45
37
3 Direct care of individuals
The Review Panel concluded that across the health and social care system, implied
consent is only applicable in instances of direct care
21
.
3.3 The limits of sharing for direct care
The Review Panel found a strong consensus of support among professionals and the
public that safe and appropriate sharing in the interests of the individual’s direct care
should be the rule, and not the exception.
However, the need to share some information does not entail the sharing of everything, for
example, a patient may tell a GP she is pregnant, but not by her husband, and she does
not consent to this information being shared with any other doctor. Or a professional in a
particular field, such as a physiotherapist treating a patient’s knee, may not need to know
about his impotence.
The Review Panel concluded that in line with the original Caldicott review principles,
only relevant
22
information about a patient should be shared between professionals in
support of their care.
3.4 Improving sharing of information for direct care
The Review Panel has found that generally, the practice of sharing personal confidential
data between those directly caring for individuals could be better. For example, The
Review Panel heard evidence from a charity worker who found herself in a dangerous
position with a man possessing a Samurai sword that could have been avoided, but the
local authority did not share personal information with voluntary groups.
The Review Panel concludes that providers in the health and social care system may
benefit from reviewing and improving their policies for sharing to ensure they are focused
on the patient or service user’s best interest, taking account of the safety of people
providing care. In doing so, organisations should seek the advice and input of the clinicians
and professionals who are required to implement these policies.
The recommendations within the NICE Guideline: Patient experience in adult NHS services:
improving the experience of care for people using adult NHS services (Clinical
Guideline138)
23
emphasise the importance of appropriate sharing (see appendix 3).
The Review Panel endorses this guideline and concludes that all provider organisations
in the health and social care system should apply the guideline to audit their
procedures and performance, addressing any procedures that may impede effective
sharing.
21 This is in line with ‘Confidentiality: The NHS Code of Practice’, 2003, http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/
PublicationsPolicyAndGuidance/DH_4069253
22 In this report, ‘relevant’ information is defined as information that may directly influence the decision over what care is given to a patient
or service user, and how that care should be given.
23 http://www.nice.org.uk/nicemedia/live/13668/58284/58284.pdf
36
38
Information: To share or not to share? The Information Governance Review
Recommendation 2
For the purposes of direct care, relevant personal confidential data should be shared
among the registered and regulated health and social care professionals who have a
legitimate relationship with the individual.
Health and social care providers should audit their services against NICE Clinical
Guideline 138, specifically against those quality statements concerned with sharing
information for direct care.
3.5 Professional regulation
Direct care is generally led by registered and regulated professionals with a duty of
confidentiality and an obligation to use information both legally and effectively. They are
answerable to regulatory bodies such as the General Medical Council, Nursing and
Midwifery Council and Health and Care Professions Council, which have the authority to
strike people off the professional register for serious dereliction of duty. These regulatory
bodies each use different language to describe the conditions when implied consent can be
relied upon. Additionally, the scope of implied consent may be interpreted differently by
different professionals.
There is universal agreement that implied consent may be used as the legal basis for
sharing relevant personal confidential data in communications such as letters and discharge
summaries. However, there is less consensus with regard to the legal basis for sharing of
whole records.
The reason is that when whole records are shared, patients do not have the ability to block
access to individual pieces of information about their care, and this does not align with the
principle of sharing only relevant information. However, in some instances e.g. tertiary
centre paediatric services, the relevant information may be the whole record, or more
commonly, when a patient transfers to a new GP, their whole GP record will need to be
transferred with them.
The Review Panel concluded that consent should be obtained before sharing a patient’s
whole care record with other registered and regulated health and social care
professionals for the purposes of direct care. Any exceptions to this guidance should be
based on professional judgement in individual cases.
To allow safe and effective inter professional and organisational sharing it is imperative
that regulators agree a consistent language to describe the common set of conditions
when implied consent can be relied upon by all parts of the health and social care
system, including professionals, commissioners and providers.
37
39
3 Direct care of individuals
Recommendation 3
The health and social care professional regulators must agree upon and publish the
conditions under which regulated and registered professionals can rely on implied
consent to share personal confidential data for direct care. Where appropriate, this
should be done in consultation with the relevant Royal College. This process should
be commissioned from the Professional Standards Authority.
3.6 Registered and regulated professionals
Professional standards and good practice
Personal confidential data needs to be shared between registered and regulated
health and social care professionals who have a legitimate relationship with the
individual for the purposes of the individual’s direct care. A registered and regulated
health or social care professional has a legitimate relationship with the patient or
client when any or all of the following criteria are met:
• The patient or client presents themselves to the professional for the purpose of
their care.
• The patient or client agrees to a referral from one registered and regulated health
or social care professional to another.
• The patient or client is invited by a professional to take part in a screening or
immunisation programme for which they are eligible and they accept.
• The patient or client presents to a health or social care professional in an
emergency situation where consent is not possible.
• The relationship is part of a legal duty e.g. contact tracing in public health.
• The patient is told of a proposed communication and does not object e.g. the
consultant in the ambulatory clinic says she will communicate with the patient’s
social worker to let them know of events in the clinic and the patient does
not object.
Sharing for direct care can take place across departmental and organisational boundaries
for example, the direct care team may include physiotherapists, nurses, midwives,
occupational therapists and others on regulated professional registers.
The Review Panel found some uncertainty among professionals as to whether social
workers should be considered part of the care team in a health context.
The Review Panel concluded that for direct care of an individual, registered and
regulated social workers must also be considered part of the care team and covered by
implied consent when the social worker has a legitimate relationship to the individual
concerned.
43
40
Information: To share or not to share? The Information Governance Review
The Review Panel found that patients and the public may not fully appreciate the extent to
which their personal confidential data could be shared within an organisation, after they
have given it to a registered and regulated professional. For example, members of the
public giving evidence to the Review Panel considered that sharing information with an
individual social worker would be acceptable, but sharing with the whole local authority
employing the social worker would not.
There is also a concern among some health and social care professionals that they are
sometimes asked to send confidential information to generic electronic email accounts or
electronic mailboxes, rather than to a named individual. Generic accounts mean there is
no clarity as to who is receiving the correspondence or whether they are a registered and
regulated health and social care professional.
The Review Panel concluded that where it is necessary for services to receive referrals
through a generic system, this must be under the direct or indirect control of a
registered and regulated health and social care professional. This is necessary in order
to comply with the individual patient’s consent to be referred to a professional.
When a patient does NOT want to share some or all of their personal confidential data with
a health and social care professional this should be noted in the person’s direct care
record. The risk of not sharing the information should be explained to them, but in
general, their wishes should be respected
24
(see section 5.5).
3.7 Non-regulated staff providing direct care
Some components of direct care may be delivered by non-registered and non-regulated
health and social care staff. Examples include a healthcare support worker going to the
home of a patient to change a catheter bag, a ‘system administrator’ inputting information
from a hospital discharge summary into an electronic GP record or porters taking request
forms and samples to the laboratory. The Review Panel found evidence that patients and
the public did not always appreciate how many non-registered staff could be part of a
person’s healthcare team.
Professional standards and good practice
The Review Panel concluded that when providing direct care, a non-regulated
individual should be able to access a proportion of a patient or service user’s
personal confidential data when any or all of the following criteria are met:
• The patient presents themselves to those individuals for the purposes of care e.g.
NHS 111.
• They are professionally supervised by a registered and regulated health or social
care professional.
• They are managerially directly responsible to a registered and regulated
professional for the lawful use of personal confidential data.
• They have only necessary and very limited access to patient and client data.
24 Reasons for not respecting the patient’s wishes include if the data flow is mandated through statute or if the public interest test can be met.
37
41
3 Direct care of individuals
Professional standards and good practice (continued)
• The patient or client has given explicit consent that this individual should access
all or part of their personal confidential data.
• The staff member is registered on a voluntary register approved by the
Professional Standards Authority.
And in all cases:
• The terms and contractual obligations of employment within an organisation have
an explicit duty of confidentiality as part of the contract with sanctions.
• The non-regulated individual is a part of the direct care team with a ‘legitimate
relationship’ to the patient or client.
Recommendation 4
Direct care is provided by health and social care staff working in multi-disciplinary
‘care teams’. The Review Panel recommends that registered and regulated social
workers be considered a part of the care team. Relevant information should be
shared with members of the care team, when they have a legitimate relationship
with the patient or service user. Providers must ensure that sharing is effective and
safe. Commissioners must assure themselves on providers’ performance.
Care teams may also contain staff that are not registered with a regulatory authority
and yet undertake direct care. Health and social care provider organisations must
ensure that robust combinations of safeguards are put in for these staff with regard
to the processing of personal confidential data.
3.8 Care homes and home care
For patients who reside in care homes, relevant clinical and social care information should
be shared with a registered and regulated professional at the care home, unless the
patient objects. This can be done on the basis of implied consent.
For example, in order to ensure continuity of care is maintained after a patient is
discharged from hospital, the care home may require relevant information about the
patient’s mobility, medication, nutritional needs and general condition.
For patients who reside in their own home with a package of care, relevant clinical and
social care information should be shared with the registered and regulated professionals
providing that care, unless the patient objects. This can also be done on the basis of
implied consent.
However, in residential care homes and for people living at home, a considerable
proportion of care is provided by staff who are not regulated by statute. It is not
reasonable to assume that patients being discharged from hospital have given implied
38
42
Information: To share or not to share? The Information Governance Review
consent for confidential personal data to be passed to these unregistered and unregulated
staff. Yet it may not be safe for people to be discharged in these circumstances without
some key information about their condition and medication accompanying them. The
situation is further complicated by the fact that individuals needing complex care packages
are more likely to lack capacity to give consent.
An increasing number of these staff are expected to be registered on a voluntary basis by
the Professional Standards Authority. This will give the public a greater assurance because
staff registered in this way who seriously breach specialist group rules can be dismissed for
serious malpractice.
Professional standards and good practice
The Review Panel concluded that appropriate communication from a regulated and
registered professional to non-regulated staff should be the norm and occur through
one of the following routes:
• The patient gives explicit consent to the sharing of their personal confidential
data.
• The contact point of the service is a registered and regulated health and social
care professional and communication is through implied consent.
• The communication is through the social worker or equivalent professional within
the local authority who has organised the package of care (‘care and support
plan’) in line with the proposed duties in the Health and Support Bill.
• The communication is given to the patient, with or without a carer being present,
and the patient makes the decision to share their copy of the communication.
• There is a specific safety concern regarding the patient, which is best resolved or
mitigated by sharing some of the patient’s personal confidential data in situations
where consent is not possible. In these situations, professional judgement and the
patient’s best interests need to apply.
3.9 Sharing information with and from friends and family
If patients and clients want their personal confidential data shared with friends or family,
they are entirely free to ask the health and social care professional to do this and the
request should not reasonably be refused. If this request is ongoing, consent for sharing
should be documented and capable of being shared between health and social care
professionals as part of their normal communications.
Health and social care professionals sometimes receive important information about a
patient from a third party, such as a partner or family member, a friend or a carer. This
information can often be relevant to a patient’s care, but may also be highly sensitive and
may have been given in confidence.
Documents you may be interested
Documents you may be interested
