Privacy Policy

Privacy & Confidentiality Code of Practice Policy.

Document Control

A. Confidentiality Notice

This document and the information contained therein is the property of Keystone Services.

This document contains information that is privileged, confidential or otherwise protected from disclosure. It must not be used by, or its contents reproduced or otherwise copied or disclosed without the prior consent in writing from Keystone Services.

Introduction 

Keystone Service hold information about patients which must be kept private and confidential. 

In some instances patient records can be very sensitive and may contain information concerning third parties. Patient information must not be given to others unless the patient consents or the disclosure can be justified 

Scott Evans (Company Secretary) is the data controller for the company.

When the board is satisfied that information should be released, the Organisation should act promptly to disclose all relevant information. This is often essential to the best interests of the patient, or to safeguard the well-being of others 

This Code of Practice outlines how the Data Controller and all Organisations staff will deal with information about its Patients.

Patients’ right to confidentiality 

Principles 

Patients have a right to expect that information about them will be held in confidence by their clinicians. Confidentiality is central to trust between clinicians and patients. Without assurances about confidentiality, patients may be reluctant to give clinicians the information they need in order to provide good care. 

If you are asked to provide information about patients you must: 

Inform patients about the disclosure, or check that they have already received information about it; 

·  Anonymise data, where unidentifiable data will serve the purpose; 

·  Be satisfied that patients know about disclosures necessary to provide their care, or for local clinical audit of that care, that they can object to these disclosures but have not done so; 

·  Seek patients’ express consent to disclosure of information, where identifiable data is needed for any purpose other than the provision of care or for clinical audit – save in the exceptional circumstances described in this document; 

·  Keep disclosures to the minimum necessary; and 

·  Keep up to date with and observe the requirements of statute and common law, including data protection legislation. 

You must always be prepared to justify your decisions in accordance with this guidance 

This document sets out the standards outlined in the Good Medical Practice (November 2006) publication that are expected of doctors when they hold or share information about patients. 

Additional advice on how the guidance in this booklet should be put into Practice, and on the law relating to the use and disclosure of information about patients, is available through open-source media.

Protecting information 

When you are responsible for personal information about patients you must make sure that it is effectively protected against improper disclosure at all times.

Many improper disclosures are unintentional. You should not discuss patients where you can be overheard or leave patients’ records, either on paper or on screen, where they can be seen by other patients, unauthorised health care staff or the public. You should take all reasonable steps to ensure that your consultations with patients are private. 

Sharing information with patients 

Patients have a right to information about the health care services available to them, presented in a way that is easy to follow, understand and use 

Patients also have a right to information about any condition or disease from which they are suffering. This should be presented in a manner easy to follow, understand and use, and include information about: 

·  Diagnosis; 

·  Prognosis; 

·  Treatment options; 

·  Outcomes of treatment; 

·  Common and / or serious side-effects of treatment; 

·  Likely time-scale of treatments; and 

·  Costs where relevant. 

You must always give patients basic information about treatment you propose to provide, but you should respect the wishes of any patient who asks you not to give them detailed information. This places a considerable onus upon health professionals, yet, without such information, patients cannot make proper choices as partners in the health care process 

You should tell patients how information about them may be used to protect public health, to undertake research and audit, to teach or train clinical staff and students and to plan and organise health care services. See Section “Disclosing Information for Clinical Audit” for further information. 

Disclosing information about patients 

You must respect patients’ confidentiality. 

Seeking patients’ consent to disclosure of information is part of good communication between doctors, Organisations staff and patients. When asked to provide information you must follow the guidance in this document.

Sharing information within the health care team or with others providing care.

Circumstances where patients may give implied consent to disclosure.

Most people understand and accept that information must be shared within health care teams in order to provide their care. 

You should make sure that patients are aware that personal information about them will be shared within the health care team, unless they object, and of the reasons for this. 

It is particularly important to check that patients understand what will be disclosed if you need to share identifiable information with anyone employed by another organisation or agency who is contributing to their care. 

You must respect the wishes of any patient who objects to particular information being shared with others providing care, except where this would put others at risk of death or serious harm.

You must make sure that anyone to whom you disclose personal information understands that it is given to them in confidence, which they must respect. All staff members receiving personal information in order to provide or support care are bound by a legal duty of confidence, whether or not they have contractual or professional obligations to protect confidentiality.

Circumstances may arise where a patient cannot be informed about the sharing of information, for example because of a medical emergency. In these cases, you must pass relevant information promptly to those providing the patient’s care.

Disclosing information for clinical audit 

Clinical audit is essential to the provision of good care. All doctors in clinical Practice have a duty to participate in clinical audit. 

Where an audit is to be undertaken by the team which provided care, or those working to support them, such as clinical audit staff, you may disclose identifiable information, provided you are satisfied that patient: 

·  Have been informed that their data may be disclosed for clinical audit, and their right to object to the disclosure; and 

·  Have not objected. 

If a patient does object, you should explain why information is needed and how this may benefit their care. If it is not possible to provide safe care without disclosing information for audit, you should explain this to the patient and the options open to them. 

Where clinical audit is to be undertaken by another organisation, information should be anonymised wherever that is practicable. In any case, where it is not practicable to anonymise data, or anonymised data will not fulfil the requirements of the audit, express consent must be obtained before identifiable data is disclosed.

Disclosures where express consent must be sought 

Express consent is usually needed before the disclosure of identifiable information for purposes such as research, epidemiology, financial audit or administration. 

When seeking express consent to disclosure you must make sure that patients are given enough information on which to base their decision, the reasons for the disclosure and the likely consequences of the disclosure. You should also explain how much information will be disclosed and to whom it will be given. 

If the patient withholds consent, or consent cannot be obtained, disclosures may be made only where they are required by law or can be justified in the public interest. 

Where the purpose is covered by a regulation made under section 60 of the Health and Social Care Act 2001, disclosures may also be made without patients’ consent. 

You should make a record of the patient’s decision, and whether and why you have disclosed information 

Where doctors have contractual obligations to third parties, such as companies or organisations, they must obtain patients’ consent before undertaking any examination or writing a report for that organisation. Doctors should offer to show patients the report, or give them copies, whether or not this is required by law. 

Disclosure in connection with judicial or other statutory proceedings 

Disclosures required by law 

You must disclose information to satisfy a specific statutory requirement, such as notification of a known or suspected communicable disease. You should inform patients about such disclosures, wherever that is practicable, but their consent is not required 

Disclosures to courts or in connection with litigation 

You must also disclose information if ordered to do so by a judge or presiding officer of a court. You should object to the judge or the presiding officer if attempts are made to compel you to disclose what appear to you to be irrelevant matters, for example matters relating to relatives or partners of the patient, who are not parties to the proceedings 

You must not disclose personal information to a third party such as a solicitor, police officer or officer of a court without the patient’s express consent, except in the circumstances described below. 

Disclosures to statutory regulatory bodies 

Patient records or other patient information may be needed by a statutory regulatory body for investigation into a health professional’s fitness to practice. 

If you are referring concerns about a health professional to a regulatory body, you must seek the patient’s consent before disclosing identifiable information, wherever that is practicable.

Where patients withhold consent or it is not practicable to seek their consent, you should contact the GMC, or other appropriate regulatory body, which will advise you on whether the disclosure of identifiable information would be justified in the public interest or for the protection of other patients. 

Wherever practicable you should discuss this with the patient. There may be exceptional cases where, even though the patient objects, disclosure is justified. 

The Public Interest 

Disclosures in the public interest 

Personal information may be disclosed in the public interest, without the patient’s consent, and in exceptional cases where patients have withheld consent, where the benefits to an individual or to society of the disclosure outweigh the public and the patient’s interest in keeping the information confidential. 

In all cases where you consider disclosing information without consent from the patient, you must weigh the possible harm (both to the patient, and the overall trust between doctors and patients) against the benefits which are likely to arise from the release of information 

Before considering whether a disclosure of personal information ‘in the public interest’ would be justified, you must be satisfied that identifiable data are necessary for the purpose, or that it is not practicable to anonymise the data. 

In such cases you should still try to seek patients’ consent, unless it is not practicable to do so, for example because: 

·  The patients are not competent to give consent; or 

·  The records are of such age and / or number that reasonable efforts to trace patients are unlikely to be successful; or 

·  The patient has been, or may be violent; or obtaining consent would undermine the purpose of the disclosure (e.g. Disclosures in relation to crime); or 

·  Action must be taken quickly (for example in the detection or control of outbreaks of some communicable diseases) and there is insufficient time to contact patients 

In cases where there is a serious risk to the patient or others, disclosures may be justified even where patients have been asked to agree to a disclosure, but have withheld consent. 

You should inform patients that a disclosure will be made, wherever it is practicable to do so. You must document in the patient’s record any steps you have taken to seek or obtain consent and your reasons for disclosing information without consent 

Ultimately, the ‘public interest’ can be determined only by the courts; but the GMC may also require you to justify your actions if a complaint is made about the disclosure of identifiable information without a patient’s consent. 

The potential benefits and harms of disclosures made without consent are also considered by the Patient Information Advisory Group in considering applications for Regulations under the Health and Social Care Act 2001. 

Disclosures of data covered by a Regulation 4 are not in breach of the common law duty of confidentiality.

Disclosures to protect the patient or others.

Disclosure of personal information without consent may be justified in the public interest where failure to do so may expose the patient or others to risk of death or serious harm. 

Where the patient or others are exposed to a risk so serious that it outweighs the patient’s privacy interest, you should seek consent to disclosure where practicable. If it is not practicable to seek consent, you should disclose information promptly to an appropriate person or authority. 

You should generally inform the patient before disclosing the information. If you seek consent and the patient withholds it you should consider the reasons for this, if any are provided by the patient. 

If you remain of the view that disclosure is necessary to protect a third party from death or serious harm, you should disclose information promptly to an appropriate person or authority. Such situations arise, for example, where a disclosure may assist in the prevention, detection or prosecution of a serious crime, especially crimes against the person, such as abuse of children.

Problems may arise if you consider that a patient lacks capacity to give consent to treatment or disclosure. 

If such patients ask you not to disclose information about their condition or treatment to a third party, you should try to persuade them to allow an appropriate person to be involved in the consultation. 

If they refuse and you are convinced that it is essential, in their medical interests, you may disclose relevant information to an appropriate person or authority. In such cases you should tell the patient before disclosing any information, and where appropriate, seek and carefully consider the views of an advocate or carer. You should document in the patient’s record your discussions with the patient and the reasons for deciding to disclose information.

Disclosures where a patient may be a victim of neglect or abuse 

If you believe a patient to be a victim of neglect or physical, sexual or emotional abuse and that the patient cannot give or withhold consent to disclosure, you must give information promptly to an appropriate responsible person or statutory agency, where you believe that the disclosure is in the patient’s best interests. 

If, for any reason, you believe that disclosure of information is not in the best interests of an abused or neglected patient, you should discuss the issues with an experienced colleague. If you decide not to disclose information, you must be prepared to justify your decision.

Disclosure after a patient’s death 

You still have an obligation to keep personal information confidential after a patient dies. 

The extent to which confidential information may be disclosed after a patient’s death will depend on the circumstances. If the patient had asked for information to remain confidential, his or her views should be respected. 

Where you are unaware of any directions from the patient, you should consider requests for information taking into account: 

·  Whether the disclosure of information may cause distress to, or be of benefit to, the patient’s partner or family; 

·  Whether disclosure of information about the patient will in effect disclose information about the patient’s family or other people; 

·  Whether the information is already public knowledge or can be anonymised; 

·  The purpose of the disclosure 

If you decide to disclose confidential information you must be prepared to explain and justify your decision

Glossary 

This defines the terms used within this document. These definitions have no wider or legal significance.

Anonymised data 

Data from which the patient cannot be identified by the recipient of the information. The name, address, and full post code must be removed together with any other information which, in conjunction with other data held by or disclosed to the recipient, could identify the patient. Unique numbers may be included only if recipients of the data do not have access to the ‘key’ to trace the identity of the patient 

Clinical Audit 

Evaluation of clinical performance against standards or through comparative analysis, to inform the management of services. Studies that aim to derive, scientifically confirm and publish generalizable knowledge constitute research and are not encompassed within the definition of clinical audit in this document 

Consent 

Agreement to an action based on knowledge of what the action involves and its likely consequences 

Express consent 

Consent which is expressed orally or in writing (except where patients cannot write or speak, when other forms of communication may be sufficient) 

Identifiable data 

Data from which a patient can be identified. Name, address and full postcode will identify patients; combinations of data may also do so, even where name and address are not included 

Implied consent 

Agreement to disclosure where patients have been informed about the information to be disclosed, the purpose of the disclosure, and that they have a right to object to the disclosure, but have not done so 

Health care team 

The health care team comprises the people providing clinical services for each patient and the administrative staff who directly support those services 

Patients 

Used throughout the guidance to mean competent patients. Parents of, or those with parental responsibility for, children who lack maturity to make decisions for themselves, are generally entitled to make decisions about disclosures on behalf of their children 

Personal information 

Information about people which doctors learn in a professional capacity and from which individuals can be identified 

Public interest 

The interests of the community as a whole, or a group within the community or individuals 

Some of the key judgements in recent cases are: 

Common law 

A-G v Guardian Newspapers [1988] 3 All ER 545 

A general summary of the law on confidence 

W v Egdell [1990] 1 All ER 835 and X v Y [1998] 2 All ER 648 

The application of the law of confidence to doctors 

R v Department of Health exparte Source Informatics Ltd [2000] 1 All ER 786 

The effect of anonymisation on confidentiality 

Legislation 

Access by patients 

Two pieces of legislation give patients, or their authorised representatives, access to information about themselves: 

Data Protection Act 1998 

Rights of access for patients to their medical records 

Right to know about what data is used for 

Advice on how the guidance applies in clinical care and in research, epidemiology etc. is available from the Office of the Information Commissioner (http://www.dataprotection.gov.uk/). The Data Protection Act 1998 also places a duty on those who process data to do so lawfully (in accordance with relevant legislation or case law) and fairly (keeping people informed about how their personal information is being used) 

Access to Medical Reports Act 1988 

Provides for patients to see reports written about them for insurance or education purposes by a doctor who has provided their clinical care

Access by others 

Disclosure in relation to a court order 

The courts, both civil and criminal, have power by virtue of the various pieces of legislation that govern their operation, to order disclosure of information. A court order will generally explain the basis on which disclosure is being ordered, so we have not listed the legislation here 

Access to Health Records Act 1990 

Access to records of deceased persons 

Abortion Act 1967 and Abortion Regulations 1991 (SI 1991 No 499) 

Disclosure of information on abortion for purposes specified in the Regulations 

Audit Commission Act 1998 

Information required to allow the Audit Commission to carry out its functions under the Act 

Criminal Appeal Act 1995 

Information required by the Criminal Cases Review Commission to assist in the exercise of their functions 

Health and Social Care Act 2001 

Gives the Secretary of State for Health the power to make Regulations specifying information to be disclosed in the public interest, or in the interest of improving patient care, for England and Wales only 

Health (Community Health and Standards) Act 2003 

Gives Commission for Healthcare Audit and Inspection right of access to fulfil its statutory functions 

Human Fertilisation and Embryology Act 1990 (as amended by the Human Fertilisation (Disclosure of Information) Act 1992) 

Disclosure of information to the HFEA 

Medical Act 1983 

Disclosure of information to the GMC in respect of its powers to investigate complaints 

NHS (Venereal Diseases) Regulations 1974 (SI 1974 No 29) 

Emphasises the importance of confidentiality but provides for limited sharing of information between doctors 

Police and Criminal Evidence Act 1984 

Gives power to the police to apply to a court for access to records to assist in an investigation 

Prevention of Terrorism (Temporary Provisions) Act 1989 

Requires anyone to inform the police of information about terrorist activity 

Public Health (Control of Disease) Act 1984 and SI 1988 No 1546 

Notification of specified diseases and food poisoning incidents 

Road Traffic Act 1988 

Gives powers to police to require doctors to provide information which might identify a driver alleged to have committed a traffic offence.