Confidentiality and Sharing Information
Confidential patient information is defined as identifiable information which is given in circumstances where the individual is owed an obligation of confidence and conveys some information about their health. The focus of confidentiality is consent. Under the common law duty of confidentiality, confidential information should not be used or shared further without the consent of the individual.
Exceptions to the requirement for consent are rare and limited to:
A legal reason to disclose information, for example, by Acts of Parliament or court orders
A public interest justification for breaching confidentiality, such as a serious crime
Decisions on whether or not to breach confidentiality should be made by senior staff, for example, your Information Governance (IG) lead, Caldicott Guardian, your manager or someone in your organisation who has responsibility for
The Caldicott Principles
Before using confidential information, you should consider the Caldicott Principles. The Caldicott Principles are intended to guide organisations on the use of confidential information within health and social care organisations and when such information is shared with other organisations or individuals. They apply to all data collected for the provision of health and social care services, where patients/service users can be identified and would expect that the data be kept private.
1. Every proposed use or transfer of confidential information should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by an appropriate guardian.
2. Confidential information should not be included unless it is necessary for the specified purpose(s) for which the information is used or accessed. The need to identify individuals should be considered at each stage of satisfying the purpose(s) and alternatives used where possible.
3. Where use of confidential information is considered to be necessary, each item of information must be justified so that only the minimum amount of confidential information is included as necessary for a given function.
4. Only those who need access to confidential information should have access to it, and then only to the items that they need to see. This may mean introducing access controls or splitting information flows where one flow is used for several purposes.
5. Action should be taken to ensure that all those handling confidential information understand their responsibilities and obligations to respect the confidentiality of patients and service users.
6. Every use of confidential information must be lawful. All those handling confidential information are responsible for ensuring that their use of and access to that information complies with legal requirements set out in statute and under the common law.
7. Health and social care professionals should have the confidence to share confidential information in the best interests of patients and service users within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.
8. A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information - in some cases, greater engagement will be required.
Informing People
Patients and service users will not expect health and care professionals to look at their health records unless those professionals are involved in their care.
Wherever possible, you should inform patients and service users that you are accessing and using their information and the reason for doing so. There are specific techniques that you should use.
Sharing Information
In line with the seventh Caldicott principle, sharing information with the right people can be just as important as not disclosing to the wrong person.
You have a legal duty to share the information:
If it will assist in the care or treatment of an individual concerned and
It is reasonable to believe that the individual concerned understands the reason for sharing
Check
Check that the individual understands what information will be shared and has no concerns.
Data Protection
Ensure that data protection, record keeping and security best practice (covered elsewhere in this session) is followed.
Respect objections
Normally, if the individual objects to any proposed information sharing, you must respect their objection even if it undermines or prevents care provision.
Your Caldicott Guardian, IG lead, your manager or someone in your organisation who has responsibility for data protection will be able to advise on what to do in these circumstances.
In many cases, consent should be obtained if you want to use someone’s personal information for non-care purposes, such as commissioning and research.
However, if there is a risk of immediate harm to the patient, or service user, or to someone else and you cannot find an appropriate person with whom to discuss the information request, you should share the information.
At the first opportunity afterward, you should inform the person responsible for IG in your organisation so they can follow up the legal basis for sharing.
National Data Guardian Standards
The National Data Guardian (NDG) advises and challenges the health and care system to help ensure that citizens' confidential information is safeguarded securely and used properly.
The Health and Social Care (National Data Guardian) Act 2018 placed the NDG role on a statutory footing and granted it the power to issue official guidance about the processing of health and adult social care data in England. Public bodies such as hospitals, GPs, care homes, planners and commissioners of services will have to take note of guidance that is relevant to them, as will organisations such as private companies or charities which are delivering services for the NHS or publicly funded adult social care. The NDG may also provide more informal advice about the processing of health and adult social care data in England.
Dame Fiona Caldicott, who had held the non-statutory NDG role since 2014, became the first statutory post holder in April 2019.
In 2016, Dame Fiona Caldicott published her report 'Review of Data Security, Consent and Opt-outs', in which she proposed ten standards for health and social care.
These standards are now a legal requirement and are addressed in the Data Security and Protection (DSP) Toolkit. You and your organisation must comply with these standards.
Standard 1: Personal confidential data
All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes.
Standard 2: Staff responsibilities
All staff understand their responsibilities under the NDG standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
Standard 3: Training
All staff complete appropriate annual data security training and must pass a mandatory test. This is why you are asked to complete this e-learning session annually.
Standard 4: Managing data access
Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.
Standard 5: Process reviews
Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.
Standard 6: Responding to incidents
Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection.
Standard 7: Continuity planning
A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.
Standard 8: Unsupported systems
No unsupported operating systems, software or internet browsers are used within the IT estate.
Standard 9: IT protection
A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.
Standard 10: Accountable suppliers
Suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian's data security standards.
The National Data Opt-Out
In Dame Fiona Caldicott's 2016 review, she also recommended the introduction of a national data opt-out which allows the public to opt-out of their confidential information being used for purposes other than their individual care and treatment; for example, for research and planning purposes.
In practical terms, this means that patients can register their national data opt-out online, through a national telephone service and through the NHS App. Patients can also change their national data opt-out choice at any time.
Complying with the national data opt-out policy
The Department of Health and Social Care has set out that all health and care organisations must comply with the national data opt-out policy. This means applying national data opt-outs when sharing confidential patient information for purposes other than individual care and treatment.
Health and adult social care organisations will need to state compliance with the National Data Opt-out Operational Policy, as part of their Data Security and Protection Toolkit submission.