2.1.2: Maintains confidentiality in all aspect of patient care Flashcards
(APR – record which contains VCG) Indicators: Demonstrates knowledge of the data protection act (1998) and how this impacts on security, access, and confidentiality of patient records. Additional guidance: the trainee also demonstrates knowledge of EU General data protection regulations GDPR Trainee must ask for and record VCG on all their records and be aware of what to do in the event that the px refuses consent Patient encounter: all sampled anonymised patient records
What is the data protection act?
- DPA (1998) act of parliament to protect person data stored about individuals on computers/paper filling systems
- As a practitioner, your organisation is the record holder, but you still have responsibilities
- Everyone responsible for using data has to follow strict rules known as the data protection principles
How must information be treated under the act?
- Data must be secure
- Must be used in a way that is adequate, relevant, and not excessive
- Kept for no longer than necessary
- Data stored must be kept accurate & up-to-date
- Data obtained and processed lawfully
- Processed within data subject rights
- Must be obtained and specified for lawful purposes
- Not transferred to countries without adequate data protection laws
Main points for optometrists:
• Obtaining the patients explicit consent to taking and keeping a record of the consultation; the law does not state if this needs to be written consent
• Keeping accurate patient data
• Using the data for specific purposes
• Amending inaccurate data and responding to objections from patients if the use of the data causes harm or distress
• Keeping the data no longer than necessary. Suggested lengths of time for retaining records are
- Hospital Records – 10 year
- Children and Young People – until the patient’s 25th birthday or 26th if patient was 17 at conclusion of treatment; or 8 years after patient’s death
- General – 8 years
- Patients involved in Clinical Trials – 15 years
• Enabling patients, applicant acting on half of patient, to access their data for the length of time that you keep their records
• Assisting the patient to understand their records by explaining its contents
• Obtaining explicit consent if you pass clinical details to health professional/third party
• Satisfying yourself that there is no further need for the record before destroying it
• Disposing of any records securely
Noting that if you or anyone in the organisation acquire a patient records the obligations are transferred to you as the new owner
DPA (1998) was superseded by the DPA (2018)
- New regulations which supplement the EUs General Data Protection Regulations (GDPR)
- The new regulates collection, storage and use of personal data more strictly
- Under DPA 2018 – right to find out what information the government and organisations store about you, including the right to:
- Be informed about how data is being used
- Access to personal data
- Have incorrect data updated/correct personal data
- Have data erased i.e. the right to be forgotten/prevent further processing
- Stop or restrict processing of your data
- Data portability
- Object to how your data is processed in certain circumstances
GDPR – general data protection regulations
- EU regulations relating to the collecting and processing of data
- Indication for consent must be unambiguous – tick box
- Broader definition of personal data
- Higher bar for lawful processing
- More rights for individuals
- Notify of data breaches
- GDPR regulates data processors and controllers
GDPR: Broader definition of personal data
Includes any potential identifiers, also identification number, location data & IP address
GDPR: Higher bar for lawful processing
Must fall within 1 or more of the 6 permitted legal justifications
GDPR: More rights for individuals
- Right to be informed, access, rectify and erase data
- Restrict processing
- Not to be subjected to automated decision making and profiling
GDPR: Notify of data breaches
- Report a breach to information commissioner’s (ICO) office if high risk to individual within 72 hours of breach & notify individual
- Penalties to hold businesses more accountable
GDPR regulates data processors and controllers
• Data processing: any action performed on that data e.g. collecting, recording, storing, erasing (third party that processes personal data on behalf of the controller)
• Data controller – person who decides why/how personal data is processed (any employer/employee)
• Stricter rules for sharing data outside the EU
• Potential penalties for non-compliance
• Principles:
- Lawfulness, fairness & transparency
- Specific and legitimate purpose for storing data
- Data minimisation
- Accuracy – update/remove inaccurate data
- Storage limitation – delete when no longer need it
- Integrity and confidentiality – keep data safe and protect against unlawful processing
Implementing DPA
- Hidden information cannot be accessed without specific knowledge e.g. password
- No information should be left visible to the public i.e. screens turned off/no paperwork
- Regular testing of technology instore
- Test room only accessible by optoms – log out computers on shop floor after use
Implementing GDPR
- Consent to store data must be unambiguous – tick box for consent on arrival
- As px’s have the right to decide how their info is controlled – ask about contact preferences on arrival
- Confirm details on arrival as we have an obligation to ensure data is accurate and correct
- Pxs have right to access their own info so can book time out of diary to discuss records as it must be in a test room, not the shop floor; also gives evidence that you have spent time with px
Consent
- Px’s must consent before you share any info about them
- When asking for consent, should tell px: what info you want to share, who you want to share it with and how the information will be used
- VCG shows that you understand that the data recorded is the patient’s own, and consent must be given to use records
- Ask for consent to use the record & for a supervisor to check, if no consent for checking px care must be passed to another optom
- Written consent – signature
- Implied consent – chin on rest is implying consent
- Dilation i.e. informed consent – extra within normal tests i.e. out with routine
Confidentiality
- Cannot breach if failure to share would leave the px (but no one else) at risk of serious harm/death (C75)
- Confidentiality can be breached if there is a significant risk of injury or death e.g. DVLA/mum withholding info from children about their ocular health
- Confidentiality can be breached if you are required by law to provide information e.g. court
- Duty of Confidentiality is absolute – info only disclosed with px’s consent (if broken – individual can take legal action for breach against public/professional body)
- Personal info disclosed without authorisation – damage Specsavers reputation, fine from regulators and impact well-being of individuals who’s info Is disclosed
