Chapter 4 - Records Governance

4.1 Information governance framework

4.1.1 Introduction

The term Information Governance is used to describe the processes that ensure the quality, security and appropriate use of information. It is concerned with the accuracy, accessibility, consistency and completeness of information; with mechanisms to manage the recording of information so as to maintain its provenance and ensure the attribution of authorship and changes; with processes to ensure information is collected fairly, with informed consent as appropriate, and used in a manner consistent with such consent as far as professional ethics and the law allow; and with mechanisms to protect access and ensure the security of information.

The National Information Governance Board (NIGB) has had prime responsibility for supporting improvements to information governance practice in health and social care in England[^1] (though its statutory functions will eventually be transferred to the Care Quality Commission, following Cabinet Office review in 2010). The NIGB takes the view that no system can have zero risk of loss of data through breakdown of security / confidentiality and that security has to be balanced with the risk of harm to patients due to either the difficulty of accessing records or restrictions in working practices; it is a matter of balancing risks and benefits. They recognise that it is human error, negligence or dishonesty, and not information management systems, which primarily put confidentiality at risk. Good practice supported by training is the foundation of good information governance.

The National Programme for IT (NPfIT) "spine" services such as Choose and Book and the Electronic Prescription Service use a common approach to protect the security and confidentiality of every patient's personal and health care details. The NHS has set out the principles that will govern how patient information is held in the NHS CRS and the way it is shared. These are outlined in the NHS Care Record Guarantee[^2] and will be reviewed at least every twelve months as the NHS Care Records Service develops.

Organisations that need to access these services set up Registration Authorities to manage this process. The Registration Authority is responsible for verifying the identity of health care professionals and workers who wish to register to use these services. Once authorised, the Registration Authority issues an NHS Smartcard to individuals[^3]. Individuals use their NHS Smartcard and their Smartcard Pass-code each time they log on.

NHS CRS Smartcards help control who accesses the NHS CRS and what level of access they can have. They are similar to a chip and PIN credit or debit card, but are more secure. A user's Smartcard is printed with their name, photograph and unique user identity number. To register for a Smartcard, Registration Authorities are required to ask applicants for identification which satisfies the government recommended standard 'e-Gif Level 3', providing at least three forms of ID (photo and non-photo), including proof of address. Individuals are granted access to patient information based on their work and level of involvement in patient care. Staff will also continue to be bound by professional guidance[^4], local regulations, the Data Protection Act and the NHS Code of Confidentiality.

Information Governance provides a framework for handling personal information in a confidential and secure manner to the ethical and quality standards that are appropriate in a modern health service. There are a number of tensions (such as the need to balance the requirement for communication between health professionals against a patient's right to confidentiality), which render this a complex area, but it is not an area that health professionals can afford to neglect. Public concern about the handling of personal information by public sector bodies remains high and it is essential that robust assurance is provided by all NHS organisations.

4.1.2 Rationale

NHS organisations in general and primary care teams in particular are increasingly expected to work in close collaboration with other organisations both within and without the NHS family. It is expected that NHS organisations will endeavour to ensure that services delivered are appropriate to the needs of patients and of high quality. This implies that NHS organisations and other involved bodies should communicate all relevant information between themselves in order to ensure that services delivered are both consistent and fully compatible with patient needs. However, the delivery of services to patients must remain within the legal, ethical and policy framework. This framework needs to be understood by all those involved in sharing patient information.

4.1.3 Scope

Information governance encompasses the principles that apply to the processing and protection of information in whatever form it is processed or utilised. These principles apply equally to written records, oral communications and other media (e.g. photographs and x-rays).

Important elements of information governance for NHS bodies are derived from legislation and common law. Some of these elements are clear-cut but many others need interpretation. NHS service delivery requirements, an understanding of acceptable ethical practice and applicable Department of Health policy and standards will all impact on this interpretation. The relevant areas of law are listed below, with an indication of the implications of each.

4.2.1 Common law duty of confidence

The long-established principle that health care professionals have a duty of confidence to their patients is supported by the common law (case law established by the Courts). Confidentiality may, however, be set aside in the public interest or where statute requires. (Examples are the statutory powers of a range of bodies, including the Care Quality Commission, the Audit Commission and Primary Care Trusts, to require disclosure of confidential information, and the disclosures required for notifiable diseases and under the Abortion Act.)

Key attributes:

Confidential patient information may only be disclosed:

(i) With a patient's consent, or

(ii) Where it is required by law (statutory instrument or Court Order), or permitted under S.251 of the NHS Act 2006, or

(iii) Where the public interest served by disclosure outweighs the public (and private) interest in protecting the right to confidentiality. Disclosures in the public interest must be considered on a case-by-case basis.

Key guidance:

  • Confidentiality: NHS Code of Practice[^5]

  • GMC Confidentiality: (and supplementary guidance)[^6]

4.2.2 Computer Misuse Act 1990

The Computer Misuse Act identifies a range of offences relating to unauthorised access to or unauthorised modification of computer records. It may apply where an unauthorised third party accesses information being transferred.

Key attributes:

Where systems are used other than by authorised staff for approved purposes it is likely to be a criminal offence. It is important that all staff members are aware of and comply with a documented acceptable use policy and the security measures put in place to protect all health records.

Key guidance:

Department of Health guidelines

  • Information Security Management: NHS Code of Practice[^7]

  • NHS Information Governance -- guidance on legal and professional obligations[^8]

4.2.3 Access to Health Records Act 1990

The Access to Health Records Act[^9] gives the personal representatives of the deceased, or those who have a claim arising from the patient's death, a right of access to the health records of the deceased. The Act allows individuals to add a note to their health record to negate this access right. Right of access may be partially excluded in certain circumstances[^10].

Key attributes:

Gives the personal representatives of the deceased, or those who have a claim arising from the patient's death, access to the health records of deceased patients.

Key guidance:

Department of Health guidelines

  • The NHS Confidentiality Code of Practice[^11]

  • Department of Health, patient confidentiality and access to health records[^12]

  • GMC Confidentiality (and supplementary guidance)[^13]

  • NHS Information Governance -- guidance on legal and professional obligations[^14]

4.2.4 Data Protection Act 1998 (DPA)

The DPA[^15] sets out eight principles to be followed when processing identifiable information about living individuals. The term 'processing' includes recording, storage, manipulation and transmission of information. The Act also identifies both the sensitive nature of health information and the particular needs of health professionals to communicate that information between themselves.

The DPA provides patients with a right to have copies made available of their own personal data held in their health records, within the terms of the Act. The DPA applies to both electronic and paper-based record systems.

The eight principles are listed below.

Schedule 1, Part I, paragraph 1 - The data protection principles

  1. Personal data shall be processed fairly and lawfully, and in particular shall not be processed unless---

    a. at least one of the conditions in Schedule 2 is met, and

    b. in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

  4. Personal data shall be accurate and, where necessary, kept up to date.

  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Other relevant sections of the DPA particularly relevant to the processing of health data are:

  • Schedule 2, paragraphs 5(c) and (d) and 6 -- personal data

  • Schedule 3, paragraphs 7(1)(c), 8(1)(a) and (b), 8(2) and 10 -- sensitive personal data

4.2.4.1 Data Protection Issues

Data protection legislation restricts the sharing of information between legal entities without the consent of the data subject and requires that a data controller is identified for each organisation who has the duty to ensure compliance with data protection legislation. It is not clear who the data controller is for shared electronic health records. It would seem that the data controller of each participating organisation has a role and the idea of a "data controller in common" has been proposed, where the data controllers of each participating organisation have a shared responsibility for the total contents of the shared electronic health record. However, it is not clear how current legislation supports it or how it could be organised in practice.

When people use the NHS, they expect a confidential relationship with the members of the care team they see. But it may be misleading to discuss this relationship in isolation. Patients expect that a practice or NHS Trust will take corporate responsibility for their care and collaborate with other organisations around a care pathway that provides a package of complementary elements managed to suit the patient's individual circumstances. This might also reasonably include regulators and others responsible for detecting unsafe or ineffective practice[^16]. This creates a tension between the need to share health data for legitimate corporate reasons and preserving patient confidentiality.

Patients do not in practice expect everything to come to a stop (until they consent) at each step when a new individual has to take part in organising a package of high quality care. They want the high quality care. There is no contradiction in recognising that they also want an effective mechanism when some particular information is especially sensitive and they have a right to object to uses that could be harmful to them.

The DPA does make the bridge between the health professional's duty of confidentiality and the corporate duty to protect personal information, which falls on the organisation. The reconciliation of clinical confidentiality with the corporate duty comes when:

  • The uses are within the reasonable expectation of the patient, given what he/she has been told about the purposes necessary for the provision of appropriate care (the "legitimate interests of the data controller" in this case), and when

  • The uses do not prejudice the rights and freedoms or legitimate interests of the patient; and when

  • The care record can be viewed so that particular people use the parts of it they need for their role, and the staff or others who use the information for these purposes are bound to keep it confidential.

The care team is not an entity recognised by legislation. Anyone who uses sensitive information for medical purposes has to be under a suitable duty of confidence. That is one of the conditions that apply to the corporate responsibility of a data controller using personal information relating to a person's "physical or mental health or condition".

The concept of locally held data will probably gradually disappear and there will be a number of data controllers sharing responsibility in common for each data subject.

The Care Record Guarantee, published by the NIGB[^17], underpins the relationship between patients and those who will have access to their NHS records.

Key attributes:

The first principle of the Act requires that data are processed 'fairly' and 'lawfully'. This means that patients must be informed about how and why information about them is used and who will have access to their information. It also means that the data must be processed in accordance with all relevant laws, including the common law duty of confidentiality, which requires consent for disclosure to third parties.

The key principles are that data must be:

  • Obtained for a specified and lawful purpose

  • Not excessive for the purpose

  • And (for sensitive personal data for medical purposes) processed by a health professional or an individual with an equivalent duty of confidentiality.

The DPA 'identifies the particular needs' of communication with health professionals and 'a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional', which may be particularly important as health and social care become more integrated.

The proper use (and sharing) of sensitive personal information for medical purposes depends:

  • First on using it to the extent necessary for the purpose, and

  • Second on limiting the use to people who will keep it confidential.

N.B. The common law duty of confidentiality must be satisfied in order for confidential information to be processed lawfully under principle one of the DPA.

Key guidance:

  • Data Protection Act 1998: Further Guidance[^18]

  • The NHS Confidentiality Code of Practice[^19]

  • Department of Health guidance on patient confidentiality and access to health records[^20]

  • NHS Information Governance -- guidance on legal and professional obligations[^21]

4.2.5 Human Rights Act 1998

The Human Rights Act (HRA)[^22] incorporates the European Convention of Human Rights into UK law. The Act identifies 15 human rights in Schedule one and requires 'public authorities' to ensure that their activities do not violate these rights. GP Practices working within the NHS are public authorities under the HRA and are therefore required to observe the Convention rights in their decision-making, and demonstrate that they have done so.

Key attributes:

The Act provides a right to respect for privacy (article eight) that can only be set aside in accordance with the law when considered necessary in a democratic state. The advice from government is that this right is respected fully where the requirements of the Data Protection Act 1998 and the common law duty of confidence are complied with.

Key guidance:

  • NHS Information Governance -- guidance on legal and professional obligations[^23]

  • GMC Confidentiality (and supplementary guidance)[^24]

4.2.6 Freedom of Information Act 2000 (FOI)

The Freedom of Information Act[^25] gives a general right of public access to information held by public authorities (including GP Practices). The Act also places a number of obligations on public authorities. There are a number of exemptions within the Act, which must be considered before supplying information requested.

The FOI is not intended to allow people to gain access to private sensitive information about themselves or others, such as information held in health records. Those wishing to access personal information about themselves should apply under the DPA. The Information Commissioner has provided guidance to the effect that health records of the deceased are exempt from the provisions of FOI due to their sensitive and confidential content.

There are specific exemptions in the FOI Act to stop disclosure of personal health information. The following two sections of the FOI Act are the most relevant:

Section 40 -- Information which constitutes 'personal information' under the Data Protection Act 1998 (DPA) is exempt from the provisions of FOI if its disclosure would contravene any of the DPA principles. The DPA only applies to living individuals. (However, there may be some cases where information about a deceased patient is also personal information relating to or identifying a living individual.)

Section 41 -- Information that has been provided in confidence is exempt from the provisions of the FOI. There is a general agreement that information provided for the purpose of receiving healthcare is held under a duty of confidence. This exemption applies with regards to access to deceased patient records.

Key attributes:

Whilst there are a number of exemptions, the main one that will apply in a primary care setting relates to confidential patient information. Requests have to be dealt with within 20 working days.

Key guidance:

  • Freedom of Information Act -- Freedom of Information Act[^26]

  • NHS Information Governance -- guidance on legal and professional obligations[^27]

  • Guidance for Access to Health Records Requests February 2010, page 16, para 54 published by DH[^28]

4.2.7 The National Health Service Act 2006

Section 251 of the National Health Service Act 2006 (formerly known as section 60 of the Health and Social Care Act 2001) provides the power to ensure that, in specific circumstances, patient identifiable information needed to support essential NHS activity can be used without the consent of patients. The power can only be used to support medical purposes that are in the interests of patients or the wider public, where consent is not a practicable alternative and where anonymised information will not suffice. In effect it sets aside the common law duty of confidentiality. The Secretary of State for Health is required to consult with the statutory National Information Governance Board (Ethics and Confidentiality Committee) before making any regulations under section 251 (see also Chapter 4.8.1 below).

Key attributes:

The power provided under s251 of the NHS Act 2006 can be used to provide exemption from the common law duty of confidence requirement for consent. It provides no exemption from the Data Protection Act 1998. To date these powers have not been used in a way that would override patient dissent which must be respected.

Key guidance:

  • Department of Health confidentiality website The NHS Confidentiality Code of Practice[^29]

  • Department of Health, patient confidentiality and access to health records[^30]

  • GMC Confidentiality (and supplementary guidance)[^31]

4.2.8 Electronic Communications Act 2000

This Act[^32] sets in place an approval scheme for businesses providing cryptography services, such as electronic signatures and confidentiality services and the processes under which electronic signatures are generated, communicated or verified. An NHS order made under the Act allows for the creation and transmission of prescriptions by electronic means in cases where specified conditions are met.

Key attributes:

An NHS order made under the Act allows for the creation and transmission of prescriptions by electronic means in cases where specified conditions are met.

Key guidance:

  • NHS Information Governance -- guidance on legal and professional obligations[^33]

4.2.9 The NHS (General Medical Services Contracts) Regulations 2004[^34], the NHS (Personal Medical Services Agreements) Regulations 2004[^35] and the APMS Directions[^36]

These Regulations, which came into force in support of the GP contract, provide Primary Care Trusts (PCTs) with the power to require patient, and other, information to be provided by practices where this is necessary in order for PCTs to discharge their responsibilities with regard to wider functioning of the NHS.

These regulations make explicit existing legal and ethical obligations of confidentiality, placing them in the context of primary care contractual arrangements. It does not cover in detail all circumstances in which contractor-held information may be requested, but sets out principles of good practice for contractors of primary medical services and Primary Care Trusts (PCTs) who commission services from them.  It also describes circumstances in which Strategic Health Authorities (SHAs) or the Department of Health (DH) may request access to certain contractor-held information. PCTs are required by Directions to comply with the provisions of this Code when exercising certain functions. PCTs should normally seek actively to involve and engage Local Representative Committees in relation to the Code where there are any potential issues of contention or where contractors may require additional support.

Key attributes:

The Regulations provide PCTs with a right of access to patient records in an identifiable form for key purposes, without patient consent, where it is impracticable to anonymise the records or to obtain express patient consent.

Key guidance:

Department of Health publication:

  • Confidentiality and Disclosure of Information: General Medical Services (GMS), Personal Medical Services (PMS), and Alternative Provider Medical Services (APMS) Code of Practice 2005[^37]

4.3 Standards

In addition to the requirements of law, there are a range of standards that contribute to the information governance framework. An information standard is a formal document approved and issued by the Information Standards Board for Health and adult Social Care[^38]. It defines a technical specification, content, methods, processes and practices for mandatory implementation across health and social care in England. An example of an information standard is the use of the NHS Number[^39] in primary care or the introduction of the International Classification of Diseases (ICD) into the NHS[^40].

The General Medical Council is represented on the Information Standards Board, ensuring that there is appropriate regulatory input before standards are approved. In addition, the developers of information standards will be encouraged to have the guidance reviewed by the GPC & RCGP Joint GP IT Committee.

Information standards will usually be implemented in the IT systems funded by the Primary Care Trust. It is important to note, however, that there may be instructions for users contained in the information standard. These should be followed by GP practice staff to ensure the IT system is used correctly. The guidance will normally be issued by the PCT or directly by the supplier. An example would be the guidance that accompanied the NHS Number standard that the patient is routinely asked their NHS Number.

GP practices should therefore act upon guidance issued by the PCT or suppliers that is endorsed by an information standard.

4.3.1 ISO/IEC27001:2005 and ISO/IEC27002: Information Security Standards

The NHS has adopted the ISO/IEC 27000 series of international security standards[^41]. ISO/IEC27001 defines the Information Security Management System (ISMS) approach to compliance and ISO/IEC27002 describes the code of practice for information security management and a range of generally accepted good practice security controls.

Although these standards provide a robust and comprehensive approach to the management of information security, compliance may be beyond the resources of many GP Practices. However, it is essential that practices establish the most secure working practices that they can and key elements of information security are outlined and supported within the NHS Information Governance toolkit[^42]. Increasingly network and database security will not be in the hands of individual GP practices but important aspects of information security management will remain a local responsibility.

Key attributes:

Information security needs to be based upon an assessment of risk and covers issues such as access controls, physical security (doors and locks etc), business continuity planning and disaster recovery, capacity management, and the storage and disposal of records.

Key guidance:

4.4 Other relevant publications

4.4.1 Caldicott Report 1997

The Caldicott review was commissioned to examine the ways in which information was used by the NHS. The report[^43] lists 6 principles to apply to indicate the appropriateness of a proposed communication (see below).

  1. Justify the purpose(s) of every proposed use or transfer

  2. Don't use it unless it is absolutely necessary, and

  3. Use the minimum necessary

  4. Access to it should be on a strict need-to-know basis

  5. Everyone with access to it should be aware of their responsibilities, and

  6. Understand and comply with the law.

The report also carries 16 recommendations for changes in communication processes and practices employed by the NHS.

The recommendations focus on the adoption of a strict 'need to know' approach to the transmission of identifiable information and the establishment of an educational and supervisory framework to ensure its implementation.

Although much of the work recommended by the Caldicott Committee has been superseded by the NHS Information Governance initiative, the underlying Caldicott principles and the requirement for senior clinical involvement in confidentiality management remain highly relevant[^44].

4.4.2 Building the Information Core: A Confidentiality Strategy for the NHS[^45]

This document, published in December 2001, set out the Government's strategic approach to managing the confidentiality of patient information. The key elements of this strategy now underpin the approach adopted by NHS CFH. The strategy called for the adoption of a broad based information governance approach, emphasised the importance now placed upon informed consent, advocated far greater reliance upon technology to secure data and proposed a major public awareness campaign.

4.4.3 Confidentiality: NHS Code of Practice[^46]

Published in November 2003 with the endorsement of the Information Commissioner, the BMA and the General Medical Council (GMC), this Department of Health publication established an agreed set of guidelines for the NHS.

The Code of Practice sets out individual and organisational responsibilities in a clear and coherent way, covering both confidentiality and aspects of the Data Protection Act 1998. It includes a decision support tool for disclosure of patient information.

4.5 Governance issues particular to shared electronic patient records

The PHCSG[^47] has identified a number of areas that require detailed examination and guidance that particularly relate to shared electronic patient record systems. These are discussed below (see also Chapter 5).

4.5.1 Data ownership and control

GPs act as data controllers with their patients the data subjects. Debates about 'who owns the data' occur when a party wants to gain access to information held in patient records and there is uncertainty or disagreement about what category of information should be provided, whether the enquirer has any right of access, whether patient safety and/or privacy is at risk, or whether patient consent is required. It is generally more important to resolve these issues than the question of ownership as such and important to remember that "ownership" does not give rights of access to or control over personal data.

Clinical responsibility for each aspect of current care should be clear in a shared record. This might be done by identifying responsibility against items in a problem list or care plan. Careful consideration also needs to be given to developing mechanisms which enable the transfer of such responsibility (these may differ between transfers within an organisation and transfers between organisations). Patients may wish to be involved in these decisions (see also Chapter 5.3)

A community using a shared electronic health record needs to develop governance rules and processes that ensure the clear allocation of responsibility and define the rules and mechanisms by which responsibility can be transferred.

4.5.2 Data and record quality

Maintaining good quality records that are complete, accurate and up-to-date requires significant effort both in their creation and ongoing maintenance. Those using records need education and training to understand the value in making this effort and to equip them with the skills to do so (see Chapter 5). In General Practice electronic records have been the norm in most practices for 15-20 years and there is a good understanding of the value of maintaining record quality, both in terms of the benefits to patient care and for the health of the practice as a business. There is considerable concern from general practice that a shift to shared electronic health records will result in the quality of the records on which they rely being significantly undermined by users with a poor understanding of the issues and little motivation to maintain record quality. The more people that have write access to a record, the more difficult it becomes to police compliance with good record keeping practice and to identify individuals with a clear responsibility for maintaining the quality of the entire record (see Chapters 5 & 6).

Data migration presents particular hazards in terms of patient safety and data/record quality. The NHS CfH Clinical Safety Group receives a significant number of safety incident reports each year relating to issues encountered during the migration of practices from one clinical system supplier to another. This is a key area of clinical risk.

Typical incidents include:

  • Reactivation of archived prescriptions

  • Mapping errors resulting in different unrelated medications being linked (Quinine/Quinidine)

  • Issues with preservation of units of measure due to how different systems interpret decimal points and so forth (see Chapter 8c).

4.6 Records and record keeping -- guidance from health professional bodies

4.6.1 Doctors

The General Medical Council's[^48] (GMC) Good Medical Practice guidance for doctors[^49] makes it clear that patients have a right to expect that their doctors will hold information about them in confidence. Confidentiality is central to the trust between patients and doctors, without which patients may be reluctant to seek medical care or to disclose information needed to support their care. But appropriate information sharing is essential to the efficient provision of safe, effective care, both for the individual patient and to the wider population of patients[^50].

The GMC requires doctors to make information available to patients about disclosures of their personal information for purposes of their own care. In the absence of any objection, patients' consent to information being shared in this way may be implied. But it is not always clear to patients that others who support the provision of care might also need access to their personal information. Patients may not be aware of disclosures to others for purposes such as health service planning or research and must be informed about disclosures for purposes they would not reasonably expect. Doctors must obtain patients' express consent to disclosure of identifiable information for purposes other than the provision of care, unless the disclosure is required by law or justified in the public interest (and wherever possible, patients should be informed of such disclosures made without consent).

Doctors must make sure that any personal information about patients that they hold or control is effectively protected against improper disclosure at all times. Where doctors are responsible for the management of patient records or other patient information, they must ensure that it is held securely. Doctors should use their professional expertise in the selection and development of systems to record, access and send electronic data. However, doctors are not generally expected to assess the security standards of large-scale computer systems, provided for their use by the NHS or other health service providers, but are expected to understand and adhere to corporate information governance and confidentiality policies.

Patients may give implied consent to disclosure of personal information when sharing information in the healthcare team or with others providing care. Most people understand and accept that information must be shared within a healthcare team to provide care. Doctors should make information readily available to patients explaining that their personal information will be shared within the healthcare team including administrative and other staff who support the provision of care, unless they object. This information can be provided in leaflets, posters and websites as well as face-to-face. Doctors must respect the wishes of any patient who objects to particular information being shared with others providing care, except where disclosure is in the public interest or required by law. Doctors must ensure that anyone to whom they disclose personal information understands that it is provided in confidence, which they must respect.

Using live patient records to support the testing of clinical systems is also considered poor practice unless the patient has been asked and has specifically consented to this use.

As a general rule, doctors should seek patients' express consent for the disclosure of identifiable information for purposes other than the provision of care or local clinical audit.

4.6.2 Nurses

The Nursing and Midwifery Council[^51] (NMC) Guidelines for records and record keeping[^52] (advice sheet) supports the principle of shared records in which all members of the health care team involved in the care and treatment of an individual, make entries in a single record and in accordance with an agreed local protocol. However, the ability to obtain information whilst respecting patient and client confidentiality is regarded as essential. The NMC also emphasises the professional duty of confidentiality to the patient and states that information from health records should only be released with the consent of the patient.

4.6.3 Allied Health Professionals

The Health Professions Council's[^53] (HPC) publication Standards of conduct, performance and ethics[^54] states that registrants must treat information about service users as confidential and use it only for the purposes they have provided it for. Registrants must not knowingly release any personal or confidential information to anyone who is not entitled to it, and should check that people who ask for information are entitled to it. The need to keep proper records is a professional requirement and records must be protected from being lost, damaged or accessed by someone without appropriate authority.

4.6.4 Summary of guidance

Trust is central to the delivery of healthcare. Patients expect information about their health to be treated as confidential and only shared as far as is necessary for the administration and delivery of their care and for such other purposes for which they have specifically consented (or where required by law or in the public interest). Healthcare professionals need to be able to explain to patients how their data will be used, shared and protected and need to be confident that promises they make will be respected by the systems they use and the governance arrangements that control them. If this trust breaks down, the result is likely to be an increasing reluctance by patients to share sensitive data and by healthcare professionals to record it, with consequent clinical risk.

Overall, the guidance from professional regulatory and representative bodies clearly supports the sharing of appropriate health information between health professionals for the process of clinical care and audit. However, there is also a consistent emphasis on obtaining appropriate consent and informing patients how their health data may be used.

Informed consent transactions are typically used to waive important ethical, legal and other requirements in limited ways in particular contexts and for specific purposes[^55]. The duty of confidentiality seeks to regulate types of action (e.g. communication or disclosure) rather than the processing of types of data[^56] and is a way of protecting the content of many types of communications that can only be waived by seeking consent from the patient.

The issue of consent has proved controversial for the NHS particularly in relation to patient Summary Care Records (SCRs) being uploaded to the Spine (PSIS) on an implied consent basis and the possible implications for the confidential relationship between patient and health professional. The SCR consent model has now been modified to include a "consent to view" option, following the recommendations of the SCR evaluation report[^57] (See also Chapter 8e.2 for a more detailed explanation).

Shared records are derived from the detailed care records of those patients attending particular healthcare organisations and requiring some form of healthcare. These patients are likely to be actively receiving services from one or more healthcare organisations and it may be that such patients could benefit from having a shared record to facilitate communication between those organisations providing care and the patient.

Patients will generally expect to have a health record kept by each organisation they attend and it is a professional requirement that such records are made. Healthcare teams, involved in a patient's care, can access the healthcare records within their local organisation provided the patient has not objected to this. Such consent is implied as part of consent to treatment. Patients may understand that personal health information will be shared (communicated) between different healthcare professional groups and organisations to facilitate that patient's care. Accessing communicated information such as referral letters, reports and laboratory tests is also usually done on an implied consent basis amongst the healthcare team providing care to the patient. Most of the "rules" governing such professional behaviours have developed through custom and practice within a national legal, ethical and moral framework.

In some areas, explicit data sharing agreements are being developed which go some way to addressing the shared record issues highlighted here (and in Chapter 5). However, this is an area still in its infancy and we are not yet able to offer any guidance here (while acknowledging that this will need to be addressed).

Trust underpins the confidential relationship between patients and health professionals and cannot be replaced by other systems of accountability, including electronic systems. Deciding what information might and might not be disclosed in a shared record depends fundamentally on the relationships between patients and their health professionals.

4.8 Information governance and data disclosure

There is a growing demand in the NHS and beyond for practices to disclose clinical information from patient records to support clinical care, audit, health service planning and research. GPs have a responsibility, determined in law and professional standards to safeguard the confidentiality of the patient records that they control, whether it is stored on a practice server or hosted in a data centre. Practices should have a senior member of the practice who acts as Caldicott Guardian[^58] and is able to give advice when there is doubt about the best way to respond to a request for data disclosure.

The request may be for information from the paper or computer records, about a single named patient or a group of patients' records. The output is increasingly provided by the practice in the form of a data extraction produced by a computer query. Extractions must comply with the guidelines and the standards laid out by the relevant regulatory bodies[^59][^60][^61] including data quality and integrity standards described elsewhere in these guidelines (see Chapter 6).

Figure 4.8 - The decision to disclose

As the practice is the data controller for patient records that they hold, they are responsible for every data disclosure and can refuse a request that they do not agree with, although that agreement should not be unreasonably withheld. In making their decision it will help the practice to take a number of questions into consideration:

Note: the terms used in this box are defined in the body of the text.

  1. Is there a statutory, court order or other requirement for disclosure?

  2. Is patient consent required for the data to be disclosed?

  3. If data disclosure is requested without patient consent on the grounds that the data extracted will be effectively anonymised or pseudonymised, are you confident that the data will not be identifiable?

  4. If a third party offers to ensure effective anonymisation or pseudonymisation of the data after the data has left the practice, can they be trusted? (Is this a "safe haven"?). Do they have S251 approval? (see Chapter 4.8.1. below)

  5. Will only the minimum necessary data be extracted and disclosed and will it exclude any information that is specifically protected at the patient's request?

  6. Are the proposed use and protection of the disclosed data by the recipient clear and acceptable and will the data be deleted when the purpose of the extraction is achieved?

  7. Will the data be transferred, stored and processed securely?

The practice should also make a judgement about whether:

  8. The data to be disclosed is accurate and complete enough for the purpose of the extraction

  9. A record of the data disclosed and the date it was extracted should be retained by the practice?

4.8.1 Statutory and common law requirements to disclose data

Disclosure of confidential data generally requires the consent of the patient but there are statutory justifications for the disclosure of patient-identifiable information without consent[^62][^63]. Examples include the notification of communicable diseases[^64] and the existence of a court order demanding disclosure. Public interest is another justification but the threshold for this is high in some circumstances, for example the prevention of serious harm or serious crime[^65][^66][^67][^68]. The final decision about whether disclosure is appropriate lies with the data controller, in this case the practice. Disclosures for research and health service planning are also reasonable and examples of where the threshold for disclosure is not so high. The GMC provides excellent guidance on these issues[^69].

In certain circumstances GPs are contractually required to provide patient identifiable data to PCTs without consent where it is not feasible to anonymise the data or gain patient consent[^70] [^71].

Section 251 of the NHS Act (2006) operates in England and Wales and allows the common law duty of confidentiality "to be set aside in specific circumstances for medical purposes", where it is not possible to use anonymised information and it is not practicable to seek individual consent. The goal must be in the public interest[^72] and when the data are to be used for research, the research must have approval of a research ethics committee[^73]. Applications to use Section 251 in England are considered by the Ethics and Confidentiality Committee of the National Information Governance Board (NIGB)[^74] [^75]. If the practice receives a request for data under Section 251, it is acceptable to disclose identifiable data without patient consent but it is good practice to inform the individuals involved as soon as possible[^76]. The final decision about whether to disclose the data rests with the practice[^77] [^78].

Consent from the patient is normally required if confidential data are to be disclosed for purposes other than the provision of care. The GMC, the BMA and the MDOs offer guidance on consent to disclose records of individuals under the age of 16[^79] [^80] or adults lacking capacity to give consent[^81] [^82].

Express consent is given orally or in writing by a person who is fully informed about the purpose and nature of the data that is to be disclosed[^83]. Unless there is some other legal justification (see above), it is needed for disclosure of identifiable data that is not for direct patient care[^84] [^85] [^86] -- that is quadrant A in the diagram below (typically called "secondary uses"[^87] [^88]). Common secondary uses for data extracted by queries run against the practice patient database are: health care planning, commissioning of health services, research, education and training. Express consent or dissent should normally be recorded in the patient's record. If consent is provided in the form of a signed consent form or letter, it should be stored in the patient's record, where possible, as a scanned document attached to the electronic record.

The GMC confirms that it is reasonable to accept an assurance from an officer of a government department or agency or a registered health professional acting on their behalf that the patient or a person properly authorised to act on their behalf has consented[^89] [^90].

If the practice computer system supports access restrictions on specific elements of patients' records, such patient choices should be complied with in the extraction[^91].

Figure 4.8.2 - The nature and uses of data extracts

+-----------------------------------+-----------------------------------+
| A Patient identifiable data for   | B Patient identifiable data for   |
| Secondary uses                    | Direct patient care               |
+-----------------------------------+-----------------------------------+
| D Effectively anonymised data for | C Effectively anonymised data for |
| Secondary uses                    | Direct patient care               |
+-----------------------------------+-----------------------------------+

Express consent is required in quadrant A. Implied consent is appropriate for quadrant B. No consent is required in law for data in quadrant C or D.

Implied consent is considered to be acceptable when identifiable information is shared with the health care team or others providing care, including administrative staff, for the purpose of provision of care to the identified patient(s) or it is used for clinical audit by the team providing health care (Quadrant B)[^92]. Consent is inferred if the patient can be expected to understand that information will be disclosed for these purposes, the extent of the disclosure and their right to opt out, but they have not objected to the disclosure. If the data are to be processed fairly[^93] the information should be made available in a number of ways. Methods of informing patients include posters and standard information leaflets, face to face discussion in the course of a consultation, information included in an appointment letter from a hospital or clinic and a letter sent to each patient's home. The Summary Care Record and local sharing of the Detailed Care Record are special examples that are discussed elsewhere in this chapter.

Express consent is not required for the disclosure of data when it is effectively anonymised (see 4.8.3 below). The Department of Health (DH) and the General Medical Council (GMC) advise that there is no legal requirement for consent or for patients to have an option to refuse consent to the use of effectively anonymised data from their records for direct patient care (Quadrant C) or other uses (Quadrant D)[^94] [^95]. The former is unusual, most commonly local clinical audit. Secondary uses are more common. The Quality and Outcomes Framework[^96] [^97], local health service planning[^98] and research[^99] are examples. Some members of the public hold strong views that patients should be able to refuse consent for their information to be used even in anonymised form[^100].

4.8.3 Patient identifiable data and effective anonymisation

Every request for data disclosure should include a full explanation of the use for the data and the purpose of the disclosure. It should also be very clear whether the data extracted may be linked to individual patients. The GMC Confidentiality guidance provides definitions for anonymised, coded information and identifiable information.[^101]

Anonymised information -- Information from which individuals cannot reasonably be identified. Names, addresses, full postcodes or identification numbers, alone or together or in conjunction with any other information held by or available to the recipient, can be used to identify patients.

Coded information -- Also known as pseudonymised information. Information from which individuals cannot be identified by the recipient, but which enables information about different patients to be distinguished or to link information about the same patients over time (for example to identify drug side effects). A key might be retained by the person or service which coded the information so that it can be reconnected with the patient.

Identifiable information - information from which a patient can be identified. Their name, address and full postcode will identify a patient; combinations of information may also do so, even if their name and address are not included. Information consisting of small numbers and rare conditions might also lead to the identification of an individual.

There are a variety of techniques that can be used, singly or in combination, to make it less likely that individuals can be recognised from the data.

Data extraction from patients' records is likely to be identifiable after it has been disclosed if:

  • It contains identifiers such as name and address, full post code, date of birth or death, NHS number, a local identifier such as a practice computer system ID number, sex, ethnic origin or occupation[^102].

It could possibly be identifiable if:

  • It contains a combination of unusual features that generate small numbers of patients, allowing a specific patient's data to be identified. Even if a query extracts data from a large number of patients, it may be that only a small number of them share certain features, which allow their identity to be inferred.

Care should be taken to ensure that the recipient of data does not have other knowledge that might allow them to infer the identity of individuals from the data. Data should also be checked to ensure that it does not contain free text entries which may directly name the patient or a third party relating to the patient. Where free text is present, it should either be removed or read by a responsible person to exclude specific patient-identifiable material.

A patient's identity is less likely to be at risk and the extracted data more likely to be effectively anonymised if it is only going to be used in controlled circumstances by a small group of users governed by an employment contract and a legal duty of confidentiality than if the data are to be published on a website.

Data can be transformed after it has been extracted in order to make it less likely that individuals can be recognised from it. This may best be done in a safe haven: a physical or electronic infrastructure that provides a high level of security and governance controls for confidential data to be processed securely. People working in safe havens should be bound by an equivalent code of conduct preventing disclosure of data as health professionals[^103] [^104] [^105] [^106].

Ways of transforming extracted data to make it less likely that individuals can be recognised include:

  1. Removal of all the person identifiers.

  2. Pseudonymisation - also known as coding, is a process of replacing person identifiers with other values (pseudonyms) available to the data user, from which the identities of the individuals cannot be intrinsically inferred[^107] [^108]. It maintains the anonymity of extracted data while allowing the records about the same individual to be linked using the same unique label or key, often created using encryption processes, for each extraction from an individual's record. The process may be carried out by the GP computer system or by a third party immediately after extraction.

Pseudonymisation has two weaknesses: the possibility of successfully identifying patients from the rest of the data remains and access to the key or lookup tables used to pseudonymise the data allows the process to be reversed to identify the data subjects. Thus the governance around the pseudonymisation process and transparency about when and how the pseudonymisation may be legitimately reversed are very important.

Some data extraction services[^109] [^110] use a "two key process" whereby an encrypted key is added to each record before the data leaves the practice and the first recipient adds a second key before the data are used by third parties.

  3. Aggregating data - so that category totals are displayed instead of individual record values. This can be combined with small number processing: extracted data that is to be published should be checked to ensure that cells containing small numbers (usually less than 5) are changed or deleted before the data are disclosed.

  4. Using derivations or banding - hides the exact original values, e.g. replacing dates of birth by ages, addresses by localities, using partial postcodes.

  5. Shuffling -- creates synthetic data. The data items are shuffled so that the totals and values in the data set are preserved but the links to identifiers are irreversibly broken.

This may be done in the practice or after the data has been extracted and released to a trusted third party who, working in a safe haven, will use software that requires no user to view the data[^111] [^112].
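The transformations listed above can be chained over an extract before it is disclosed. The following is an added example, not part of the original guidance or of any GP system: the field names, the sample records and the use of HMAC-SHA256 to derive pseudonyms are assumptions made for illustration.

```python
import hashlib
import hmac
import random
from collections import Counter
from datetime import date

IDENTIFIERS = ("nhs_number", "name", "dob", "postcode")  # removed from every output row
SMALL_NUMBER = 5  # cells below this are suppressed ("usually less than 5")


def build_sample():
    """Constructed extract: six similar patients plus one with unusual features."""
    rows = [
        {"nhs_number": f"TEST-{i:04d}", "name": f"Patient {i}",
         "dob": date(1942 + i, 6, 15), "postcode": "LS1 4AP",
         "sex": "F", "condition": "asthma"}
        for i in range(6)
    ]
    rows.append({"nhs_number": "TEST-0099", "name": "Patient 99",
                 "dob": date(1991, 7, 2), "postcode": "LS6 2QT",
                 "sex": "M", "condition": "rare condition X"})
    return rows


def pseudonym(identifier, key):
    """Keyed pseudonym: the same identifier and key always give the same label,
    so extracts can be linked, but whoever holds the key can rebuild the mapping."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(dob, on, width=10):
    """Banding: replace a date of birth by an age range as at the date `on`."""
    years = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    low = years // width * width
    return f"{low}-{low + width - 1}"


def partial_postcode(postcode):
    """Keep the outward part only; the inward part is always the last 3 characters."""
    return postcode.replace(" ", "").upper()[:-3]


def transform(record, key, on):
    """Remove person identifiers and add the pseudonym and derived values."""
    out = {k: v for k, v in record.items() if k not in IDENTIFIERS}
    out["pid"] = pseudonym(record["nhs_number"], key)
    out["age_band"] = age_band(record["dob"], on)
    out["area"] = partial_postcode(record["postcode"])
    return out


def aggregate(rows, fields, threshold=SMALL_NUMBER):
    """Category totals with small number processing: small cells become None."""
    counts = Counter(tuple(r[f] for f in fields) for r in rows)
    return {cell: (n if n >= threshold else None) for cell, n in counts.items()}


def small_cell_rows(rows, fields, threshold=SMALL_NUMBER):
    """Pseudonyms of rows whose combination of features is shared by too few
    patients: still potentially identifiable although no identifier remains."""
    counts = Counter(tuple(r[f] for f in fields) for r in rows)
    return [r["pid"] for r in rows if counts[tuple(r[f] for f in fields)] < threshold]


def shuffle_column(rows, field, seed):
    """Shuffling: values and totals of `field` are preserved, row links are not."""
    values = [r[field] for r in rows]
    random.Random(seed).shuffle(values)
    return [dict(r, **{field: v}) for r, v in zip(rows, values)]


if __name__ == "__main__":
    key = b"constructed-practice-key"  # constructed; a real key must be governed
    rows = [transform(r, key, date(2011, 12, 31)) for r in build_sample()]
    print(rows[0])
    print(aggregate(rows, ("area", "age_band", "condition")))
    print("review before release:", small_cell_rows(rows, ("area", "sex", "age_band")))
```

The last check reflects the first weakness of pseudonymisation described above: the seventh record has no name or NHS number left, yet its combination of area, sex and age band is unique in the extract.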

4.8.4 Practice responsibility for the data to be extracted

The practice should have the opportunity to review the data before it leaves the practice. This means that where the data extraction is controlled by an agency outside the practice there should be a period between running the query on the GP system and the disclosure of the data. It should be enough to allow the practice to check the following:

Inaccurate or incomplete data - can be misleading or affect the results of research, commissioning or other secondary purposes. Finding significant errors or omissions in the records may lead the practice to correct the data in the affected patients' records but also look at any systematic problems within practice processes that are leading to the errors.

Minimum dataset - the practice can confirm that only the minimum data required for the express purpose of the disclosure has been extracted. Ideally the data requestor should explain the requirement for every field of data in the extracted data.

Patient withheld data - if the practice clinical computer system supports a method of withholding patient information and a patient has asked for information to be hidden, that data should not be extracted in identifiable form.

Third party data - data may contain information that is confidential to another person. Information about genetic tests or illnesses may point to the illness or likelihood of the same illness in a blood relative[^113].

4.8.5 Disclosure after a patient's death

In general the duty of confidence continues after a patient has died[^114]. The GMC gives advice on circumstances where relevant information about a patient who has died should be disclosed[^115]. Examples include data extraction authorised under section 251 of the NHS Act 2006 or justified in the public interest, such as research, for National Confidential Inquiries or local clinical audit. Where possible the data should be anonymised or coded.

It is safest to treat confidential information about dead people in the same way as you treat such information about living people. If you are aware that a patient asked for their information to remain confidential, their wishes should usually be respected. If you are unaware of the patient's wishes, the GMC guidance is to consider whether disclosure is likely to cause distress or benefit to the patient's partner or family, disclose information about the patient's family or anyone else, whether it is already public knowledge and the purpose of the disclosure.

4.8.6 Data leaving the practice

Data transmission - the practice has a responsibility to ensure that all data extracted from the patients' records are processed securely[^116]. This includes making sure that the data leaves the practice securely. If it is to be carried on removable media such as USB memory devices or CD-ROMs, the data must be encrypted (and the key sent separately). If it is to be transmitted electronically, such transmissions must be secure. Once the data leaves the practice, the recipient may take over the responsibility of data controller for the data they hold, depending upon their use of the data.

Data recipients - where the data recipient becomes the data controller for the data, they will assume legal responsibility for holding and processing it securely. That includes following the key principles of the Data Protection Act (1998)[^117] for identifiable data. In particular they should only use identifiable data for the purposes for which it has been extracted and it should be deleted as soon as that purpose is complete. It is helpful for the practice to have a clear written agreement with the requestor of the data that states exactly how they will manage the data after it leaves the practice.

The practice should assure itself that the data recipient understands, and can be expected to meet, its legal responsibilities in relation to the data. It is reasonable for GPs to assume that a national government organisation will handle such data correctly[^118]. Other recipients may have trusted third party status and their data management handling may be accredited to recognised standards such as ISO 27001 and 27002. The government in their response to the Data Sharing Review accepted the notion of the approved researcher, who works under the same duty of confidentiality as health professionals[^119] [^120].

4.9 Retention of GP electronic patient records and associated audit trails when a patient is no longer registered with a practice

4.9.1 Background

An agreement was reached between the BMA and the OIC in 2004 to the effect that GP electronic patient records and their associated system audit trails should be retained by practices indefinitely pending the development of functionality to support transfer of GP EPRs and their associated audit trails between systems in a way that would enable both to be integrated into the receiving system. However, it has become clear that the functionality to transfer and integrate audit trails will not be available for the foreseeable future.

A second issue that requires clarification relates to the patient record transfer terminology. The term "GP2GP transfer" is misleading, as it is a copy of the record that is sent, not the record itself.

The OIC has made it clear that there can be no exemption to the requirement for GPs to comply with the Principles of the DPA and particularly in this context with the principles relating to not retaining records for longer than necessary and ensuring that retained records are protected by appropriate security measures. The retention of audit trails and patient records by a practice that is no longer caring for the individual concerned must be for appropriate and necessary purposes. In the absence of a lawful basis for retaining these records they should be physically deleted from systems. If there is a lawful basis for retaining records they should be protected by security measures that prevent them from being accessed inappropriately.

The Department of Health, RCGP and BMA believe that there are a number of purposes (see also Table 4.9 below) for which it is necessary to retain and access patient records when a patient is no longer registered with a practice. These considerations apply only where a patient leaving a practice subsequently requires a copy of a record to be sent between systems or locations. Different considerations will apply where a patient moves between practices that use the same remotely hosted system (e.g. TPP SystmOne) where the transfer is effected by simple access control adjustments and there is no interruption in the audit trail.

4.9.2 Clinical purposes

Patients have a tendency to return to practices. Although most returns will probably be after short periods of a few years (e.g. on returning from University) some will be later. The GP2GP project is working on a Version 2 message that depends on the 'old' record plus its audit trail remaining intact in the original practice. That will allow the returning record to be safely merged with the old (existing) record without duplication or unnecessary degradation or disorganisation. (In this context "degradation" refers to the inability of some code terms to be safely mapped from one clinical system to another -- see chapter 8b.2.)

This is important from a patient safety point of view, as there is a tendency for the structure of a record to be degraded by passage through successive different systems. Therefore, when the patient returns to Practice A, that part of the record that originally started out from Practice A will have undergone some degradations and disorganisation as it went through Practices B and C. By adopting the new Version 2 GP2GP solution it will be possible for Practice A simply to reactivate its old record and only to import subsequent additions and amendments. That should result in a better quality record at Practice A - making the record more usable and also safer.

Providing medico-legal evidence (e.g. to establish or refute negligence or poor performance) is an essential purpose of record audit trails. Poor clinical performance can only be evidenced in many cases by a review of the records made during an episode of care. Errors or delays in diagnosis, the use of outmoded tests or treatments and failure to act on the results of monitoring or testing can be established or refuted through well-maintained records and their associated audit trails.

Audit trails are physically separate chronological records held alongside the patient EPR and provide a record of the activities of system users and of changes to systems themselves. This record includes, but is not limited to, additions and amendments to patient records and by rolling back all changes it is possible to understand what a record looked like at a particular point in time, what changes were subsequently made and who made them.

Audit trails are the primary tool for supporting forensic analysis and establishing evidence about what was recorded when and by whom. They are tamper proof and intentionally have no functionality to support deletions or amendments, as these would defeat their purpose. It is not therefore possible to specify the components of an audit trail relating to a specific patient record in order, for example, to delete references. The only way to remove a record from an audit trail is to wipe the media holding the entire audit trail clean.

The audit trail in GP clinical systems is specific to each individual system and it cannot be meaningfully interpreted by a different system. It is not therefore transferred between GP systems by electronic message or copied between systems, as is the content of the patient record itself. Crucially, the audit trail retains its usefulness only so long as it can be associated with the system and the records it relates to. Physical deletion of an EPR would render the associated audit trail meaningless.

It is therefore essential that both the audit trail and the patient record that it is associated with be retained by a Practice even when a patient is no longer registered with that Practice.
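The roll-back described above can be sketched as follows. This is an added illustration, not code from any GP clinical system; the event fields, the function names and the sample entries are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class AuditEvent:
    seq: int
    when: datetime
    user: str
    entry_id: str
    action: str           # "add" or "amend"
    old: Optional[str]    # value before the change (None for "add")
    new: str              # value after the change


class AuditTrail:
    """Chronological and append-only: no method deletes or amends an event."""

    def __init__(self):
        self._events = []

    def append(self, when, user, entry_id, action, old, new):
        if action not in ("add", "amend"):
            raise ValueError("unknown action: " + action)
        if self._events and when < self._events[-1].when:
            raise ValueError("audit events must be chronological")
        event = AuditEvent(len(self._events) + 1, when, user, entry_id, action, old, new)
        self._events.append(event)
        return event

    def events(self):
        return tuple(self._events)   # immutable snapshot for callers


def record_as_of(current, trail, as_of):
    """Roll back, newest first, every change made after `as_of`."""
    state = dict(current)
    for ev in reversed(trail.events()):
        if ev.when <= as_of:
            break
        # The trail is only meaningful alongside the record it describes.
        if state.get(ev.entry_id) != ev.new:
            raise ValueError(f"record and audit trail disagree at event {ev.seq}")
        if ev.action == "add":
            del state[ev.entry_id]
        else:
            state[ev.entry_id] = ev.old
    return state


def changes_after(trail, as_of):
    """Who changed which entry after `as_of`, oldest first."""
    return [(ev.when, ev.user, ev.entry_id, ev.action)
            for ev in trail.events() if ev.when > as_of]


def build_sample():
    """Constructed sample data: two clinicians writing to one record."""
    record, trail = {}, AuditTrail()

    def write(when, user, entry_id, text):
        action = "amend" if entry_id in record else "add"
        trail.append(when, user, entry_id, action, record.get(entry_id), text)
        record[entry_id] = text

    write(datetime(2009, 3, 2, 9, 15), "dr.a", "e1", "BP 150/95")
    write(datetime(2009, 3, 2, 9, 20), "dr.a", "e2", "Plan: recheck BP in 4 weeks")
    write(datetime(2009, 6, 1, 17, 40), "dr.b", "e1", "BP 130/85")
    return record, trail


if __name__ == "__main__":
    record, trail = build_sample()
    print(record_as_of(record, trail, datetime(2009, 3, 31)))
```

If the record has been altered outside the trail, or deleted, the roll-back fails instead of returning a misleading history, which is why the two must be retained together.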

DH lawyers advise that, although there is technically a time limit in respect of litigation resulting from clinical negligence, there are a number of exceptions or special circumstances which mean that this cannot be relied upon, and litigation can arise many years after the event. They therefore advise that the evidence needed to determine what changes were made to records, by whom and at what point in time must be retained indefinitely. It is therefore necessary that both the audit trail and the associated patient record be retained indefinitely by a practice, as they are the sole source of forensic evidence.

Access controls should however prevent access to the patient record once a patient has left the practice unless there is an appropriate and necessary purpose and there should be robust governance processes to ensure that this is managed effectively.

4.9.4 Probity purposes

Health records also provide the main, and sometimes sole, evidence of work undertaken by a practice and are required to support claims for payment and bids for resources, both by the practice and by organisations from which care was commissioned for patients. The financial systems require practices to retain the evidence to support claimed payments for up to 8 years, and payments made through the commissioning process can also take considerable time to resolve.

4.9.5 Clinical governance purposes

There are also important clinical governance activities that require records to be available and checked, and failure to include patients who have left the practice may bias reviews or obscure important evidence (why did the patient leave?). Activity to support professional appraisal and revalidation also needs to include all of a doctor's recent caseload, and again it would potentially undermine the process if a proportion of patients' records weren't available for review; some practices have patient turnover of 30%+ each year.

4.9.6 Other purposes

Although not in itself a purpose that would justify record retention, the fact that records are being retained for other reasons also means that it is necessary for practices to meet the requirements relating to subject access to retained health records.

It is also likely that access to records will be sought by research interests e.g. UK Biobank and where appropriate authorisation is provided, e.g. explicit patient consent, then access may be required. In many cases this will be achieved through software solutions, e.g. GPES (the General Practice Extraction Service) provided by the Health & Social Care Information Centre.

4.9.7 Access controls

Although the purposes identified above require records and associated audit trails to be retained indefinitely, different staff will require access for these purposes and some purposes will no longer be valid after certain periods requiring changes to be made to the access rights of these staff.

Table 4.9

+------------------------+----------------------------------------+------------------------+
| Purpose                | Staff Roles Requiring Access           | Access Required for... |
+========================+========================================+========================+
| Subsequent Clinical    | Only designated staff involved in      | Indefinitely           |
| Care                   | patient registration/re-registration   |                        |
|                        | procedures                             |                        |
+------------------------+----------------------------------------+------------------------+
| Practice Management,   | All staff whose roles involve record   | Three months           |
| completing/updating    | access for registered patients         |                        |
| records                |                                        |                        |
+------------------------+----------------------------------------+------------------------+
| Medico Legal & Subject | Only designated clinical and           | Indefinitely           |
|                        | administrative staff.                  |                        |
|                        |                                        |                        |
|                        | Different staff may be designated for  |                        |
|                        | the different purposes                 |                        |
+------------------------+----------------------------------------+------------------------+
| Probity                |                                        | Eight years            |
+------------------------+----------------------------------------+------------------------+
| Clinical governance    |                                        | Five years             |
+------------------------+----------------------------------------+------------------------+
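One way the periods in Table 4.9 could be enforced as a deny-by-default access check on a retained record is sketched below. This is an added example, not part of any clinical system; the purpose keys, user names and function names are hypothetical. It assumes that access remains allowed on the last day of the period and that rows with a blank staff cell require explicit designation.

```python
import calendar
from datetime import date

# Table 4.9: how long after deregistration each purpose justifies access,
# in months (None = indefinitely). Keys are hypothetical names for the rows.
ACCESS_WINDOW_MONTHS = {
    "subsequent_clinical_care": None,
    "practice_management": 3,
    "medico_legal_subject": None,
    "probity": 8 * 12,
    "clinical_governance": 5 * 12,
}


def add_months(start, months):
    """Calendar-month addition, clamping to the last day of a short month."""
    index = start.year * 12 + (start.month - 1) + months
    year, month = divmod(index, 12)
    month += 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def decide_access(user, purpose, deregistered_on, today, designated, record_access_staff):
    """Return (allowed, reason) for a request to open a retained record.

    designated: purpose -> set of users designated for that purpose.
    record_access_staff: users whose role involves access to registered
    patients' records (the 'Practice Management' row).
    """
    if purpose not in ACCESS_WINDOW_MONTHS:
        return False, "no recognised purpose"            # deny by default
    if purpose == "practice_management":
        entitled = user in record_access_staff
    else:
        # Assumption: the rows whose staff cell is blank on the page
        # also require explicit designation.
        entitled = user in designated.get(purpose, set())
    if not entitled:
        return False, "user not designated for this purpose"
    months = ACCESS_WINDOW_MONTHS[purpose]
    if months is not None and today > add_months(deregistered_on, months):
        return False, "access period for this purpose has expired"
    return True, "permitted"


if __name__ == "__main__":
    # Constructed sample: patient deregistered on 30 November 2010.
    designated = {"probity": {"pm.jones"}, "medico_legal_subject": {"dr.a"}}
    staff = {"recep.1", "dr.a", "pm.jones"}
    left = date(2010, 11, 30)
    print(decide_access("recep.1", "practice_management", left, date(2011, 3, 1),
                        designated, staff))
    print(decide_access("pm.jones", "probity", left, date(2015, 6, 1),
                        designated, staff))
```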

4.10 The Information Governance Toolkit, & Information Governance Statement of Compliance (IGSoC)

All organisations that provide or support the provision of NHS services need to provide assurance that they have robust information governance and are managing patient records confidentially and securely. This is a requirement set out in the NHS Constitution^121 and in the NHS Care Record Guarantee^122 and also underpins the registration requirements overseen by the Care Quality Commission.

This assurance is provided by organisations completing a performance assessment using the NHS Information Governance Toolkit^123 and by working to make year on year improvements in their performance. The NHS Information Governance Toolkit performance assessment also provides assurance that an organisation is addressing its responsibilities as a user of national IT applications and services (e.g. N3, NHSmail etc.) through an additional assurance statement (also referred to as the IG Statement of Compliance - IGSoC) that organisations need to sign annually.

Access to national IT applications and services is not a right, and assurance is needed from organisations connecting to the NHS IT infrastructure, to the effect that they will follow good information governance practice and not put national networks knowingly at risk.

[^1]: National Information Governance Board www.nigb.nhs.uk

[^2]: Care Record Guarantee www.nigb.nhs.uk/guarantee

[^4]: GMC http://www.gmc-uk.org/guidance/

[^6]: GMC Confidentiality http://www.gmc-uk.org/guidance/ethical_guidance/confidentiality.asp

[^9]: Access to Health Records Act 1990 www.hmso.gov.uk/acts/acts1990/Ukpga_19900023_en_1.htm

[^13]: GMC Confidentiality http://www.gmc-uk.org/guidance/ethical_guidance/confidentiality.asp

[^15]: Data Protection Act 1998 www.hmso.gov.uk/acts/acts1998/19980029.htm

http://www.hsj.co.uk/news/acute-care/mid-staffordshire-crisis-quality-of-care-sacrificed-in-ft-bid/2007558.article

[^17]: Care Record Guarantee www.nigb.nhs.uk

[^22]: Human Rights Act www.hmso.gov.uk/acts/acts1998/19980042.htm

[^24]: GMC Confidentiality http://www.gmc-uk.org/guidance/ethical_guidance/confidentiality.asp

[^25]: Freedom of Information Act www.hmso.gov.uk/acts/acts2000/20000036.htm

[^31]: GMC Confidentiality http://www.gmc-uk.org/guidance/ethical_guidance/confidentiality.asp

[^32]: Electronic Communications Act 2000 (c. 7)

[^34]: S.I. 2004/291

[^35]: S.I. 2004/627

[^36]: The Alternative Provider Medical Services Directions 2004 dated 21st April 2004.

[^38]: Information Standards Board for Health & Social Care http://www.isb.nhs.uk/

[^39]: NHS Number Program http://www.connectingforhealth.nhs.uk/systemsandservices/nhsnumber/

[^40]: ICD 10 http://www.datadictionary.nhs.uk/web_site_content/supporting_information/clinical_coding/international_classification_of_diseases_%28icd-10%29.asp?shownav=1

[^41]: This series has replaced and extended the BS7799-2:2002 and BS7799-1, previously known internationally as ISO17799:2000

[^42]: IGT https://www.igt.connectingforhealth.nhs.uk/

[^43]: The Caldicott Report www.dh.gov.uk/PublicationsAndStatistics/Publications/PublicationsPolicyAndGuidance/PublicationsPolicyAndGuidanceArticle/fs/en?CONTENT_ID=4068403&chk=jsKw07

[^44]: Caldicott Manual 2010 http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_114509

[^45]: Building the Information Core A Confidentiality Strategy for the NHS

[^46]: Confidentiality: NHS Code of Practice The NHS Confidentiality Code of Practice

[^47]: PHCSG (BCS) CLICSIG conference, 31 January 2009.

[^49]: General Medical Council Good Medical Practice (2006) http://www.gmc-uk.org/guidance/good_medical_practice/duties_of_a_doctor.asp

[^50]: General Medical Council Confidentiality Guidance (2009)

[^52]: Nursing and Midwifery Council. Guidelines for records and record keeping - Record keeping advice sheet.

<http://www.nmc-uk.org/aFrameDisplay.aspx?DocumentID=4008>

[^55]: Rethinking Informed Consent in Bioethics. Neil C Manson and Onora O'Neill, p72. Cambridge University Press. Cambridge 2007.

[^56]: Rethinking Informed Consent in Bioethics. Neil C Manson and Onora O'Neill, p126. Cambridge University Press. Cambridge 2007.

[^57]: UCL SCR Independent Evaluation http://www.ucl.ac.uk/openlearning/research.htm

[^58]: Caldicott Guardian Manual 2010, Department of Health, 2010 http://www.bma.org.uk/images/confidentialitytoolkitdec2009_tcm41-193140.pdf

[^59]: Confidentiality, GMC, 2009. http://www.gmc-uk.org/static/documents/content/Confidentiality_core_2009.pdf

[^60]: Confidentiality and disclosure of health information tool kit, BMA, 2009. http://www.bma.org.uk/images/confidentialitytoolkitdec2009_tcm41-193140.pdf

[^61]: General Practice Extraction Service: Information Governance Principles, NHS Information Centre, 2010. http://www.ic.nhs.uk/webfiles/Services/in%20development/gpes/20100528%20GPES%20IG%20Principles%20paper%20v1%200.pdf

[^62]: Confidentiality, GMC, 2009. http://www.gmc-uk.org/static/documents/content/Confidentiality_core_2009.pdf

[^63]: Confidentiality and disclosure of health information tool kit, BMA, 2009. http://www.bma.org.uk/images/confidentialitytoolkitdec2009_tcm41-193140.pdf

[^64]: Confidentiality: disclosing information about serious communicable diseases, GMC, 2009. http://www.gmc-uk.org/static/documents/content/Confidentiality_disclosing_info_serious_commun_diseases_2009.pdf

[^65]: Confidentiality, GMC, 2009. http://www.gmc-uk.org/static/documents/content/Confidentiality_core_2009.pdf

[^66]: Confidentiality: reporting concerns about a patient to the DVLA or the DVA, GMC, 2009. http://www.gmc-uk.org/static/documents/content/Confidentiality_reporting_concerns_DVLA_2009.pdf

[^67]: Confidentiality: reporting gunshot and knife wounds, GMC, 2009. http://www.gmc-uk.org/static/documents/content/Confidentiality_reporting_gunshot_wounds_2009.pdf

[^68]: Confidentiality and disclosure of health information tool kit, BMA, 2009. http://www.bma.org.uk/images/confidentialitytoolkitdec2009_tcm41-193140.pdf

[^69]: GMC Confidentiality: Disclosing records for financial and administrative purposes (2009). http://www.gmc-uk.org/guidance/ethical_guidance/confidentiality.asp

[^70]: Confidentiality and Disclosure of Information: General Medical Services, Personal Medical Services and Alternative Provider Medical Services Code of Practice, DH, 2005. http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4107303

Confidentiality and Disclosure of Information: General Medical
Services (GMS), Section 17c Agreements, and Health Board Primary
Medical Services (HBPMS) Directions 2005 and Code of Practice,
Scottish Executive Health Department, 2005.
<http://www.paymodernisation.scot.nhs.uk/gms/leg_guide/legislation/cop%20confidentiality%20and%20disclosure%20of%20Information.doc>

Confidentiality and Disclosure of Information: General Medical
Services and Alternative Provider Medical Services (APMS) Directions
2006 and Code of Practice, Welsh Assembly Government, 2005.
<http://www.wales.nhs.uk/sites3/Documents/480/The%5FConfidentiality%5Fand%5FDisclosure%5Fof%5FInformation%2DCode%5Fof%5FPractice131005.pdf>

Confidentiality and Disclosure of Information: General Medical
Services and Alternative Provider Medical Services Directions
(Northern Ireland) 2006 and Code of Practice, Department of Health,
Social Services and Public Safety, 2005.
<http://www.dhsspsni.gov.uk/code_of_practice_on_confidentiality.pdf>

[^71]: Confidentiality and disclosure of information to PCTs in primary care settings -- Guidance for GPs, BMA, 2007. http://www.bma.org.uk/images/Guidance+for+GP's+on+confidentiality+and+disclosure+of+information+for+secondary+uses+-+August+2007_tcm41-146813.pdf

[^72]: Confidentiality, GMC, 2009. http://www.gmc-uk.org/static/documents/content/Confidentiality_core_2009.pdf

[^73]: The Health Service (Control of Patient Information) Regulations, Department of Health, 2002 http://www.opsi.gov.uk/si/si2002/20021438.htm

[^74]: National Information Governance Board for Health and Social Care, Ethics and Confidentiality Committee. http://www.nigb.nhs.uk/ecc/about

[^75]: Confidentiality: Research and other secondary uses, GMC, 200. http://www.gmc-uk.org/guidance/ethical_guidance/confidentiality_40_50_research_and_secondary_issues.asp

[^76]: Confidentiality NHS Code of Practice, NHS, 2003. http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/codes/confcode.pdf

[^77]: Confidentiality, GMC, 2009. http://www.gmc-uk.org/static/documents/content/Confidentiality_core_2009.pdf

[^78]: Confidentiality: Research and other secondary uses, GMC, 2009. http://www.gmc-uk.org/guidance/ethical_guidance/confidentiality_40_50_research_and_secondary_issues.asp

[^79]: Confidentiality and disclosure of health information tool kit, BMA, 2009. http://www.bma.org.uk/images/confidentialitytoolkitdec2009_tcm41-193140.pdf

[^80]: 0-18 years guidance: Principles of confidentiality, GMC, 2007. http://www.gmc-uk.org/guidance/ethical_guidance/children_guidance_42_43_principles_of_confidentiality.asp

[^81]: Confidentiality and disclosure of health information tool kit, BMA, 2009. http://www.bma.org.uk/images/confidentialitytoolkitdec2009_tcm41-193140.pdf

[^82]: Confidentiality guidance: Disclosures about patients who lack capacity to consent, GMC, 2009. http://www.gmc-uk.org/guidance/ethical_guidance/confidentiality_57_63_patients_who_lack_capacity.asp

[^83]: Rethinking Informed Consent in Bioethics. Neil C Manson and Onora O'Neill. Cambridge University Press. Cambridge 2007.

[^84]: Confidentiality, GMC, 2009. http://www.gmc-uk.org/static/documents/content/Confidentiality_core_2009.pdf

[^85]: Confidentiality and disclosure of health information tool kit, BMA, 2009. http://www.bma.org.uk/images/confidentialitytoolkitdec2009_tcm41-193140.pdf

[^86]: Informing Shared Clinical Care: Final Report of the Shared Record Professional Guidance project, RCGP and NHS Connecting for Health, 2009. http://www.rcgp.org.uk/PDF/Get_Involved_SRPG_final_ref_report.pdf

[^87]: Confidentiality and disclosure of health information tool kit, BMA, 2009. http://www.bma.org.uk/images/confidentialitytoolkitdec2009_tcm41-193140.pdf

[^88]: Confidentiality NHS Code of Practice, NHS, 2003. http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/codes/confcode.pdf

[^89]: Confidentiality, GMC, 2009. http://www.gmc-uk.org/static/documents/content/Confidentiality_core_2009.pdf

[^90]: Clause 450 of the standard GMS contract and the NHS (PMS) (Miscellaneous Amendments) Regs 2010 (SI 2010/578)

[^91]: The Care Record Guarantee, NHS, 2009, p16. http://www.nigb.nhs.uk/guarantee/2009-nhs-crg.pdf

[^92]: Confidentiality and disclosure of information to PCTs in primary care settings -- Guidance for GPs, BMA, 2007. http://www.bma.org.uk/images/Guidance+for+GP's+on+confidentiality+and+disclosure+of+information+for+secondary+uses+-+August+2007_tcm41-146813.pdf

[^93]: Legal Guidance on the Data Protection Act (1998), Information Commissioner's Office http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/data_protection_act_legal_guidance.pdf

[^94]: Confidentiality, GMC, 2009. http://www.gmc-uk.org/static/documents/content/Confidentiality_core_2009.pdf

[^95]: Confidentiality NHS Code of Practice, NHS, 2003. http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/codes/confcode.pdf

[^96]: Confidentiality and Disclosure of Information: General Medical Services, Personal Medical Services and Alternative Provider Medical Services Code of Practice, DH, 2005. http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4107303

Confidentiality and Disclosure of Information: General Medical
Services (GMS), Section 17c Agreements, and Health Board Primary
Medical Services (HBPMS) Directions 2005 and Code of Practice,
Scottish Executive Health Department, 2005.
<http://www.paymodernisation.scot.nhs.uk/gms/leg_guide/legislation/cop%20confidentiality%20and%20disclosure%20of%20Information.doc>

Confidentiality and Disclosure of Information: General Medical
Services and Alternative Provider Medical Services (APMS) Directions
2006 and Code of Practice, Welsh Assembly Government, 2005.
<http://www.wales.nhs.uk/sites3/Documents/480/The%5FConfidentiality%5Fand%5FDisclosure%5Fof%5FInformation%2DCode%5Fof%5FPractice131005.pdf>

Confidentiality and Disclosure of Information: General Medical
Services and Alternative Provider Medical Services Directions
(Northern Ireland) 2006 and Code of Practice, Department of Health,
Social Services and Public Safety, 2005.
<http://www.dhsspsni.gov.uk/code_of_practice_on_confidentiality.pdf>

[^97]: Confidentiality and disclosure of information to PCTs in primary care settings -- Guidance for GPs, BMA, 2007. http://www.bma.org.uk/images/Guidance+for+GP's+on+confidentiality+and+disclosure+of+information+for+secondary+uses+-+August+2007_tcm41-146813.pdf

[^98]: Confidentiality: disclosing records for financial and administrative purposes, GMC, 2009. http://www.gmc-uk.org/static/documents/content/Confidentiality_disclosing_records_financial_2009.pdf

[^99]: Good practice in research and Consent to research, GMC, 2010. http://www.gmc-uk.org/static/documents/content/Research_guidance_FINAL.pdf

[^100]: Summary of Responses to the Consultation on Additional Uses of Patient Data, Research Capability Programme, NHS Connecting for Health, 2009. http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/documents/digitalasset/dh_110715.pdf

[^101]: GMC Confidentiality 2009 http://www.gmc-uk.org/guidance/ethical_guidance/confidentiality_glossary.asp

[^102]: The Caldicott Committee Report on the Review of Patient-Identifiable Information, DH, 1997. http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/@dh/@en/documents/digitalasset/dh_4068404.pdf

[^103]: Confidentiality, GMC, 2009. http://www.gmc-uk.org/static/documents/content/Confidentiality_core_2009.pdf

[^104]: Towards Consensus for Best Practice: use of records from general practice for research, Wellcome Trust, 2009. http://www.wellcome.ac.uk/stellent/groups/corporatesite/@policy_communications/documents/web_document/wtx055660.pdf

[^105]: Pseudonymisation Implementation Project (PIP) Reference Paper 1, Guidance on Terminology, NHS Information Centre, NHS Connecting for Health, 2009. http://www.connectingforhealth.nhs.uk/systemsandservices/sus/delivery/pseudo/pipterminologyguidancefv1ajan10.pdf

[^106]: General Practice Research Database. http://www.gprd.com/contributing/faqs.asp#confidentiality

[^107]: Confidentiality and disclosure of health information tool kit, BMA, 2009. http://www.bma.org.uk/images/confidentialitytoolkitdec2009_tcm41-193140.pdf

[^108]: Pseudonymisation Implementation Project (PIP) Reference Paper 1, Guidance on Terminology, NHS Information Centre, NHS Connecting for Health, 2009. http://www.connectingforhealth.nhs.uk/systemsandservices/sus/delivery/pseudo/pipterminologyguidancefv1ajan10.pdf

[^109]: General Practice Research Database. http://www.gprd.com/contributing/faqs.asp#confidentiality

[^110]: QResearch, a new ethical high quality general practice derived database for research, QResearch, 2003. http://www.qresearch.org/Public_Documents/QRESEARCH_protocol_May03.pdf

[^111]: Confidentiality, GMC, 2009. http://www.gmc-uk.org/static/documents/content/Confidentiality_core_2009.pdf

[^112]: Confidentiality: Research and other secondary uses, GMC, 2009. http://www.gmc-uk.org/guidance/ethical_guidance/confidentiality_40_50_research_and_secondary_issues.asp

[^113]: Confidentiality, GMC, 2009. http://www.gmc-uk.org/static/documents/content/Confidentiality_core_2009.pdf

[^114]: The Information tribunal case of Bluck v Epsom & St Helier Trust and the case of Lewis v SS of State for Health both give some legal basis to this clear ethical argument.

[^115]: Confidentiality, GMC, 2009. http://www.gmc-uk.org/static/documents/content/Confidentiality_core_2009.pdf

[^116]: Legal Guidance on the Data Protection Act (1998), Information Commissioner's Office http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/data_protection_act_legal_guidance.pdf

[^117]: Legal Guidance on the Data Protection Act (1998), Information Commissioner's Office http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/data_protection_act_legal_guidance.pdf

[^118]: Confidentiality, GMC, 2009. http://www.gmc-uk.org/static/documents/content/Confidentiality_core_2009.pdf

[^119]: Data Sharing Review Report, 2008. http://www.justice.gov.uk/reviews/docs/data-sharing-review-report.pdf

[^120]: Response to the Data Sharing Review Report, Ministry of Justice, 2008. http://justive.gov.uk/docs/response-data-sharing-review.pdf
