Communitybaptistpa Logo Search the register Communitybaptistpa Online
  1. Home
  2. Ethical guidance
  3. Ethical guidance for doctors
  4. Confidentiality
  5. Using and disclosing patient information for secondary purposes

Confidentiality: good practice in handling patient information

Using and disclosing patient information for secondary purposes

77

Many important uses of patient information contribute to the overall delivery of health and social care. Examples include health services management, research, epidemiology, public health surveillance, and education and training. Without information about patients the health and social care system would be unable to plan, develop, innovate, conduct research or be publicly accountable for the services it provides.

78

There are also important uses of patient information that are not connected to the delivery of health or social care, but which serve wider purposes. These include disclosures for the administration of justice, and for purposes such as financial audit and insurance or benefits claims.

79

Anonymised information will usually be sufficient for purposes other than the direct care of the patient and you must use it in preference to identifiable information wherever possible. If you disclose identifiable information, you must be satisfied that there is a legal basis for breaching confidentiality.

80

You may disclose personal information without breaching duties of confidentiality when any of the following circumstances apply.

  1. The disclosure is required by law, including by the courts (see paragraphs 87 - 94).
  2. The patient has given explicit consent (see paragraph 95).
  3. The disclosure is approved through a statutory process that sets aside the common law duty of confidentiality (see paragraphs 103 - 105).
  4. The disclosure can, exceptionally, be justified in the public interest (see paragraphs 106 - 112).

You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).

87

There are a large number of laws that require disclosure of patient information – for purposes as diverse as the notification of infectious diseases, the provision of health and social care services, the prevention of terrorism and the investigation of road accidents.

88

You must disclose information if it is required by law. You should:

  1. satisfy yourself that personal information is needed, and the disclosure is required by law
  2. only disclose information relevant to the request, and only in the way required by the law
  3. tell patients about such disclosures whenever practicable, unless it would undermine the purpose of the disclosure to do so
  4. abide by patient objections where there is provision to do so.32 
89

You can find advice about disclosures that are permitted but not required by law in paragraph 19.

90

The courts, both civil and criminal, have powers to order disclosure of information in various circumstances. You must disclose information if ordered to do so by a judge or presiding officer of a court.

91

You should only disclose information that is required by the court. You should object to the judge or the presiding officer if attempts are made to compel you to disclose what appears to you to be irrelevant information, such as information about a patient’s relative who is not involved in the proceedings. You should also tell the judge or the presiding officer if you think disclosing the information might put someone at risk of harm.

92

If disclosure is ordered, and you do not understand the basis for this, you should ask the court or a legal adviser to explain it to you. You should also tell the patient whose information the court has asked for what information you will disclose in response to the order, unless that is not practicable or would undermine the purpose for which disclosure is sought.

93

You must not disclose personal information to a third party such as a solicitor, police officer or officer of a court without the patient’s explicit consent, unless it is required by law, or ordered by a court, or can be justified in the public interest. You may disclose information without consent to your own legal adviser to get their advice.

94

In Scotland, the system of precognition means there can be limited disclosure of information in advance of a criminal trial, to both the Crown and defence, without the patient’s explicit consent. You should cooperate with precognition, but the disclosure must be confined solely to the nature of injuries, the patient’s mental state, or pre-existing conditions or health, documented by the examining doctor, and their likely causes. If they want further information, either side may apply to the court to take a precognition on oath. If that happens, you will be given advance warning and you should seek legal advice about what you may disclose.33 

95

You should ask for consent to disclose personal information for purposes other than direct care34  or local clinical audit unless the information is required by law, or it is not appropriate or practicable to obtain consent (see paragraph 14 for examples of when this might be the case).

103

In England, Wales and Northern Ireland, statutory arrangements are in place for considering whether disclosing personal information without consent for health and social care purposes would benefit patients or the public sufficiently to outweigh patients’ right to privacy. Examples of these purposes include medical research, and the management of health or social care services. There is no comparable statutory framework in Scotland.

104

Section 251 of the National Health Service Act 2006 (which applies in England and Wales) and the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 allow the common law duty of confidentiality to be set aside for defined purposes where it is not possible to use anonymised information and where seeking consent is not practicable. You can find more detail about these statutory arrangements in the legal annex.

105

You may disclose personal information without consent if the disclosure is permitted or has been approved under regulations made under section 251 of the National Health Service Act 2006 or under the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016. If you know that a patient has objected to information being disclosed for purposes other than direct care, you should not usually disclose the information unless it is required under the regulations.40 

106

In exceptional circumstances, there may be an overriding public interest in disclosing personal information without consent for important health and social care purposes if there is no reasonably practicable alternative to using personal information and it is not practicable to seek consent. The benefits to society arising from the disclosure must outweigh the patient’s and public interest in keeping the information confidential.

107

You should not disclose personal information without consent in the public interest if the disclosure falls within the scope of any of the regulations described in paragraphs 103 - 105, and the disclosure is not permitted, or has not been approved, under those regulations.

108

If the regulations described in paragraphs 103 - 105 do not apply, you may need to make your own decision about whether disclosure of personal information without consent is justified. The circumstances in which the public interest would justify such disclosures are uncertain, however, so you should seek the advice of a Caldicott or data guardian or a legal adviser who is not directly connected with the use for which the disclosure is being considered before making the disclosure.41 

109

Before considering whether disclosing personal information without consent may be justified in the public interest, you must satisfy yourself that it is either necessary to use identifiable information or not reasonably practicable to anonymise the information. In either case, you must be satisfied that it is not reasonably practicable to seek consent.42 

110

When considering whether disclosing personal information without consent may be justified in the public interest, you must take account of the factors set out in paragraph 67. You must also be satisfied that:

  1. the disclosure would comply with the requirements of data protection law and would not breach any other legislation that prevents the disclosure of information about patients (see the legal annex for examples)
  2. the disclosure is the minimum necessary for the purpose
  3. the information will be processed in a secure and controlled environment that has the capabilities and is otherwise suitable to process the information (see paragraph 86)
  4. information is readily available to patients about any data that has been disclosed without consent, who it has been disclosed to, and the purpose of the disclosure.
111

If you know that a patient has objected to information being disclosed for purposes other than their own care, you should not disclose information in the public interest unless failure to do so would leave others at risk of death or serious harm (see paragraphs 63 - 70).

112

You must keep a record of what information you disclosed, your reasons, and any advice you sought.

10

When disclosing information about a patient you must:

  1. use anonymised information if it is practicable to do so and if it will serve the purpose
  2. be satisfied the patient:
    1. has ready access to information explaining how their personal information will be used for their own care or local clinical audit, and that they have the right to object
    2. has not objected
  3. get the patient’s explicit consent if identifiable information is to be disclosed for purposes other than their own care or local clinical audit, unless the disclosure is required by law or can be justified in the public interest
  4. keep disclosures to the minimum necessary for the purpose
  5. follow all relevant legal requirements, including the common law and data protection law.5 

Anonymised information

81

The Information Commissioner’s Office anonymisation code of practice (ICO code) considers data to be anonymised if it does not itself identify any individual, and if it is unlikely to allow any individual to be identified through its combination with other data.29  Simply removing the patient’s name, age, address or other personal identifiers is unlikely to be enough to anonymise information to this standard.30 

29

You can find the Information Commissioner’s Office (ICO) Anonymisation: managing data protection risk code of practice (2012) on the .

30

Other potential identifiers include the patient’s initials, postcode, NHS or CHC number, local identifiers (such as hospital numbers), national insurance number, and key dates (such as birthdate, date of diagnosis or date of death).

82

The ICO code also makes clear that different types of anonymised data pose different levels of re-identification risk. For example, data sets with small numbers may present a higher risk of re-identification than large data sets. The risk of re-identification will also vary according to the environment in which the information is held. For example, an anonymised data set disclosed into a secure and controlled environment could remain anonymous even though the same data set could not be made publically available because of the likelihood of individuals being identified.

83

You should follow the ICO code, or guidance that is consistent with the ICO code, or seek expert advice, if you have a role in anonymising information or disclosing anonymised information.

The process of anonymising information

84

Information may be anonymised by a member of the direct care team who has the knowledge, skills and experience to carry out the anonymisation competently, or will be adequately supervised.

85

If it is not practicable for the information to be anonymised within the direct care team, it may be anonymised by a data processor under contract, as long as there is a legal basis for any breach of confidentiality (see paragraph 80), the requirements of data protection law are met (see the legal annex) and appropriate controls are in place to protect the information (see paragraph 86).

80

You may disclose personal information without breaching duties of confidentiality when any of the following circumstances apply.

  1. The disclosure is required by law, including by the courts (see paragraphs 87 - 94).
  2. The patient has given explicit consent (see paragraph 95).
  3. The disclosure is approved through a statutory process that sets aside the common law duty of confidentiality (see paragraphs 103 - 105).
  4. The disclosure can, exceptionally, be justified in the public interest (see paragraphs 106 - 112).

You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).

Disclosing anonymised information

86

If you decide to disclose anonymised information, you must be satisfied that appropriate controls are in place to minimise the risk of individual patients being identified. The controls that are needed will depend on the risk of re-identification, and might include signed contracts or agreements that contain controls on how the information will be used, kept and destroyed, as well as restrictions to prevent individuals being identified. You should refer to specialist advice or guidance when assessing risk, or considering what level of control is appropriate.31 

31

See endnote 29 for the reference to ICO guidance.

Disclosures required by statutes or the courts

Disclosure required by statute

87

There are a large number of laws that require disclosure of patient information – for purposes as diverse as the notification of infectious diseases, the provision of health and social care services, the prevention of terrorism and the investigation of road accidents.

88

You must disclose information if it is required by law. You should:

  1. satisfy yourself that personal information is needed, and the disclosure is required by law
  2. only disclose information relevant to the request, and only in the way required by the law
  3. tell patients about such disclosures whenever practicable, unless it would undermine the purpose of the disclosure to do so
  4. abide by patient objections where there is provision to do so.32 
32

The NHS Constitution for England and NHS Scotland’s The Charter of Patient Rights and Responsibilities both set out the rights of a patient to object to how their information is used. Under data protection law, a data subject has a right to object to processing if it causes unwarranted and substantial damage or distress. For more information, see the Guide to Data Protection on the .

89

You can find advice about disclosures that are permitted but not required by law in paragraph 19.

19

Laws and regulations sometimes permit, but do not require, the disclosure of personal information.8  If a disclosure is permitted but not required by law, you must be satisfied that there is a legal basis for breaching confidentiality (see paragraph 9). You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).

Disclosing information to the courts, or to obtain legal advice

90

The courts, both civil and criminal, have powers to order disclosure of information in various circumstances. You must disclose information if ordered to do so by a judge or presiding officer of a court.

91

You should only disclose information that is required by the court. You should object to the judge or the presiding officer if attempts are made to compel you to disclose what appears to you to be irrelevant information, such as information about a patient’s relative who is not involved in the proceedings. You should also tell the judge or the presiding officer if you think disclosing the information might put someone at risk of harm.

92

If disclosure is ordered, and you do not understand the basis for this, you should ask the court or a legal adviser to explain it to you. You should also tell the patient whose information the court has asked for what information you will disclose in response to the order, unless that is not practicable or would undermine the purpose for which disclosure is sought.

93

You must not disclose personal information to a third party such as a solicitor, police officer or officer of a court without the patient’s explicit consent, unless it is required by law, or ordered by a court, or can be justified in the public interest. You may disclose information without consent to your own legal adviser to get their advice.

94

In Scotland, the system of precognition means there can be limited disclosure of information in advance of a criminal trial, to both the Crown and defence, without the patient’s explicit consent. You should cooperate with precognition, but the disclosure must be confined solely to the nature of injuries, the patient’s mental state, or pre-existing conditions or health, documented by the examining doctor, and their likely causes. If they want further information, either side may apply to the court to take a precognition on oath. If that happens, you will be given advance warning and you should seek legal advice about what you may disclose.33 

33

The gives some guidance for solicitors on precognition in criminal cases, which you can find in the rules and guidance section of its website.

Consent

95

You should ask for consent to disclose personal information for purposes other than direct care34  or local clinical audit unless the information is required by law, or it is not appropriate or practicable to obtain consent (see paragraph 14 for examples of when this might be the case).

14

You may disclose information on the basis of implied consent for direct care when the conditions in paragraphs 28 and 29 are met, and for local clinical audit when the conditions in paragraph 96 are met. In other cases, you should ask for explicit consent to disclose personal information unless it is not appropriate or practicable to do so.

For example, this might be because:

  1. the disclosure is required by law (see paragraphs 17 - 19)
  2. you are satisfied that informed consent has already been obtained by a suitable person7 
  3.  the patient does not have capacity to make the decision. In such a case, you should follow the guidance on disclosures about patients who lack capacity to consent (see paragraphs 41 - 49)
  4. you have reason to believe that seeking consent would put you or others at risk of serious harm
  5. seeking consent would be likely to undermine the purpose of the disclosure, for example by prejudicing the prevention, detection or prosecution of a serious crime
  6. action must be taken quickly, for example in the detection or control of outbreaks of some communicable diseases where there is insufficient time to contact the patient
  7. seeking consent is not feasible given the number or age of records, or the likely traceability of patients.
  8. you have already decided to disclose information in the public interest (see paragraphs 63 - 70).
34

See endnote 10 for the definition of ‘direct care’ in this guidance. Guidance on sharing information for direct care purposes is given in paragraphs 26–33.

Disclosures for health and social care secondary purposes

Clinical audit

96

All doctors in clinical practice have a duty to participate in clinical audit35  and to contribute to clinical outcome review programmes.36  If an audit is to be carried out by the team that provided care, or those working to support them, such as clinical audit staff, you may disclose personal information on the basis of implied consent, as long as you are satisfied that it is not practicable to use anonymised information and that the patient:

  1. has ready access to information that explains that their personal information may be disclosed for local clinical audit, and they have the right to object
  2. has not objected.
35

In this guidance ‘clinical audit’ means the evaluation of clinical performance against standards or through comparative analysis, to inform the management of services.

36

See Medical practice (2013), paragraph 22. Formerly known as national confidential inquiries, clinical outcome review programmes are systematic reviews that are carried out with the aim of supporting changes that can help improve the quality and safety of healthcare delivery. You can find more information on the website of the . You can find all Communitybaptistpa guidance on professional standards and ethics, available on our website.

97

If a patient does object to personal information about them being included in a local clinical audit related to their care, you should explain why the information is needed and how this may benefit their current and future care. If the patient still objects, you should remove them from the audit if practicable. If that is not practicable, you should make sure this is explained to the patient, along with any options open to them.

98

If a clinical audit is to be carried out, but not by the team that provided care or those working to support them, the information should be anonymised. If this is not practicable, or if personal information is essential to the audit, you should disclose the information only if you have the patient’s explicit consent or if there is another legal basis for breaching confidentiality (see paragraph 80). You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).

80

You may disclose personal information without breaching duties of confidentiality when any of the following circumstances apply.

  1. The disclosure is required by law, including by the courts (see paragraphs 87 - 94).
  2. The patient has given explicit consent (see paragraph 95).
  3. The disclosure is approved through a statutory process that sets aside the common law duty of confidentiality (see paragraphs 103 - 105).
  4. The disclosure can, exceptionally, be justified in the public interest (see paragraphs 106 - 112).

You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).

10

When disclosing information about a patient you must:

  1. use anonymised information if it is practicable to do so and if it will serve the purpose
  2. be satisfied the patient:
    1. has ready access to information explaining how their personal information will be used for their own care or local clinical audit, and that they have the right to object
    2. has not objected
  3. get the patient’s explicit consent if identifiable information is to be disclosed for purposes other than their own care or local clinical audit, unless the disclosure is required by law or can be justified in the public interest
  4. keep disclosures to the minimum necessary for the purpose
  5. follow all relevant legal requirements, including the common law and data protection law.5 

Disclosures for financial or administrative purposes

99

If you are asked to disclose information about patients for financial or administrative purposes, you should give it in an anonymised form, if that is practicable and will serve the purpose. If identifiable information is needed, you must be satisfied that there is a legal basis for breaching confidentiality (see paragraph 80).37  You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).

80

You may disclose personal information without breaching duties of confidentiality when any of the following circumstances apply.

  1. The disclosure is required by law, including by the courts (see paragraphs 87 - 94).
  2. The patient has given explicit consent (see paragraph 95).
  3. The disclosure is approved through a statutory process that sets aside the common law duty of confidentiality (see paragraphs 103 - 105).
  4. The disclosure can, exceptionally, be justified in the public interest (see paragraphs 106 - 112).

You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).

10

When disclosing information about a patient you must:

  1. use anonymised information if it is practicable to do so and if it will serve the purpose
  2. be satisfied the patient:
    1. has ready access to information explaining how their personal information will be used for their own care or local clinical audit, and that they have the right to object
    2. has not objected
  3. get the patient’s explicit consent if identifiable information is to be disclosed for purposes other than their own care or local clinical audit, unless the disclosure is required by law or can be justified in the public interest
  4. keep disclosures to the minimum necessary for the purpose
  5. follow all relevant legal requirements, including the common law and data protection law.5 
37

Commissioners have limited rights to request personal information held by general practices for defined purposes, although they should usually respect patients’ objections. See the directions on confidentiality and disclosure of information and the code of practice for the relevant country for more information. Confidentiality and Disclosure of Information (General Medical Services, Personal Medical Services, Alternative Provider Medical Services) Directions 2013 and Code of Practice (Department of Health, 2013); Confidentiality and Disclosure of Information: General Medical Services and Alternative Provider Medical Services Directions (Northern Ireland) 2006 and Code of Practice (Department of Health, Social Services and Public Safety, 2006); Confidentiality and Disclosure of Information: General Medical Services (GMS), Section 17c Agreements, and Health Board Primary Medical Services (HBPMS) Code of Practice and Directions; Confidentiality and Disclosure of Information: General Medical Services and Alternative Provider Medical Services Directions 2006 and Code of Practice (Welsh Assembly Government, 2005).

The professional duty of candour and confidentiality

100

All doctors have a duty of candour – a professional responsibility to be honest with patients when things go wrong. As part of this duty, doctors must tell the patient when something has gone wrong, and explain the short- and long-term effects of what has happened.38 

38

We give guidance on professional and organisational duties of candour in Openness and honesty when things go wrong: the professional duty of candour (Communitybaptistpa and Nursing and Midwifery Council, 2015). You can find all Communitybaptistpa guidance on professional standards and ethics, available on our website.

101

If the patient has died, or is unlikely to regain consciousness or capacity, it may be appropriate to speak to those close to the patient. When providing information for these purposes, you should still respect the patient’s confidentiality. If a patient has previously asked you not to share personal information about their condition or treatment with those close to them, you should abide by their wishes. You must still do your best to be considerate, sensitive and responsive to those close to the patient, giving them as much information as you can.

Openness and learning from adverse incidents and near misses

102

A number of reporting systems and schemes exist around the UK for reporting adverse incidents and near misses. Organisations also have policies for reporting and responding to adverse incidents and near misses and in some cases organisational duties of candour have been written into law.39  If the law requires personal information to be disclosed for these purposes, you should follow the guidance in paragraph 87. If the law does not require it, you should ask for consent to disclose personal information unless it is not appropriate or practicable to do so (see paragraph 14). In exceptional cases, disclosure may be justified without consent in the public interest (see paragraphs 106 - 112).

87

There are a large number of laws that require disclosure of patient information – for purposes as diverse as the notification of infectious diseases, the provision of health and social care services, the prevention of terrorism and the investigation of road accidents.

14

You may disclose information on the basis of implied consent for direct care when the conditions in paragraphs 28 and 29 are met, and for local clinical audit when the conditions in paragraph 96 are met. In other cases, you should ask for explicit consent to disclose personal information unless it is not appropriate or practicable to do so.

For example, this might be because:

  1. the disclosure is required by law (see paragraphs 17 - 19)
  2. you are satisfied that informed consent has already been obtained by a suitable person7 
  3.  the patient does not have capacity to make the decision. In such a case, you should follow the guidance on disclosures about patients who lack capacity to consent (see paragraphs 41 - 49)
  4. you have reason to believe that seeking consent would put you or others at risk of serious harm
  5. seeking consent would be likely to undermine the purpose of the disclosure, for example by prejudicing the prevention, detection or prosecution of a serious crime
  6. action must be taken quickly, for example in the detection or control of outbreaks of some communicable diseases where there is insufficient time to contact the patient
  7. seeking consent is not feasible given the number or age of records, or the likely traceability of patients.
  8. you have already decided to disclose information in the public interest (see paragraphs 63 - 70).
106

In exceptional circumstances, there may be an overriding public interest in disclosing personal information without consent for important health and social care purposes if there is no reasonably practicable alternative to using personal information and it is not practicable to seek consent. The benefits to society arising from the disclosure must outweigh the patient’s and public interest in keeping the information confidential.

107

You should not disclose personal information without consent in the public interest if the disclosure falls within the scope of any of the regulations described in paragraphs 103 - 105, and the disclosure is not permitted, or has not been approved, under those regulations.

108

If the regulations described in paragraphs 103 - 105 do not apply, you may need to make your own decision about whether disclosure of personal information without consent is justified. The circumstances in which the public interest would justify such disclosures are uncertain, however, so you should seek the advice of a Caldicott or data guardian or a legal adviser who is not directly connected with the use for which the disclosure is being considered before making the disclosure.41 

109

Before considering whether disclosing personal information without consent may be justified in the public interest, you must satisfy yourself that it is either necessary to use identifiable information or not reasonably practicable to anonymise the information. In either case, you must be satisfied that it is not reasonably practicable to seek consent.42 

110

When considering whether disclosing personal information without consent may be justified in the public interest, you must take account of the factors set out in paragraph 67. You must also be satisfied that:

  1. the disclosure would comply with the requirements of data protection law and would not breach any other legislation that prevents the disclosure of information about patients (see the legal annex for examples)
  2. the disclosure is the minimum necessary for the purpose
  3. the information will be processed in a secure and controlled environment that has the capabilities and is otherwise suitable to process the information (see paragraph 86)
  4. information is readily available to patients about any data that has been disclosed without consent, who it has been disclosed to, and the purpose of the disclosure.
111

If you know that a patient has objected to information being disclosed for purposes other than their own care, you should not disclose information in the public interest unless failure to do so would leave others at risk of death or serious harm (see paragraphs 63 - 70).

112

You must keep a record of what information you disclosed, your reasons, and any advice you sought.

39

The obligations associated with the statutory duty of candour in England are contained in regulation 20 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014. In Scotland they are contained in section 22 of the Health (Tobacco, Nicotine etc. and Care) (Scotland) Act 2016.

Disclosures with specific statutory support

103

In England, Wales and Northern Ireland, statutory arrangements are in place for considering whether disclosing personal information without consent for health and social care purposes would benefit patients or the public sufficiently to outweigh patients’ right to privacy. Examples of these purposes include medical research, and the management of health or social care services. There is no comparable statutory framework in Scotland.

104

Section 251 of the National Health Service Act 2006 (which applies in England and Wales) and the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 allow the common law duty of confidentiality to be set aside for defined purposes where it is not possible to use anonymised information and where seeking consent is not practicable. You can find more detail about these statutory arrangements in the legal annex.

105

You may disclose personal information without consent if the disclosure is permitted or has been approved under regulations made under section 251 of the National Health Service Act 2006 or under the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016. If you know that a patient has objected to information being disclosed for purposes other than direct care, you should not usually disclose the information unless it is required under the regulations.40 

40

Disclosures permitted under regulations 2 and 3 of the Health Service (Control of Patient Information) Regulations 2002 may, in some circumstances, be required rather than permitted. The Confidentiality Advisory Group of the Health Research Authority will not usually authorise disclosures under regulation 5 to which the patient has objected. See the legal annex to this guidance for more detail on the regulations.

Public interest disclosures for health and social care purposes

106

In exceptional circumstances, there may be an overriding public interest in disclosing personal information without consent for important health and social care purposes if there is no reasonably practicable alternative to using personal information and it is not practicable to seek consent. The benefits to society arising from the disclosure must outweigh the patient’s and public interest in keeping the information confidential.

107

You should not disclose personal information without consent in the public interest if the disclosure falls within the scope of any of the regulations described in paragraphs 103 - 105, and the disclosure is not permitted, or has not been approved, under those regulations.

103

In England, Wales and Northern Ireland, statutory arrangements are in place for considering whether disclosing personal information without consent for health and social care purposes would benefit patients or the public sufficiently to outweigh patients’ right to privacy. Examples of these purposes include medical research, and the management of health or social care services. There is no comparable statutory framework in Scotland.

104

Section 251 of the National Health Service Act 2006 (which applies in England and Wales) and the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 allow the common law duty of confidentiality to be set aside for defined purposes where it is not possible to use anonymised information and where seeking consent is not practicable. You can find more detail about these statutory arrangements in the legal annex.

105

You may disclose personal information without consent if the disclosure is permitted or has been approved under regulations made under section 251 of the National Health Service Act 2006 or under the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016. If you know that a patient has objected to information being disclosed for purposes other than direct care, you should not usually disclose the information unless it is required under the regulations.40 

108

If the regulations described in paragraphs 103 - 105 do not apply, you may need to make your own decision about whether disclosure of personal information without consent is justified. The circumstances in which the public interest would justify such disclosures are uncertain, however, so you should seek the advice of a Caldicott or data guardian or a legal adviser who is not directly connected with the use for which the disclosure is being considered before making the disclosure.41 

103

In England, Wales and Northern Ireland, statutory arrangements are in place for considering whether disclosing personal information without consent for health and social care purposes would benefit patients or the public sufficiently to outweigh patients’ right to privacy. Examples of these purposes include medical research, and the management of health or social care services. There is no comparable statutory framework in Scotland.

104

Section 251 of the National Health Service Act 2006 (which applies in England and Wales) and the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 allow the common law duty of confidentiality to be set aside for defined purposes where it is not possible to use anonymised information and where seeking consent is not practicable. You can find more detail about these statutory arrangements in the legal annex.

105

You may disclose personal information without consent if the disclosure is permitted or has been approved under regulations made under section 251 of the National Health Service Act 2006 or under the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016. If you know that a patient has objected to information being disclosed for purposes other than direct care, you should not usually disclose the information unless it is required under the regulations.40 

41

In Scotland, the Public Benefit and Privacy Panel for Health and Social Care scrutinises requests for access to some (but not all) NHS Scotland originated data. You may disclose personal information if the disclosure has been approved by the Public Benefit and Privacy Panel for Health and Social Care.

109

Before considering whether disclosing personal information without consent may be justified in the public interest, you must satisfy yourself that it is either necessary to use identifiable information or not reasonably practicable to anonymise the information. In either case, you must be satisfied that it is not reasonably practicable to seek consent.42 

42

The Confidentiality Advisory Group (CAG) of the Health Research Authority publishes a range of guidance for CAG applicants, which you may find helpful. It is available at .

110

When considering whether disclosing personal information without consent may be justified in the public interest, you must take account of the factors set out in paragraph 67. You must also be satisfied that:

  1. the disclosure would comply with the requirements of data protection law and would not breach any other legislation that prevents the disclosure of information about patients (see the legal annex for examples)
  2. the disclosure is the minimum necessary for the purpose
  3. the information will be processed in a secure and controlled environment that has the capabilities and is otherwise suitable to process the information (see paragraph 86)
  4. information is readily available to patients about any data that has been disclosed without consent, who it has been disclosed to, and the purpose of the disclosure.
68

When deciding whether the public interest in disclosing information outweighs the patient’s and the public interest in keeping the information confidential, you must consider:

  1. the potential harm or distress to the patient arising from the disclosure – for example, in terms of their future engagement with treatment and their overall health
  2. the potential harm to trust in doctors generally – for example, if it is widely perceived that doctors will readily disclose information about patients without consent
  3. the potential harm to others (whether to a specific person or people, or to the public more broadly) if the information is not disclosed
  4. the potential benefits to an individual or to society arising from the release of the information
  5. the nature of the information to be disclosed, and any views expressed by the patient
  6. whether the harms can be avoided or benefits gained without breaching the patient’s privacy or, if not, what is the minimum intrusion.

If you consider that failure to disclose the information would leave individuals or society exposed to a risk so serious that it outweighs the patient’s and the public interest in maintaining confidentiality, you should disclose relevant information promptly to an appropriate person or authority.

86

If you decide to disclose anonymised information, you must be satisfied that appropriate controls are in place to minimise the risk of individual patients being identified. The controls that are needed will depend on the risk of re-identification, and might include signed contracts or agreements that contain controls on how the information will be used, kept and destroyed, as well as restrictions to prevent individuals being identified. You should refer to specialist advice or guidance when assessing risk, or considering what level of control is appropriate.31 

111

If you know that a patient has objected to information being disclosed for purposes other than their own care, you should not disclose information in the public interest unless failure to do so would leave others at risk of death or serious harm (see paragraphs 63 - 70).

63

Confidential medical care is recognised in law as being in the public interest. The fact that people are encouraged to seek advice and treatment benefits society as a whole as well as the individual. But there can be a public interest in disclosing information to protect individuals or society from risks of serious harm, such as from serious communicable diseases or serious crime.23 

64

If it is not practicable or appropriate to seek consent, and in exceptional cases where a patient has refused consent, disclosing personal information may be justified in the public interest if failure to do so may expose others to a risk of death or serious harm. The benefits to an individual or to society of the disclosure must outweigh both the patient’s and the public interest in keeping the information confidential.

65

Such a situation might arise, for example, if a disclosure would be likely to be necessary for the prevention, detection or prosecution of serious crime, especially crimes against the person. When victims of violence refuse police assistance, disclosure may still be justified if others remain at risk, for example from someone who is prepared to use weapons, or from domestic violence when children or others may be at risk.

66

Other examples of situations in which failure to disclose information may expose others to a risk of death or serious harm include when a patient is not fit to drive,24 or has been diagnosed with a serious communicable disease,25  or poses a serious risk to others through being unfit for work.26 

68

When deciding whether the public interest in disclosing information outweighs the patient’s and the public interest in keeping the information confidential, you must consider:

  1. the potential harm or distress to the patient arising from the disclosure – for example, in terms of their future engagement with treatment and their overall health
  2. the potential harm to trust in doctors generally – for example, if it is widely perceived that doctors will readily disclose information about patients without consent
  3. the potential harm to others (whether to a specific person or people, or to the public more broadly) if the information is not disclosed
  4. the potential benefits to an individual or to society arising from the release of the information
  5. the nature of the information to be disclosed, and any views expressed by the patient
  6. whether the harms can be avoided or benefits gained without breaching the patient’s privacy or, if not, what is the minimum intrusion.

If you consider that failure to disclose the information would leave individuals or society exposed to a risk so serious that it outweighs the patient’s and the public interest in maintaining confidentiality, you should disclose relevant information promptly to an appropriate person or authority.

68

If you consider that failure to disclose the information would leave individuals or society exposed to a risk so serious that it outweighs the patient’s and the public interest in maintaining confidentiality, you should disclose relevant information promptly to an appropriate person or authority. You should inform the patient before disclosing the information, if it is practicable and safe to do so, even if you intend to disclose without their consent.

70

Decisions about whether or not disclosure without consent can be justified in the public interest can be complex. Where practicable, you should seek advice from a Caldicott or data guardian or similar expert adviser who is not directly connected with the use for which disclosure is being considered. If possible, you should do this without revealing the identity of the patient.

69

You must document in the patient’s record your reasons for disclosing information with or without consent.  You must also document  any steps you have taken to seek the patient’s consent, to inform them about the disclosure, or your reasons for not doing so.

112

You must keep a record of what information you disclosed, your reasons, and any advice you sought.

Ethical approval for research

113

You should only disclose personal information for research if there is a legal basis for the disclosure and the research has been approved by a research ethics committee.

114

If you are applying for ethical approval for research, you should let the research ethics committee know if personal information will be disclosed without consent and tell them the legal basis for the disclosure.

Requests from employers, insurers and other third parties

115

Third parties, such as a patient’s insurer or employer, or a government department, or an agency assessing a claimant’s entitlement to benefits, may ask you for personal information about a patient, either following an examination or from existing records. In these cases, you should:

  1. be satisfied that the patient has sufficient information about the scope, purpose and likely consequences of the examination and disclosure, and the fact that relevant information cannot be  concealed or withheld
  2. obtain or have seen written consent to the disclosure from the patient or a person properly authorised to act on the patient’s behalf. You may accept an assurance from an officer of a government department or agency, or a registered health professional acting on their behalf, that the patient or a person properly authorised to act on their behalf has consented
  3. only disclose factual information you can substantiate, presented in an unbiased manner, which is relevant to the request. You should not usually disclose the whole record,43  although it may be relevant to some benefits paid by government departments and to other assessments of a patient’s entitlement to pensions or other health-related benefits
  4. offer to show your patient, or give them a copy of, any report you write about them for employment or insurance purposes before it is sent, unless:
    1. they have already indicated they do not wish to see it
    2. disclosure would be likely to cause serious harm to the patient or anyone else
    3. disclosure would be likely to reveal information about another person who does not consent.44, 45 
43

Disclosure of the whole record may breach the principles of data protection law, as the full record may contain information that is excessive and not relevant for the purpose.

44

If any of the exceptions set out in paragraph 115(d) of this guidance apply, you should still disclose as much of the report as you can. The Department for Work and Pensions publishes advice about .

45

In some circumstances, patients are entitled to see a report that has been written about them under the provisions of the Access to Medical Reports Act 1988. For more details see the Confidentiality: key legislation factsheet which you can find on the our confidentiality guidance page, available on our website.

116

If a patient refuses or withdraws consent, or if it is not practicable to get their consent, you may still disclose information if it can be justified in the public interest (see paragraphs 63 - 70). You must disclose information if it is required by law (see paragraphs 87 - 94).

63

Confidential medical care is recognised in law as being in the public interest. The fact that people are encouraged to seek advice and treatment benefits society as a whole as well as the individual. But there can be a public interest in disclosing information to protect individuals or society from risks of serious harm, such as from serious communicable diseases or serious crime.23 

64

If it is not practicable or appropriate to seek consent, and in exceptional cases where a patient has refused consent, disclosing personal information may be justified in the public interest if failure to do so may expose others to a risk of death or serious harm. The benefits to an individual or to society of the disclosure must outweigh both the patient’s and the public interest in keeping the information confidential.

65

Such a situation might arise, for example, if a disclosure would be likely to be necessary for the prevention, detection or prosecution of serious crime, especially crimes against the person. When victims of violence refuse police assistance, disclosure may still be justified if others remain at risk, for example from someone who is prepared to use weapons, or from domestic violence when children or others may be at risk.

66

Other examples of situations in which failure to disclose information may expose others to a risk of death or serious harm include when a patient is not fit to drive,24 or has been diagnosed with a serious communicable disease,25  or poses a serious risk to others through being unfit for work.26 

68

When deciding whether the public interest in disclosing information outweighs the patient’s and the public interest in keeping the information confidential, you must consider:

  1. the potential harm or distress to the patient arising from the disclosure – for example, in terms of their future engagement with treatment and their overall health
  2. the potential harm to trust in doctors generally – for example, if it is widely perceived that doctors will readily disclose information about patients without consent
  3. the potential harm to others (whether to a specific person or people, or to the public more broadly) if the information is not disclosed
  4. the potential benefits to an individual or to society arising from the release of the information
  5. the nature of the information to be disclosed, and any views expressed by the patient
  6. whether the harms can be avoided or benefits gained without breaching the patient’s privacy or, if not, what is the minimum intrusion.

If you consider that failure to disclose the information would leave individuals or society exposed to a risk so serious that it outweighs the patient’s and the public interest in maintaining confidentiality, you should disclose relevant information promptly to an appropriate person or authority.

68

If you consider that failure to disclose the information would leave individuals or society exposed to a risk so serious that it outweighs the patient’s and the public interest in maintaining confidentiality, you should disclose relevant information promptly to an appropriate person or authority. You should inform the patient before disclosing the information, if it is practicable and safe to do so, even if you intend to disclose without their consent.

70

Decisions about whether or not disclosure without consent can be justified in the public interest can be complex. Where practicable, you should seek advice from a Caldicott or data guardian or similar expert adviser who is not directly connected with the use for which disclosure is being considered. If possible, you should do this without revealing the identity of the patient.

69

You must document in the patient’s record your reasons for disclosing information with or without consent.  You must also document  any steps you have taken to seek the patient’s consent, to inform them about the disclosure, or your reasons for not doing so.

87

There are a large number of laws that require disclosure of patient information – for purposes as diverse as the notification of infectious diseases, the provision of health and social care services, the prevention of terrorism and the investigation of road accidents.

88

You must disclose information if it is required by law. You should:

  1. satisfy yourself that personal information is needed, and the disclosure is required by law
  2. only disclose information relevant to the request, and only in the way required by the law
  3. tell patients about such disclosures whenever practicable, unless it would undermine the purpose of the disclosure to do so
  4. abide by patient objections where there is provision to do so.32 
89

You can find advice about disclosures that are permitted but not required by law in paragraph 19.

90

The courts, both civil and criminal, have powers to order disclosure of information in various circumstances. You must disclose information if ordered to do so by a judge or presiding officer of a court.

91

You should only disclose information that is required by the court. You should object to the judge or the presiding officer if attempts are made to compel you to disclose what appears to you to be irrelevant information, such as information about a patient’s relative who is not involved in the proceedings. You should also tell the judge or the presiding officer if you think disclosing the information might put someone at risk of harm.

92

If disclosure is ordered, and you do not understand the basis for this, you should ask the court or a legal adviser to explain it to you. You should also tell the patient whose information the court has asked for what information you will disclose in response to the order, unless that is not practicable or would undermine the purpose for which disclosure is sought.

93

You must not disclose personal information to a third party such as a solicitor, police officer or officer of a court without the patient’s explicit consent, unless it is required by law, or ordered by a court, or can be justified in the public interest. You may disclose information without consent to your own legal adviser to get their advice.

94

In Scotland, the system of precognition means there can be limited disclosure of information in advance of a criminal trial, to both the Crown and defence, without the patient’s explicit consent. You should cooperate with precognition, but the disclosure must be confined solely to the nature of injuries, the patient’s mental state, or pre-existing conditions or health, documented by the examining doctor, and their likely causes. If they want further information, either side may apply to the court to take a precognition on oath. If that happens, you will be given advance warning and you should seek legal advice about what you may disclose.33 

подробно

подробно

также читайте