B3 W3: Data protection & confidentiality Flashcards
What are the reasons for maintaining confidentiality?
Talk about them in relation to ethical principles
CONSEQUENTIALIST ARGUMENT:
- Impact on the patient (breach may upset them and their trust in the Dr, may be less likely to share info in the future, less likely to access healthcare, under report symptoms etc.)
- Impact on others generally (loss of public trust, less effective care for many.)
RESPECT FOR AUTONOMY:
- Self-determination about how/ whether information is shared, how it is used.
VIRTUE ETHICS:
- Promise-keeping/ trustworthiness as virtues
OTHER DUTIES
- Duty of care (data shared in healthcare teams but not beyond)
- Patient-Dr relationship
Give some generalistic reasons for not maintaining confidentiality
Talk about the ethical principles
CONSEQUENTIALISM:
- Impact on specific others (harm of non-disclosure)
OTHER DUTIES:
- Duty of care (data shared in healthcare team but not outside)
What are the types of consent?
Implied or explicit
Implied consent can be sufficient if all the criteria are met:
i) Data is being used to support a patient’s direct care
ii) Information is available to the patient stating how it will be used & how they can object
iii) You have no reason to believe they would object
iv) Satisfied that anyone you disclose to will understand the information has been given in confidence & treat it accordingly
When should you get explicit consent to disclose patient information?
If you think the patient would be surprised to learn how you were accessing or disclosing their personal information
GMC Confidentiality paragraph 29
Give examples of secondary uses of patient information
What type of consent should be obtained?
- Research
- Certain types of audit (eg: financial)
- Public Health
- Education
- Health Service Planning
Explicit consent
What does the GMC Confidentiality Paragraph 95 say?
Seek explicit consent to disclose personal information for purposes other than direct health care/ local clinical audit
UNLESS the information is:
Required by law, or is not appropriate or practical to obtain consent
When may you disclose personal information for secondary purposes without breaching duties of confidentiality?
What type of information should be given- identifiable or anonymised?
1) Disclosure required by law, including the courts
2) Patient has given explicit consent
3) Disclosure approved through statutory process that sets aside common law duty of confidentiality
4) Disclosure can be, exceptionally, justified in public interest
Anonymised information is usually sufficient for purposes other than direct care
When is data considered anonymised?
i) Does not itself directly identify any individual
ii) Unlikely to allow an individual to be identified through combination with any other data
Different types of data have different levels of re-identification risk (Small versus large data set)
Anonymised vs pseudonymised data are NOT the same
Secondary use of data- disclosing in the public interest what must you consider?
i) The potential harm/distress to the patient- will they engage in further Tx/ Dr-Pt relationship
ii) The potential harm to trust in Dr’s generally
iii) The potential harm to others (specific person or public) if not disclosed
iv) The potential benefits to an individual/ society with release of information
v) Nature of the information disclosed & views expressed by the patient
vi) Can the harms be avoided or benefits gained without breaching the patient’s privacy. If not, what is the minimum intrusion?
When disclosing information about a patient you should…..
(GMC process for disclosing patient information)
a) Use anonymised/ coded information if practical and it will serve the purpose
b) Be satisfied that the patient:
- i) Has access to the information that their personal information may be disclosed for the sake of their care and local clinical audit, & that they can object
- ii) Has not objected
c) Explicit consent if information is: identifiable, for purposes other than their direct care, local clinical audit, unless the disclosure is justified by law or public interest
d) Keep disclosure to minimum necessary for purpose
e) Keep up to date with, and observe, all relevant legal requirements including common law & data protection law
Notifiable disease under the Health Protection Regulations 2010
What are the Acts/ Legislations around this?
Who should be informed?
Give some examples
Legislation:
- Public Health (Infectious Diseases) Act 1998
Public Health England regulations
- Health Protection Regulation 2010
Hospital Infection control- duty microbiologist
PHE:
- Diagnosing clinician’s duty to report case to local health protection team
- Form
- Notify urgent cases by phone in 24 hours
Eg: TB, Acute Poliomyelitis, Acute infectious hepatitis, anything that may present significant risk to human health (meningitis, meningococcal septicaemia, measles, mumps, rubella, scarlet fever, infectious bloody diarrhoea).
What are the General Data Protection Regulation (GDPR) 6 key principles?
GDPR = new data protection framework that applies in all EU member states
New data protection act (2018) enacted to supplement GDPR, two laws considered together.
Data must be:
1) Processed fairly, lawfully & in transparent manner
2) Collected for specified, explicit, legitimate purpose & not further processed for other purposes incompatible with those purposes
3) Adequate, relevant & limited to what is necessary
4) Accurate and kept up to date
5) Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed
“Allows identification of data subjects only so long as needed for the purpose it is being used for; it is not kept longer than needed”
6) Processed in a way that ensures appropriate security of personal data including protection against unauthorised/ unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
What act allows people to see the health records of deceased people?
Access to Health Records Act 1990
Under what are you allowed to access the health records for all living people?
GDPR- general data protection regulation:
allows access to health records for all living individuals; NHS trusts have 1 month to respond