Confidentiality - NHS Code of Practice - GOV.UK

1 September 2003 Conf identialityNHS code of PracticeNovember 2003 Conf identialityNHS code of PracticeNovember 2003iiREADER INFORMATIONP olicyEstatesHR/WorkforcePerformanceManag ementIM & TPlanningFinanceClinicalPartnership WorkingDocument PurposeBest Practice GuidanceROCR Ref:Gateway Ref:1656 TitleNHS Confidentiality code of PracticeAuthorDH/IPU/Patient ConfidentialityPublication dateASAPT arget AudienceCaldicott Guardians and Data ProtectionOfficersCirculation listPCT CEs, NHS Trusts CEs, Care Trusts CEs,Directors of HR, Communications Leads,WDC CEs, Voluntary OrganisationsDescriptionPurpose is to provide guidance to the NHSand NHS related organisations on patientinformation Confidentiality issues. BMA,GMC and OIC have endorsed thedocument. This will help send a consistentmessage across the Service onconfidentiality and issues around theprocessing of patient RefHSG(96)18/LASSL(96)5 The Protectionand Use of Patient InformationSuperseded DocHSG(96)18/LASSL(96)5 The Protectionand Use of Patient InformationAction requiredMinisterial approval to publishTimingN/AContact DetailsDavid MartinDepartment of HealthConfidentiality Unit, IPUQ uarry 254 6267 For recipient use1 Introduction and Glossary3 Confidentiality7 What is Confidential Patient Information?

2 7 Disclosing and Using Confidential Patient Information7 Patient Consent to Disclosing 8 Obligations on Individuals Working in the NHS8 Providing a Confidential Service10 The Confidentiality Model10 Using and Disclosing Confidential Patient Information13 Legal Considerations13 Key Questions for Confidentiality Decisions15 Annex A Providing a Confidential Service: Detailed Requirements16A1 Protect Patient Information16A2 Inform Patients Effectively No Surprises21A3 Provide Choice to Patients23A4 Improve Wherever Possible24 Annex B Confidentiality Decisions25 Disclosure Models26Is it Confidential?29 Health Records are for Healthcare29 Consent Issues30 Informing Patients33 Common Law and the Public Interest34 Administrative Law35 Data Protection Considerations36 Human Rights Act 199836 Health & Social Care Act 2001: Section 6037 Legal Restrictions on Disclosure37 Legally Required to Disclose38 Legally Permitted to Disclose38 Annex C index of Confidentiality decisions in practice39 Model B1: Healthcare Purposes40 Model B2: Medical Purposes other than Healthcare41 Model B3: Non-medical Purposes43 Contents2 The ' Confidentiality : NHS code of Practice ' has been published by the Department of Health followinga major public consultation in 2002/2003.

3 The consultation included patients, carers and citizens; theNHS; other health care providers; professional bodies and regulators. The guidance was drafted anddelivered by a working group made up of key representatives from these from the Information Commissioner, General Medical Council, British MedicalAssociation and Medical Research Council can be found on the Department of Health's Confidentialitywebsite This document is a guide to required Practice for those who work within or under contract to NHSorganisations concerning Confidentiality and patients consent to the use of their health records. Itreplaces previous guidance, HSG (96)18/LASSL (96) 5 The Protection and Use of Patient Informationand is a key component of emerging information governance arrangements for the NHS. 2. For the purposes of this document, the term staff is used as a convenience to refer to all those to whomthis code of Practice should apply.

4 Whilst directed at NHS staff, the code is also relevant to any oneworking in and around health. This includes private and voluntary sector This document the concept of Confidentiality ; what a confidential service should look like; a high level description of the main legal requirements; a generic decision support tool for sharing/disclosing information; examples of particular information disclosure scenarios. 4. A summary of the key Confidentiality issues can be gained by reading the main body of the document(pages 1-12), while the supporting Annexes provide detailed advice and guidance on the delivery of aconfidential This is an evolving document because the standards and Practice covered continue to change. Whereappropriate, it is supplemented by additional guidance on the Department of Health web-site 6.

5 All parts of the NHS need to establish working practices that effectively deliver the patientconfidentiality that is required by law, ethics and policy. The objective must be NHS managers need to be able to demonstrate active progress in enabling staff to conform to thesestandards, identifying resource requirements and related areas of organisation or system assessment and management arrangements in support of information governance in theNHS facilitate and drive forward the required change. Those responsible for monitoring NHSperformance, strategic health authorities and the Commission for Health Audit and Inspection(CHAI) play a key role in ensuring effective systems are in place. Introduction and Glossary8. The NHS are provided with support to deliver change through the: a. Information Governance Toolkit which will manage and maintain up-to-date confidentialitypolicy and guidance and, more generally; b.

6 Information Governance teams within the Information Policy Unit of the Department ofHealth and the NHS Information 1 The NHS is committed to the delivery of a first class confidential service. This means ensuring that allpatient information is processed fairly, lawfully and as transparently as possible so that the public: understand the reasons for processing personal information; give their consent for the disclosure and use of their personal information; gain trust in the way the NHS handles information and; understand their rights to access information held about : NHS code of Practice5 Key identifiable information includes: patient s name, address, full post code , date of birth; pictures, photographs, videos, audio-tapes or other images ofpatients; NHS number and local patient identifiable codes; anything else that may be used to identify a patient directly orindirectly.

7 For example, rare diseases , drug treatments orstatistical analyses which have very small numbers within asmall population may allow individuals to be is information which does not identify an individual directly, andwhich cannot reasonably be used to determine identity. Anonymisationrequires the removal of name, address, full post code and any otherdetail or combination of details that might support identification. This is like anonymised information in that in the possession of theholder it cannot reasonably be used by the holder to identify anindividual. However it differs in that the original provider of theinformation may retain a means of identifying individuals. This will oftenbe achieved by attaching codes or other unique references to informationso that the data will only be identifiable to those who have access to thekey or index.

8 Pseudonymisation allows information about the sameindividual to be linked in a way that true anonymisation does AuditThe evaluation of clinical performance against standards or throughcomparative analysis, with the aim of informing the management ofservices. This should be distinguished from studies that aim to derive,scientifically confirm and publish generalisable knowledge. The first isan essential component of modern healthcare provision, whilst thelatter is research and is not encompassed within the definition ofclinical audit in this means articulated patient agreement. The terms areinterchangeable and relate to a clear and voluntary indication ofpreference or choice, usually given orally or in writing and freely givenin circumstances where the available options and the consequenceshave been made consentThis means patient agreement that has been signalled by behaviour ofan informed or ExpressConsentPseudonymisedInformationAn onymisedInformationPatient identifiableinformationGlossary of TermsDisclosureThis is the divulging or provision of access to data.

9 Healthcare PurposesThese include all activities that directly contribute to the diagnosis,care and treatment of an individual and the audit/assurance of thequality of the healthcare provided. They do not include research,teaching, financial audit and other management activities. Documented rules and procedures for the disclosure and use of patientinformation, which specifically relate to security, Confidentiality anddata destruction, between two or more organisations or agencies. Medical PurposesAs defined in the Data Protection Act 1998, medical purposes includebut are wider than healthcare purposes. They include preventativemedicine, medical research, financial audit and management ofhealthcare services. The Health and Social Care Act 2001 explicitlybroadened the definition to include social InterestExceptional circumstances that justify overruling the right of anindividual to Confidentiality in order to serve a broader societal about the public interest are complex and must take accountof both the potential harm that disclosure may cause and the interest ofsociety in the continued provision of confidential health CareSocial care is the support provided for vulnerable people, whetherchildren or adults, including those with disabilities and sensoryimpairments.

10 It excludes pure health care (hospitals) and communitycare ( district nurses), but may include items such as respite is therefore, no clear demarcation line between health and socialcare. Social care also covers services provided by others where these arecommissioned by CSSRs (Councils with Social ServiceResponsibilities).Information SharingProtocols6 Confidentiality : NHS code of Practice7 What is confidential patient information? duty of confidence arises when one person discloses information to another ( patient to clinician)in circumstances where it is reasonable to expect that the information will be held in confidence. It a legal obligation that is derived from case law; a requirement established within professional codes of conduct; andc. must be included within NHS employment contracts as a specific requirement linked todisciplinary Patients entrust us with, or allow us to gather, sensitive information relating to their health and othermatters as part of their seeking treatment.