This site is intended for health professionals only
Thursday 27 October 2016
Share |

High-risk areas for confidentiality and data protection

Quality Matters


Independent Consultant in Practice Management

Fiona is an experienced primary care trainer and facilitator. She is the national RCGP QPA Adviser and has advised on both the original and the review of the Quality and Outcomes Framework of the 2004 GP contract

Confidentiality – it's an enormous part of our working day: relatives of patients phoning to check when an appointment is, as they're picking them up; the elderly lady phoning for her husband's results (he's in the room but gets breathless when he walks and, anyway, he doesn't like using the phone); the previous patient's records clearly visible on the screen when the next patient sits down to speak to the GP; a queue at the front desk while the receptionist gives the patient at the desk her results.

I am sure at least one of these scenarios will be familiar to every practice manager reading this article. We all have systems in place to manage confidentiality but lots of minor, and some more major, breaches are made on a routine basis. And we haven't even mentioned the Data Protection Act 1998 (DPA) yet!

For the purposes of this article, I make the assumption that basic measures such as confidentiality clauses in contracts of employment, notification under the DPA, staff training, policies for data protection, etc, are in place. If you are uncertain whether you do have everything in place, initial advice may be forthcoming from your defence union and further references are available below.

Some websites produce draft policies you can edit to make your own and suit your practice. Managing the risk of breaches of confidentiality and of the DPA is a continuing responsibility for every practice manager.

However, because of the complexities both of managing a practice and dealing with patient behaviour, our understanding of the rules of confidentiality and the DPA is often inadequate for the scenario with which we are presented. What are some of the most common situations that cause confusion, and how should we manage them in order to minimise the risk of breaches of confidentiality?

Young people and confidentiality
Mrs Victoria Gillick, a mother of 10 children, five of whom were daughters, had a considerable impact on our understanding of how we should protect the confidentiality of young people.

In 1983, Mrs Gillick appeared at the High Court. She was trying to ensure that none of her daughters could either be given advice on birth control or prescribed any birth-control methods until they reached the age of 16. She also sought to prevent the Department of Health and Social Security from distributing a circular that advised doctors they could give contraception to under-16s without the consent of their parents.

Mrs Gillick lost the initial case, but continued to pursue her cause until the Law Lords settled it in 1985. The consequence of this was that a child under 16 may be considered to be "Gillick competent" – ie, able to prevent their parents from having access to their medical records without their (the child's) consent.

Lord Scarman's test of competency states:

"A child could consent if they fully understood the medical treatment proposed. As a matter of law, the parental right to determine whether or not their minor child below the age of 16 will have medical treatment terminates if and when the child achieves sufficient understanding and intelligence to understand fully what is proposed." (Lord Scarman)

What is the impact of this when managing confidentiality of young people in the practice? The General Medical Council's (GMC) new guidelines, Confidentiality – Guidance for Doctors, came into effect on 12 October 2009 and describes the responsibilities of a doctor in relation to this.(1)

Further specific guidance on young people is also available for doctors from the GMC.(2) This guidance states that, in relation to assessing the capacity to consent of a young person, the doctor must decide whether the patient can understand the treatment or investigation, its possible consequences, and the possible consequences of not having the treatment. The doctor must also ensure that the patient can understand this information, consider the options and communicate their decision on the options to others. If this is so, then the patient is capable of consenting.

The recent case of Melissa Smith, widely reported in the press, illustrates this point. She was 14 when she had an abortion, having discussed it with a school health visitor and at least two doctors. The health professionals involved had judged the girl to be "Gillick competent", and so protected her confidentiality. Health professionals should encourage the young person to discuss their circumstances with their parents, but must respect their confidentiality if they refuse to do so, as in this case.

What action should we take to ensure we do not compromise the rights of a young person to confidentiality?

  • Avoid policies that state patients under 16 should be accompanied by an adult.
  • Ensure you have the right person on the phone when giving out results. Remember that name, date of birth and address may not be enough in the case of sensitive results.
  • Inform young patients of their right to confidentiality.
  • Ensure staff are properly trained and understand the background to this policy.

Access to patient data by "outsiders"
Under the terms of the DPA, practices process "sensitive personal data" belonging to the data subject (in this case, the patient), alongside their processing of "personal data". "Sensitive personal data" include racial or ethnic origin, religious beliefs (or beliefs of a similar nature), physical or mental health or condition, and sexual history, among others.

The British Medical Association (BMA) has published a code of practice for GPs in relation to the DPA (see Resources). Under the first principle of the DPA (that data shall be processed fairly and lawfully), patients need to be informed about why certain information is required, the purposes for which it is held, and to whom it will be disclosed.

The Information Commissioner (see Resources) recommends that merely using a practice leaflet to tell patients about this may not be considered adequate. This is because processing sensitive personal data only satisfies the terms of the DPA if the patient has been given a chance "actively and positively to signify their consent to the data processing" (from the BMA's Guidance for GPs). Many practices rely on fairly brief statements in the practice leaflet to inform patients and it may be useful to review this. For example, patients should be informed of the following:

  • Care and treatment.
    • Records of consultations.
    • Disclosing records in an emergency.
    • Disclosures from one health professional to another.
    • Clinical audit.
  • Administration.
    • Disclosure for payment purposes.
    • Disclosure for payment verification.
    • Administrative audit.
  • Research and teaching.
    • Disease registers.
    • Clinical trials.
    • Practice-based teaching.
  •  Non-clinical.
    • The police and courts.

In addition, many practices take part in research, including research for historical and statistical purposes. Although the DPA does state that processing personal data for research may be acceptable, the principle remains that patients need to be informed of this and given an opportunity to object.

The GMC's guidance is that research is an important ("secondary") use of patient data and can serve important public interest, though nonpatient-identifiable information is preferable. Where patient-identifiable data are used, the doctor must be reassured that the patient is aware their data may be used for research purposes, has had a chance to object and has not objected.

The GMC goes on to say that patient consent to the processing is required for any purpose other than patient care or local clinical audit. However, getting consent may not be practical for a practice – for example, in order to recruit sufficient patients for an approved clinical research project or a clinical trial. In this case, someone undertaking the research may be regarded as a temporary member of the practice team. This individual would be subject to the same legal and contractual commitment to confidentiality and would then be in a position to seek patient consent or otherwise process the data (for example, anonymise it).

Access to records is also given to third parties such as benefits agencies, employers and insurers. The doctor must be satisfied that the patient has consented to the data being released. This is generally done with the use of a consent form, though doctors can accept the word of a registered health professional that the patient has consented to them disclosing the data.

The doctor must not disclose:

  • Information the patient has explicitly asked to be withheld (except where it is relevant to the purpose of the report).
  • Information about a third party (eg, a family member of the patient).
  • Information likely to cause serious harm to the patient or to someone else.

The doctor needs to offer the patient a chance to see the report, or give them a copy, before it is sent.

Two important points emerge from this and they are both in relation to copying records requested by solicitors:

1. When copying records, many practices do not have a system in place to check that information that must not be disclosed has been removed.

  • Practices should review their procedure for dealing with requests for records to ensure this check is undertaken before the copy is sent off.

2. Solicitors frequently request a copy of the full record. In many cases, the patient is unaware that the full record has been requested, or is unaware what this may mean for them and what their rights are. For example, the full record is not required if a patient is pursuing a claim for compensation for a wrist injury that happened recently at work. It may be that the record may include other information they do not wish disclosed, such as a previous mental illness that is not relevant to the claim.

  • Practices should ensure that, in the case of requests for full sets of notes, not only is non-disclosable information removed, but that they check with the patient that they really are happy for the full record to be disclosed.

The risk management of confidentiality is an enormous area and we are only able to offer guidance on a few significant risk areas in this article. Most defence organisations have a helpline that managers can phone for advice and guidance, either on specific matters or more generally. Excellent information is also available on the websites of the Information Commissioner, the BMA, the Royal College of GPs and the GMC (see below). The GMC site additionally offers interactive scenarios on ethical issues, some of which relate to confidentiality.

Staff training on confidentiality and the DPA can help staff to recognise high-risk situations and support them in identifying when they should not disclose information without having checked first. Updated procedures developed in discussion with the whole team will also mean that potential for risky situations is minimised and the risk of inadvertent disclosure is reduced.

1. General Medical Council. Confidentiality – Guidance for Doctors. London: GMC; 2009. Available from:
2. General Medical Council. 0-18 Years: Guidance for All Doctors. London: GMC; 2007. Available from:


General Medical Council

Information Commissioner's Office

Consent form – releasing health records under the Data Protection Act 1998

The Data Protection Act 1998 – Guidance for GPs

The NHS Confidentiality Code of Practice (2003)