Agenda item: 12 - Annex A
Ref: CM/04/10/09
Code of Practice on Confidential Personal Information
An easy read version of this document ‘Our rules for keeping your private information safe’ is available from our website [link to be included]
SECTION 1 – INTRODUCTION
About the Care Quality Commission
1.1 The Care Quality Commission (the Commission) is the independent regulator of health and adult social care services in England. We were established by the Health and Social Care Act 2008 and replace the former Commission for Social Care Inspection, Healthcare Commission and Mental Health Act Commission.
1.2 The Commission’s values are to:
· put the people who use health and social care services first, be informed by what they tell us and stand up for their rights and dignity;
· be independent;
· be expert and authoritative, basing our actions on high quality evidence;
· be a champion for joined up care across services;
· work with service providers and the professions to agree definitions of quality;
· be visible, open, transparent and accountable.
1.3 Further information about the Commission and what we do is available by calling our customer services team on 03000 616161 or by visiting our website at www.cqc.org.uk
The purpose of this Code of Practice
1.4 The Health and Social Care Act 2008 requires the Commission to prepare and publish a code in respect of the practice we propose to follow in relation to the obtaining, handling, use and disclosure of confidential personal information.
1.5 This code has been prepared to fulfill that requirement. It is our intention that the code should be used in two principal ways:
· by the Commission, to define the practice that we will follow in our work and to provide a point of reference against which our practice can be judged. The Code will guide us in the continued development of policies, processes and training which will, in turn, provide detailed guidance to our staff on issues relating to confidential personal information;
· by the Commission’s stakeholders (such as people who use services, carers, the public, providers of health and social care, and other regulatory bodies), to provide information about the principles which they can expect the Commission to follow, and to provide reassurance about our use of confidential personal information.
1.6 As the regulatory body within health and social care, the Commission has a role in promoting good practice and we therefore intend that this code should contribute to that role.
The Commission’s Functions and Powers
1.7 The Commission’s functions (the jobs we were set up to do) include the registration of health and social care providers to ensure common quality standards are being met, reviewing and investigating the quality of the services they provide, and protecting the rights of people who have been detained under the Mental Health Act 1983.
1.8 Our main objective in performing our functions is to protect and promote the health, safety and welfare of people who use health and social care services.
1.9 Schedule 9 of the Health & Social Care Act 2008 allows us to provide assistance to other public authorities in the exercise of their functions. This may include sharing confidential personal information with those public authorities, where we think it is appropriate and in the public interest to do so.
1.10 The Commission has a specific range of ‘regulatory functions’ and, for the purpose of these functions, we have extensive powers to:
· Enter and inspect premises which are, or which we reasonably believe to be, ‘regulated premises’ (premises or vehicles that are used for the carrying on of a regulated care activity, or which are owned or controlled by an NHS body or local authority, or are used – or proposed to be used – for the provision of NHS care or adult social services); and
· Access or obtain documents or records (including those held on computer) in the course of the inspection; and
· Require any information, documents or records that we consider necessary for the exercise of our regulatory functions from:
o any English NHS body
o any person providing health care commissioned by the NHS
o any English local authority
o any person providing adult social care services commissioned by an English local authority, or
o any person who ‘carries on’ or manages a health or social care activity of a type regulated by the Commission.
1.11 As defined by section 60(2) of the Health & Social Care Act 2008, these ‘regulatory functions’ are:
· The registration of health and social care activities – including:
o the registration of providers and managers,
o assessing their compliance with registration regulations,
o enforcement action and prosecutions for offences under the Act or for failure to comply with regulations,
o providing/publishing registers of registered providers, and
o receiving notifications of certain matters as required by the Act;
· Performing reviews and investigations of the provision of health and adult social care services provided or commissioned by NHS bodies and Local Authorities, and publishing reports of the assessments made;
· Undertaking studies as to the economy, efficiency and effectiveness with which NHS bodies and Local Authorities commission, manage or provide health and adult social care services, including comparing the performance of different commissioning organisations and providers, and publishing the results of these studies;
· Undertaking and publishing special reviews and studies that look at themes in health and social care by focussing on services provided, pathways of care or the experience of care received by particular groups of people. These reviews and studies are designed to enable us to make recommendations for improving the provision of care or the management of NHS bodies or local authorities. Further information on these special reviews and studies is available on our website at http://www.cqc.org.uk/reviewsandstudies.cfm
1.12 We cannot use our powers under the Health and Social Care Act to inspect premises and obtain information for any other purpose.
1.13 We also have some functions and powers under other Acts.
1.14 The Commission has a function to keep the use of the Mental Health Act under review and to ensure that the Act is being used properly – in particular, the powers of detention under that Act.
1.15 For the performance of this function, we have powers under the Mental Health Act to visit and interview detained patients, and to access records relating to their detention and treatment, or to access or obtain other information that we reasonably require.
1.16 The Commission is also an ‘enforcing authority’ under the Health and Safety at Work Act in relation to the Ionising Radiation (Medical Exposure) Regulations 2000 (IR(ME)R).
1.17 Our role is to ensure that medical use of ionising radiation is carried out in accordance with the 2000 regulations (and 2006 amendment), so as to minimise the risk to patients.
1.18 In undertaking our responsibility as the ‘enforcing authority’ for the IR(ME)R regulations, we have powers under the Health and Safety at Work Act to enter premises, interview staff, and to access or obtain information for the purpose of checking compliance with the regulations, and for investigating notifications of incidents relating to medical ionising radiation (which certain care providers are required to submit to the Commission).
1.19 We will apply the same principles to the access, use and disclosure of information in relation to our functions under the Mental Health Act and the Health & Safety at Work Act/IR(ME)R as we do to the access, use and disclosure of information in relation to our regulatory functions under the Health & Social Care Act 2008.
What is ‘confidential personal information’?
1.20 The Health and Social Care Act defines ‘confidential personal information’ as information which ‘is obtained by the Commission in terms or circumstances requiring it to be held in confidence and relates to and identifies an individual’.
1.21 Confidential personal information is likely to include (but is not limited to) information about an individual’s:
· Physical or mental health;
· Social or family circumstances;
· Financial standing and financial details;
· Education, training and employment experience;
· Religious beliefs;
· Racial or ethnic origin;
· Sexuality; and
· Criminal convictions.
1.22 The information may relate to people who use services, their families, carers or representatives, registered providers, health and social care staff, our own staff, or any other person who has contact with the Commission. Whilst recognising that some information will be more sensitive than others (for example, information about an individual’s sexual health is more likely to be sensitive than information about a broken leg, as disclosure of that information is more likely to cause damage or distress to the person to whom it relates), the same principles and standards of care will apply to all confidential personal information held by the Commission.
1.23 It is a criminal offence under the Health and Social Care Act 2008 to disclose confidential personal information that has been obtained by the Commission, other than in certain circumstances. In addition to the purposes of this code listed above, it is intended that it will guide our staff to ensure that they only disclose confidential personal information where it is lawful to do so.
SECTION 2 – THE PRINCIPLES
2.1 The Commission has translated the various laws (see Appendix A) into a set of principles. The principles represent the Commission’s approach to the obtaining, handling, use and disclosure of confidential personal information.
2.2 The main objective of the Commission is to protect and promote the health, safety and welfare of people who use health and social care services.
2.3 The following Principles have been developed in order to ensure that we give the fullest possible consideration and protection to the privacy and dignity of individuals, without fettering our powers or restricting our ability to achieve this objective.
2.4 The Principles are that:
Principle 1: The Commission will only seek to obtain confidential personal information where it is necessary to do so for the purpose of exercising our functions.
Principle 2: In order to ensure that we are not restricted in our ability to protect and promote the health, safety and welfare of people who use health and social care services, the Commission will not seek consent where it is necessary to obtain, use or disclose confidential personal information for the purpose of exercising our regulatory functions, or for our functions under the Mental Health Act or Health and Safety at Work Act. However, in such circumstances, we will take all practicable steps to involve those individuals in any decision to access their information. When obtaining confidential personal information for other purposes, the Commission will seek consent, where it is possible and practicable to do so.
Principle 3: Wherever it is possible and practicable to do so, the Commission will keep individuals informed about how, why and when we use and disclose their confidential personal information, and we will listen and give consideration to their views and concerns when making decisions relating to this information.
Principle 4: The Commission will use only the minimum necessary confidential personal information. We will use anonymised information wherever possible, and will securely dispose of confidential personal information when it is no longer needed.
Principle 5: In all cases, the Commission will hold and handle confidential personal information securely and sensitively, and will actively seek to minimise any risk of damage or distress that may be caused to the individuals to whom the information relates.
Principle 6: The Commission will only share, disclose or publish confidential personal information where it is lawful to do so, where it is in the significant public interest to do so, and where the recipients of the information have a genuine ‘need to know’.
Principle 7: The Commission will obtain, handle, use and disclose information relating to deceased people in accordance with the same principles as applied to information about living individuals, with sensitivity to the families and friends of those persons, and with consideration of any previously recorded wishes of the deceased.
Principle 8: The Commission will comply with, and keep up to date with, the law, and have regard to changing issues of ethics and best practice regarding confidential personal information, by regularly reviewing and updating this Code of Practice.
Principle 9: The Commission will be open and transparent in our arrangements and processes for obtaining, handling, using and disclosing of confidential personal information.
SECTION 3 – HOW THE COMMISSION WILL DECIDE WHAT ACTIONS ARE ‘NECESSARY’ IN RELATION TO CONFIDENTIAL PERSONAL INFORMATION
3.1 The Commission may only use our powers to obtain confidential personal information when doing so is ‘necessary’ for the exercise of our regulatory functions, or for our functions under the Mental Health Act or Health and Safety at Work Act, as explained above (Section 1).
3.2 We also rely upon conditions under the Data Protection Act 1998 which allow the processing of personal information, where doing so is ‘necessary’ for the exercise of our functions under various Acts.
3.3 At various points within this Code we refer to making decisions as to whether various acts in relation to confidential personal information are ‘necessary’.
3.4 Therefore, it is important to establish how we will decide whether it is ‘necessary’ to obtain, use or disclose confidential personal information in any particular case.
The necessity test
3.5 In reaching a decision as to whether it is necessary to obtain, use or disclose confidential personal information, we will consider two factors:
3.6 Firstly: Whether obtaining, using or disclosing the information is a necessary step in the exercise of the particular function that we are seeking to exercise – for example, because it would not be possible or practical, or would require significant and disproportionate extra cost or effort, to perform the function without doing so. We must act in a manner which results in the least interference with the privacy and rights of people who use care services, and this requires us to ask ourselves whether there are other ways of achieving our aim which would minimise such interference; and
3.7 Secondly: Whether the performance of the function is necessary and in the public interest in the particular circumstances. This means that the Commission will consider whether the public interest served by performing the function justifies any potential impact upon the privacy of individuals.
3.8 This second factor may require a careful balancing of multiple considerations, including:
· Whether the individual has given consent;