With greater access to records comes a greater risk of breaching confidentiality unless certain standards are adhered to, says Dr Gerard Panting of the MPS

Electronic information management systems offer considerable benefits. They provide greater access to patient information for the many healthcare professionals who may be involved in an individual’s care, better continuity of care and greater efficiency in medical treatment. They also make more medical data available for public health initiatives.

However, greater accessibility carries with it the dangers of access by unauthorised personnel for inappropriate use, and assimilation of information which may prejudice individuals when applying for life insurance, mortgages or jobs. This could, in turn, deter individuals from being completely open and honest with their doctors.

The NHS Information Authority (NHSIA) recently published four discussion papers about various aspects of patient confidentiality, a prelude to the NHS embarking on a major spending programme to improve the information systems used in patient care.

The consultation papers include a set of proposals for handling patient information called Caring for Information (a draft national patient information-sharing charter that tells people what they can expect from the NHS) [1]; a draft code of practice for NHS staff dealing with protecting patient confidentiality [2]; and a draft script for a public information video explaining what the NHS does with patient information and patients’ rights [3].

Meeting patients’ expectations

The NHSIA carried out research on patients’ expectations during May and June 2002. Encouragingly, there was a high level of trust in the NHS when it came to protecting patient confidentiality, but many patients did not know how the NHS uses patient information.

They generally accepted that GPs, hospital doctors and emergency services should have access to their data but wanted to reserve the right to limit access to very sensitive information.

The research also revealed that people considered information that was released outside the NHS or used inside the NHS for purposes other than treatment should be anonymised or the patient’s permission sought for that use.

The NHSIA aims to allow information to be shared among those in the NHS who need it to provide good quality care while at the same time recognising patients’ rights. It proposes to achieve this by implementing two principles: patient identifiable health records should only be shared for health and social care; and individuals should be given only the information they need to enable them to do their job in caring for the patient.

A code of practice

The NHSIA’s recently published draft code of practice for NHS staff on protecting patient confidentiality [2] brings together the law governing professional confidence, how a confidential service should be provided, how information should be used and various annexes dealing with more detailed requirements.

The law governing professional confidence

Medical confidentiality is a legal duty which arises when patients share information with their doctors, healthcare workers or other NHS staff in circumstances in which it is reasonable to expect that the information will be kept confidential.

That legal duty has been established by the courts in numerous cases, often reflecting the advice given to the profession by the General Medical Council. The GMC and other healthcare regulators require practitioners registered with them to follow their own guidance as well as following the general legal requirements.

The Data Protection Act 1998 and, to a lesser extent, the Human Rights Act 2000 make statutory provision for the way in which confidential information may be obtained and used. In addition, the Access to Health Records Act 1990 limits access to confidential information relating to individuals who have died.

The Data Protection Act 1998 is a complex piece of legislation with a large volume of supplementary regulations governing specific forms and uses of personal data. Despite this complexity, its requirements can be summarised as abiding by the data protection principles (Box 1, below). Provided data controllers comply with the notification requirements (previously termed ‘registration’) and the data protection principles, they should stay on the right side of the law.

Box 1: The data protection principles
  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
    (a) at least one of the conditions in Schedule 2 is met, and
    (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met
  2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
  4. Personal data shall be accurate and, where necessary, kept up to date
  5. Personal data processed for any purposes shall not be kept for longer than necessary for that purpose or those purposes
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data


Providing a confidential service

The draft code of practice for NHS staff defines a confidential service as one that protects patient information, ensures that patients are informed fully so that they are not surprised by how their information is used, and provides choice to patients. It should also improve the way in which confidential information is obtained, used and protected wherever possible.

The emphasis in this section of the document is on informing patients – through posters, leaflets and in person – that the information they give may be recorded and shared with others to provide them with care, and may also be used to support clinical audit and other work to monitor the quality of care provided.

It states that in order to inform patients properly, staff must check that patients have seen information leaflets about the collection and use of confidential information, and make it clear to patients when information is recorded or health records are accessed. They must also tell patients when information will be shared with others, check that patients are aware of the choices available to them regarding how that information may be used or shared and also check that they have no concerns or queries about this.

Staff must also respect the rights of patients to have access to their records (a statutory right under the Data Protection Act 1998).

The guidance also sets out standards for maintaining the security of medical records (Box 2, below) and issues advice on their content (Box 3, below).

Box 2: Standards for maintaining the security of medical records
For all types of records, staff working in offices where records may be seen must:
  • Shut/lock doors and cabinets as required
  • Wear building passes/ID if issued
  • Query the status of strangers
  • Know who to tell if anything suspicious or worrying is noted
  • Not tell unauthorised personnel how the security systems operate
  • Not breach security themselves
Manual records must be:
  • Formally booked out from their normal filing systems
  • Tracked if transferred, with a note made or sent to the filing location of the transfer
  • Returned to the filing location as soon as possible after completion of treatment
  • Stored securely within the clinic or office, arranged so that the record can be found easily if needed urgently
  • Stored closed when not in use so that contents are not seen accidentally
  • Inaccessible to members of the public and not left even for short periods where they might be looked at by unauthorised persons
  • Held in secure storage with clear labelling. Protective ‘wrappers’ indicating sensitivity – though not indicating the reason for sensitivity – and permitted access, and the availability of secure means of destruction, e.g. shredding, are essential
With electronic records, staff must:
  • Always log out of any computer system or application when work on it is finished
  • Not leave a terminal unattended and logged in
  • Not share logins with other people. If other staff have need to access records, then appropriate access should be organised for them – this must not be by using others’ access identities
  • Not reveal passwords to others
  • Change passwords at regular intervals to prevent anyone else using them
  • Avoid using short passwords, or using names or words that are known to be associated with them (children’s or pets’ names or birthdays)
  • Always clear the screen of a previous patient’s information before seeing another
  • Use a password-protected screen-saver to prevent casual viewing of patient information by others
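The password rules in Box 2 (no short passwords, nothing built from names or dates known to be associated with the user) are the kind of standard that is only effective if the system enforces it at the point a password is chosen. The following is an added example, not code from the article or from the NHSIA, of a simple policy check that does this. The minimum length of 12, the user profile and the candidate passwords are all constructed assumptions; the check also goes slightly beyond the list by undoing common letter-for-digit substitutions before looking for names, so that a pet’s name spelt with a zero or a three is still caught.

```python
"""
Added example (not from the Guidelines in Practice article or the NHSIA code):
enforces the Box 2 electronic-records rules for passwords - reject short
passwords and passwords containing names or birthdays associated with the user.
All profile data and candidate passwords below are constructed sample values.
"""
from datetime import date

MIN_LENGTH = 12  # assumed policy value; the article only says "avoid short passwords"

# Letter-for-digit substitutions people use to "disguise" a name (assumed set)
_LEET = str.maketrans("013457@$", "oieasTas".lower())


def date_tokens(d: date) -> set[str]:
    """Digit strings in which a birthday is commonly typed, e.g. 1403, 14031975, 140375, 1975."""
    return {
        d.strftime("%d%m"), d.strftime("%m%d"),
        d.strftime("%d%m%Y"), d.strftime("%d%m%y"),
        d.strftime("%Y%m%d"), str(d.year),
    }


def associated_tokens(profile: dict) -> set[str]:
    """Lower-cased names and date fragments that must not appear in the user's password."""
    tokens: set[str] = set()
    for name in profile.get("names", []):
        if len(name) >= 3:          # very short names would match by accident
            tokens.add(name.lower())
    for d in profile.get("dates", []):
        tokens |= date_tokens(d)
    return tokens


def check_password(candidate: str, profile: dict) -> list[str]:
    """Return the policy violations for `candidate`; an empty list means it is accepted."""
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    # Undo digit/symbol substitutions and separators so 'R0ver' or 'r.o.v.e.r' still matches 'rover'
    normalised = lowered.translate(_LEET).replace(".", "").replace("-", "").replace("_", "")
    for token in sorted(associated_tokens(profile)):  # sorted for deterministic output
        if token.isdigit():
            # Date fragments are checked against the raw text, before substitutions are undone
            if token in candidate:
                problems.append(f"contains associated date fragment {token!r}")
        elif token in lowered or token in normalised:
            problems.append(f"contains associated name {token!r}")
    return problems


# Constructed sample profile: names and dates a records system might know about a user
SAMPLE_PROFILE = {
    "names": ["Emily", "Rover", "Jack"],
    "dates": [date(1975, 3, 14), date(2001, 11, 2)],
}

if __name__ == "__main__":
    for pw in ["Rover2001", "correct-horse-battery", "Em1ly_is_great_2024", "Pa$$word14031975"]:
        verdict = check_password(pw, SAMPLE_PROFILE)
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

In a real deployment the profile would be populated from the staff directory rather than typed in, and the check would sit alongside the other Box 2 controls (forced logout, screen-saver lock) rather than replace them.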
Box 3: NHSIA advice on the content of patient records
Patient records should:
  • Be factual, consistent and accurate
  • Be written as soon as possible after an event has occurred, providing current information on the care and condition of the patient
  • Be written clearly, legibly and in such a manner that they cannot be erased
  • Be written in such a manner that any alterations or additions are dated, timed and signed in such a way that the original entry can still be read clearly
  • Be accurately dated, timed and signed, with the name of the author being printed alongside the first entry
  • Be readable on any photocopies
  • Be written, wherever possible, with the involvement of the patient or carer
  • Be clear, unambiguous (preferably concise), and written in terms that the patient can understand. Abbreviations, if used, should follow common conventions
  • Be consecutive
  • (For electronic records) use standard coding techniques and protocols
Be relevant and useful
  • Identify problems that have arisen and the action taken to rectify them
  • Provide evidence of the care planned, the decisions made, the care delivered and the information shared
  • Provide evidence of actions agreed with the patient (including consent to treatment and/or consent to share)
And include
  • Medical observations: examinations, tests, diagnoses, prognoses, prescriptions, other treatments
  • Relevant disclosures by the patient – pertinent to understanding cause or effecting cure/treatment
  • Facts presented to the patient
  • Correspondence from the patient or other parties
Patient records should not include:
  • Unnecessary abbreviations, jargon, meaningless phrases, irrelevant speculation and offensive subjective statements
  • Personal opinions regarding the patient (restrict to professional judgments on clinical matters)

There is very little in the document that is new, apart from the emphasis on the need to keep patients informed. However, the very fact that this guidance has been produced demonstrates the increasing complexity of the subject and seriousness with which the issue is taken by patients, politicians and regulators.


  1. NHS Information Authority. Caring for Information – Model for the Future. Birmingham: NHSIA, October 2002.
  2. Department of Health. Confidentiality: a code of practice for NHS staff. London: Department of Health, 2002.
  3. NHS Information Authority. Confidentiality of your medical records. Video script. Birmingham: NHSIA, October 2002.


Guidelines in Practice, March 2003, Volume 6(3)
© 2003 MGP Ltd