CLIFTON MEDICAL PRACTICE – PRACTICE PROTOCOL
CONFIDENTIALITY & DATA PROTECTION
Everyone working for the NHS in a Doctor’s Surgery has a legal duty to keep information about patients and clients confidential and to protect the privacy of information about individuals. This is a core element of work in a General Practice and forms part of your contract with the Surgery.
In the course of your work you will be called on to handle and see person-identifiable information, whether it is stored on paper or on computer. You are responsible for safeguarding the confidentiality of all personal, Surgery and External Agency information, transmitted or recorded by any means. You must not discuss or disclose such information except to authorised personnel.
If you are found to have made an unauthorised disclosure of personal information it is a disciplinary offence; you could also face prosecution. If you are in doubt as to which disclosures are authorised, check with the Practice Manager.
This protocol is designed to help you understand the regulations and your responsibilities to maintain confidentiality.
All Staff
All staff are required to adhere to the regulations of the Data Protection Act 1998, irrespective of whether you belong to a professional group, and this Practice is registered with the Data Protection Agency.
If you do belong to a professional group, e.g. Nurse, Doctor, you are subject to the confidentiality clauses of your professional Code of Conduct. You should ensure that you are familiar with the specific responsibilities of your professional code.
Data Protection Act 1998
The Data Protection Act has eight Data Protection Principles, which cover the use of “personal data”.
Personal data is any information, which can be used to identify a living person or facts about them, including opinions or intentions towards them. The Data Protection Act sets standards which must be satisfied when obtaining, recording, holding, using or disposing of personal data.
Information can only be used with the person’s consent.
Personal data must be:
1.
Processed fairly and lawfully
2.
Processed for specific purposes only
3.
Adequate, relevant and not excessive
4.
Accurate and up-to-date
5.
Not kept for longer than necessary
6.
Processed in accordance with the rights of data subjects
7.
Protected by appropriate security
8.
Not transferred outside the European Economic Area
Moorhouse Page 1 11/04/2020 D:\726846801.doc

Think Before You Act
Unauthorised disclosure of information constitutes a serious breach of discipline and could lead to dismissal. There are mechanisms in place to ensure information is not used inappropriately. If you either deliberately or accidentally divulge personal information, the Act could be breached. It also means anyone contributing to personal information has a duty to ensure it is not misleading.
Could I Breach Confidentiality?
There are many ways in which confidentiality can be broken. For example:

Displaying information in a way that unauthorised people can see it

Accessing records you have no legitimate reason to see

Leaving records open or unattended

Giving out information over the telephone to inappropriate people

Holding conversations where others could overhear
The Appendix at the end of this policy sets out in greater detail exactly how patient information can be used.
How Can I Prevent Breaching Confidentiality?

Do ensure the safe storage of material containing person-identifiable or other sensitive information.
 Don’t
give out information unless you are certain that the recipient has a right to hear, see or access it.
Be especially careful on the telephone.

Do use safe haven facilities to send and receive faxes if sending patient identifiable information.
Check fax numbers yourself with the intended recipient before you send data.
 Don’t hold conversations about patients, Surgery or Trust information where you can be overheard, e.g. near another patient, in public areas, when travelling.

Do dispose of confidential waste properly – Don’t throw it in an ordinary bin – put in the shredding sack.

Do make sure that unauthorised users / the public cannot access your computer or see other patient details on the screen and Do close your computer or change user when not in use.

Treat all Practice information as confidential – not just patient information.
Remember
Everyone who uses person-identifiable information has a duty to see that it is not passed on in an unauthorised way.
You are subject to confidentiality under your contract of employment – to breach it is a disciplinary offence.
It is a criminal offence to break any of the conditions of the Act.
Ask advice .
Follow this Data Protection Protocol.
Breaches of Confidentiality
If you think that confidential information may be revealed by accident, or by any other means, it is essential that you inform the Practice Manager.
Caldicott
Fylde and Wyre CCG is required to have a Caldicott Guardian to safeguard and govern the uses made of confidential information.
The CCG Caldicott Guardian is:
Dr. Jim Gardener
Derby Road
Wesham
PR4 3AL
Moorhouse Page 2 11/04/2020 D:\726846801.doc

Appendix - Using Patient Information
Background
The patient medical record is a life-long history of consultations, illnesses, investigations, prescriptions and other treatments. The doctor-patient relationship sits at the heart of good general practice, and is based on mutual trust and confidence. The story of that relationship over the years is the medical record.
All staff who are involved in patient care are responsible for the accuracy and safekeeping of patient medical records. Patients have a responsibility to ensure that changes in their details are passed on to the
Practice and staff should follow the Practice policy in taking opportunities where they present themselves to check patient details are accurate and up to date wherever possible (see policy “Checking Patient
Information”).
If patients move to another area or change GP, medical records are sent to the NHSCB Primary Care
Support (PCS), Preston Office to be passed on to the new Practice. However, a copy of all entries in the records whilst registered with the Practice remains on the computer.
Every patient has the right to keep personal information confidential between themselves and their
Doctor. This applies to everyone over the age of 16 years, and in certain cases to those under 16. The law does impose certain exceptions to this rule, but apart from those listed in detail below, patients have a right to know who has access to their medical record and a leaflet for patients is kept in Reception.
Disclosing Patient Information
There is a balance between privacy and safety, and we will normally share patient information with others involved in patient care, unless we are asked by the patient not to. This could include doctors, nurses, therapists or technicians etc involved in treatment or investigation.
Our practice nurses, district nurses, health visitors and midwives all have access to the medical records of their patients. It is our policy to try to have a single medical and nursing record for each patient. We firmly believe that this offers the best opportunity for delivering the highest quality of care from a modern primary care team.
Practice staff also have access to medical records. We need to notify the NHSCB PCS of registration and claim details, perform tasks such as filing of letters etc, and providing information or results regarding investigations carried out. We also have access to the patient repeat prescription record in order to produce these prescriptions for signing by the GP.
All our doctors, nurses and staff have a legal, ethical and contractual duty to protect patient privacy and confidentiality .
We are required by law to notify the Government of certain infectious diseases e.g. meningitis, measles, salmonella and other similar infections (but not AIDS), for public health reasons.
The law courts can also insist that GP’s disclose medical records to them. Doctors cannot refuse to cooperate with the court without risking serious punishment. We are often asked for medical records from solicitors. These will always be accompanied by the patient’s signed consent for us to disclose information. Solicitors often ask for photocopies of the whole medical record of a patient. If a patient considers this to be unnecessary, they should discuss the reasons for this request with their solicitor, and if
Moorhouse Page 3 11/04/2020 D:\726846801.doc

necessary ask that the records be supplied between two relevant dates, rather than allowing the solicitor to have unfettered access to the whole of the record.
Limited information is shared with health authorities to help them organise national programmes for public health, such as childhood immunisations, cervical smear tests and breast screening.
GP’s must keep the NHSCB PCS up to date with all registration changes, additions and deletions. We also notify them of certain procedures that we carry out on patients (contraceptive, maternity, minor operations, night visits, some vaccinations) where we are paid separately for performing these procedures.
Social Services, the Department of Work and Pensions, the Benefits Agency and others may require medical reports from time to time. These will often be accompanied by signed consent to disclose information.
Failure to co-operate with these agencies can lead to patients’ loss of benefit or other support. However, if we have not received signed consent, we will not normally disclose information about a patient.
Insurance companies frequently ask for medical reports on prospective or current clients making a claim.
A signed consent form always accompanies these. GP’s must disclose all relevant medical conditions unless the patient asks us not to do so. In that case, we would have to inform the insurance company that we have been instructed not to make a full disclosure to them. A patient has the right, if they request it, to see the reports to insurance companies or employers before they are sent.
We are required by law to allow patients access to their medical records. Patients wishing to see their records should contact the Practice Manager for further advice. All requests to view medical records should be made in writing to the surgery. We are allowed by law to charge a fee to cover administration and costs.
We have a duty to keep patient medical records accurate and up to date. Patients are encouraged to inform us if they believe there may be an inaccuracy in their record.
What We Must Not Do
To protect patient privacy and confidentiality, we will not normally disclose any medical information over the telephone or fax or in the Practice unless we are sure that we are speaking to the patient. This means that we will not disclose information to the patient’s family, friends, colleagues etc about any medical matters at all, unless we know that we have the patient’s consent to do so. The only other exception is if the patient is under 16 and is not judged to be Gillick competent in which case the patient’s parent or legal guardian can be given the information.
This also means that we will not normally disclose test results over the phone unless we are sure we are speaking to the patient, and may wish to call back to ensure that we are speaking to the right person.
Please also see the Practice Policy “Data Protection for Staff” which summarises the dos and don’ts of staff responsibilities
Finally, if you have any further queries or comments about privacy of medical records, then please talk to the Practice Manager, Carol Foulkes who is the Practice Caldicott Guardian and Information Governance
Lead and also represents the Doctors who are the registered Practice Data Controllers.
Moorhouse Page 4 11/04/2020 D:\726846801.doc