To complete the Information Governance training, read each topic below and then take the quiz.
- Confidentiality is a legal requirement for the NHS and its staff.
What does the NHS have to do to comply with this?
- Inform patients about how personal information relating to them will be used.
- Inform patients of their right to object to the disclosure of their confidential personal information outside of an NHS organisation.
- Seek explicit consent before disclosing patient personal information for non-healthcare purposes (unless, in rare cases, an exception applies).
- What is the Duty of Confidence?
- A duty of confidence arises when sensitive information is obtained and recorded in circumstances where it is reasonable for the subject of the information to expect that the information will be held in confidence.
- Patients provide sensitive information relating to their health and other matters and they have a right to expect that we will respect their privacy and act appropriately. The duty can equally arise with some staff records, for example Occupational Health records.
- Patients have a right to be informed about how we will use their information for healthcare, the choices they have about restricting the use of their information and whether exercising this choice will impact on the services offered to them.
How does this apply to me?
- When a GP populates a patient record they have a Duty of Confidence over that information.
- The information contained within a patient record is confidential and must not be viewed or shared without the rights to do so.
Explicit Consent
- Where it is proposed that patient information is disclosed outside of an NHS organisation for purposes other than healthcare, in most cases it is necessary to ensure that the patient has explicitly consented to this happening. There are limited exceptions to this general rule.
Let’s put this into a scenario…
A problem has been reported within a GP surgery; however, the user has not been able to fully explain it and would like you to have a look at an example.
It is proposed that screenshots are taken from a patient record and sent to you (unedited) without seeking the patient’s consent. Would this breach confidentiality?
Yes – Without gaining explicit consent from the patient to share their data outside of the NHS organisation for purposes other than healthcare, this would breach confidentiality.
Now let’s look at another scenario…
A problem has been reported within a GP surgery; however, the user has not been able to fully explain it and would like you to have a look at an example.
The user has permission to share the patient record with you. Whilst looking at the problem you are able to see some of the patient’s medical history. Would it be a breach of confidentiality to discuss the patient’s medical history with your colleagues?
Yes – The information that you have seen is confidential personal information. This must not be shared with colleagues, friends, family etc.
- In 1997 the Caldicott Report was commissioned by the Chief Medical Officer. A key outcome of this report saw the appointment of Caldicott Guardians in each NHS Trust to safeguard access to Patient Identifiable Data.
The Caldicott Guardian for each organisation is responsible for:
- Reviewing, overseeing and agreeing policies governing the protection of patient or personal information
- Overseeing organisational compliance with the Caldicott Management Principles
- From the report, recommendations were made to improve the way that the NHS handles patient information. The Caldicott Six Information Management Principles:
- Justify the purpose(s) of using confidential information
- Only use it when absolutely necessary
- Use the minimum that is required
- Access should be on a strict need-to-know basis
- Everyone must understand his or her responsibilities
- Understand and comply with the law
Let’s look at these principles in more detail…
Do you have a justified purpose for using this confidential information?
- The purpose for using confidential information should be justified, which means making sure there is a valid reason for using it to carry out that particular purpose.
Are you using it because it is absolutely necessary to do so?
- The use of confidential information must be absolutely necessary to carry out the stated purpose.
How does this apply to me?
- Think before using confidential information!
- In the previous scenarios, could a test patient have been used? Could the patient have been anonymised in the screenshot?
Are you using the minimum amount of information required?
- If it is necessary to use confidential information, it should include only the minimum that’s needed to carry out the purpose.
Are you allowing access to this information on a strict need-to-know basis only?
- Before confidential information is accessed, a quick assessment should be made to determine whether it is actually needed for the stated purpose. If the intention is to share the information, it should only be shared with those who need it to carry out their role.
How does this apply to me?
- So you have decided that you need to use confidential information and consent has been given. How much of this information do you really need to see?
- Think about whether some of the information could be removed/anonymised.
Do you understand your responsibility and duty to the subject with regards to keeping their information secure and confidential?
- Everyone should understand their responsibility for protecting information, which generally requires that training and awareness sessions are put in place.
- If the intention is to share the information those people must also be made aware of their own responsibility for protecting information and they must be informed of the restrictions on further sharing.
How does this apply to me?
- Is it your responsibility to secure confidential information? Yes, it is – for example, you have a printout showing some of a patient’s record. Do you leave it on your desk where it can be seen or keep it securely in a locked drawer? If you cannot keep the information safe in paper format, should you have printed it in the first place?
Do you understand the law and are you complying with the law before handling the confidential information?
- There are a range of legal obligations to consider when using confidential information. The key ones that must be complied with by law are provided by the common law duty of confidentiality and under the Data Protection Act 2018.
- If you have questions or are unsure you should read the company Information Governance Policy or ask your line manager.
How does this apply to me?
- If in doubt, check with your line manager prior to viewing or using confidential information.
- Always remember to think about whether some of the information could be removed/anonymised.
You are on-site with a customer who has logged into their clinical system and opened a live patient record in front of you. What would be the appropriate action to take?
Inform the member of staff that you cannot view the record as this would breach confidentiality