Confidentiality - An Overview

Confidentiality is a key tenet of our professional obligations to our patients. It is the basis upon which trust is maintained between clinician and patient. This duty to protect our patients' right to confidentiality can be traced back to the Hippocratic Oath:

“Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought to be noised abroad, I will keep silence thereon, counting such things to be sacred secrets.”

This is also reflected in the GMC guidance on confidentiality, which states in Principles 1 and 2:

  1. “Trust is an essential part of the doctor-patient relationship and confidentiality is central to this. Patients may avoid seeking medical help, or may under-report symptoms, if they think their personal information will be disclosed by doctors without consent, or without the chance to have some control over the timing or amount of information shared. 

  2.  Doctors are under both ethical and legal duties to protect patients’ personal information from improper disclosure. But appropriate information sharing is an essential part of the provision of safe and effective care. Patients may be put at risk if those who are providing their care do not have access to relevant, accurate and up-to-date information about them.”


Confidentiality: A Legal Perspective

The duty of confidentiality in the UK is entrenched in common law and dictates that when information is disclosed in confidence in certain circumstances, such as in medical practice, it would be unethical for that information to be shared further.

This is also highlighted in Article 8 of the European Convention on Human Rights: Right to respect for private and family life, home and correspondence (https://www.echr.coe.int/Documents/Guide_Art_8_ENG.pdf):

  1. “Everyone has the right to respect for his private and family life, his home and his correspondence. 

  2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”



In UK law the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) outline how data must be kept and stored (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/). Article 5 of the GDPR highlights seven key principles which must be followed; Article 5(1) requires that personal data shall be:

“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’); 

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’); 

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); 

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); 

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’); 

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” 

Article 5(2) adds that: 

“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”


The above can be summarised as the following core principles:

  • Lawfulness, fairness and transparency

  • Purpose limitation

  • Data minimisation

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality (security)

  • Accountability


Article 9 of the GDPR also highlights a category of data called Special Category Data, which includes:

“• personal data revealing racial or ethnic origin;

• personal data revealing political opinions;

• personal data revealing religious or philosophical beliefs;

• personal data revealing trade union membership;

• genetic data;

• biometric data (where used for identification purposes);

• data concerning health;

• data concerning a person’s sex life; and

• data concerning a person’s sexual orientation.”



It goes on to list the specific conditions under which special category data may be processed:

“Article 9 lists the conditions for processing special category data:

(a) Explicit consent

(b) Employment, social security and social protection (if authorised by law)

(c) Vital interests

(d) Not-for-profit bodies

(e) Made public by the data subject

(f) Legal claims or judicial acts

(g) Reasons of substantial public interest (with a basis in law)

(h) Health or social care (with a basis in law)

(i) Public health (with a basis in law)

(j) Archiving, research and statistics (with a basis in law)”


To ensure that GDPR practices are implemented, NHS organisations are required to appoint a Data Protection Officer (DPO); you can find out more about this position by following the link below:

https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/information-governance-alliance-iga/general-data-protection-regulation-gdpr-guidance


If you wish to share patient notes, you need the patient’s consent to do so. There are, however, some instances in which you can disclose patient information without the patient’s consent:

  • When ordered to do so by a court

  • When ordered to do so by a coroner

  • To protect the best interests of the public

  • For a medical research project which has been given ethical approval by an ethics board

  • For the identification of a deceased patient
