Ireland
Membership information 1800 932 916
Medicolegal advice 1800 936 077
Search
Membership information 1800 932 916
Medicolegal advice 1800 936 077

Confidentiality

Confidentiality is central to the trust patients place in their doctors. It is an important legal and ethical principle – doctors must abide by the principles of the 1988 and 2003 Data Protection Acts (see Box 6) and by the Medical Council’s guidance.

Box 6: The eight rules of Data Protection

  1. Obtain and process information fairly.
  2. Keep it only for one or more specified, explicit and lawful purposes.
  3. Use and disclose it only in ways compatible with these purposes.
  4. Keep it safe and secure.
  5. Keep it accurate, complete and up to date.
  6. Ensure that it is adequate, relevant and not excessive.
  7. Retain it for no longer than is necessary for the specified purpose or
    purposes.
  8. Give a copy of his/her personal data to an individual, on request.

General advice

Most breaches of confidentiality are inadvertent and stem from staff not knowing what constitutes a breach of confidence

Avoid problems by:

  • Ensuring that your registration as a data controller is renewed annually (see Appendix 2 for contact details).
  • Obtaining the patient’s consent (and recording it) before disclosing information to a third party. Make sure that the recipient of the information understands that it is given in confidence.
  • Being able to justify disclosure without the patient’s consent as being in the public’s interests.
  • Letting patients know (directly or through leaflets and posters) that information about them may be shared with other healthcare professionals. Make it clear that they have the right to withhold consent if they wish.
  • Making sure that staff who are not bound by a professional obligation to
    preserve confidentiality are similarly bound by contract, and that they are
    fully aware that they have a legal obligation over and above their contractual commitments to maintain confidentiality.
  • Training staff on information security and patient confidentiality. Most breaches of confidentiality are inadvertent and stem from staff not knowing what constitutes a breach of confidence.
  • Introducing a protocol for checking patients’ identities when telephoning them with test results, etc, and a standard message for leaving on an answering machine that won’t compromise a patient’s confidentiality.
  • Taking care (and making sure that your staff take care) not to discuss patients where others can overhear – reception areas are an obvious place where confidentiality can be breached unwittingly.
  • Placing fax machines in secure areas and checking that information you send by fax will be received in a secure place – telephone first to warn of its impending arrival and ask the recipient to let you know if they don’t receive it.
  • Using encryption software when sending emails containing patient information, and warning the patient that you are transmitting information about them by this means.

Box 7: Are you a data controller?

“A data controller can be either an individual doctor or the practice, depending on how the practice operates. If access to a patient’s record is granted to all GPs in a practice because the patient understands that when they attend they could be referred to any of the GPs, then it is likely from a registration perspective that the registration would be made in the name of the practice, assuming that the practice is a distinct legal entity.

“If, in a practice scenario, the GPs were sharing admin services and accommodation facilities only (but from a treatment perspective one GP could not access the files of other GPs) then each GP would likely be a separate data controller in respect of the information within their control and each would have to register separately with this Office.”

Advice received from the Data Commissioner’s Office (18 January 2011)

« Advance directives
Confidentiality and medical records »