Everyone working for the NHS is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised, with consent given by the patient, unless there are other circumstances covered by the law. There are conditions other than consent that we as an organisation can rely on, and these are listed under the General Data Protection Regulation Article 6(1) for personal data (e.g. your name or address) and Article 9(1) for sensitive personal data (i.e. race, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or sex life and sexual orientation, genetic data and biometric data where processed to uniquely identify a person). Further details are available here.
Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information, tell you how your information will be used, and allow you to decide if and how your information can be shared.
Access to identifiable information is strictly controlled, and identifiable information is only used when it is absolutely necessary. As a general rule of thumb, the trust will pseudonymise or anonymise data that is required for non-direct health care purposes. Pseudonymisation is a process that removes the NHS number and any other identifiable information such as name, date of birth or postcode, and replaces it with an artificial identifier, or pseudonym.
In the circumstances where we are required to hold or receive personal information we will only do this if:
- The information is necessary for the direct healthcare of patients.
- We have received explicit consent from individuals to be able to use their information for a specific purpose (e.g. employment of staff).
- There is an overriding public interest in using the information, for example, in order to safeguard an individual, or to prevent a serious crime.
- There is a legal requirement that will allow us to use or provide information (e.g. a formal court order or legislation, dealing with employee details).
- We have permission from the Secretary of State for Health to use certain confidential patient information when it is necessary for our work and whilst changes are made to our systems that ensure de-identified information is used for all purposes other than direct care.
NHS Digital has published a guide to confidentiality in health and social care that explains the various laws and rules about the use and sharing of confidential information.