Confidentiality is a fundamental part of health care and crucial to the trust between doctors and patients. Patients entrust their practice with sensitive information relating to their health and other matters in order to receive the treatment and services they require. They should be able to expect that this information will remain confidential unless there is a compelling reason why it should not. All staff in the NHS have legal, ethical and contractual obligations of confidentiality and must ensure they act appropriately to protect patient information against improper disclosure.
Some patients may lack the capacity to give or withhold their consent to disclosure of confidential information but this does not diminish the duty of confidence. The duty of confidentiality applies to all patients regardless of race, gender, social class, age, religion, sexual orientation, appearance, disability or medical condition.
Information that can identify individual patients must not be used or disclosed for purposes other than healthcare unless the patient (or appointed representative) has given explicit consent, except where the law requires disclosure or there is an overriding public interest to disclose. All patient identifiable health information must be treated as confidential information, regardless of the format in which it is held. Information which is effectively anonymised can be used with fewer constraints.
The confidentiality of other sensitive information held about the practice and staff must also be respected.
Obligations for all staff
All staff must:
• always endeavour to maintain patient confidentiality
• not discuss confidential information with colleagues without patient consent (unless it is part of the provision of care)
• not discuss confidential information in a location or manner that allows it to be overheard
• handle patient information received from another provider sensitively and confidentially
• not allow confidential information to be visible in public places
• store and dispose of confidential information in accordance with the Data Protection Act 1998 and the Department of Health’s Records Management Code of Practice (Part 2)
• not access confidential information about a patient unless it is necessary as part of their work
• not remove confidential information from the premises unless it is necessary to do so to provide treatment to a patient, the appropriate technical safeguards are in place and there is agreement from the information governance lead or Caldicott Guardian
• contact the information governance lead or Caldicott Guardian if there are barriers to maintaining confidentiality
• report any loss, inappropriate storage or incorrect disclosure of confidential information to the information governance lead or Caldicott Guardian
• if applicable, document, copy, store and transfer information in the ways agreed with other providers
• comply with the law and with the guidance and codes of conduct laid down by their respective regulatory and professional bodies
When a decision is taken to disclose information about a patient to a third party due to safeguarding concerns/public interest, the patient should always be told and asked for consent before the disclosure unless it would be unsafe or not practical to do so.
Where consent cannot be sought, there must be clear reasons and necessity for sharing the information.
Disclosures of confidential information about patients to a third party must be made to the appropriate person or organisation and in accordance with the principles of the Data Protection Act 1998 (Annex 1), the NHS Confidentiality Code of Practice (see below) and the GMC’s Good Medical Practice.
Obligations for employers
The employers at the practice must:
• ensure that confidential information can be stored securely on the premises and that there are processes in place to guarantee confidentiality
• make sure that all individuals to whom this protocol is relevant have read, understood and signed the staff confidentiality agreement
• review and update this protocol on a regular basis