Data Protection and Confidentiality

Question 1

What are the consequentialist arguments for maintaining confidentiality?

Answer 1

Impact on the patient (breach in confidentiality can cause psychological harm, affect trust and make patient less likely to disclose information in future)

Impact on others (loss of public trust if confidentiality is breached)

Impact on specific others (e.g. harm if information is not disclosed)

Question 2

What other ethical principles/ concepts apply to confidentiality?

Answer 2

Autonomy: self-determination includes how information about oneself is shared.

Virtue ethics: trustworthiness and promise keeping as virtues.

Duty of care (GMC)

Patient-doctor relationship

Question 3

When is implied consent sufficient in terms of sharing information?

Answer 3

Implied consent is sufficient if all the following are met:

• The data is being accessed to support a patient’s direct care
• Information is available to patients explaining how their data will be used and how they can object
• You have no reason to believe they would object
• You are satisfied anyone you disclose patient information to will understand it is given in confidence and will treat it accordingly

Question 4

What does the GMC state about what patients should expect regarding sharing of their data?

Answer 4

If you suspect that a patient would be surprised to learn about how their data is being accessed or used, explicit consent should be gained if it is practicable to do so.

Question 5

What does the GMC state about secondary uses of patient data?

Give examples of secondary uses of patient data.

Answer 5

You should ask for consent to disclose personal information for purposes other than direct care or local clinical audit unless the information is required by law or if it is not appropriate or practicable to gain consent.

Examples:

• Research
• Audits (certain types)
• Public health
• Education
• Health service planning

Question 6

What does the GMC state about protection of patient data?

Answer 6

“You must make sure any personal information about patients that you hold or control is effectively protected at all times against improper access, disclosure or loss.”

Question 7

Under what circumstances can patient information be disclosed without breaching duties of confidentiality?

Answer 7

• If the disclosure is required by law, including by the courts.
• The patient has given explicit consent
• The disclosure is approved through a statutory service that sets aside common law duty of confidentiality
• If it is justified in the public interest

Question 8

What does the GMC state regarding anonymisation of patient data for secondary purposes?

Answer 8

You must use anonymised information in preference to identifiable information wherever possible. If you disclose identifiable information, you must be satisfied that there is a legal basis for breaching confidentiality

Question 9

What must be considered whether deciding whether or not to disclose patient information in the public interest?

Answer 9

• The potential harm or distress to the patient arising from disclosure (e.g. their future engagement with healthcare)
• The potential harm to trust in doctors in general (loss of public trust)
• Potential harm to others (if information is not disclosed, i.e. serious communicable diseases)
• The potential benefits to an individual or society from disclosure
• The nature of the information and views of the patient
• Whether the harms can be avoided or benefits gained without breaching information or what is the minumum intrusion.

Question 10

Aside from GMC secondary uses, in what other circumstances can confidentiality be breached?

What legal framework supports these?

Answer 10

• Notifiable diseases:
  
  • Legislation= Health Protection (Notification) Regulations 2010
  • Regulations= Public Health Act
    
    • Hospital: duty microbiologist
    • Public Health England: diagnosing clinician

Question 11

Who allows access to health records for living people?

Answer 11

GDPR

Question 12

Who allows access to health records of deceased people?

Answer 12

Access to Health Records Act 1990

Question 13

Who may access health records?

Answer 13

• Patients
• Person with parental responsibility can access child’s records (if not contrary to competent child’s wishes)
• Power of attorney if patient lacks capacity
• Executor of Will / dependants for deceased patients’ records
• Independent Mental Health Advocates (IMHAs)
• Independent Mental Capacity Advocates (IMCAs)
• Police - by court order
• Solicitors - with consent of data subject

Question 14

When is access to health records not allowed?

Answer 14

When access is likely to cause serious harm to the physical or mental health or condition of the data subject or any other person.

OR

When the data would reveal the identity of another person (does not apply to healthcare professionals unless it would cause them serious harm)