrists publishes guidance for psychiatrists about sharing information in the context of public protection, including participation in Multi-Agency Public Protection Arrangements (MAPPA) and panels.

    25. In some cases disclosure will be required or necessary, for example under the provisions of mental health and mental capacity legislation.

    26. This might be a welfare attorney, a court-appointed deputy or guardian or an Independent Mental Capacity Advocate. See the Adults with Incapacity (Scotland) Act 2000 and Mental Capacity Act 2005 and their respective codes of practice. There is no specific mental capacity legislation for Northern Ireland, where the common law duty to act in incapacitated patients’ best interests endures. Independent Mental Health Advocates should also be provided with the information listed in section 130B of the Mental Health Act 1983.

    27. Section 7 of the Data Protection Act 1998 gives patients the right to have access to their personal information; but there are some exceptions. For example, you do not have to supply a patient with information about another person or that identifies another person as the source of the information, unless that other person consents or it is reasonable in the circumstances to supply the information without their consent. See the Information Commissioner’s technical guidance note on Dealing with subject access requests involving other people’s information.

    28. The Princess Royal Trust for Carers publishes information on good practice for primary care, mental health and hospital based professionals, highlighting carers’ need for information to perform their roles.

    29. For more information see Consent and confidentiality in genetic practice: Guidance on genetic testing and sharing of genetic information – A report of the Joint Committee on Medical Genetics (Royal College of Physicians, 2006).

    30. There is an obvious ethical obligation. There may also be a legal obligation: see Lewis v Secretary of State for Health [2008] EWHC 2196. Section 38 of the Freedom of Information (Scotland) Act 2002 includes a deceased person’s medical records within the definition of personal information, which is exempt from the general entitlement to information.

    31. The permission of a surviving relative or next of kin is not required for, and does not authorise, disclosure of confidential information, although the views of those who were close to the patient may help you decide if disclosure is appropriate.

    32. See paragraph 69 of Good Medical Practice (2006).

    33. Namely, a deceased patient’s personal representative and any person who may have a claim arising out of a patient’s death. This is not a general right, and access should be limited to information of relevance to the claim. Access should be limited or refused if there is evidence that the patient would have expected that the information would not be disclosed to the applicant, if disclosure is likely to cause serious harm to anyone else, or if it would also disclose information about a third party (other than a healthcare professional involved in the deceased person’s care) who does not consent. Access must be refused to records that contain a note, made at the patient’s request, that they did not wish access to be given on an application under the Access to Health Records Act 1990.

    34. You should contact your organisation’s approved place of deposit or The National Archives, the Public Record Office of Northern Ireland or the National Archives for Scotland for further advice about storage of, and access to, archives of records of ongoing research or historical value. Health records of deceased patients are exempt from the Freedom of Information (Scotland) Act 2002.
