Patient Confidentiality

People as individuals and as patients have a right to expect that, unless they give permission, a doctor, nurse or other clinician will not disclose any personal information that is learnt during the course of their professional duties. Without assurances about confidentiality, patients may be reluctant to give information that is needed in order to provide good care. Given the above context, the following principles of confidentiality apply:

Staff responsible for confidential information must make sure that the information is effectively protected against improper disclosure when it is received, stored, transmitted or disposed of.
When patients give consent to disclosure of information about themselves, staff must make sure the individual understands what will be disclosed, the reasons for disclosure and the likely consequences.
Staff must make sure that individuals / patients are informed whenever information about them is likely to be disclosed to others involved in their health care, and that they have the opportunity to withhold permission.
Staff must respect requests by patients that information should not be disclosed to third parties, save in exceptional circumstances (for example, where the health or safety of others would otherwise be at serious risk).
If confidential information is disclosed, only as much information as is necessary for the purpose must be released.
Health workers, to whom information is disclosed, must be made aware and understand that it is given to them in confidence which they must respect.
If it is decided to disclose confidential information, the decision must be capable of justification.
Confidential information must only be disclosed on a 'need to know' basis to other staff, where need to know is defined as 'such access as is needed to legitimately perform NHS duties'.

Information Systems Security & Confidentiality Policy:

The data stored in the Practice information systems represents an extremely valuable asset. It is therefore essential that all information processing systems under the Practice's responsibility must be protected to an adequate level from all likely events that may jeopardise confidentiality and threaten the security of data. Such events will include accidents as well as behaviour deliberately designed to cause difficulty and breaches of security. The purpose of the Policy is to preserve:

Confidentiality: Access to data is confined to those specifically authorised to view it.
Integrity:Data is timely and accurate and detected or amended only by those specifically authorised to do so.
Availability: Data is available to those authorised when it is needed.

Furthermore, the Policy's purpose is to raise the awareness of all Practice employees of the need to maintain and, where necessary, improve the security and confidentiality of systems and data.

Practising good systems security should minimise deliberate and accidental system breaches and in turn will assist in maximising system availability. It is recognised by the Practice that mistakes will happen and it is the intention of this Policy that staff should be supported in order to avoid such errors in the context of a 'security and confidentiality aware organisation'.

All staff are covered by a requirement to respect data confidentiality in their contract of employment with the Practice. Deliberate breaking of confidentiality and security rules is contrary to the contract of employment and this policy and is considered a disciplinary matter. In order to reinforce and support awareness and responsibility on confidentiality and security, appropriate training and guidance is given to staff.

It is recognised, that whilst the principles of confidentiality and security can be set out in a policy, some of the practical implications will change over time. Such changes may result from:

Changes in technology.
The expected legal changes accompanying the widespread use of electronic communications facilities, such as the implementation of an 'e-commerce' Act of Parliament.
Changes to organisational structures.
Changing working practices.

Protection and use of Personal Information:

People expect that information about them will be treated as confidential. "Everyone working for the NHS is under a legal duty to keep your records confidential " (Patients Charter and You (1995)).

Personal information should be anonymised wherever possible. Any personal information held on a computer system or in certain manual filing systems is safeguarded by the Data Protection Act 1984 and, from 1999, by the Data Protection Act 1998. No computerised databases holding personal information should be created without registration under this Act. The Data Protection Officer is responsible for maintaining these registrations.

The unauthorised passing on of personal information by any member of staff is a serious matter, warranting consideration of disciplinary action and possibly risking legal action by others. The Caldicott Report (1998) sets out a number of principles for the management & exchange of personally identifiable data.

Care should be taken to ensure that unintentional breaches of confidence do not occur. These are some common examples:

Leaving files / computer terminals unattended.
Providing information to the wrong person by failing to check identity.
Allowing sensitive conversations to be overheard.
Guarding against people seeking information by deception.

The principle of the Caldicott rules is that individuals should always be referred to by their NHS number in the exchange of data and information within the NHS. Even if names and addresses are removed, the combination of date of birth and postcode, for example, can allow individuals to be identified. This applies particularly to the transmission and storage of data, such as minimum data sets.

Information Systems Security in Operation:

(1) Management of Security and Confidentiality:

The management of the security of computer held data and computer systems within the Practice is the overall responsibility of the Security Officer.

Any threat or actual breach of security should be reported immediately to the Security Officer, or, if this is not possible, to one of the Practice partners.

(2) Staff Induction and Training:

Information security and confidentiality will be addressed at the recruitment induction stage and monitored during employment. This is in order to reduce the risks of human error, theft, fraud or misuse of facilities and to ensure that all staff are aware of information security threats and are equipped to support this Policy in the course of their work

(3) Individual Accountability:

Every member of staff is personally accountable for the function they perform. Furthermore, under the Data Protection Act (1998), all staff are personally responsible for their actions according to the law.

(4) Security Incidents:

All incidents causing, or likely to cause breaches of systems security or confidentiality, should be reported to the Security Officer immediately.

(5) Data Ownership:

Each set of data should be assigned an 'owner' for security purposes. The data owner is responsible for:

Identifying all the data within that area of responsibility.
Specifying how the data can be used.
Agreeing who can access the data, and what type of access each user is allowed.
Determining the classification or sensitivity level of the data.
Periodically reviewing the classification.
Approving appropriate security protection for the data, e.g. password protection, back ups.
Ensuring compliance with security controls
Ensuring, in liaison with the Security Officer, compliance with the Data Protection Acts and other relevant legislation.

(6) Exchange of Data and Software:

The exchange of information with other organisations is governed by the principles established by the Caldicott Committee and Safe Haven mechanisms.

(7) Safe Haven:

The confidentiality of patient information should be achieved, in part, through safe haven arrangements. The concept of a Safe Haven was introduced by the NHS Executive to minimise the risk of disclosure of personal data in the 'contracting' process.

(8) Risk Assessment:

To comply with Caldicott requirements, the practice is required to regularly assess the security and confidentiality of the Practice.