
Healthier Business

Information Governance
Introduction

The Caldicott Report was commissioned by the Chief Medical Officer to make recommendations on the way
in which the NHS handles and protects patient information.

The Caldicott Committee was set up to review the confidentiality of all patient-identifiable information
passing from NHS organisations in England to other NHS or non-NHS bodies for purposes other than direct
patient care, medical research or where there is a statutory requirement for information.

Everybody in the NHS has the responsibility to use personal data in a secure and confidential way. Personal
data includes information about any living individual who can be identified, such as patients, health
professionals, any other staff and suppliers.

What is confidential patient information?

A duty of confidence arises when a patient discloses information to a healthcare professional (e.g. patient to
clinician) in circumstances where it is reasonable to expect that the information will be held in confidence.
It:

is a legal obligation that is derived from case law;
is a requirement established within professional codes of conduct; and
must be included within NHS employment contracts as a specific requirement linked to disciplinary
procedures.

Patients entrust you with, or allow you to gather, sensitive information relating to their health and any other
matters as part of their seeking treatment. They do so in confidence and they have the legitimate
expectation that staff will respect their privacy and act appropriately. It is essential, if the legal requirements
are to be met and the trust of the patients is to be retained, that the NHS provides, and is seen to provide, a
confidential service. The guiding principle is that a patient's health records are made to support that
patient's healthcare.


Disclosing and using confidential patient information

It is extremely important that patients are made aware of information disclosures that must take place in
order to provide them with high quality care. In particular, clinical governance and clinical audits might not
be obvious to patients and should be drawn to their attention. Similarly, whilst patients may understand that
information needs to be shared between members of care teams and between different healthcare
organisations, this may not always be the case and the breadth of the required disclosure should be made
clear. This is particularly important where disclosure extends to non-NHS bodies.

Patients generally have the right to object to the use and disclosure of confidential information that
identifies them, and need to be made aware of this right. Sometimes, if patients choose to prohibit
information being disclosed to other health professionals involved in providing care, it might mean that the
care provided is limited and, in extremely rare cases, that it is not possible to offer certain treatments.

Where patients have been informed of:

The use and disclosure of their information associated with their healthcare; and
the choices that they have and the implications of choosing to limit how information may be used or shared;

Then explicit consent is not usually required for information disclosures needed to provide that healthcare.
Even so, opportunities to check that patients understand what may happen and are content should be taken.
Special attention should be given to child consent issues.

Confidentiality Model

These are the requirements that must be met in order to provide patients with a confidential service.
Record holders must inform patients of the intended use of their information, give them the choice to give
or withhold their consent as well as protecting their identifiable information from unwarranted disclosures.
These processes are inter-linked and should be ongoing to aid the improvement of a confidential service.

The four main requirements are:

Protect - look after the patient's information;
Inform - ensure that patients are aware of how their information is used;
Provide choice - allow patients to decide whether their information can be disclosed or used in
particular ways.

To support these three requirements, there is a fourth:

Improve - always look for better ways to protect, inform, and provide choice.

Caldicott Recommendations

In its Report, the Caldicott Committee made a number of recommendations. A key recommendation was
the need to establish a network of Guardians of information to safeguard and govern the use of patient
identifiable information.

Other recommendations included:

Restrict access to patient information by enforcing strict need to know principles;
Develop local protocols regarding the disclosure of patient information to other organisations;
Regularly review and justify the uses of patient information;
Improve organisational performance across a range of related areas not limited to database design,
staff induction, training, compliance with guidance.

Who is the Guardian?



The Guardian is:
A senior health professional;
An existing member of the management board of the organisation; or
An individual with responsibility for promoting clinical governance within the organisation.

The Guardian's role



The Guardian has responsibility for overseeing procedures and policies covering access to patient
identifiable information and their monitoring. They also have a strategic role in formulating improvement
plans.

Access Control

Access control is essential for ensuring that only authorised persons have:

physical access to computer hardware and equipment;
access to computer system utilities capable of over-riding system and application controls;
access to manual files containing confidential information about individuals;
access to computer files and databases containing confidential information about individuals.

Information/Data "Ownership"

It is best practice for each physical set of information, e.g. paper files, or a database, to be assigned an
"owner". The information security officer should keep an up to date register of data "owners" and the
Guardian should be provided with a copy. A number of responsibilities should be associated with
ownership, including:

identifying all the information/data;
identifying, and justifying to the satisfaction of the Guardian, how the information/data can be used;
agreeing with the Guardian who can access the information/data, and what type of access each user is permitted.

Key guidelines to follow:

Patients should be fully informed about how their information may be used.
There are strict conditions under which personal data may be disclosed.
In particular, certain disclosures are not allowed without express consent.
Individuals have the right to see what information is held about them, and to have any error corrected.
Personal data should be kept secure and confidential at all times.
Personal information should be anonymised wherever and whenever possible.
The legitimate use, disclosure or sharing of personal data does not constitute a breach of
confidentiality. Sharing between organisations can take place with appropriate safeguards.
Sometimes a judgement has to be made about the balance between the duty of confidence and
disclosure in the public interest. Any such disclosure must be justified.
Most of the requirements are common-sense precautions such as not divulging computer passwords,
keeping manual records secure, and guarding against people seeking in local policies, procedures and
guidance.
If anyone is in doubt, they should refer to documented policies and procedures, and if still in doubt ask
their line manager.

The Data Protection Act 1998

The eight principles of the Data Protection Act 1998 apply to all staff handling personal information (on
computer and manually held), and underpin all related policies and procedures. These are:

Personal data shall be processed fairly and lawfully.
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be
further processed in any manner incompatible with that purpose or those purposes.
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for
which they are processed.
Personal data shall be accurate and, where necessary, kept up to date.
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for
that purpose or those purposes.
Personal data shall be processed in accordance with the rights of data subjects under this Act.
Appropriate technical and organisational measures (i.e. security measures) shall be taken against
unauthorised or unlawful processing of personal data and against accidental loss, destruction or
damage to personal data.
Personal data shall not be transferred to a country or territory outside the European Economic Area,
unless that country or territory ensures an adequate level of protection for the rights and freedoms of
data subjects in relation to the processing of personal data.

Summary

All staff have an obligation to safeguard the confidentiality of personal information. This is governed by
law, contracts of employment and in many cases by professional codes of conduct. At the start of a placement
you should ensure that you are aware of all local policies including those relating to confidentiality.
