Confidentiality
Confidentiality is central to the trust patients place in their doctors. It is an important legal and ethical principle: doctors must abide by the principles of the Data Protection Act 1998 (see Box 7) and by the GMC's guidance on confidentiality.
Since 6 April 2010 the Information Commissioner has been able to impose a civil monetary penalty of up to £500,000 for a serious breach of the Data Protection Act where the data controller acted deliberately, or knew (or ought to have known) of the risk and failed to take reasonable steps to prevent it, and the breach was of a kind likely to cause substantial damage or substantial distress to an individual.
Box 7: Data Protection Act principles
Broadly, the Data Protection Act 1998 principles state that personal data must:
- Be processed fairly and lawfully.
- Be obtained only for one or more specified and lawful purposes (those notified to the Information Commissioner) and not be further processed in any manner incompatible with those purposes.
- Be adequate, relevant and not excessive in relation to the purposes for which they are processed.
- Be accurate and, where necessary, kept up to date.
- Not be kept for longer than is necessary for those purposes.
- Be processed in accordance with the rights of the individual concerned, including the right to have inaccurate information about themselves corrected or erased.
- Be protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Not be transferred to countries outside the European Economic Area unless that country ensures an adequate level of protection for the rights and freedoms of the data subject.
General advice
Avoid problems by:
- Ensuring that your practice has notified the Information Commissioner's Office that it is a data controller (see Appendix 2 for contact details).
- Obtaining the patient’s consent (and recording it) before disclosing information to a third party. Make sure that the recipient of the information understands that it is given in confidence.
- Being able to justify any disclosure made without the patient's consent as being in the public interest, and recording that justification at the time.
- Letting patients know (directly or through leaflets and posters) that information about them may be shared with other healthcare professionals. Make it clear that they have the right to withhold consent if they wish.
- Making sure that staff who are not bound by a professional duty of confidentiality are bound by an equivalent term in their contract of employment, and that they understand they also have a legal obligation, over and above the contract, to keep patient information confidential.
- Training staff on information security and patient confidentiality. Most breaches of confidentiality are inadvertent and stem from staff not knowing what constitutes a breach of confidence.
- Taking care (and making sure that your staff take care) not to discuss patients where others can overhear – reception areas are an obvious place where confidentiality can be breached unwittingly.
- Placing fax machines in secure areas and checking that anything you send by fax will arrive in a secure place: telephone the recipient first to warn them it is coming, confirm the number, and ask them to let you know if it does not arrive.
- Using encryption software when sending emails containing patient information, and warning the patient that you are transmitting information about them by this means.
Confidentiality and medical records
- Keep medical records in a secure place – do not leave them lying around in publicly accessible areas.
- Restrict access to patient records on a “need to know” basis – not all staff need access to the whole record.
- Dispose of records securely by shredding or incinerating them.
- Do not use information contained in the medical records for purposes other than patient care, unless consent has been obtained or the data anonymised.
- For research or audit, anonymise information about patients in such a way that they cannot be identified. If this isn’t possible, obtain the patient’s consent.