Confidentiality
Confidentiality is central to the trust patients place in their doctors. It is an important legal and ethical principle – doctors must abide by the principles of the 1988 and 2003 Data Protection Acts (see Box 6) and by the Medical Council’s guidance.
Box 6: The eight rules of Data Protection
- Obtain and process information fairly.
- Keep it only for one or more specified, explicit and lawful purposes.
- Use and disclose it only in ways compatible with these purposes.
- Keep it safe and secure.
- Keep it accurate, complete and up to date.
- Ensure that it is adequate, relevant and not excessive.
- Retain it for no longer than is necessary for the specified purpose or purposes.
- Give a copy of his/her personal data to an individual, on request.
General advice
Avoid problems by:
- Ensuring that your registration as a data controller is renewed annually (see Appendix 2 for contact details).
- Obtaining the patient’s consent (and recording it) before disclosing information to a third party. Make sure that the recipient of the information understands that it is given in confidence.
- Being able to justify disclosure without the patient’s consent as being in the public’s interests.
- Letting patients know (directly or through leaflets and posters) that information about them may be shared with other healthcare professionals. Make it clear that they have the right to withhold consent if they wish.
- Making sure that staff who are not bound by a professional obligation to preserve confidentiality are similarly bound by contract, and that they are fully aware that they have a legal obligation over and above their contractual commitments to maintain confidentiality.
- Training staff on information security and patient confidentiality. Most breaches of confidentiality are inadvertent and stem from staff not knowing what constitutes a breach of confidence.
- Introducing a protocol for checking patients’ identities when telephoning them with test results, etc., and a standard message for leaving on an answering machine that won’t compromise a patient’s confidentiality.
- Taking care (and making sure that your staff take care) not to discuss patients where others can overhear – reception areas are an obvious place where confidentiality can be breached unwittingly.
- Placing fax machines in secure areas and checking that information you send by fax will be received in a secure place – telephone first to warn of its impending arrival and ask the recipient to let you know if they don’t receive it.
- Using encryption software when sending emails containing patient information, and warning the patient that you are transmitting information about them by this means.
Box 7: Are you a data controller?
“A data controller can be either an individual doctor or the practice, depending on how the practice operates. If access to a patient’s record is granted to all GPs in a practice because the patient understands that when they attend they could be referred to any of the GPs, then it is likely from a registration perspective that the registration would be made in the name of the practice, assuming that the practice is a distinct legal entity.
“If, in a practice scenario, the GPs were sharing admin services and accommodation facilities only (but from a treatment perspective one GP could not access the files of other GPs) then each GP would likely be a separate data controller in respect of the information within their control and each would have to register separately with this Office.”
Advice received from the Data Commissioner’s Office (18 January 2011)