[*Note from HIFA moderator (NPW): Thanks to Richard for this message which refers to Topic 3 of our current discussion: What strategies could be used to address the potential for informal mobile phone use to undermine patients’ privacy and confidentiality and the legal implications of informal use for healthcare workers?]
I was the Data Protection Officer for a health trust a decade ago. We needed to consider the requirements of the General Data Protection requirements that were in place whilst registering health professionals to use the administrative developing digital health record system. (An analogy might be the requirements for health professionals to dispense drugs, or undertake minor surgery.)
We put Role Based Access Control cards in place for the staff’s use of a developing digital health record. (In computer systems security, role-based access control or role-based security is an approach to restricting system access to authorized users and to implementing mandatory access control or discretionary access control.)
We arranged for all staff to undertake, pass and produce a certificate to show that they had passed a simple online national data protection course before they could receive their role-based access card.
I am currently researching and writing a prospective piece about patient and service providers' use of records. The following cut and pasted pieces of regulatory advice might be useful for training health staff to manage personal health data that is stored on their phone.
1. European General Data Protection regulation – “The term ‘personal data’ is the entryway to the application of the General Data Protection Regulation (GDPR). Only if a processing of data concerns personal data, the General Data Protection Regulation applies. The term is defined in Art. 4 (1). Personal data are any information which are related to an identified or identifiable natural person.
2. NHS England – “Today NHS England advises General Practitioners that: “everyone in a health and care organisation is responsible for managing records appropriately. It is important, therefore, that all general practice staff understand their responsibilities for creating, maintaining, and disposing of records appropriately.”
3. The UK General Medical Council advises “disclosing information with a patient's consent - asking for a patient’s consent to disclose information shows respect and is part of good communication between medical professionals and patients. Under the common law duty of confidentiality, consent may be explicit or implied”.4 (Only the patient will know when and under which circumstances their health and life records are best shared.)
a. “Explicit (also known as express) consent is given when a patient actively agrees, either orally or in writing, to the use or disclosure of information.
b. “Implied consent refers to circumstances in which it would be reasonable to infer that the patient agrees to the use of the information, even though this has not been directly expressed.” 4
“You may disclose information on the basis of implied consent for direct care when the conditions in paragraphs 28 and 29 are met, and for local clinical audit when the conditions in paragraph 96 are met. In other cases, you should ask for explicit consent to disclose personal information unless it is not appropriate or practicable to do so.”
“For example, this might be because:
a. “the disclosure is required by law
b. “you are satisfied that informed consent has already been obtained by a suitable person
c. “the patient does not have capacity to make the decision. In such a case, you should follow the guidance on disclosures about patients who lack capacity to consent
d. “you have reason to believe that seeking consent would put you or others at risk of serious harm
e. “seeking consent would be likely to undermine the purpose of the disclosure, for example by prejudicing the prevention, detection or prosecution of a serious crime 4
f. “action must be taken quickly, for example in the detection or control of outbreaks of some communicable diseases where there is insufficient time to contact the patient
g. “seeking consent is not feasible given the number or age of records, or the likely traceability of patients.
h. “you have already decided to disclose information in the public interest
“If you disclose personal information without consent, you must be satisfied that there is a legal basis for breaching confidentiality. You must also be satisfied that the other relevant requirements for disclosing information are met.”
HIFA profile: Richard Fitton is a retired family doctor - GP. Professional interests: Health literacy, patient partnership of trust and implementation of healthcare with professionals, family and public involvement in the prevention of modern lifestyle diseases, patients using access to professional records to overcome confidentiality barriers to care, patients as part of the policing of the use of their patient data Email address: richardpeterfitton7 AT gmail.com