Confidentiality

Why do I need to know about confidentiality?

  • Confidentiality is an essential requirement for the preservation of trust in the medical profession as it is pivotal in upholding respect for privacy, autonomy and the right of self-determination. As such it is subject to legal and ethical safeguards.

The content of the duty of confidentiality

Confidentiality is both a private and a public interest: private in the sense that private individuals have an interest in keeping certain information confidential, and public in the sense that there is also a general public interest in protecting confidentiality in circumstances where a reasonable person might expect information to be held in confidence.

The basic content of the duty of confidentiality is that disclosure of patient information will not occur unless:

  1. The individual is unidentifiable from the information disclosed;
  2. The individual has provided consent; or
  3. There is an overriding public interest in disclosure.

When the duty of confidentiality arises

The common law of confidentiality places an obligation on individuals to respect the confidences of others.

In the medical context, traditionally professional ethical standards have required that anything doctors learn about their patients in the course of their professional duties is confidential. This means that confidentiality covers any clinical information about an individual’s diagnosis or treatment, any images of the patient, and any other information which could be used to identify a patient.

Complying with the duty of confidentiality

While the common law does establish some core principles, it does not specify when confidential information may or may not be disclosed to others. This means that those seeking to use confidential information have to take responsibility for deciding what is justified on a case-by-case basis.

Practical guidance on how to maintain confidentiality can be found in an NHS Report from 1997. This report resulted in the appointment of Caldicott Guardians to each NHS Trust in order to safeguard patient information. The report also established the six ‘Caldicott Principles’, against which Caldicott Guardians test proposed disclosures of information. You as a researcher should be aware of these principles and should try to justify every proposed use of confidential information in your research project against them. By doing this you are helping to ensure that you are not going to breach any obligation of confidentiality.

The principles:

  1. Justify the purpose(s) for using confidential information
  2. Only use confidential information when absolutely necessary
  3. Use the minimum amount of confidential information that is required
  4. Access to confidential information should be on a strict need-to-know basis
  5. Everyone must understand his or her responsibilities
  6. Understand and comply with the law

The duty of confidentiality after the death of the patient

The duty of confidentiality generally continues after the patient has died, and what information can be disclosed after death will therefore depend on the circumstances. If the patient has asked for their personal information to be kept confidential then their wishes should be respected.

However, according to Guidance from the General Medical Council, there are circumstances in which relevant information can and should be disclosed, and these include circumstances where the disclosure is justified as being in the public interest, such as for research purposes. Where possible the information should be anonymised before disclosure.

When considering whether such information can be disclosed you should consider:

  • Whether the disclosure of the information is likely to cause distress to or benefit the family of the deceased;
  • Whether the disclosure will disclose information about the family of the deceased or anyone else;
  • Whether the information is already in the public domain or whether it can be anonymised;
  • The purpose of the disclosure.

Is it ever permissible to breach the duty of confidentiality?

In very rare circumstances it is legally permissible to breach confidence in the public interest, for example when it is necessary to do so to protect others from harm. This is a very serious decision and action and should not be taken without first seeking legal advice from your host institution, other than in cases of emergency.

SHIP Guiding Principles and Best Practice

SHIP Guiding Principles and Best Practices reflect the values which underpin the SHIP project. They are designed to act as a guide for all those involved in SHIP and data sharing. You as a researcher or data custodian should be aware of these guiding principles and best practices as they provide useful guidance as to the standards of information governance promoted and expected by SHIP.

Principles

  • Data controllers should demonstrate their commitment to privacy protection through the development and implementation of appropriate and transparent policies.
  • Every effort should be made to consider and minimise risks of identification (or re-identification) to data subjects and their families arising from all aspects of data handling.

Best Practice

  • Organisations involved in data sharing and use should have a designated officer responsible for addressing privacy matters. This might be the Data Controller or Caldicott Guardian or someone delegated to act on their behalf.
  • Assessing privacy risks is an integral component of a data controller’s responsibilities and should form a central part of their privacy policy. This process should include the identification of confidentiality, security and privacy risks of any data handling including linkages, storage and access considerations.
  • It is acknowledged that at times data controllers may not be able to fully assess privacy risks, especially prior to linkages, however they should still carry out an assessment that identifies potential risks based on the information they do have.
  • Potential data recipients should also assess the impact on privacy prior to submitting data access requests and they should highlight any identified risks in order to discuss these with the data controller.
  • Appropriate disclosure control should be applied to all outputs; this should be carried out under the authority and oversight of the designated privacy officer.
