The Health Centre & Heaton Avenue Surgery’s Confidentiality Code of Practice

Confidentiality Code of Practice Policy

 

| Version | Edited by | Date issued | Next review date |
|---|---|---|---|
| 2 | Janet Butcher | 17.02.2026 | 17.02.2027 |

| Position | Named individual |
|---|---|
| Caldicott Guardian | Dr Naseem Saheecha |
| Information Governance Leads | Dr Naseem Saheecha/Janet Butcher |
| Practice Manager | Janet Butcher |

Overview for all staff 

·         All staff must understand their individual and collective responsibilities, including when and how information may be disclosed, and ensure compliance with current data protection law.

·         The Eight Caldicott Principles apply to all identifiable health and social care data and must always be adhered to by all staff.

·         Staff must ensure any information they hold or have access to is effectively protected, whilst adhering to the Practice’s data protection policies.

·         All staff are bound by a legal duty of confidence to protect personal information encountered in their work, under both contractual obligations and common law.

Table of contents

1     Introduction

1.1       Policy statement

1.2       Status

2     Patients’ rights to confidentiality

2.1       Principles

2.2       Disclosing information

2.3       Maintaining confidentiality

2.4       Training

Annex A – Disclosure guidance

1       Introduction

1.1      Policy statement

This Code of Practice has been written in conjunction with the General Medical Council (GMC) core guidance Confidentiality: good practice in handling patient information, which provides a framework for considering when to disclose patients’ personal information.

All staff must be aware of their individual and collective responsibilities, ensuring they understand when it is appropriate to disclose information and the considerations required before disclosing information, whilst always complying with extant data protection law.

1.2      Status

In accordance with the Equality Act 2010, we have considered how provisions within this policy might impact on different groups and individuals. This document and any procedures contained within it are non-contractual, which means they may be modified or withdrawn at any time. They apply to all employees and contractors working for the Practice.

2       Patients’ rights to confidentiality

2.1      Principles

 

The National Data Guardian (NDG) explains that good information sharing is essential for providing safe and effective care. There are also important uses for information for purposes other than individual care that contribute to the overall delivery of health and social care and serve wider public interests. 

The Eight Caldicott Principles apply to all data collected for the provision of health and social care services where patients and service users can be identified and would expect it to be kept private. All staff must always adhere to the Caldicott Principles.

The NHS Confidentiality Policy and the NHS Confidentiality Code of Practice state that all staff working in the NHS are bound by a legal duty of confidence to protect personal information they may encounter during their work. This is not purely a requirement of their contractual responsibilities; it is also a requirement within the common law duty of confidence.

2.2      Disclosing information

 

All staff are to adhere to the principles of confidentiality outlined in the NHS Confidentiality Code of Practice:

·         Person-identifiable or confidential information must be effectively protected against improper disclosure when it is received, stored, transmitted or disposed of.

·         Access to person-identifiable or confidential information must be on a need-to-know basis.

·         Disclosure of person-identifiable or confidential information must be limited to the purpose for which it is required.

·         Recipients of disclosed information must respect that it is given to them in confidence.

·         If the decision is taken to disclose information, that decision must be justified and documented.

·         Any concerns about the disclosure of information must be discussed with the Practice Manager.

·         Patients are to be informed of the intended use of their information.

 

When considering disclosing information, the hyperlinked guidance at Annex A is to be consulted. Given the complexities associated with the use and disclosure of personal information, the Practice’s Caldicott Guardian (CG) or Information Governance (IG) lead must be satisfied that it is appropriate to disclose the relevant information.

 

To further support the decision-making process, the GMC’s interactive confidentiality decision tool should be used.

2.3      Maintaining confidentiality

 

To ensure confidentiality is always maintained, staff must adhere to the Practice’s Caldicott and Confidentiality Policy and the Confidentiality and Data Protection Handbook. 

Any queries regarding the confidentiality of or the sharing of information should be directed to the Practice’s CG, IG lead or the Practice Manager.

2.4      Training

 

All staff are required to complete mandatory information governance and data security awareness training.

 

·         Caldicott and Confidentiality

·         Consent

·         Information Governance and Data Security

·         UK General Data Protection Regulation (UK GDPR)

 

Annex A – Disclosure guidance

Framework reference and topics covered

Disclosing patients’ personal information (Paragraphs 9 – 25)

·         When you can disclose personal information

·         Disclosing information with a patient’s consent

·         Disclosing information when a patient lacks the capacity to consent

·         Disclosures required or permitted by law

·         Disclosures approved under a legal process

·         Disclosures in the public interest

·         Disclosures prohibited by law

·         Data protection law

Using and disclosing patient information for direct care (Paragraphs 26 – 49)

·         Sharing information for direct care

·         Sharing information with those close to the patient

·         Disclosures about patients who lack capacity to consent

Disclosures for the protection of patients and others (Paragraphs 50 – 76)

·         Disclosing information to protect patients including those at risk of harm

·         Disclosing information to protect others

Using and disclosing patient information for secondary purposes (Paragraphs 77 – 116)

·         Anonymised information

·         Disclosures required by statutes or the courts

·         Consent

·         Disclosures for health and social care secondary purposes including financial information

·         Requests from employers, insurers and other third parties

Managing and protecting personal information (Paragraphs 117 – 138)

·         Improper access and disclosure

·         Knowledge of information governance and raising concerns

·         Processing information in line with data protection laws

·         Records management and retention

·         The rights of patients to access their own records

·         Communicating with patients

·         Disclosing information after a patient has died

GMC guidance reference and topics covered

Disclosing information about serious communicable diseases

·         Protecting information against improper disclosure

·         Control and surveillance of serious communicable diseases

·         Protecting patients from risks posed by your health or your colleagues’ health

·         Disclosing information about patients who are diagnosed with a serious communicable disease to those providing direct care

·         Disclosing information in response to injuries to colleagues and others

·         Informing people at risk of infection from serious communicable disease

·         Disclosing information when children and young people are at risk of a serious communicable disease

·         Recording serious communicable diseases on death certificates

Patients’ fitness to drive and reporting concerns to the DVLA or DVA

·         Fitness to drive: medical professionals and patients’ responsibilities

·         Assessing a patient’s fitness to drive

·         Reporting concerns to the DVLA or DVA

·         Responding to requests for information from the DVLA or the DVA

Disclosing information for employment, insurance and similar purposes

·         When do dual obligations arise?

·         How much information should you disclose?

·         Writing reports

·         Disclosing a report about a patient

·         Disclosures required by law

·         Disclosures in the public interest

Disclosing information for education and training purposes

·         General principles

·         Teaching and training of medical students, doctors in training and other healthcare students and trainees

·         Patients who lack capacity

·         Disclosing information to secondary school and college students

·         Training records and case studies

Reporting gunshot and knife wounds

·         Reporting gunshot and knife wounds

·         Making the report

·         Make the care of the patient your first concern

·         Disclosing personal information without consent

·         Children and young people

Responding to criticism in the media

·         Responding to criticism

CQC guidance reference and overview

Notifications to the Care Quality Commission (CQC)

·         This Practice must notify the CQC about certain changes, events and incidents that affect the service or the people who use it. For detailed guidance, refer to the complete list of notifications.

Page last reviewed: 23 March 2026
Page created: 05 September 2024