Patient Confidentiality
Lennard Funk
It is essential for clinicians to evaluate their results and practice on a regular basis in order to improve the level of care they offer. This means collecting, collating and analysing patient data. This data must be respected and treated with utmost care. Below are some excerpts from 'Confidentiality - NHS Code of Practice', DOH, Nov. 2003:
Information that can identify individual patients must not be used or disclosed for purposes other than healthcare without the individual’s explicit consent, some other legal basis, or where there is a robust public interest or legal justification to do so. In contrast, anonymised information is not confidential and may be used with relatively few constraints.
1.2 It is extremely important that patients are made aware of information disclosures that must take place in order to provide them with high quality care. In particular, clinical governance and clinical audits, which are wholly proper components of healthcare provision, might not be obvious to patients and should be drawn to their attention.
1.4 Patients generally have the right to object to the use and disclosure of confidential information "that identifies them", and need to be made aware of this right.
1.6 Where the purpose is not directly concerned with the healthcare of a patient, however, it would be wrong to assume consent. Additional efforts to gain consent are required or alternative approaches that do not rely on identifiable information will need to be developed.
22. Patients’ health information and their interests must be protected through a number of measures:
a. Procedures to ensure that all staff, contractors and volunteers are at all times fully aware of their responsibilities regarding confidentiality;
b. Recording patient information accurately and consistently;
c. Keeping patient information private;
d. Keeping patient information physically secure;
e. Disclosing and using information with appropriate care.
23. Consider whether patients would be surprised to learn that their information was being used in a particular way – if so, then they are not being effectively informed.
Legal Considerations:
Common Law of Confidentiality:
30. This is not codified in an Act of Parliament but built up from case law where practice has been established by individual judgements. The key principle is that information confided should not be used or disclosed further, except as originally understood by the confider, or with their subsequent permission.
Data Protection Act 1998 (DPA98):
32. The DPA98 imposes constraints on the processing of personal information in relation to living individuals.
In the context of confidentiality, the most significant principles are:
• the 1st, which requires processing to be fair and lawful and imposes other restrictions;
• the 2nd, which requires personal data to be processed for one or more specified and lawful purposes; and
• the 7th, which requires personal data to be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Human Rights Act 1998 (HRA98):
33. Article 8 of the HRA98 establishes a right to ‘respect for private and family life’. This underscores the duty to protect the privacy of individuals and preserve the confidentiality of their health records.
------------------------------------
Annex A1:
Patient records should not include:
• unnecessary abbreviations or jargon;
• meaningless phrases, irrelevant speculation or offensive subjective statements;
• irrelevant personal opinions regarding the patient.
Keeping patient information physically and electronically secure:
Both manual and electronic records: Staff should not leave portable computers, medical notes or files in unattended cars or in easily accessible areas. Ideally, store all files and portable equipment under lock and key when not actually being used. Staff should not normally take patient records home, and where this cannot be avoided, procedures for safeguarding the information effectively should be locally agreed.
Share the minimum necessary to provide safe care or satisfy other purposes.
The Caldicott Principles:
i. Justify the purpose.
ii. Don’t use patient identifiable information unless it is absolutely necessary.
iii. Use the minimum necessary patient identifiable information.
iv. Access to patient identifiable information should be on a strict need to know basis.
v. Everyone should be aware of their responsibilities.
vi. Understand and comply with the law.