For information to be confidential in law it must:
- not be common knowledge among lots of people, for example, the
content of a discussion between a patient and a health professional;
- and be useful and not irrelevant or trivial
Explicit consent is not required for the following purposes:
- Where patient information is used for the routine clinical care of that patient – for example between health professionals and intra NHS multidisciplinary teams
- Where patient information is used for administration and management purposes, for example, waiting list management.
- Child protection purposes (see below)
Most patients understand that their information must be shared within
the healthcare team. However, patients do not expect this to be shared
with others who will not be involved in their care.
Aggregated and management information is used to plan and monitor
progress of the organisation in its delivery of services. This is
generally outside the scope of the Data Protection Act 1998 on the
basis that a living individual could not be identified from such data.
Anonymized/coded information would normally fall outside the scope of
the Data Protection Act 1998, but care must be taken with all coded
and anonymised information as it may still be possible to identify
individuals, e.g. with rare diseases, drug treatments or statistical
analyses within a small population.
For other uses, it is your responsibility to make sure that patients
are aware of the wider uses of their information and to get their
permission. It is your responsibility to make sure that you provide
versions in any community languages or meet other accessibility
* make clear to patients when information is or may be disclosed
(shared) to others involved in their health care;
* make sure that patients are aware of the choices that are available
to them on how their information may be disclosed and used;
* check with patients to make sure that they have no concerns or
questions about how their information will be disclosed and may be
* answer any questions personally or direct patients to others who can
answer their questions; and
* respect the rights of patients and help them to access their health
records if they have asked to do this.
Intra NHS Information Sharing NHS Scotland policy
3rd party info eg family history or info coming from an identifiable
family member – may itself be confidential, even if in patient’s
record, so 3rd parties should be told if their identity might be
revealed, and given opportunity to decline.
Beware use of automated reports for insurance etc, where only minimum
necessary info is appropriate, and would be wrong to disclose more
Option to opt out of data analysis emphasized – not clear how this
would be done.
Training seen as tick box rather than education.
£100 000 fine for Aberdeen city council for a home worker accidentally uploading files regarding vulnerable children to an online file store. A fine has never been issued for formal sharing of information. “Blagging” is also an issue, where a 3rd party obtains information by ostensibly acting as a healthcare professional or family member.
Guidance from 2003 still applies – obtain confirmation of identity (or
phone number etc) from second source. If breach occurs, individual
should be informed.
See also Data Protection for Caldicott principles etc.
Scottish Government’s Sharing Information about Children at Risk: A Guide to Good Practice (2003) states:-
“If there is reasonable concern that a child may be at risk of harm this will always override a professional or agency requirement to keep information confidential. All professionals and service providers have a responsibility to act to make sure that a child whose safety or welfare may be at risk is protected from harm.”
The National Guidance for Child Protection in Scotland (2014) states:
‟Harm‟ means the ill treatment or the impairment of the health or development of the child, including, for example, impairment suffered as a result of seeing or hearing the ill treatment of another. In this context, ‟development‟ can mean physical, intellectual, emotional, social or behavioural development and ‟health‟ can mean physical or mental health.”
Recent advice has also been received from the Scottish Government, having consulted with the Information Commissioner’s Office, regarding the impact of GDPR and the Data Protection Act 2018 in this area. The Information Commissioner’s Officer has confirmed:
“It is important that those whose work brings them into contact with children and young people continue to share child protection concerns in the same way as they did previously. Child protection matters at the significant harm level equate to sharing/processing being necessary to protect the vital interests of the child where reliance on consent may be prejudicial to that purpose. The same lawful purposes are provided for in Articles 6:1(b) and 9:2(c) of the GDPR for personal and special category data so nothing has changed at that level”.
It is important to be open and transparent and make people aware that we will share information when we suspect a child or young person is at risk of harm. It is also important to record any decision to share or not to share information and reasons for doing so.
* Human Rights Act 1998
* Freedom of Information (Scotland) Act 2002
* NHSS Code of Practice on Protecting Patient Confidentiality.
* NHSS Information Governance standards 2005
Note that Scotland leads patient data protection with Fairwarning software.