Information is a vital asset, both in terms of the clinical management of individual patients and the efficient organisation of services and resources.
Bodies providing NHS services should aim to safeguard patient confidentiality and maintain data security whilst empowering staff to perform their roles using key information governance (IG) principles.
Information governance is the way in which the NHS handles all of its information, in particular personal and sensitive information relating to patients and employees.
It provides a framework to ensure that personal information is dealt with legally, securely, efficiently and effectively, in order to deliver the best possible care.
IG also offers NHS employees a clear structure to deal consistently with the many different rules about how information is handled. This includes:
Ensuring that staff and clinical leaders are suitably equipped to manage this area of work is a key priority for NHS bodies. The penalties for breaking data protection and associated laws can be significant.
Individuals responsible for breaches may be subject to disciplinary action that can result in dismissal.
Regulatory fines for non-compliance with the EU’s GDPR are much higher than under the UK’s previous Data Protection Act 1998. The previous maximum fine of £500,000 was significantly increased to fines of up to 4% of annual global turnover or €20 million – whichever is greater.
Being transparent and providing accessible, easy-to-understand information to individuals about how their personal data will be used is a key element of the Data Protection Act 1998 and GDPR.
A fair processing notice is a written statement that individuals are given when information is collected about them.
The most common way to provide this information is in a privacy notice or policy.
As a minimum, a privacy notice should inform people who the body is, what the body is going to do with their information and who it will be shared with.
The Caldicott principles were developed in the late 1990s following a review of how patient information was handled across the NHS and were revised in 2013.
They relate to patient-identifiable information and provide guidance on how and when such data should be used and shared.
Industry employees with access to patient information need to be aware of, and comply with, the principles.
The principles are:
1) Justify the purpose for using confidential information
2) Do not use personal confidential data unless it is absolutely necessary
3) Use the minimum necessary personal confidential data
4) Access to personal confidential data should be on a strict need-to-know basis
5) Everyone with access to personal confidential data should be aware of their responsibilities
6) Comply with the law
7) The duty to share information can be as important as the duty to protect patient confidentiality.
Each NHS organisation must appoint a Caldicott guardian whose role is to oversee the use and sharing of patient-identifiable information.
The main role of the Caldicott guardian is to ensure that the highest practical standards are maintained for the handling of patient-identifiable information between the NHS, councils with social services responsibilities and other partner organisations. This includes patient confidentiality.
Patients disclose sensitive information relating to their health when seeking treatment. This is done in confidence and the expectation is that staff will respect their privacy and act appropriately. This is embedded in case law, in the professional codes of conduct for health care professionals and is a requirement for an NHS contract of employment, the breaching of which leads to disciplinary measures.
The main consequence of this is that patient-identifiable information cannot be disclosed to a third party without the consent of the person concerned.
Exceptions to this include:
Individual general medical practices are not required to have a Caldicott Guardian; however, they do need to appoint an information governance lead.
The legal framework governing the use of personal confidential data in health care is complex. It includes the NHS Act 2006, the Health and Social Care Act 2012, the Data Protection Act 2018 and the Human Rights Act just to name a few.
The law allows personal data to be shared between those offering care directly to patients, but it protects patients’ confidentiality when data about them are used for other purposes. These “secondary uses” of data are essential if we are to run a safe, efficient, and equitable health service. They include:
Generally speaking, people within the healthcare system using data for secondary purposes must only use data that do not identify individual patients unless they have the consent of the patient themselves.
All of the above emphasize the need for healthcare to be secure in its management of data and care records, as well as accountable for breaches of information security.
Information on operating lists, operating room boards and patient records should not be subject to discussion outside of the hospital.
Mention of a patient's name may be heard by their relatives in hospital or surgery public places. Ensure you exercise care to uphold confidentiality.
Any patient record should be held confidentially and securely. All people who come into contact with personal health information in their work should have training in confidentiality and security issues. This includes the need to ensure that specific identifiers are given to patient records, which you and the company may keep, so that the individual cannot be identified.
Any data stored on medical devices must be erased from the device before it is removed from the hospital, so that there is no chance of inadvertent loss of confidentiality for patients.
In your work, you will be party to information about patients which is personal to them and must be treated with confidentiality. You may be privileged to be present at their surgery and must respect that you are a visitor and their situation is not for any inappropriate discussion outside of the department.
Should you need to keep a record of the patients details for company product information, this must be unidentifiable and where possible encrypted.
Should you know the patient personally, you must remove yourself from the theatre unless it is absolutely vital for the successful outcome of the surgery. This situation should never be necessary.
Whilst most of us have cameras on our smartphones, you must not take or agree to take any photographs in theatres or other clinical areas, even on someone else’s phone or camera. In most hospitals, there are professional medical photographers who have the skills to take clinical photographs.
The clinician must have asked for patient consent to take clinical photographs and there are rules and ethical guidelines for the clinician from the General Medical Council on the use of images.
For those attending operating theatres, there can be concerns that patients might be unaware that you could be present during the surgery. If you imagine that it is possible that something goes to court and the lawyers discover that you were present without consent, what might the outcome be?
Medical representatives and medical students, etc, are in some hospitals included as possible attendees on consent forms so there would be a competent defence. It is worth checking at your hospitals to see if this practice is followed.
If patient consent forms do not include “other visitors” for the patient to consent, then it would be useful to ask the clinicians if the patient could be told that you will be there and give them the reason why.
Some patients are conscious for their surgery and as part of the introductions in the “check-in” phase of the WHO Safe Surgery Saves Lives process, you should be introduced. Now is not the time to be asking the patient if you can be in the room for their surgery. They are in a compromised and vulnerable situation and this could be seen as coercive. If the patient declines, then you need to leave.
Page of - Completed