BMA response to consultation on the CQC’s Code of practice on confidential personal information

Q1. The Code explains the ‘necessity test’ that the CQC uses whenever we have to make a decision about whether we need to obtain, use or disclose confidential personal information. Have we explained the ‘necessity test’ properly? Do you think that there are other things that we should take into account when deciding whether we need to obtain, use or disclose confidential personal information?

As currently written the explanation of the necessity test is likely to cause significant confusion, both amongst those seeking to find out how the CQC handles confidential personal information and providers which share confidential information with the CQC. Much greater clarity of explanation is required in order to avoid a situation where this section could be interpreted in two very different ways. This question of interpretation is fundamental to our response.

Interpretation 1

The necessity test is a two-stage process - both stages of the test must be applied in every circumstance where confidential personal information might be used or disclosed. It is used to determine whether it is appropriate to seek confidential personal information for an aim that is legitimate for the CQC and is completely separate from the decision about whether the collection, use or disclosure of information has a lawful basis.

The first stage is to consider whether it is actually necessary to use confidential personal information for an action that is either a CQC statutory function under the Health and Social Care Act 2008 (HSCA 2008) or another ‘legitimate aim’ which is outside the statutory functions. If the answer to this question is the affirmative then the second stage is to consider whether the use of confidential personal information is proportionate (described as serving an ‘overall public interest’ but see the comments below on the use of this terminology).
This secondary consideration must take into account a number of factors including the ‘public interest’ in maintaining confidentiality and the ‘public interest’ in the CQC pursuing a statutory function or other legitimate aim. If the decision is that the use of confidential personal information is both necessary and proportionate to fulfil a legitimate aim of the CQC, then the question of whether there is a legal basis for the collection, use or disclosure must be addressed.

In this interpretation, the CQC intends that such ‘public interest’ deliberations do not amount to a judgment as to whether confidential information can or should be disclosed ‘in the public interest’, but rather whether seeking to obtain, use or disclose confidential personal information for the particular purpose is reasonable and serves a legitimate aim. These preliminary considerations of ‘necessity’ and ‘reasonableness’ are therefore entirely separate to the identification of the lawful means by which confidential information can be disclosed - either under the CQC’s statutory powers or via another lawful basis. Matters of disclosure are considered later in the document. In other words, whilst there might be a general public interest in the CQC pursuing a particular aim, the CQC are not necessarily suggesting here that there will be a justifiable ‘public interest’ in disclosure which meets common law requirements.

The remainder of the document then deals with the lawful means by which the CQC can obtain information or when information can be disclosed to them. This can be briefly summarised as follows:

• The CQC can use the statutory powers under the HSCA 2008 to compel providers to disclose for ‘regulatory functions’ – as listed on page 15. Consent is not necessary in these circumstances.
• Where the CQC’s statutory powers do not apply, another lawful basis for the disclosure must be established. In-line with common law requirements, this means that consent must be sought unless approval has been sought under section 251 of the NHS Act 2006 or the disclosure can be justified in the public interest – pages 19 - 20.
• The threshold for disclosure in the public interest is high (this is not stated explicitly but on page 20 it says the public interest justification may apply where it is necessary ‘to protect people from very serious harm’ and so we assume this is also the CQC’s understanding).
• A useful example as to when a disclosure might be justified in the public interest is the protection of patients from unsafe care.

There is no difficulty with these principles as they are in-line with common law requirements of confidentiality.

Unfortunately, the lack of clarity in the description of the necessity test, and, in particular, the language in reference to the ‘public interest’ and ‘legitimate aims’, will lead to great confusion for providers when they are interpreting the code. In the context of handling confidential information, the concept of the ‘public interest’ will be interpreted by many to relate to the question of disclosure and, in particular, whether the circumstances meet the ‘public interest’ threshold for disclosure – not the question of legitimacy or proportionality of the aim. Using the term ‘public interest’ in the CQC’s necessity test to determine proportionality will lead to a misunderstanding of when the ‘public interest’ can be relied upon as a legal basis for the disclosure of confidential information. This results in an assumption that the CQC is applying a weaker standard of confidentiality in order to access information.

This is illustrated by the second possible interpretation. It would be of grave concern to the BMA should it be intended that the code should be interpreted in the following way.
Interpretation 2

The necessity test is not a two-stage test of appropriateness and proportionality which precedes consideration of the legal basis for disclosure. In this interpretation, the ‘public interest’ referenced in the second stage (p.12) relates to whether or not information can be disclosed ‘in the overall public interest’ for the CQC’s ‘legitimate aims’.

Given that the common law sets out an extremely high threshold for disclosure in the public interest, one which is relevant only in circumstances where serious harm might be prevented, serious crime might be prevented or detected or issues of national security are involved, the language on page 12 is of serious concern. It suggests that a more general definition of the ‘public interest’ in disclosure of confidential information is being applied by the CQC i.e. the fact that the CQC is pursuing an aim which it views as ‘legitimate’, such as the ‘efficient use of public resources’, is likely to justify a disclosure in the public interest – even where a patient has expressed an objection.

This explanation is also likely to cause providers to conflate statutory powers with ‘public interest’ disclosures. If the disclosure is necessary for the CQC’s regulatory functions then providers need not consider breaching confidentiality ‘in the public interest’ as disclosure is already compelled under the HSCA 2008. If the disclosure is for an ‘aim’ which is outwith the lawful functions set out in the Act, then a ‘public interest’ decision will have to be made. Such common law decisions are entirely separate to statutory powers which compel disclosure.

We assume this interpretation is not the CQC’s intention and therefore we urge a significant re-write and restructuring of the code. The importance of clarity and avoidance of wide ranging statements in this complex area cannot be over-stated if the CQC is to foster trust from both the public and healthcare professionals.
A basic framework should provide clarity on the following points:

• The CQC will always consider whether it is necessary to use confidential personal information and whether such use is proportionate – regardless of whether the intended purpose falls within the scope of their statutory functions or not (in other words, the CQC will not use powers to override confidentiality if there is no need to do so);
• There are purposes which fall within the scope of disclosures required by the HSCA [1];
• There may be other purposes, out of scope of the HSCA, which it may be reasonable for the CQC to pursue but, nevertheless, another legal basis is required for disclosure, such as consent or the high threshold for disclosure in the public interest has been met;
• The circumstances when the public interest test for disclosure might be engaged with examples such as protecting patients from unsafe care. (The term ‘public interest’ should only be used to refer to the legal threshold for disclosure; to use it in other circumstances will cause significant confusion and could result in unlawful disclosures of information).
• The circumstances when a patient’s objections will be respected and when they might be overridden.

[1] The fourth bullet point on p.15 states that studying the efficiency with which NHS bodies provide health services is a regulatory function - which falls within the scope of the powers in the HSCA 2008. The text box on page 12 suggests that disclosures to aid ‘efficient use of public resources’ might be part of ‘public interest consideration’. This is confusing.

On a separate point, we recognise that the definition of personal confidential information is provided by the HSCA 2008 (page 4), however, the Act’s definition doesn’t actually explain what is meant by ‘data held in confidence’.
It might be helpful to add that the concept of confidential information is that which is provided in circumstances which imply a duty of confidence - and provide the doctor/patient relationship as an example of such a circumstance.

Q2. The Code explains how the CQC uses its statutory powers to obtain confidential personal information, including medical records and personal care records, and how it may obtain confidential personal information in other ways. Have we explained this process properly in the Code? Yes/No If not, which areas are unclear? Do you think the way we do this is unfair? Yes/No If not, please state why.

Please see response above in relation to clarity about when the CQC can use its statutory powers.

When the CQC is not using its statutory powers

P.20 states that there will be a lawful basis for the CQC to obtain confidential personal information ‘to protect people from very serious harm’. Whilst this statement is true, it does not provide the necessary information which providers might need to determine whether they can or cannot disclose.

We suggest that the Code explains that providers have the discretion under common law to disclose to the CQC (or any other appropriate body) should they believe that a breach of confidentiality is justified in the public interest. [2] Examples which could be provided by way of further explanation include preventing serious criminality and/or protecting patients from harm i.e. to avoid a repeat of a Harold Shipman case or to bring to light the abuses which occurred at the Winterbourne View hospital. Such explanations should also be mirrored in the later descriptions of when the CQC itself can disclose confidential information (see question 5).

[2] Doctors must use the criteria set out in national guidance to aid their assessments of when a disclosure in the public interest is justified. See for example Department of Health (2003) Confidentiality NHS Code of Practice para 34; Department of Health (2010) Confidentiality: NHS Code of Practice – supplementary guidance: public interest disclosures; and Health and Social Care Information Centre (2013) A guide to confidentiality in health and social care p.20

In addition, it would be useful if the Code could clarify whether obtaining or disclosing confidential data in relation to criminal misuse of resources would be covered by the powers in the Act or whether such decisions fall to public interest assessments.

In this section (pp18 – 20) the emphasis should not be on the CQC’s powers to ‘obtain’ confidential personal information but rather the circumstances under which health service providers can lawfully provide it and be satisfied that they will remain legally compliant.

Finally, it is not clear what additional lawful basis exists for the CQC ‘to obtain confidential personal information where it is necessary for the administration of justice or other legal proceedings’ (p.20). The fact that something is done for the purposes of legal proceedings is not in itself a sufficient justification for sharing. Neither is it clear what relevance the administration of justice has in this context. The legal basis for disclosure in such circumstances needs to be explained.

Additional points

We welcome the statement on page 16 that only those within the CQC who have been specifically authorised are allowed to use the statutory powers to obtain confidential information.
It would also be helpful to mention that when the CQC is using its powers to access health records this does not mean that the entire record will be viewed by the CQC inspector and that the Data Protection Act 1998 principle of relevance will continue to apply, for example if medical records are accessed to aid an investigation into a particular service then only information which is necessary and relevant to the service review will be viewed. This is implied in example 1 (p.17) but could be made explicit. Perhaps in example 2 ‘Mary’ could be more reassured if the inspector explained to her that he would review her care plan only in relation to information which was relevant to the diabetes management.

There are some factual inaccuracies with regard to the final paragraph on page 19. Applications for ‘s251 approval’ are made to the Confidentiality Advisory Group (CAG) of the Health Research Authority (not Council). Applications for s251 approval are made to the CAG alone, not the HSCIC. (We assume that this confusion has arisen as, under the Care Act 2014, the HSCIC must have regard to the advice of the CAG when considering dissemination of data – but this is separate to the seeking of s251 support for the common law of confidentiality to be set aside).

The example in the same paragraph about the national survey is confusing. Is this intended to mean that when the CQC wishes to carry out a national survey it will need to apply for s251 approval in order to permit the disclosure of patients’ names and addresses from GP practices?

Page 20 covers recording CQC’s access to records. Most (if not all) electronic record systems automatically record all access to medical records and store this information in an audit trail. Does the CQC envisage recording access above and beyond this automated process? Whilst clearly it is essential that patients are able to access an audit trail, we would be concerned if any additional recording created an unnecessary burden on providers. One option may be to consider giving CQC inspectors their own smart cards so it is clear that they have accessed the record.

Q3. We have explained the different ways in which the CQC uses confidential personal information to help us carry out our regulatory work, for example using care records to make judgements about care services. Have we explained this process properly in the code? Yes/No If not, which areas are unclear? Do you understand how this information helps us in our work? Yes/No If not, please state which aspects are unclear.

Yes. The BMA has no comments on this section.

Q4. We have explained how the CQC handles and stores confidential personal information, keeps it safe, and disposes of it securely when it is no longer needed. Have we clearly explained how we handle confidential personal information in the Code? Yes/No If not, which areas are unclear? Are there any information security issues that we have not included in the report, or where we should be doing more to protect information?

We have no comments on this section other than to highlight that p.26 refers to disposal of confidential information (penultimate bullet point), however, without some indication of a timeframe for deletion this does not offer adequate reassurance.

Q5. Sometimes, CQC needs to disclose confidential personal information to other organisations to protect people from harm or unsafe care. Have we explained how we make decisions to disclose information properly in the Code? Yes/No If not, which areas are unclear? Do you feel that the decision-making process for disclosing confidential personal information is fair and appropriate? Yes/No If not, please state why.

No.
The list of purposes (or ‘defences’) for which the CQC can lawfully disclose under the HSCA 2008 is clear and we recognise that this list mirrors the provisions set out in section 77 of the Act. We note that section 79(4) of the Act explicitly sets aside common law obligations of confidentiality in relation to such disclosures.

Publishing information p.24

This section requires more detail on the types of data which might be published and what the law permits in terms of identification of individuals or organisations. It is concerning that this section suggests that confidential personal information may sometimes be published as part of the CQC’s regulatory functions. In our view, publishing confidential information from which individuals are ‘potentially’ identifiable would be a very serious breach of confidentiality and the Data Protection Act 1998. Any publication of information must be in-line with the Information Commissioner’s Office (ICO) code of practice on anonymisation. The ICO code sets out that although the DPA does not require the risk of re-identification to be entirely eliminated the risk of re-identification must be mitigated to the point that it is ‘remote’. [3] This is acknowledged in the CQC’s own separate guidance on anonymisation (signposted in the appendix) therefore we suggest that the wording in the code more accurately reflects the position which has already been set out in this separate guidance.

[3] Information Commissioner’s Office (2012) Anonymisation: code of practice

Sharing information pp.24 - 25

As previously mentioned, the public interest justification for disclosures is engaged when there is a risk of serious harm to individuals or in the prevention or detection of serious crime. This would almost invariably include protecting patients from unsafe care. The discretion to disclose in these circumstances would apply equally to care providers and the CQC. The criteria for considering whether disclosure is justified are set out in numerous national guidance documents on confidentiality, including from the Department of Health and the Health and Social Care Information Centre. [4] This guidance is clear that, under common law, the threshold for breaching confidentiality in the public interest is high and is applicable only in exceptional circumstances set out above.

It is an obvious omission that the code does not set out when the CQC will share confidential personal information in the public interest (and in-line with national guidance). It must also be made clear when patient objections will be respected and when they might be overridden in the public interest.

[4] See Department of Health (2003) Confidentiality NHS Code of Practice para p.34; Health and Social Care Information Centre (2013) A guide to confidentiality in health and social care p.20

Q6. Having read the Code, how happy would you be for the CQC to hold confidential personal information about yourself or members of your family? Please rate your choice on a scale of 1 to 5 (with 1 being very happy and 5 not happy at all). If you would not feel happy, what are your concerns about CQC holding confidential personal information about yourself or members of your family?

This question lends itself to a response from an individual rather than an organisation. Our concerns are set out in the responses above.