Data Protection

This policy provides guidance to practice staff on the disclosure of patient information to third parties.

General Principles

Whilst it is vital for the proper care of individuals that those concerned with providing that care have ready access to the information that they need, it is also important that patients and their carers can trust that personal information will be kept confidential and that their privacy is respected.

All members of staff have an obligation to safeguard the confidentiality of personal information. This is governed by law, their contracts of employment and, in many cases, professional codes of conduct. All staff should be aware that any breach of confidentiality could be a matter for disciplinary action, may be regarded as gross misconduct, and could provide grounds for a complaint against them and lead to dismissal.

Where a decision is to be made whether to release information to a third party in circumstances other than those detailed below, administrative and reception staff should refer the matter to a GP for an assessment of the situation before information is divulged. Reception and administration staff should not ordinarily make confidentiality decisions where the authority is in doubt.

Although it is neither practicable nor necessary to seek an individual’s consent each time that information needs to be shared or passed on for a particular purpose which is defined within this policy, this is contingent on individuals being fully informed of the ways information about them may be used.

Clarity about the ways personal information may be used is essential, and only the minimum identifiable information necessary to satisfy each purpose should be made available. Access to personal information should be on a need-to-know basis.

If an individual wants information about themselves to be withheld from someone or some agency which might otherwise have received it, the individual’s wishes should be respected unless there are exceptional circumstances. Every effort should be made to explain to the individual the consequences for care and planning, but the final decision should rest with the individual.

Any request to withhold information should ideally be put in writing to avoid any misunderstandings of the patient’s position.

The exceptional circumstances which may override the above clause arise when information is required by statute or court order; where there is a serious public health risk or harm to other individuals; or for the prevention, detection or prosecution of serious crime. The decision to release information in these circumstances, where judgment is required, should be made by the senior partner and it may be necessary to seek legal advice.

There are also some statutory restrictions on the disclosure of information relating to AIDS, HIV and other sexually transmitted diseases, assisted conception and abortion.

Where information on individuals has been aggregated or anonymised, it should still only be used for justified purposes, but is not governed by this policy. Care should be taken to ensure that individuals cannot be identified from this type of information, as it is frequently possible to identify individuals from limited data, e.g. age and post code.

Sharing Patient and Carer Information

  • Verbal permission must be obtained from patient and / or carer before divulging information. In certain cases, written consent should be obtained.
  • Clarify that the patient/carer understands to whom information will be given, and why.
  • Get positive permission to share information.
  • Verbal permission must be documented in the patient’s medical record.
  • Written permission must be filed or scanned into the patient’s notes.
  • Medical information is accessed on a “need-to-know” basis, in order to perform duties and for no other purpose. Please see Defining Purpose, below.
  • A staff confidentiality form is signed as part of the practice’s induction programme and is contained in the employee’s contract of employment.

Mechanisms for Sharing Information

  • Clinical Meetings
  • Face-to-face discussion
  • Tasks using SystmOne
  • Memos
  • Computer data
  • Team meetings

Defining Purpose

There will be a range of justifiable purposes to be locally agreed. The following list is not exhaustive, and covers internal practice purposes only.

  • Delivering personal care and treatment
  • Assuring and improving the quality of care and treatment
  • Monitoring and protecting public health
  • Managing and planning services
  • Risk management
  • Investigating complaints
  • Teaching
  • Statistical analysis
  • Research (medical or health services)

All staff must access personal information only when there is a justifiable business reason for doing so.

Information Security

  • The practice will ensure they address the issues of security of information
  • The practice will take all reasonable care to protect both the physical security of information technology and the data contained within it
  • All information systems will be password protected
  • All personal files must be kept secure

Ownership of Information and the Rights of Individuals

Whilst written and computerised records will be regarded as shared between the agencies, an individual’s right of access to the information contained in the records differs when it has been provided by a health professional from when it has been provided by social service staff.

Any health professional’s contribution to records maintained by Social Services staff, whether a letter, a case record or report, must be clearly marked as such and, where practicable, kept in a closed part of the file. Social Services staff should not grant access to this information without written authorisation.

The reverse also applies. NHS and practice staff cannot grant access to Social Services information without written authorisation.