Information sharing and disclosure
In 2013, Dame Fiona Caldicott’s Information Governance Review: information to share or not to share introduced the seventh Caldicott principle:
The duty to share information can be as important as the duty to protect patient confidentiality. Health and social care professionals should have the confidence to share information in the best interests of their patients and service users within the framework set out by the Caldicott Principles. They should be supported by the policies of their employers, regulators and professional bodies.
This principle was designed to encourage teams of professionals providing direct care for a patient or service user to share information across professional or organisational boundaries to maximise safety and quality of care. All health and social care professionals have a responsibility to protect and maintain confidentiality, but they must also be aware of situations where other considerations (such as safeguarding) take precedence and override the duty of confidentiality.
There is a complex legislative framework including common law, statute and case law that covers this area, and there may be differing legal opinion on how the law should be interpreted and applied in individual cases. The role of the Caldicott Guardian is to advise on the ethical as well as the legal considerations, following the Caldicott Principles.
Whilst the Data Protection Act and the UK GDPR only apply to living individuals, the Caldicott Principles also apply to records and information regarding the deceased. The Access to Health Records Act 1990 gives certain individuals formal rights to access the medical records of the deceased: there is no comparable legislation permitting access to their social care records, although the Caldicott principles may still be applied. After a bereavement, loved ones may have a need for information to help their grieving process and Caldicott Guardians should ensure that appropriate information is not unnecessarily withheld.
The BMA publishes guidance on access to health records.
Quality assurance
The Caldicott Guardian also has a potential role in quality assurance of information sharing, for example when a new personal data sharing system is being created, when the principles of privacy by design should be followed. This may require data protection impact assessments, information sharing agreements and protocols, and systems for consent— in all of which matters the Caldicott Guardian can provide independent advice. This in turn may lead to more fundamental changes in organisations’ policies and procedures.
Legal considerations when sharing information
Personal information may be shared legally in one of three ways:
with the consent of the individual concerned (providing that individual has mental capacity
when it is required by law (e.g. The Children’s Act 1989 requires information to be shared in safeguarding cases)
when it is in the public interest
When information sharing is legally permitted, the Caldicott Guardian may need to decide how much information it is appropriate to share, in line with the third Caldicott principle. An organisation may hold a great deal of sensitive information, and any decision to share information must be proportional and relevant.
Caldicott Guardians may on occasions be asked to advise on disclosures that may be in the public interest, for example to protect individuals or society from risks of serious harm, such as serious communicable diseases or serious crime, or to enable medical research, education or other secondary uses of information that may ultimately benefit society. Personal information may be disclosed in the public interest, without consent—and in exceptional cases where consent has been withheld— if the benefits to an individual or to society of the disclosure outweigh both the public and the patient’s interest in keeping the information confidential.
There may be occasions when information sharing is legally permitted but not required. In these circumstances there must still be a justifiable legal basis for breaching confidentiality such as consent, benefit to someone without capacity to consent, or in the public interest.
There may also be circumstances where although it is legally permissible to share information, the Caldicott Guardian may decide that it should not be shared. There may also be occasions when there is no clear legal basis, or the legal basis is disputed, when the Caldicott Guardian may nevertheless agree that information may be shared. The particular circumstances should always be considered in each case, as factors present in one may be absent in another. In all cases, the Caldicott Guardian should be able to justify their decision and provide evidence of their considerations in making the decision.
Keeping a record of decisions made
Caldicott Guardians should take care to document any advice offered, judgements or decisions made and the reasoning behind them in the interests of transparency and accountability. For example, often emails and written communications are preferable to verbal conversations as they provide Caldicott Guardians with a clear, documented history including details of the request received, how the Caldicott Principles have been considered, advice given, and how much information has been shared and with whom. Some organisations may also use a decision log as a way of monitoring and evidencing their role and impact.