GMC Guidance:
confidentiality

Overview

Ethical and
legal duties

Main
principles

Important legal
and ethical duty

NOT absolute

Ethics

Law

Confidentiality essential to Dr-Pt relationship;
without it pts may avoid seeking help or under-report symptoms

Duty to protect pt personal information, but appropriate
sharing is needed for safe and effective care

Sharing may also be needed for audit, research, service planning, public protection

Data protection law
General Data Protection Regulations
Data Protection Act 2018
Freedom of Information Act 2000
Computer Misuse Act 1990
Health and Social Care Act 2012

Human rights law
Human Rights Act 1998

Advice from data guardian, Caldicott guardian,
data protection officer, defence body, professional association

Use minimum necessary info
Anonymise if possible

Protect info
Protect against improper access, disclosure, loss

Know responsibilities
Information governance

Comply with law

Share relevant info for direct care

Disclosing
personal info

Situations

Patient consents

Overall benefit to patient
who lacks capacity to consent

Disclosure by law
(statute, judge/court order, regulations)

Justified in public interest
(serious harm, communicable disease)

Appropriate
disclosure

Anonymise if possible

Patient has consented and knows
how their data will be used, unless not
practicable (e.g. prejudices crime)

Consent if info needed for purpose other than
own care, audit, law or public interest

Minimum info needed

Follow legalities (common law, data protection)

Record all decisions and actions

Patient with
capacity

Gaining
consent

Consent not
required

Consent may be explicit or implied

Implied consent OK for direct care
and clinical audit

Explicit consent may be needed for others

Consent already obtained

Consent would put self or
others at risk of harm

Info required by law

Not feasible due to number/age
of records or inability to trace pt

Needed in public interest

Patient without
capacity

Justified as overall
benefit to patient

Still inform patient if possible

Using pt info
for direct care

Direct care

Next of kin

Implied consent
Most pts understand that info shared with direct team
Share with those directly supporting pt care, unless pt objects

Patient objection
Don't disclose unless justified in public interest, law, overall benefit in a patient w/o capacity

Principles
Need for safe and effective care
All carers need to know relevant info

Criteria for implied consent
Info accessed to support direct care
Patients know how their info is used
Patient has not objected
Satisfied that all team members are aware

Pt cannot be informed
Medical emergency
(inform asap once capacity regained)

Patient's views
Have early discussions about who should be involved
and what information can be shared (document these)
Abide by these if patient has capacity, unless disclosure justified
If no capacity, assume OK to inform relatives unless previously
indicated otherwise when they had capacity

Next of kin views
May want to discuss the patient w/o patient knowing - listen
May need to inform patient of information received if it affects tx

Patient w/o
capacity

Presume has capacity
unless demonstrated otherwise

Assess capacity at time needed
and specific to the particular decision

Considerations
for disclosure

Overall benefit
(care is first concern, respect dignity and privacy,
encourage patient to be involved)

Capacity permanent or temporary

Views of next of kin
(may share info if overall benefit)

Patient's known wishes, beliefs, values

Patient refusal

Encourage them to involve an appropriate
next of kin to support their views

Consider overall benefit to patient
of disclosure

Protection of
pt and others

Secondary
purposes

Patient

Others

Vulnerable children
Guidance on protection of young people

Vulnerable adults
Discuss with patient, encouraging
involvement in decisions

Legal requirement
If needed, inform patient
Only disclose relevant info

Adults w/o capacity
If required by law or at serious risk
Discuss with senior colleague

Adults with capacity
Adults with capacity entitled to make own decisions
If refuse but needed for their protection, discuss
Abide by decision even if it leaves them at risk of harm
(but not others - can disclose in this case)

Public interest

Adults with capacity
Ask for consent unless needed by law or not safe
If refuse but others at risk, may be OK to disclose
(e.g. violence, unfit to drive, unfit for work, comm disease)

Document reasoning and actions

Legal requirement
Notification of communicable disease, terrorism

Harm to the patient

Public distrust

Harm to others

Benefit to society/individual

Nature of the info

Can harms be avoided/minimised
or benefits gained w/o disclosing

Seek advice (Caldicott guardian etc.)

Info requests

Multi-agency public protection
arrangements (MAPPA) e.g. offenders

Inquests/enquiries

Case reviews

Genetic info

Benefits

Treatment

Increased surveillance

Prepare for problems

Pt refusal

Justified if puts relative
at serious risk of harm/death

If possible don't confirm pt identity

Uses

Research

Epidemiology

Audit

Public health surveillance

Education

Statutes
or courts

Anonymised
information

Courts

Statute

Anonymise where possible

Does not identify patient

Information Commissioner's Office (ICO)
anonymisation code of practice

Anonymisation by appropriate member of staff
or data processor under contract

Laws regarding infectious diseases,
provision of healthcare services, prevention of terrorism, RTAs

Requirements
Inform patient if practicable
Required by law
Only relevant info

Understand rationale for info

Disclose relevant info only

Civil and criminal courts

Do NOT disclose to third parties
e.g. solicitors, police, officer of court unless ordered

Health and
social care

Finance and
administration

Candour and
confidentiality

Adverse incidents
and near misses

Clinical audit

Duty to participate to
improve services

Often implied consent,
patient aware and not objected

If patient objects, explain and discuss;
if still object, remove from audit if possible, but if not
explain to patient why and give options

Data should be anonymised if audit carried
out outside of clinical team caring for the patient

Anonymise if possible

Honesty when things go wrong

If died, coma or no capacity, may
need to speak to next of kin
(still respect confidentiality)

Policies for reporting incidents

May be required by law

Public interest

Benefit to society > individual

Advice of Caldicott or data guardian

Is it possible to anonymise

Patient should ideally be informed
unless risk of harm

Document all consultations
and decisions made

Research

Legal basis for disclosure

Research approved by ethics committee

Third party requests

E.g. employers, insurers, government

Provide patient with info
on what will be disclosed

Obtain consent from the patient (written)

Disclose factual information relevant to request

Offer patient a copy of info you provided,
unless it may lead to harm

If patient does not consent, may still
provide if it is in the public interest

Managing and protecting
personal information

Information
processing

Information
governance

Improper access/
disclosure

Protect at all times against improper access, disclosure or loss;
don't leave information unattended (paper or screen)

Only access patient info if you have a legitimate
reason to view it

Healthcare records
Handwritten notes
Electronic records
HCP correspondence
Visual/auditory recordings
Lab results
Patient comms (text, email, letters)

Do not share info where you can be overheard
e.g. public place

Appropriate training

Raise any concerns

Data Protection Act 2018

Who has access and why

Record management
and retention

Made, transferred, stored,
protected and disposed lawfully

Records kept securely, accurate
and up to date

Laws on how long data should
be kept and how to dispose of it

Patient access rights

Right to access, but some
safeguards may be needed

Communicating
with patients

Emails, texts, letters

Take steps to use
secure methods

Info after a
patient has died

Duty of confidentiality continues

Circumstances
to disclose

Required by law
or statute

Coroner or inquest

Death certification

Right of access

If patient expressed info to
stay confidential, abide by this

If patient stance was unknown,
take into account potential distress to family, whether
other people's info will be disclosed, can it be anonymised

Public interest

Public health surveillance

Parent about child

Next of kin asks about circumstances of death
and unlikely that patient would have objected

Needed to support audit or investigations