All healthcare service providers have an ethical, legal, and contractual duty to protect patient confidentiality. Information sharing can help to improve the quality of care and treatment, but it must be governed by the legal and ethical framework that protects the interests of patients.
Patients entrust the healthcare providers with their personal information and expect us to respect their privacy and handle their information appropriately. Everyone should seek to ensure that protection of patient confidentiality on collecting and sharing information is built into all healthcare to provide safe and effective care.
This policy outlines the guiding principles for information sharing, based on legal and ethical requirements. It aims to provide a framework for the secure sharing of patient-identifiable information between partner organisations and also covers wider issues of disclosing information to third parties.
This policy sets out the standards and practice relating to confidentiality applicable to all staff who work for a healthcare service. This policy should be read in conjunction with all J2 Medical’s policies and procedures, but in particular the Information Governance Policy.
Staff, students, volunteers and contractors must be aware of and respect a patient’s right to confidentiality, and must comply with the best-practice measures set out in this policy to protect it.
All staff members that share information are obliged to adhere to this policy and guidelines. Managers at all levels are responsible for ensuring that the staff for whom they are responsible are aware of, and adhere to, this policy. The service is also responsible for ensuring staff are updated in regard to any changes in this policy.
Personal confidential data: information that relates to an identified or identifiable individual. This data should not be processed without a clear legal basis. Personal confidential data should only be disclosed with consent or under statute, and any disclosure must always be limited and accompanied by a contractual agreement that mitigates the risk of misuse and inappropriate disclosure. The contractual agreement needs to set out, as a minimum, the legal basis for the data flow, the purposes to which the data can be put, the safeguards that should be in place to protect data and how the public are informed about these.
Patient identifiable information: all personal health information is held under strict legal and ethical obligations of confidentiality. Information given in confidence should not be used or disclosed in a form that might identify a patient without his or her consent. Patients should be involved in decisions about the use of their personal health information in most circumstances. Patient identifiable information includes:
Non-person-identifiable information: can be classed as confidential, such as confidential business information (e.g., financial reports and commercially sensitive information, e.g., contracts, trade secrets and procurement information) which should also be treated with the same degree of care.
Special categories of personal information: previously known as ‘sensitive’ personal data and defined by the Data Protection Act 2018, this refers to personal information about:
It is J2 Medical’s responsibility to make sure that we follow the measures set out below to protect the confidential information we have gained privileged access to because of our role. Our responsibility starts when we receive the information, and it continues when we use it, store it, share it with others and destroy it. This applies to both spoken and written information:
For all types of records, staff working in offices where records may be seen must:
Manual records must be:
With electronic records, staff must:
Consent to share information must be sought from patients in a sensitive manner. At all times the rights, interests and dignity of the patient must be respected. Patients must have the opportunity to discuss any aspects of information sharing that are specific to their treatment and personal circumstances, for example:
The Caldicott Guardian for J2 Medical is Julie Savanth (the Nominated Individual). The Caldicott Guardian is the officer responsible for overseeing all aspects of confidentiality and security in relation to patient-identifiable information. The Caldicott Guardian must ensure that personal health information is kept confidential and that patients are informed and involved in decisions about the use of their information. The Caldicott Guardian’s contact details will be recorded on the Caldicott Guardian register, maintained by NHS Digital. The Guardian’s responsibilities include:
A Senior Information Risk Owner (SIRO) and a Data Protection Officer (DPO) will also be appointed, from whom advice can be sought on all aspects of data protection and confidentiality. Our data protection officer is email@example.com.
Monitoring of patient confidentiality must be carried out by the professional responsible for the patient’s assessment, care or treatment, or on the advice of a senior professional or clinical supervisor within the service, which may include the Caldicott Guardian. The principles to which you are expected to work in relation to patient confidentiality are:
Under common law, staff are permitted to disclose personal information in order to prevent and support detection, investigation and punishment of a serious crime and/or to prevent abuse or serious harm to others where they judge, on a case-by-case basis, that the public good that would be achieved by the disclosure outweighs both the obligation of confidentiality to the individual patient concerned and the broader public interest in the provision of a confidential service.
Confidentiality must not be confused with secrecy. Consent to share information should be sought, but if this is not possible and others are at risk, it may be necessary to override the requirement. It is inappropriate for staff/agencies to give assurances of absolute confidentiality in cases where there are concerns about abuse, particularly those situations where other people may be at risk.
There may be circumstances where it is not practicable to use de-identified information or to get consent and, in these cases, confidential information may be shared but only if there is a legal basis for the information sharing. Requirements for consent should be considered against each of the following criteria:
Both the Data Protection Act and professional standards specifically allow for information to be disclosed in this way.
The senior healthcare professional on duty must be prepared to balance the considerations for and against disclosure in the interests of the patient and any third party and also justify and record each decision to disclose or withhold. It will, therefore, be a matter for the healthcare professional’s best judgement, as well as legal and professional guidance. Decisions should be taken on a case-by-case basis in the light of best available information, which may include advice from the Data Protection Officer (DPO) or Caldicott Guardian. Wherever possible, the patient should be informed what information has been disclosed and to whom.
Sharing of information should, where possible, be with the consent of the patient. Patients should be informed of the purposes for which information about them may be recorded and shared. It is only with sufficient information that consent may be given. Patients should be given an opportunity to express their wishes as to how information should be used, and these wishes should be respected where possible.
Patients have a right to expect that information about them will be held in confidence and protected at all times against improper use and disclosure.
Under data protection law, you are responsible for patient data, for storing it securely and for protecting it from unauthorised or unlawful processing. You must make sure any personal information about patients that you hold or control is effectively protected at all times against improper access, disclosure or loss. You must also make sure that identifiable patient data is not improperly disclosed in any circumstances. An inadvertent breach of patient confidentiality could result in disciplinary action or an investigation.
If in doubt, seek the advice of the local SIRO or Data Protection Officer.
Confidential information needs to be shared between registered and regulated health and social care professionals who have a legitimate relationship with the individual for the purposes of the individual’s direct care. A registered and regulated health or social care professional has a legitimate relationship with the patient when any or all of the following criteria are met:
Some friends and/or family have a special relationship with the patient, in that they act as a carer. Confidential information should be shared with the carer, when the patient has given explicit, informed consent. In circumstances where the patient cannot give valid consent, confidential information should be shared with the carer subject to open dialogue with the patient, if possible. If it is not possible to engage in an open dialogue, information should be shared with the carer in the incapacitated person’s best interests, when ALL of the following criteria are met:
In some circumstances it may not be possible to obtain consent because, in the opinion of the person responsible for the patient’s care or well-being, the patient:
In such cases, J2 Medical recognise that it may be necessary to share information with other agencies so that appropriate care and treatment can be provided to the patient, or in exceptional circumstances where disclosure would be in the public interest, for instance where disclosure of the information is necessary to prevent harm coming to another individual.
Patients have the right to object to the information they provide in confidence being disclosed to a third party in a form that identifies them, even if the third party is someone who might provide essential healthcare. Where patients are competent to make such a choice and where the consequences of the choice have been fully explained, the decision should be respected. This is no different from a patient exercising his or her right to refuse treatment. A number of issues to be considered if a patient refuses to consent to information sharing are as follows:
The decision-making process and the choices made by the patient must be carefully documented in the patient’s records.
Patients (or their parents or legally appointed representative), subject to certain safeguards, have a right to access their own health records. You must comply with the requirements of the Data Protection Act 2018 in terms of requests to access personal identifiable information and should respect and help patients to exercise their legal rights to have access to, or copies of, their health records.
If an access request means disclosing information from or about a third party (someone other than the patient or staff involved in their care), the request may be refused unless third party information can be temporarily removed, the third-party consents to disclosure or ‘it is reasonable in all the circumstances’ to comply with the request without the consent of the individual.
Information must be provided within one month of a request, so staff must action requests promptly. The information should be provided free of charge. Further information relating to Subject Access Requests can be found in the Information Governance Policy and Procedure.
The duty of confidentiality continues after death, and as such a deceased patient’s records cannot be released to a third party without additional checks being made. Under the Access to Health Records Act 1990, the personal representative of the deceased and people who may have a claim arising from the patient’s death are permitted access to the records. This applies to information recorded after November 1991, and disclosure should be limited to that which is relevant to the claim in question.
The records should not be disclosed if it is thought that they may cause mental or physical harm to anyone, if they identify a third party or if the deceased gave the information on the understanding that it would remain private.
It is therefore essential that the requestor provides evidence that a grant of probate or letters of administration has been granted to them, or evidence that they may have a claim arising from the death, along with identification. Additionally, it is essential that a check of the health record is carried out and appropriately redacted before being released.
All staff are required to complete annual mandatory Information Governance Training. Training on confidentiality is provided regularly to staff via induction training, mandatory refresher training and specific training opportunities developed to meet particular needs identified from training needs assessments and response to incidents.
All staff must be aware of where to seek support, further information and training, and must be able to demonstrate that they are making every reasonable effort to comply with the relevant standards. Failure to comply will result in disciplinary action.
Personal information about patients should not be disclosed unless it is necessary.
The effectiveness of this policy will be monitored through routine audit and through investigation of any data breaches or breaches of this policy’s procedures.
Consent to Treatment – Adults Policy and Procedure
Consent to Treatment – Children Policy and Procedure
Disciplinary Policy and Procedures
Incident Management Policy and Procedures
Information Governance Policy and Procedures
Safeguarding Policy and Procedures
Access to Health Records Act 1990