Confidentiality – guidance for registrants Information for registrants


Health and Care Professions Council Confidentiality – guidance for registrants

Contents

Section 1: About this document
− Language

Section 2: Key principles

Section 3: About us
− Who do we regulate?

Section 4: Introduction
− Our standards of conduct, performance and ethics
− Confidentiality and the law
− Accessing and using information

Section 5: What information is confidential?

Section 6: Keeping information safe
− What our standards say
− Electronic records

Section 7: Consent and confidentiality
− What our standards say
− What is consent?
− Capacity
− Children and young people
− Making decisions for people who lack capacity

Section 8: Disclosing information with consent
− Working with other practitioners
− Other reasons
− If a service user does not give their consent

Section 9: Disclosing information without consent
− If the service user is unable to give their consent
− Public interest

Section 10: Disclosing information by law
− Requests from service users
− Safeguarding

Section 11: Disclosing information to regulators
− Reporting your concerns
− Identifiable information and fitness to practise

Section 12: Confidentiality and accountability

Section 13: More information
− Contact us

Glossary

Annex A: Data protection principles

Glossary of terms used in annex A


Section 1: About this document

This document provides guidance on some of the issues relating to how health and care professionals handle information about service users. We have written it mainly for our registrants, but it might also be helpful to potential registrants, employers and other people who want to know how we expect professionals to approach issues of confidentiality.

This document is not designed to replace local procedures and is not meant to cover every situation where problems can come up. However, it is meant to help you make informed and reasonable decisions relating to issues of confidentiality, in line with our standards.

If you have any questions after reading this document, please see the ‘More information’ section on page 20. We also explain some of the terms and phrases we use throughout this document in the glossary on page 21.

Language

In most of this guidance, when we refer to ‘service users’ we mean patients, clients and other people who are directly affected by the care, treatment or other services that registrants provide. The broad principles set out in this guidance also apply to registrants who provide services to organisations rather than individuals.

In this document, ‘you’ means a registrant and ‘we’ and ‘our’ refers to the Health and Care Professions Council.


Section 2: Key principles

This guidance cannot cover every situation where problems or challenges about confidentiality might come up. However, you should keep the following principles in mind when handling information. The guidance that follows builds on these principles to explain more.

You should:

− take all reasonable steps to keep information about service users safe;
− make sure you have the service user’s consent if you are passing on their information (unless there are good reasons not to, for example, it is necessary to protect public safety or prevent harm to other people);
− get express consent, in writing, if you are using identifiable information for reasons which are not related to providing care, treatment or other services for them;
− only disclose identifiable information if it is necessary, and, when it is, only disclose the minimum amount necessary;
− tell service users when you have disclosed their information (if this is practical and possible);
− keep appropriate records of disclosure;
− keep up to date with relevant law and good practice;
− if appropriate, ask for advice from colleagues, professional bodies, unions, legal professionals or us; and
− make your own informed decisions about disclosure and be able to justify them.


Section 3: About us

We are the Health and Care Professions Council (HCPC). We are a regulator and our main aim is to protect the public. To do this, we keep a register of professionals who meet our standards for their training, professional skills, behaviour and health.

Health and care professionals on our Register are called ‘registrants’. If registrants do not meet our standards, we can take action against them. In serious cases, this may include removing them from the Register so that they can no longer practise.

Our registrants work in a variety of different settings and with a variety of different people. In this document, we refer to those who use or who are affected by the services of our registrants as ‘service users’.

Who do we regulate?

We currently regulate the following professions.

− Arts therapists
− Biomedical scientists
− Chiropodists / podiatrists
− Clinical scientists
− Dietitians
− Hearing aid dispensers
− Occupational therapists
− Operating department practitioners
− Orthoptists
− Paramedics
− Physiotherapists
− Practitioner psychologists
− Prosthetists / orthotists
− Radiographers
− Social workers in England
− Speech and language therapists


Section 4: Introduction

Confidentiality means protecting personal information. This information might include details of a service user’s lifestyle, family, health or care needs which they want to be kept private.

Service users expect the health and care professionals who are involved in their care or treatment, or have access to information about them, to protect their confidentiality at all times. Breaking confidentiality can affect the care or services you provide, as service users will be less likely to provide the information you need to care for them. Doing this may also affect the public’s confidence in all health and care professionals.

This document builds on the principles outlined in section two and provides extra guidance about some of the issues which come up about confidentiality. It builds on the expectations of health and care professionals outlined in our standards of conduct, performance and ethics.

Our standards of conduct, performance and ethics

The following standards of conduct, performance and ethics describe the professional behaviour we expect from you. You must:

1. promote and protect the interests of service users and carers;
2. communicate appropriately and effectively;
3. work within the limits of your knowledge and skills;
4. delegate appropriately;
5. respect confidentiality;
6. manage risk;
7. report concerns about safety;
8. be open when things go wrong;
9. be honest and trustworthy; and
10. keep records of your work.

You can download copies of these standards from our website, or you can ask us to send you a copy. Please see the section ‘More information’ on page 20.

As our registrants work in a variety of settings and roles, we have written our standards so that they are relevant, as far as possible, to all registrants and all professions. We have also written them in a way that means they can take account of any changes in the law, technology or working practices.

Our standards are flexible enough to allow registrants and employers to take account of local circumstances – such as availability of resources – to develop ways of working that are practical, effective and meet the needs of service users.

We have written this document to help you meet our standards. However, there is often more than one way to do this. As a health and care professional, you need to make your own decisions (based on your own judgement) about the best way to meet our standards, taking account of your own practice and the needs of your service users. If someone raises concerns about your practice, we will take account of any steps you have taken, including following this guidance, when we decide whether you have met our standards.


Confidentiality and the law

You have a professional and legal responsibility to respect and protect the confidentiality of service users at all times.

It is a professional responsibility because our standards are there to protect the public and say that you should protect the confidentiality of service users at all times. Confidentiality issues can affect your registration.

It is a legal responsibility because of the principles set by law, which say that professionals have a duty to protect the confidentiality of the people they have a professional relationship with. The law also says how you should keep, handle and disclose information.

This guidance draws on relevant laws that affect health and care professionals and their service users. You are not expected to be an expert on the law, but you must keep up to date with and meet your legal responsibilities. Where helpful, we have referred directly to specific legislation which covers issues related to handling information, consent and capacity (see section 7 for more information about these).

Apart from the law, there is a large amount of guidance produced by other organisations, such as professional bodies, which may apply to you. If you are employed, your employer is also likely to have policies about confidentiality and sharing information. You should keep up to date with and follow any guidance or policies that are relevant to your practice.

Accessing and using information

When we refer to ‘using’ information, we mean any way information is handled. This includes accessing information, as well as disclosing information to third parties and using information in research or teaching.

This guidance focuses mainly on disclosing or sharing information with other professionals or third parties. However, accessing information (including care records) without good reason, permission or authorisation is considered to be breaking confidentiality, even if you do not then share the information with a third party. You should be sure that you have a legitimate reason for accessing information about service users, for example where you need it to provide care, treatment or other services. For other reasons you are likely to need specific permission from the service user.


Section 5: What information is confidential?

Information about a service user can be ‘identifiable’ or ‘anonymised’. By identifiable information we mean any information you hold about a service user that could identify them. You must treat this information as confidential.

Identifiable information can include:

− personal details, such as names and addresses;
− information about a service user’s health, treatment or care that could identify them;
− photos, videos or other images; and
− other information that a service user, family member or carer shares with you that is not strictly related to the care, treatment or other services you provide.

Anonymised information is information about a service user that has had all identifiable information removed from it and where there is little or no risk of a service user being identified from the information available. You may be able to share anonymised information more openly in some circumstances. However, you should always consider carefully what you are sharing and who you are sharing it with.


Section 6: Keeping information safe

What our standards say

Our standards of conduct, performance and ethics say that:

‘You must treat information about service users as confidential’ (5.1)

and

‘You must keep records secure by protecting them from loss, damage or inappropriate access.’ (10.3)

This means that you need to take all reasonable steps to protect information about service users. By ‘reasonable steps’, we mean that you need to take sensible, practical measures to make sure that you keep the information safe.

For example, you could store paper records in a lockable cabinet or room. If you run your own practice, you could develop a clear policy for your practice and provide training for your members of staff. Or, you might make sure that you avoid having conversations about service users in public areas where other people might be able to hear.

If you are employed by an organisation, your employer will normally have policies and guidelines on how you should store, handle and share information. In most circumstances, following these policies will allow you to meet our standards comfortably. However, you still need to think about your own practice to make sure that you are protecting confidentiality at all times.

As a responsible professional, it is important that you take action if you become aware that information about a service user has been lost, damaged or inappropriately accessed, or if there might be a risk of this happening. You should tell your employer (if you have one) and take steps to try to make sure that the problem does not happen again.

The Data Protection Act (DPA) 1998 governs how personal data (information), including service user records, should be handled. It outlines a number of data-protection principles. You can find more information in annex A at the back of this document and on the Information Commissioner’s Office website.

Electronic records

Health and care records are increasingly being held electronically, rather than on paper. We do not provide any specific guidelines about the types or features of computer-based systems which registrants should use.

This is partly because technology changes quickly and we would not want to prevent you from using new technologies. It is also because the type of electronic record system you use will depend on your practice, the type of setting you work in and other factors.

If you are employed, you should follow your employer’s policies and procedures for electronic record-keeping and keeping information secure.

If you are self-employed and need to set your own policies and procedures, you must make sure that you continue to meet our standards. This means making sure you keep electronic records secure and that they can only be accessed by the appropriate people. You should have an effective system in place for restricting access to the records – for example, personal logins and effective passwords.


Section 7: Consent and confidentiality

Identifiable information is disclosed for a number of reasons. It can happen when you refer a service user to another health and care professional or when a service user asks for information to be given to a third party.

It is important that you get the service user’s permission, or ‘consent’, before you share or disclose their information or use it for reasons which are not related to the care or services you provide for them. There are some exceptions to this and we cover these later in this document.

What our standards say

Our standards of conduct, performance and ethics say that:

‘You must only disclose confidential information if:

− you have permission;
− the law allows this;
− it is in the service user’s best interests; or
− it is in the public interest, such as if it is necessary to protect public safety or prevent harm to other people.’ (5.2)

What is consent?

Consent, for the purposes of confidentiality, means that the service user understands and does not object to:

− the information being disclosed or shared;
− the reason for the disclosure;
− the people or organisations the information will be shared with; and
− how the information will be used.

For consent to be valid, it must be voluntary and informed, and the person giving consent must have the capacity to make the decision.

− By ‘voluntary’, we mean that the person makes the decision freely and without being persuaded or pressurised by professionals, family, friends or others.
− By ‘informed’, we mean that the service user has enough information to make a decision about whether they give their permission for their information to be shared with other people. (This is sometimes called ‘informed consent’.) Service users should be fully aware of why you need to share any information about them, how you will do so, who you will be sharing the information with and how that information will be used. You should also tell them how not giving their permission is likely to affect the care, treatment or services they receive.
− By ‘capacity’ we mean a service user’s ability to use and understand information to make a decision and to tell you that decision. We discuss capacity in more detail below.

There are two types of consent for the purposes of confidentiality – express consent and implied consent.

− Express consent
  This is where you are given specific permission to do something. You need to get express consent if you are using identifiable information for reasons which are not related to the care, treatment or other services you provide for the service user, or in a way which they would not reasonably expect. It is also important to get express consent if a service user has previously objected to you sharing their information with other people. Express consent can be spoken or written.

  If the service user has given you their express consent verbally, it is good practice to keep an ongoing, up-to-date record of this in their formal record. This might include a summary of your discussions, the outcomes of those discussions and any decisions made. If you are employed, your employer may use consent forms or have other procedures in place.

− Implied consent
  This is where consent from the service user is not expressly spoken or written but can be taken as understood, for example because they have agreed to receive treatment, care or other services. If you are using identifiable information to care for a service user or provide services to them, in most circumstances you will have their implied consent. Most service users will understand the importance of sharing information within the multidisciplinary team. If you are not sure whether you have implied consent, you should always get express consent.

The Data Protection Act also provides a definition of consent. You can find more information in annex A.

Capacity

You must keep up to date and follow the law in this area. If you are employed you should also take account of your employer’s policies and processes. If you are self-employed or unsure about a specific situation, you should speak to your professional body or get legal advice.

Examples of reasons an adult service user might lack capacity include:

− a mental-health condition;
− dementia;
− severe learning disabilities;
− brain damage, for example from a stroke;
− a physical or mental condition that causes confusion, drowsiness or loss of consciousness; and
− the effects of alcohol or drugs.

You should assume that adult service users have sufficient capacity unless there is significant evidence to suggest otherwise.

Children and young people

For children under 16, you may need to get consent from someone with parental responsibility. This could be:

− the child’s mother or father;
− the child’s legally appointed guardian;
− a person with a residence order for the child;
− a local authority designated to care for the child; or
− a local authority or person with an emergency protection order for the child.

However, some children under 16 can give consent if they can fully understand the information given to them. This is known as ‘Gillick competence’.

You should treat young people (aged 16 and 17) in the same way as adults and presume they have capacity unless there is significant evidence to suggest otherwise.


Making decisions for people who lack capacity

The law surrounding making decisions on behalf of a person who lacks capacity varies among the UK countries.

In England, Wales and Northern Ireland, the law says you must act in the ‘best interests’ of service users. This includes giving service users who have capacity enough information to make sure that they are able to make a decision about whether they will allow you to share their information with other people.

Both the Mental Capacity Act 2005 and the Mental Capacity Act (Northern Ireland) 2016 set out what you should consider when making ‘best interests’ decisions on behalf of someone who lacks capacity. You should:

− consider all the circumstances relevant to the service user, for example the type of mental-health condition or physical illness they have;
− consider whether they are likely to have capacity in the near future and if the decision can be postponed until then;
− involve them as far as possible;
− take account of the beliefs, values, wishes and instructions they expressed when they had capacity; and
− be aware of the views of, for example, their close relatives, carers and guardians.

However, you need to balance the best interests of the service user against other duties. If you have a legal duty to share the information, or need to share it to protect the public interest, you can share it without the consent of the service user. We explain this in more detail later in this document.

In Scotland, the Adults with Incapacity (Scotland) Act 2000 sets out the principles you must follow when making decisions on behalf of someone without capacity.

1. Any action or decision you take must benefit the person and must only be taken when you cannot reasonably achieve that benefit otherwise.
2. Any action or decision you take should be the minimum necessary.
3. You must take account of the present and past wishes and feelings of the person, as far as possible.
4. You should take account of the views of others who have an interest in the person’s welfare.
5. You should encourage the person and allow them to make their own decisions and manage their own affairs as much as possible and develop the skills needed to do so.


Section 8: Disclosing information with consent

In most cases, you will need to make sure you have consent from the service user before you disclose or share any identifiable information.

Working with other practitioners

One of the most common reasons for disclosing confidential information will be when you contact other health and care practitioners. This might include discussing a case with a colleague or referring a service user to another health and care professional.

Sharing information is part of good practice. Care is rarely provided by just one health and care professional, and sharing information within the multidisciplinary team or with other organisations or agencies is often an important way of making sure care can be provided effectively.

Most service users will understand the importance of sharing information with others who are involved in their care or treatment and will expect you to do so, so you will normally have implied consent to do this.

However, when you share information with other colleagues, you should make sure that:

− it is necessary to provide the information;
− you only disclose the information that is relevant; and
− the professional receiving the information understands why you are sharing it and that they have a duty to keep it confidential.

If you decide not to contact other practitioners when you might reasonably be expected to, or if a service user asks you not to, it is important that you keep clear records of this and are able to justify your decision.

If you are concerned about a request someone makes for information – for example, you think the information they have asked for is not relevant – you should contact the person who has asked for the information so they can explain their request. You may also want to get legal advice, or advice from a union or professional body if you are a member.

Other reasons

It is important that you get express consent, in writing where possible, if you plan to use identifiable information for reasons which are not directly related to the service user’s care or if they would not reasonably expect their information to be used or shared in that way.

Examples might be where you need information for research, teaching or health and care services planning. In many cases it will be sufficient to use information which does not identify the service user. Where possible, it is better to use this than to use identifiable information. You should consider how much information you need to change or remove to make sure that you are protecting the service user’s confidentiality. For example, you should consider whether the area you work in means that it might be possible to identify the service user by their job or by their medical condition.

If you need to use identifiable information, you should explain fully to the service user how you will use their information and whether there are any risks involved in disclosing it. You should make sure that their consent is clearly recorded in their notes.

Sometimes, a third party who is not a health and care professional may ask you for information. This might be a request to send information to an insurance company, government agency or a solicitor. You should make sure that you have express consent to provide any information.


In these situations, you should also keep a written record of the information you have disclosed and only disclose what you have been asked to. You should also offer to show the service user or provide a copy of any report you write about them for such purposes.

If a service user does not give their consent

You should make sure that you explain to the service user the possible effect of not sharing information about their care or other services you are providing.

If a service user who has capacity refuses to give consent for information to be shared with other health and care professionals involved in providing care, treatment or other services, you must respect their decision, even if it could negatively affect the care, treatment or other services they can receive.

However, if the law says you must disclose the information or it is justified in the public interest to do so, you can do so without the consent of the service user. We explain more about situations like this later in this document.


Section 9: Disclosing information without consent

There are a small number of circumstances where you might need to pass on information without consent, or when you have asked for consent but the service user has refused it.

If the service user is unable to give their consent

In some circumstances it may not be possible to get consent from a service user to share information. For example, in some emergency situations, they may be unable to communicate or give consent because they are very unwell or unconscious. In other circumstances, they may not have capacity to give consent.

As discussed earlier, whether a service user has capacity will depend on a number of things, including their mental capacity and age. If a service user is unable to give consent, you may have to disclose information if it is in their best interests. We have outlined earlier in this guidance what you will need to consider when deciding whether it is in their best interests.

Also, you may need to share information with those closest to them (such as a carer or family members) so that you or other health and care professionals can decide what is in their best interests. It is also reasonable to assume that they would want those closest to them to be kept informed of their condition, treatment or care, unless they have previously said otherwise.

You should speak to your employer (if you have one) or professional body for further guidance.

Public interest

You can also disclose confidential information without consent from the service user if it is in the ‘public interest’ to do so.

This might be in circumstances where disclosing the information is necessary to prevent a serious crime or serious harm to other people. You can find out whether it is in the public interest to disclose information by considering the possible risk of harm to other people if you do not pass it on, compared with the possible consequences if you do. This includes taking account of how disclosing the information could affect the care, treatment or other services you provide to the service user.

You should carefully consider whether it is in the public interest to disclose the information. If you are unsure, speak to your manager or employer (if you have one), or your union or defence organisation. You may also want to get legal advice.

You need to be able to justify a decision to disclose information in the public interest (or a decision not to disclose information) so it is important that you keep clear records.

Even where it is considered to be in the public interest to disclose confidential information, you should still take appropriate steps to get the service user’s consent (if possible) before you do so. You should keep them informed about the situation as much as you can. However, this might not be possible or appropriate in some circumstances, such as when you disclose information to prevent or report a serious crime.


Section 10: Disclosing information by law

Sometimes, you may be asked for information directly under the law – for example, if a court has ordered you to disclose the information. You have a legal duty to keep to orders made by the court.

You should tell the service user if you have had to disclose information about them by law, unless there are good reasons not to – for example, if telling them would affect how serious crime is prevented or detected. You should also only provide the information you have been asked for and keep a record of this.

Keep in mind that not all requests from solicitors, the police or a court are made under a legal power that means you must disclose information. If disclosure is not required by law, and cannot be justified in the public interest, you must get express consent from the service user.

Requests from service users

Service users have the right to see information you hold about them and it is important that you respect this.

Safeguarding

Our standards of conduct, performance and ethics say that:

‘You must take appropriate action if you have concerns about the safety or well-being of children or vulnerable adults.’ (7.3)

In these situations, the following apply.

− If you are employed, you should follow local policies and processes for raising a safeguarding concern. This might include informing the local council or the police.
− If you are self-employed and you are concerned that someone has caused harm, or could pose a risk to vulnerable groups, you should refer the matter to the Disclosure and Barring Service, or in Scotland, Disclosure Scotland. You may also want to inform the local council or the police.


Section 11: Disclosing information to regulators

There are a number of regulators – such as the General Medical Council, the Care Quality Commission and us – who may need you to pass on information to them. In some cases regulators have statutory powers to request information (see ‘Identifiable information and fitness to practise’ below). This section refers to regulators of health and care professionals, but is relevant to other types of regulators as well.

Reporting your concerns

Registrants are often not sure about passing on identifiable information because they do not know how this information might be used. However, so that regulators can protect the public, it is important that you tell them if you have any concerns about whether a registered professional is fit to practise. This is also related to your duties under our standards of conduct, performance and ethics.

When you tell a regulator about your concerns, you may need to include information about a service user. This might be because your concerns are about the care or services provided to a particular service user or group of service users.

If you need to disclose information about a service user, make sure that the information is relevant to your concerns. You should, if possible, remove all identifiable information, including names and addresses. Where it is necessary to include identifiable information it is good practice to tell the service user and try to get their consent for the disclosure. However, if the disclosure is required in the public interest, identifiable data can be disclosed without consent.

You should keep an appropriate record of any disclosures, giving reasons for disclosing the information and a justification for that disclosure where possible.

You might also want to discuss these matters with your manager (if you have one) or a professional colleague.

If you are not sure whether to tell a regulator, what information to provide, or how they will use the information, you should contact the regulator for more advice.

Identifiable information and fitness to practise

Sometimes regulators make requests for information about service users that they need to help them investigate a registrant’s fitness to practise. For example, if we are looking at a complaint about a registrant’s record-keeping, we might need to ask for copies of the records so that we can decide whether the professional has met our standards.

Regulators often have powers to require information from people other than the person being investigated. They will sometimes make these requests using ‘statutory powers’. These are powers that a regulator has by law to help them in an investigation. You have to provide the information, but it is good practice to tell service users (if possible) when you have disclosed information about them.

You should make sure that you only provide the information the regulator has asked for, and provide anonymised or partly anonymised information when you can.

If we ask for information using our statutory powers, we will put this in writing and explain why we are asking for it and how we will use it. Information we use during a hearing will usually have all the identifiable information removed from it, and we will always take appropriate steps to make sure that we protect a service user’s confidentiality. The law says we have to handle this information responsibly. For example, we use terms such as ‘Service user A’ to refer to individuals. We may also hold hearings fully or partly in private when necessary.


Section 12: Confidentiality and accountability

As a health and care professional, you are responsible and accountable for the decisions you make, including ones about confidentiality and disclosing information.

We feel that you are best placed to make practical decisions, taking account of the way in which you practise. You need to make informed and reasonable decisions about your own practice to make sure that you always respect and protect the confidentiality of service users. It is also important that you are able to justify the decisions you make.

If you are employed by an organisation, they are likely to have policies and procedures in place relating to confidentiality. We expect you to practise in line with these.

If you are self-employed or employ other people, we expect you to put in place policies and procedures to make sure you are holding service users’ information confidentially and sharing it only where lawful and appropriate.

However, if you find that the policies and procedures relating to confidentiality in the organisation or service where you work are not suitable or appropriate, or do not allow you to carry out your duties, you should raise your concerns. This might be to your manager or the person with responsibility for data protection where you work, or with another appropriate authority. If you feel that your employer’s policy might mean that confidentiality is put at risk, you should contact your union, professional body or us for advice.


Section 13: More information

If you are not sure about what you should do in a specific situation, consider asking your employer, professional body or independent legal representative for advice.

The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights and has produced guidance which you may find useful: https://ico.org.uk/

We also recognise the valuable role professional bodies play in providing advice and guidance to their members. If you are a member of a professional body, you may find it useful to ask for advice about good practice on confidentiality as it relates to your profession.

In particularly complex situations, you might also consider getting independent legal advice.

Contact us

You can contact us if you have any questions about this guidance or what we expect with regard to confidentiality. However, we cannot offer legal advice. Our contact details are below.

The Health and Care Professions Council
Park House
184 Kennington Park Road
London
SE11 4BU

Phone: +44 (0)300 500 6184

You can download copies of our standards documents and other publications from our website at www.hcpc-uk.org


Glossary

You may not be familiar with some of the terms we use throughout this document, so we have explained them below.

Accountable
As an accountable health and care professional, you will be responsible for the decisions you make and you may also be asked to justify them.

Anonymised information
Information about a service user that has had all identifiable information removed from it, and where there is little or no risk of an individual being identified.

Autonomous
As an autonomous health and care professional, you make your own decisions based on your own judgement.

Court order
An order made by a judge or court for something to happen.

Disclose, disclosure
When information is revealed, released or passed on from one person to another.

Express consent
Specific permission from the service user, given verbally or in writing, to use or share information about them.

Fitness to practise
A professional is fit to practise if they have the training, skills, knowledge, character and health to do their job safely and effectively. We can take action if we have concerns about a registrant’s fitness to practise.

Identifiable information
Any information that might identify a service user, for example their name, address or details of their health condition, treatment or care.

Implied consent
When a service user is aware of the possibilities for sharing information and their right to refuse this, but does not object.

Informed consent
When a service user has enough information to make a decision about whether they give their permission for information to be shared with other people.

Professional bodies
Organisations which promote or represent members of a profession. They may also provide guidance and advice, produce curriculum frameworks, oversee post-registration education and training, and run continuing professional development (CPD) programmes.

Public interest
Disclosures of information are made in the ‘public interest’ when it is necessary to prevent a serious threat to public health, national security, the life of the person concerned or another person, or to prevent or detect serious crime.

Register
A published list of health and care professionals who meet our standards. The Register is available on our website at www.hcpc-uk.org

Registrant
A health and care professional who appears on our Register and meets our standards.

Regulator
An organisation that protects the public by making sure people or organisations keep to certain laws or requirements.


Service user
Anyone who uses or is affected by the services of a registrant. This includes patients and clients.

Standards of conduct, performance and ethics
Standards of behaviour that we expect from health and care professionals who are registered with us.

Statutory powers
Certain organisations, such as regulators, have powers under legislation. This sometimes includes the power to ask for information from people.

Third party
Someone who is not the service user, a member of their family or a carer or the professional involved in their care or treatment. This could include another professional or an organisation that has requested information.


Annex A: Data protection principles

(Plain English Campaign’s Crystal Mark does not apply to Annex A or its glossary.)

The Data Protection Act (DPA) 1998 regulates the processing of personal data and outlines a number of data protection principles. We have repeated these principles in full below. The Information Commissioner’s Office (ICO’s) website (see section 12) includes helpful information about what these principles mean.

a. personal data must be processed fairly and lawfully

b. personal data should be obtained for one or more specified and lawful purposes and should not be processed in any manner incompatible with that purpose(s)

c. personal data should be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed

d. personal data should be accurate and, where necessary, kept up to date

e. personal data should not be kept for longer than is necessary

f. personal data should be processed in accordance with the rights of the data subject

g. appropriate measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

h. personal data should not be transferred to a country or territory outside the European Economic Area unless there are adequate levels of protection for the rights and freedoms of data subjects in relation to the processing of personal data in that country or territory.

Conditions for processing

In order to satisfy principle one (to process data fairly and lawfully), one or more ‘conditions for processing’ must be met whenever personal data is processed. These conditions are:

a. The individual who the personal data is about has consented to the processing.

b. The processing is necessary:

i. In relation to a contract which the individual has entered into; or

ii. Because the individual has asked for something to be done so they can enter into a contract.

c. The processing is necessary because of a legal obligation (except an obligation imposed by a contract).

d. The processing is necessary to protect the individual’s ‘vital interests’. This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident.

e. The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.

f. The processing is in accordance with the ‘legitimate interests’ condition.


Sensitive personal data

The DPA outlines additional requirements for the processing of sensitive personal data. Sensitive data means personal data consisting of information about an individual’s:

a. racial or ethnic origin of the data subject

b. political opinions

c. religious belief or other beliefs of a similar nature

d. whether they are a member of a trade union

e. their physical or mental health condition

f. their sexual life

g. the details of any offence they have committed, or are alleged to have committed

h. any proceedings relating to an offence they have committed (or are alleged to have committed) including any outcome or sentence.

Sensitive personal data should be treated with greater care than other personal data. If you are processing data you must satisfy one or more of the ‘conditions for processing’ outlined above. You must also meet at least one of the conditions set out below:

a. the individual who the sensitive personal data is about has given explicit consent to the processing

b. the processing is necessary so that you can comply with employment law

c. the processing is necessary to protect the vital interests of:

i. the individual (in a case where the individual’s consent cannot be given or reasonably obtained), or

ii. another person (in a case where the individual’s consent has been unreasonably withheld)

d. the processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents

e. the individual has deliberately made the information public

f. the processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights

g. the processing is necessary for administering justice, or for exercising statutory or governmental functions

h. the processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality

i. the processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.


Consent

Consent under the DPA follows the definition set out in the European Data Protection Directive:

‘…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.’

To satisfy this, consent must be:

a. given by some active communication between the parties and should not be inferred (although it doesn’t have to be in writing)

b. appropriate to the age and capacity of the individual and to the circumstances of the case

c. clear, covering the type of information, the purposes of processing and any special aspects which may affect the individual

d. timely – consent will not necessarily last forever, although it will usually last for as long as the related processing continues.

For further information about DPA principles, please visit the Information Commissioner’s Office website.


Glossary of terms used in annex A

Data controller (as defined by the Data Protection Act 1998)
A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Processing (as defined by the Data Protection Act 1998)
In relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data. For further information please visit the Information Commissioner’s Office website.

Personal data (as defined by the Data Protection Act 1998)
Data which relate to a living individual who can be identified from those data or from those data together with other information which is in the possession of, or is likely to come into the possession of, the data controller.

© Health and Care Professions Council 2017
Publication code: 20080206dPOLPUB (revised October 2017)

To request this document in Welsh or an alternative format, email [email protected]

Park House
184 Kennington Park Road
London SE11 4BU

tel +44 (0)300 500 6184
fax +44 (0)20 7820 9684
www.hcpc-uk.org

Crystal Mark 16780
Clarity approved by Plain English Campaign