GMC Confidentiality Flashcards
Not sure how the law applies in a particular situation? What do you do?
Consult a Caldicott or data guardian, a data protection officer, your defence body or professional association, or seek independent legal advice.
The eight principles of managing patient information:
- Use minimum necessary personal information. Use anonymised information if practicable
- Manage and protect information. Make sure any personal information you hold or control is effectively protected at all times against improper access, disclosure or loss.
- Be aware of your responsibilities.
- Comply with the law.
- Share relevant information for direct care in line with the principles in this guidance unless the patient has objected.
- Ask for explicit consent to disclose identifiable information about patients for purposes other than their care or local clinical audit, unless the disclosure is required by law or can be justified in the public interest.
- Tell patients about disclosures of personal information you make that they would not reasonably expect, or check they have received information about such disclosures, unless that is not practicable or would undermine the purpose of the disclosure. Keep a record of your decisions to disclose, or not to disclose, information.
- Support patients to access their information. Respect, and help patients exercise, their legal rights to be informed about how their information will be used and to have access to, or copies of, their health records.
When you can disclose a patient’s personal information:
Confidentiality is an important ethical and legal duty but it is not absolute. You may disclose personal information without breaching duties of confidentiality when any of the following circumstances applies.
- The patient consents, whether implicitly or explicitly, for the sake of their own care or for local clinical audit
- The patient has given their explicit consent to disclosure for other purposes.
- The disclosure is of overall benefit to a patient who lacks the capacity to consent
- The disclosure is required by law, or the disclosure is permitted or has been approved under a statutory process that sets aside the common law duty of confidentiality
- The disclosure can be justified in the public interest
When disclosing information about a patient you must:
- use anonymised information if it is practicable to do so and if it will serve the purpose
- be satisfied the patient:
- has ready access to information explaining how their personal information will be used for their own care or local clinical audit, and that they have the right to object
- has not objected
- get the patient’s explicit consent if identifiable information is to be disclosed for purposes other than their own care or local clinical audit, unless the disclosure is required by law or can be justified in the public interest
- keep disclosures to the minimum necessary for the purpose
- follow all relevant legal requirements, including the common law and data protection law.
When you are satisfied that information should be disclosed, you should act promptly to disclose all relevant information. You should keep a record of your decision and actions.
You should tell patients about disclosures you make that they would not reasonably expect, or check they have received information about such disclosures, unless that is not practicable or would undermine the purpose of the disclosure – for example, by prejudicing the prevention, detection or prosecution of serious crime.
Disclosing information with a patient’s consent
Asking for a patient’s consent to disclose information shows respect, and is part of good communication between doctors and patients. Under the common law duty of confidentiality, consent may be explicit or implied.
- Explicit (also known as express) consent is given when a patient actively agrees, either orally or in writing, to the use or disclosure of information.
- Implied consent refers to circumstances in which it would be reasonable to infer that the patient agrees to the use of the information, even though this has not been directly expressed.
You may disclose information on the basis of implied consent for direct care when the conditions in paragraphs 28 and 29 are met, and for local clinical audit when the conditions in paragraph 96 are met. In other cases, you should ask for explicit consent to disclose personal information unless it is not appropriate or practicable to do so. For example, this might be because:
- the disclosure is required by law
- you are satisfied that informed consent has already been obtained by a suitable person
- the patient does not have capacity to make the decision. In such a case, you should follow the guidance on disclosures about patients who lack capacity to consent
- you have reason to believe that seeking consent would put you or others at risk of serious harm
- seeking consent would be likely to undermine the purpose of the disclosure, for example by prejudicing the prevention, detection or prosecution of a serious crime
- action must be taken quickly, for example in the detection or control of outbreaks of some communicable diseases where there is insufficient time to contact the patient
- seeking consent is not feasible given the number or age of records, or the likely traceability of patients
- you have already decided to disclose information in the public interest
If you disclose personal information without consent, you must be satisfied that there is a legal basis for breaching confidentiality. You must also be satisfied that the other relevant requirements for disclosing information are met
Disclosing information when patient lacks capacity to consent
You may disclose relevant personal information about a patient who lacks the capacity to consent if it is of overall benefit to the patient.
Disclosures required or permitted by law
- You must disclose information if it is required by statute, or if you are ordered to do so by a judge or presiding officer of a court
- You should satisfy yourself that the disclosure is required by law and you should only disclose information that is relevant to the request. Wherever practicable, you should tell patients about such disclosures, unless that would undermine the purpose, for example by prejudicing the prevention, detection or prosecution of serious crime.
- Laws and regulations sometimes permit, but do not require, the disclosure of personal information. If a disclosure is permitted but not required by law, you must be satisfied that there is a legal basis for breaching confidentiality. You must also be satisfied that the other relevant requirements for disclosing information are met
Disclosures under a legal process
- You may disclose personal information without consent if the disclosure is permitted or has been approved under section 251 of the National Health Service Act 2006 (England and Wales), which allows the common law duty of confidentiality to be set aside for defined purposes where it is not possible to use anonymised information and where seeking consent is not practicable.
- If you know that a patient has objected to information being disclosed for purposes other than their own care, you should not usually disclose the information unless it is required under the regulations.
Disclosures in the public interest
Confidential medical care is recognised in law as being in the public interest. The fact that people are encouraged to seek advice and treatment benefits society as a whole as well as the individual. But there can be a public interest in disclosing information if the benefits to an individual or society outweigh both the public and the patient’s interest in keeping the information confidential. For example, disclosure may be justified to protect individuals or society from risks of serious harm, such as from serious communicable diseases or serious crime. You can find guidance on disclosing information in the public interest to prevent death or serious harm in paragraphs
There may also be circumstances in which disclosing personal information without consent is justified in the public interest for important public benefits, other than to prevent death or serious harm, if there is no reasonably practicable alternative to using personal information. The circumstances in which the public interest would justify such disclosures are uncertain, however, so you should seek the advice of a Caldicott or data guardian or a legal adviser who is not directly connected with the use for which the disclosure is being considered before making the disclosure.
Flowchart for decision making
Using and disclosing patient information for direct care
Sharing information for direct care
- Appropriate information sharing is an essential part of the provision of safe and effective care. Patients may be put at risk if those who provide their care do not have access to relevant, accurate and up-to-date information about them.
- Multidisciplinary and multi-agency teamwork is also placing increasing emphasis on integrated care and partnership working, and information sharing is central to this, but information must be shared within the framework provided by law and ethics.
Implied consent and sharing information for direct
- Most patients understand and expect that relevant information must be shared within the direct care team to provide their care.
- You should share relevant information with those who provide or support direct care to a patient, unless the patient has objected
- The usual basis for sharing information for a patient’s own care is the patient’s consent, whether that is explicit or implied
- You may rely on implied consent to access relevant information about the patient or to share it with those who provide (or support the provision of) direct care to the patient if all of the following are met.
- You are accessing the information to provide or support the individual patient’s direct care, or are satisfied that the person you are sharing the information with is accessing or receiving it for this purpose.
- Information is readily available to patients, explaining how their information will be used and that they have the right to object. This can be provided in leaflets and posters, on websites, and face to face. It should be tailored to patients’ identified communication requirements as far as practicable.
- You have no reason to believe the patient has objected.
- You are satisfied that anyone you disclose personal information to understands that you are giving it to them in confidence, which they must respect.
- If you suspect a patient would be surprised to learn about how you are accessing or disclosing their personal information, you should ask for explicit consent unless it is not practicable to do so. For example, a patient may not expect you to have access to information from another healthcare provider or agency on a shared record.
Patient objections to sharing information for their own care
- If a patient objects to particular personal information being shared for their own care, you should not disclose the information unless it would be justified in the public interest, or is of overall benefit to a patient who lacks the capacity to make the decision. You can find further guidance on disclosures of information about adults who lack capacity to consent in paragraphs
- You should explain to the patient the potential consequences of a decision not to allow personal information to be shared with others who are providing their care. You should also consider with the patient whether any compromise can be reached. If, after discussion, a patient who has capacity to make the decision still objects to the disclosure of personal information that you are convinced is essential to provide safe care, you should explain that you cannot refer them or otherwise arrange for their treatment without also disclosing that information.
If a patient cannot be informed
- Circumstances may arise in which a patient cannot be informed about the disclosure of personal information, for example in a medical emergency. In such cases, you should pass relevant information promptly to those providing the patient’s care.
- If the patient regains the capacity to understand, you should inform them how their personal information was disclosed if it was in a way they would not reasonably expect.
Sharing information with those close to the patient
- You must be considerate to those close to the patient and be sensitive and responsive in giving them information and support, while respecting the patient’s right to confidentiality.
Establishing what the patient wants
- The people close to a patient can play a significant role in supporting, or caring for, the patient and they may want or need information about the patient’s diagnosis, treatment or care. Early discussions about the patient’s wishes can help to avoid disclosures they might object to. Such discussions can also help avoid misunderstandings with, or causing offence or distress to, anyone the patient would want information to be shared with.
- You should establish with the patient what information they want you to share, with whom, and in what circumstances. This will be particularly important if the patient has fluctuating or diminished capacity or is likely to lose capacity, even temporarily. You should document the patient’s wishes in their records.
Abiding by the patient’s wishes
- If a patient who has capacity to make the decision refuses permission for information to be shared with a particular person or group of people, it may be appropriate to encourage the patient to reconsider that decision if sharing the information may be beneficial to the patient’s care and support. You must, however, abide by the patient’s wishes, unless disclosure would be justified in the public interest
- If a patient lacks capacity to make the decision, it is reasonable to assume the patient would want those closest to them to be kept informed of their general condition and prognosis, unless they indicate (or have previously indicated) otherwise.
Listening to those close to the patient
- In most cases, discussions with those close to the patient will take place with the patient’s knowledge and consent. But if someone close to the patient wants to discuss their concerns about the patient’s health without involving the patient, you should not refuse to listen to their views or concerns on the grounds of confidentiality. The information they give you might be helpful in your care of the patient.
- You should, however, consider whether your patient would consider you listening to the views or concerns of others to be a breach of trust, particularly if they have asked you not to listen to specific people. You should also make clear that, while it is not a breach of confidentiality to listen to their concerns, you might need to tell the patient about information you have received from others – for example, if it has influenced your assessment and treatment of the patient. You should also take care not to disclose personal information unintentionally – for example, by confirming or denying the person’s perceptions about the patient’s health.
Disclosures about patients who lack capacity to consent
- You must work on the presumption that every adult patient has the capacity to make decisions about the disclosure of their personal information. You must not assume a patient lacks capacity to make a decision solely because of their age, disability, appearance, behaviour, medical condition (including mental illness), beliefs, apparent inability to communicate, or because they make a decision you disagree with.
- You must assess a patient’s capacity to make a particular decision at the time it needs to be made, recognising that fluctuations in a patient’s condition may affect their ability to understand, retain or weigh up information, or communicate their wishes.
- We give detailed advice on assessing a patient’s mental capacity in our guidance Consent: patients and doctors making decisions together. Practical guidance is also given in the Adults with Incapacity (Scotland) Act 2000 and Mental Capacity Act 2005 codes of practice.
Considering the disclosure
- You may disclose personal information if it is of overall benefit to a patient who lacks the capacity to consent. When making the decision about whether to disclose information about a patient who lacks capacity to consent, you must: (a) make the care of the patient your first concern; (b) respect the patient’s dignity and privacy; (c) support and encourage the patient to be involved, as far as they want and are able, in decisions about disclosure of their personal information.
- You must also consider:
- whether the patient’s lack of capacity is permanent or temporary and, if temporary, whether the decision to disclose could reasonably wait until they regain capacity
- any evidence of the patient’s previously expressed preferences
- the views of anyone the patient asks you to consult, or who has legal authority to make a decision on their behalf, or has been appointed to represent them
- the views of people close to the patient on the patient’s preferences, feelings, beliefs and values, and whether they consider the proposed disclosure to be of overall benefit to the patient
- what you and the rest of the healthcare team know about the patient’s wishes, feelings, beliefs and values.
- You might need to share personal information with a patient’s relatives, friends or carers to enable you to assess the overall benefit to the patient. But that does not mean they have a general right of access to the patient’s records or to be given irrelevant information about, for example, the patient’s past healthcare.
- You must share relevant information with anyone who is authorised to make health and welfare decisions on behalf of, or who is appointed to support and represent, a patient who lacks capacity to give consent. This might be a welfare attorney, a court-appointed deputy or guardian, or an independent mental capacity advocate. You should also share information with independent mental health advocates in some circumstances.
If a patient who lacks capacity asks you not to disclose
- If a patient asks you not to disclose personal information about their condition or treatment, and you believe they lack capacity to make that decision, you should try to persuade them to allow an appropriate person to be given relevant information about their care. In some cases, disclosing information will be required or necessary, for example under the provisions of mental health and mental capacity laws
- If the patient still does not want you to disclose information, but you consider that it would be of overall benefit to the patient and you believe they lack capacity to make that decision, you may disclose relevant information to an appropriate person or authority. In such cases, you should tell the patient before disclosing the information and, if appropriate, seek and carefully consider the views of an advocate or carer. You must document in the patient’s records your discussions and the reasons for deciding to disclose the information.
Disclosures for the protection of patients or others
Disclosing information to protect patients
- All patients have the right to a confidential medical service. Challenging situations can however arise when confidentiality rights must be balanced against duties to protect and promote the health and welfare of patients who may be unable to protect themselves.
Disclosing information about children who may be at risk of harm
- For specific guidance on confidentiality in the context of child protection, see our guidance Protecting children and young people: the responsibilities of all doctors. For general advice on confidentiality when using, accessing or disclosing information about children and young people, see our guidance 0–18 years: guidance for all doctors.
Disclosing information about adults who may be at risk of harm
- As a rule, you should make decisions about how best to support and protect adult patients in partnership with them, and should focus on empowering patients to make decisions in their own interests. You must support and encourage patients to be involved, as far as they want and are able, in decisions about disclosing their personal information.
Legal requirements to disclose information about adults at risk
- There are various legal requirements to disclose information about adults who are known or considered to be at risk of, or to have suffered, abuse or neglect. You must disclose information if it is required by law.
You should:
- satisfy yourself that the disclosure is required by law
- only disclose information that is relevant to the request, and only in the way required by the law
- tell patients about such disclosures whenever practicable, unless it would undermine the purpose of the disclosure to do so.
Disclosing information to protect adults who lack capacity
- You must disclose personal information about an adult who may be at risk of serious harm if it is required by law. Even if there is no legal requirement to do so, you must give information promptly to an appropriate responsible person or authority if you believe a patient who lacks capacity to consent is experiencing, or at risk of, neglect or physical, sexual or emotional abuse, or any other kind of serious harm, unless it is not of overall benefit to the patient to do so.
- If you believe it is not of overall benefit to the patient to disclose their personal information (and it is not required by law), you should discuss the issues with an experienced colleague. If you decide not to disclose information, you must document in the patient’s records your discussions and the reasons for deciding not to disclose. You must be able to justify your decision.
The rights of adults with capacity to make their own decisions
- As a principle, adults who have capacity are entitled to make decisions in their own interests, even if others consider those decisions to be irrational or unwise. You should usually ask for consent before disclosing personal information about a patient if disclosure is not required by law, and it is practicable to do so. You can find examples of when it might not be practicable to ask for consent in paragraph
- If an adult patient who has capacity to make the decision refuses to consent to information being disclosed that you consider necessary for their protection, you should explore their reasons for this. It may be appropriate to encourage the patient to consent to the disclosure and to warn them of the risks of refusing to consent.
- You should, however, usually abide by the patient’s refusal to consent to disclosure, even if their decision leaves them (but no one else) at risk of death or serious harm. You should do your best to give the patient the information and support they need to make decisions in their own interests – for example, by arranging contact with agencies to support people who experience domestic violence. Adults who initially refuse offers of assistance may change their decision over time.
Disclosing information to protect others
Doctors owe a duty of confidentiality to their patients, but they also have a wider duty to protect and promote the health of patients and the public
Legal requirements to disclose information for public protection purposes
- Some laws require disclosure of patient information for purposes such as the notification of infectious diseases and the prevention of terrorism. You must disclose information if it is required by law, including by the courts.
Disclosing information with consent
- You should ask for a patient’s consent to disclose information for the protection of others unless the information is required by law or it is not safe, appropriate or practicable to do so. You should consider any reasons given for refusal.
Disclosing information in the public interest
- Confidential medical care is recognised in law as being in the public interest. The fact that people are encouraged to seek advice and treatment benefits society as a whole as well as the individual. But there can be a public interest in disclosing information to protect individuals or society from risks of serious harm, such as from serious communicable diseases or serious crime.
- If it is not practicable or appropriate to seek consent, and in exceptional cases where a patient has refused consent, disclosing personal information may be justified in the public interest if failure to do so may expose others to a risk of death or serious harm. The benefits to an individual or to society of the disclosure must outweigh both the patient’s and the public interest in keeping the information confidential.
- Such a situation might arise, for example, if a disclosure would be likely to be necessary for the prevention, detection or prosecution of serious crime, especially crimes against the person. When victims of violence refuse police assistance, disclosure may still be justified if others remain at risk, for example from someone who is prepared to use weapons, or from domestic violence when children or others may be at risk.
- Other examples of situations in which failure to disclose information may expose others to a risk of death or serious harm include when a patient is not fit to drive, or has been diagnosed with a serious communicable disease, or poses a serious risk to others through being unfit for work.
- Before deciding whether disclosure would be justified in the public interest you should consider whether it is practicable or appropriate to seek consent. You should not ask for consent if you have already decided to disclose information in the public interest but you should tell the patient about your intention to disclose personal information, unless it is not safe or practicable to do so. If the patient objects to the disclosure you should consider any reasons they give for objecting.
- When deciding whether the public interest in disclosing information outweighs the patient’s and the public interest in keeping the information confidential, you must consider:
- the potential harm or distress to the patient arising from the disclosure – for example, in terms of their future engagement with treatment and their overall health
- the potential harm to trust in doctors generally – for example, if it is widely perceived that doctors will readily disclose information about patients without consent
- the potential harm to others (whether to a specific person or people, or to the public more broadly) if the information is not disclosed
- the potential benefits to an individual or to society arising from the release of the information
- the nature of the information to be disclosed, and any views expressed by the patient
- whether the harms can be avoided or benefits gained without breaching the patient’s privacy or, if not, what is the minimum intrusion.
If you consider that failure to disclose the information would leave individuals or society exposed to a risk so serious that it outweighs the patient’s and the public interest in maintaining confidentiality, you should disclose relevant information promptly to an appropriate person or authority.
- You must document in the patient’s record your reasons for disclosing information with or without consent. You must also document any steps you have taken to seek the patient’s consent, to inform them about the disclosure, or your reasons for not doing so.
- Decisions about whether or not disclosure without consent can be justified in the public interest can be complex. Where practicable, you should seek advice from a Caldicott or data guardian or similar expert adviser who is not directly connected with the use for which disclosure is being considered. If possible, you should do this without revealing the identity of the patient.
Responding to requests for information
- You must consider seriously all requests for relevant information about patients who may pose a risk of serious harm to others. For example, you must participate in procedures set up to protect the public from violent and sex offenders, such as multi-agency public protection arrangements (MAPPA) in England, Wales and Scotland and public protection arrangements in Northern Ireland (PPANI). You must also consider seriously all requests for information needed for formal reviews (such as inquests and inquiries, serious or significant case reviews, case management reviews, and domestic homicide reviews) that are established to learn lessons and to improve systems and services.
- If you disclose personal information without consent, you must be satisfied that there is a legal basis for breaching confidentiality. You must also be satisfied that the other relevant requirements for disclosing information are met
Disclosing genetic and other shared information
- Genetic and some other information about your patient might also be information about others with whom the patient shares genetic or other links. The diagnosis of a patient’s illness might, for example, point to the certainty or likelihood of the same illness in a blood relative.
- Most patients will readily share information about their own health with their children and other relatives, particularly if they are told it might help those relatives to:
- get prophylaxis or other preventative treatments or interventions
- make use of increased surveillance or other investigations
- prepare for potential health problems.
- If a patient refuses to consent to information being disclosed that would benefit others, disclosure might still be justified in the public interest if failure to disclose the information leaves others at risk of death or serious harm. If a patient refuses consent to disclosure, you will need to balance your duty to make the care of your patient your first concern against your duty to help protect the other person from serious harm.
- If practicable, you should not disclose the patient’s identity in contacting and advising others about the risks they face.
Using and disclosing patient information for secondary purposes
- Many important uses of patient information contribute to the overall delivery of health and social care. Examples include health services management, research, epidemiology, public health surveillance, and education and training. Without information about patients the health and social care system would be unable to plan, develop, innovate, conduct research or be publicly accountable for the services it provides.
- There are also important uses of patient information that are not connected to the delivery of health or social care, but which serve wider purposes. These include disclosures for the administration of justice, and for purposes such as financial audit and insurance or benefits claims.
- Anonymised information will usually be sufficient for purposes other than the direct care of the patient and you must use it in preference to identifiable information wherever possible. If you disclose identifiable information, you must be satisfied that there is a legal basis for breaching confidentiality.
- You may disclose personal information without breaching duties of confidentiality when any of the following circumstances apply.
- The disclosure is required by law, including by the courts
- The patient has given explicit consent
- The disclosure is approved through a statutory process that sets aside the common law duty of confidentiality
- The disclosure can, exceptionally, be justified in the public interest
Anonymised information
- The Information Commissioner’s Office anonymisation code of practice (ICO code) considers data to be anonymised if it does not itself identify any individual, and if it is unlikely to allow any individual to be identified through its combination with other data. Simply removing the patient’s name, age, address or other personal identifiers is unlikely to be enough to anonymise information to this standard.
- The ICO code also makes clear that different types of anonymised data pose different levels of re-identification risk. For example, data sets with small numbers may present a higher risk of re-identification than large data sets. The risk of re-identification will also vary according to the environment in which the information is held. For example, an anonymised data set disclosed into a secure and controlled environment could remain anonymous even though the same data set could not be made publicly available because of the likelihood of individuals being identified.
- You should follow the ICO code, or guidance that is consistent with the ICO code, or seek expert advice, if you have a role in anonymising information or disclosing anonymised information.
The process of anonymising information
- Information may be anonymised by a member of the direct care team who has the knowledge, skills and experience to carry out the anonymisation competently, or will be adequately supervised.
- If it is not practicable for the information to be anonymised within the direct care team, it may be anonymised by a data processor under contract, as long as there is a legal basis for any breach of confidentiality (see paragraph 80), the requirements of data protection law are met (see the legal annex) and appropriate controls are in place to protect the information.
Disclosing anonymised information
- If you decide to disclose anonymised information, you must be satisfied that appropriate controls are in place to minimise the risk of individual patients being identified. The controls that are needed will depend on the risk of re-identification, and might include signed contracts or agreements that contain controls on how the information will be used, kept and destroyed, as well as restrictions to prevent individuals being identified. You should refer to specialist advice or guidance when assessing risk, or considering what level of control is appropriate.
Disclosures required by statutes or the courts
Disclosure required by statute
- There are a large number of laws that require disclosure of patient information – for purposes as diverse as the notification of infectious diseases, the provision of health and social care services, the prevention of terrorism and the investigation of road accidents.
- You must disclose information if it is required by law. You should:
- satisfy yourself that personal information is needed, and the disclosure is required by law
- only disclose information relevant to the request, and only in the way required by the law
- tell patients about such disclosures whenever practicable, unless it would undermine the purpose of the disclosure to do so
- abide by patient objections where there is provision to do so.
- You can find advice about disclosures that are permitted but not required by law in paragraph
Disclosing information to the courts, or to obtain legal advice
- The courts, both civil and criminal, have powers to order disclosure of information in various circumstances. You must disclose information if ordered to do so by a judge or presiding officer of a court.
- You should only disclose information that is required by the court. You should object to the judge or the presiding officer if attempts are made to compel you to disclose what appears to you to be irrelevant information, such as information about a patient’s relative who is not involved in the proceedings. You should also tell the judge or the presiding officer if you think disclosing the information might put someone at risk of harm.
- If disclosure is ordered, and you do not understand the basis for this, you should ask the court or a legal adviser to explain it to you. You should also tell the patient whose information the court has asked for what information you will disclose in response to the order, unless that is not practicable or would undermine the purpose for which disclosure is sought.
- You must not disclose personal information to a third party such as a solicitor, police officer or officer of a court without the patient’s explicit consent, unless it is required by law, or ordered by a court, or can be justified in the public interest. You may disclose information without consent to your own legal adviser to get their advice.
- In Scotland, the system of precognition means there can be limited disclosure of information in advance of a criminal trial, to both the Crown and defence, without the patient’s explicit consent. You should cooperate with precognition, but the disclosure must be confined solely to the nature of injuries, the patient’s mental state, or pre-existing conditions or health, documented by the examining doctor, and their likely causes. If they want further information, either side may apply to the court to take a precognition on oath. If that happens, you will be given advance warning and you should seek legal advice about what you may disclose.
Consent
- You should ask for consent to disclose personal information for purposes other than direct care or local clinical audit unless the information is required by law, or it is not appropriate or practicable to obtain consent (see paragraph for examples of when this might be the case).
Disclosures for health and social care secondary purposes
Clinical audit
- All doctors in clinical practice have a duty to participate in clinical audit and to contribute to clinical outcome review programmes. If an audit is to be carried out by the team that provided care, or those working to support them, such as clinical audit staff, you may disclose personal information on the basis of implied consent, as long as you are satisfied that it is not practicable to use anonymised information and that the patient:
- has ready access to information that explains that their personal information may be disclosed for local clinical audit, and they have the right to object
- has not objected
- If a patient does object to personal information about them being included in a local clinical audit related to their care, you should explain why the information is needed and how this may benefit their current and future care. If the patient still objects, you should remove them from the audit if practicable. If that is not practicable, you should make sure this is explained to the patient, along with any options open to them.
- If a clinical audit is to be carried out, but not by the team that provided care or those working to support them, the information should be anonymised. If this is not practicable, or if personal information is essential to the audit, you should disclose the information only if you have the patient’s explicit consent or if there is another legal basis for breaching confidentiality (see paragraph 80). You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).
Disclosures for financial or administrative purposes
- If you are asked to disclose information about patients for financial or administrative purposes, you should give it in an anonymised form, if that is practicable and will serve the purpose. If identifiable information is needed, you must be satisfied that there is a legal basis for breaching confidentiality (see paragraph 80). You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).
The professional duty of candour and confidentiality
- All doctors have a duty of candour – a professional responsibility to be honest with patients when things go wrong. As part of this duty, doctors must tell the patient when something has gone wrong, and explain the short- and long-term effects of what has happened.
- If the patient has died, or is unlikely to regain consciousness or capacity, it may be appropriate to speak to those close to the patient. When providing information for these purposes, you should still respect the patient’s confidentiality. If a patient has previously asked you not to share personal information about their condition or treatment with those close to them, you should abide by their wishes. You must still do your best to be considerate, sensitive and responsive to those close to the patient, giving them as much information as you can.
Openness and learning from adverse incidents and near misses
- A number of reporting systems and schemes exist around the UK for reporting adverse incidents and near misses. Organisations also have policies for reporting and responding to adverse incidents and near misses and in some cases organisational duties of candour have been written into law. If the law requires personal information to be disclosed for these purposes, you should follow the guidance in paragraph 87. If the law does not require it, you should ask for consent to disclose personal information unless it is not appropriate or practicable to do so (see paragraph 14). In exceptional cases, disclosure may be justified without consent in the public interest (see paragraphs 106–112).
Disclosures with specific statutory support
- In England, Wales and Northern Ireland, statutory arrangements are in place for considering whether disclosing personal information without consent for health and social care purposes would benefit patients or the public sufficiently to outweigh patients’ right to privacy. Examples of these purposes include medical research, and the management of health or social care services. There is no comparable statutory framework in Scotland.
- Section 251 of the National Health Service Act 2006 (which applies in England and Wales) and the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 allow the common law duty of confidentiality to be set aside for defined purposes where it is not possible to use anonymised information and where seeking consent is not practicable. You can find more detail about these statutory arrangements in the legal annex.
- You may disclose personal information without consent if the disclosure is permitted or has been approved under regulations made under section 251 of the National Health Service Act 2006 or under the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016. If you know that a patient has objected to information being disclosed for purposes other than direct care, you should not usually disclose the information unless it is required under the regulations.
Public interest disclosures for health and social care purposes
- In exceptional circumstances, there may be an overriding public interest in disclosing personal information without consent for important health and social care purposes if there is no reasonably practicable alternative to using personal information and it is not practicable to seek consent. The benefits to society arising from the disclosure must outweigh the patient’s and public interest in keeping the information confidential.
- You should not disclose personal information without consent in the public interest if the disclosure falls within the scope of any of the regulations described in paragraphs 103–105, and the disclosure is not permitted, or has not been approved, under those regulations.
- If the regulations described in paragraphs 103–105 do not apply, you may need to make your own decision about whether disclosure of personal information without consent is justified. The circumstances in which the public interest would justify such disclosures are uncertain, however, so you should seek the advice of a Caldicott or data guardian or a legal adviser who is not directly connected with the use for which the disclosure is being considered before making the disclosure.
- Before considering whether disclosing personal information without consent may be justified in the public interest, you must satisfy yourself that it is either necessary to use identifiable information or not reasonably practicable to anonymise the information. In either case, you must be satisfied that it is not reasonably practicable to seek consent.
- When considering whether disclosing personal information without consent may be justified in the public interest, you must take account of the factors set out in paragraph 67. You must also be satisfied that:
- the disclosure would comply with the requirements of data protection law and would not breach any other legislation that prevents the disclosure of information about patients (see the legal annex for examples)
- the disclosure is the minimum necessary for the purpose
- the information will be processed in a secure and controlled environment that has the capabilities and is otherwise suitable to process the information (see paragraph 86)
- information is readily available to patients about any data that has been disclosed without consent, who it has been disclosed to, and the purpose of the disclosure.
- If you know that a patient has objected to information being disclosed for purposes other than their own care, you should not disclose information in the public interest unless failure to do so would leave others at risk of death or serious harm (see paragraphs 63–70).
- You must keep a record of what information you disclosed, your reasons, and any advice you sought.
Ethical approval for research
- You should only disclose personal information for research if there is a legal basis for the disclosure and the research has been approved by a research ethics committee.
- If you are applying for ethical approval for research, you should let the research ethics committee know if personal information will be disclosed without consent and tell them the legal basis for the disclosure.
Requests from employers, insurers and other third parties
- Third parties, such as a patient’s insurer or employer, or a government department, or an agency assessing a claimant’s entitlement to benefits, may ask you for personal information about a patient, either following an examination or from existing records. In these cases, you should:
- be satisfied that the patient has sufficient information about the scope, purpose and likely consequences of the examination and disclosure, and the fact that relevant information cannot be concealed or withheld
- obtain or have seen written consent to the disclosure from the patient or a person properly authorised to act on the patient’s behalf. You may accept an assurance from an officer of a government department or agency, or a registered health professional acting on their behalf, that the patient or a person properly authorised to act on their behalf has consented
- only disclose factual information you can substantiate, presented in an unbiased manner, which is relevant to the request. You should not usually disclose the whole record, although it may be relevant to some benefits paid by government departments and to other assessments of a patient’s entitlement to pensions or other health-related benefits
- offer to show your patient, or give them a copy of, any report you write about them for employment or insurance purposes before it is sent, unless:
Managing and protecting personal information
Improper access and disclosure
- Many improper disclosures of patient information are unintentional. Conversations in reception areas, at a patient’s bedside and in public places may be overheard. Notes and records may be seen by other patients, unauthorised staff, or the public if they are not managed securely. Patient details can be lost if handover lists are misplaced, or when patient notes are in transit.
- You must make sure any personal information about patients that you hold or control is effectively protected at all times against improper access, disclosure or loss. You should not leave patients’ records, or other notes you make about patients, either on paper or on screen, unattended. You should not share passwords.
- You must not access a patient’s personal information unless you have a legitimate reason to view it.
- You should not share personal information about patients where you can be overheard, for example in a public place or in an internet chat forum. While there are some practice environments in which it may be difficult to avoid conversations with (or about) patients being overheard by others, you should try to minimise breaches of confidentiality and privacy as far as it is possible to do so.
Disclosing information after a patient has died
- Your duty of confidentiality continues after a patient has died.
- There are circumstances in which you must disclose relevant information about a patient who has died. For example:
- when disclosure is required by law
- to help a coroner, procurator fiscal or other similar officer with an inquest or fatal accident inquiry
- on death certificates, which you must complete honestly and fully
- when a person has a right of access to records under the Access to Health Records Act 1990 or the Access to Health Records (Northern Ireland) Order 1993, unless an exemption applies
- when disclosure is necessary to meet a statutory duty of candour.
- In other circumstances, whether and what personal information may be disclosed after a patient’s death will depend on the facts of the case. If the patient had asked for information to remain confidential, you should usually abide by their wishes. If you are unaware of any instructions from the patient, when you are considering requests for information you should take into account:
- whether disclosing information is likely to cause distress to, or be of benefit to, the patient’s partner or family
- whether the disclosure will also disclose information about the patient’s family or anyone else
- whether the information is already public knowledge or can be anonymised or de-identified
- the purpose of the disclosure
- Circumstances in which you should usually disclose relevant information about a patient who has died include:
- the disclosure is permitted or has been approved under a statutory process that sets aside the common law duty of confidentiality, unless you know the patient has objected (see paragraphs 103–105)
- when disclosure is justified in the public interest to protect others from a risk of death or serious harm
- for public health surveillance, in which case the information should be anonymised, unless that would defeat the purpose
- when a parent asks for information about the circumstances and causes of a child’s death
- when someone close to an adult patient asks for information about the circumstances of that patient’s death, and you have no reason to believe the patient would have objected to such a disclosure
- when disclosure is necessary to meet a professional duty of candour (see paragraphs 100 and 101)
- when it is necessary to support the reporting or investigation of adverse incidents, or complaints, for local clinical audit, or for clinical outcome review programmes.
- Archived records relating to deceased patients remain subject to a duty of confidentiality, although the potential for disclosing information about, or causing distress to, surviving relatives or damaging the public’s trust will diminish over time.