Consent Guidance for Information Sharing
Appendix C1
to the
Sussex-wide Overarching Information Sharing Protocol
Author: / Susan Morra, Julie Lee Winser, Consent Sub GroupOwner: / Local Information Sharing and Confidentiality Group LISC
Status of document / Ratified / Version 1 / 31-03-05
Date Issued: / 31-03-05
Date Effective from: / 01-04-05
Review Date: / March 2007
Contents
1.0Introduction
2.0Purpose
3.0Consent
3.1Definition of Consent
3.1.1Informed Consent
3.1.2Implied Consent
3.1.3Definition of direct continuing healthcare purposes
3.1.4Explicit or Express Consent
3.2Recording consent
3.3Keeping consent up to date
4.0What you need to know before sharing information
4.1Capacity
4.2Best interest
4.3Public Interest
4.4Notification
4.5Information held in shared databases or held in a database by an organisation hosting a service e.g. Cancer Network
5.0When you can and cannot share information
5.1Information sharing using implied consent for direct continuing healthcare purposes
5.2Information sharing that requires Explicit Consent
5.3Legislation Enabling Information Sharing in the Public Interest
5.4Legislation that Requires Information to be Shared when requested to do so
5.5Legislation Restricting Information Sharing
6.0Anonymisation and Pseudonymisation
7.0Deceased persons
8.0Questions and Answers
9.0Generic Consent Form for ‘face to face’ and telephone contacts
10.0How to complete the form
1.0Introduction
The aim of this document is to provide guidance to enable personal information concerning service users (patients/clients/families/carers/staff/ employees) to be shared between organisations without compromising confidentiality unless there is an overriding need to do so.
It should be remembered that ‘confidentiality’ is a ‘duty’ everyone has when providing care, support and administration of care for service users.
As a general principle all personal information must only be collected, held and shared on a strict ‘need to know’ basis and only as much information required for the specific purpose. All decisions to share information that are not associated with the direct continuing healthcare of the service user should be recorded in the service user’s record, (refer to the Sussex-wide Overarching Information Sharing Protocol Appendix C5, The Role of the Designated Officer).
2.0Purpose
The purpose of this document is to provide specific guidance for all staff on consent and information sharing issues. This document forms an appendix to the Sussex-wide Overarching Information Sharing Protocol.
3.0Consent
Some form of consent is required in most cases of sharing service user identifiable information unless the law dictates or allows otherwise.
3.1Definition of Consent
The different aspects of consent and its meaning for the NHS is defined in Confidentiality: NHS Code of Practice (November 2003) and is soon to be adapted and issued for Social Care and the Uses and Disclosure of Health Data (Information Commissioner), as follows:
3.1.1Informed Consent
All consent should be informed. Every service user should be informed about what happens to the information they give to the NHS/other Service Providers (it is the minimum requirement under the Data Protection Act 1998). For each episode of care you should ensure that your service user is fully informed as to what will happen to their information, e.g. who will see their information and what you will be doing with it in order that they can make an informed decision as to whether they wish their information to be shared or not (unless the law dictates otherwise). Service users should be informed of the benefits to them and to the organisation(s) of sharing relevant information.
Each organisation should display posters and/or leaflets explaining:
- Who the Data Controller is (e.g. the organisation who owns the data)
- Why the information is needed
- The purposes for which the information will be processed
- Who will see the information (secretaries, administration staff)
- The benefits to service users and to the organisation(s)
- Any disclosures that may need to be made to other organisations (e.g. Acute Hospitals, Social Services, Meals on Wheels, Clinical Audit, GP Payments, Mental Health Teams, Drug Teams etc.)
- The circumstances in which information may be passed on without consent (e.g., Child Protection, and Crime and Disorder)
- Information restricted by legislation (e.g. HIV, Termination, etc.)
- Information that must be passed on because of legislation (Births, Deaths, Cancer Registries etc.)
These posters and/or leaflets should be made available in other languages for those whose first language is not English or in a different form for those with a disability.
(Refer to Appendix C7, Example Service User Information Poster, contained in the Sussex-wide Information Sharing Protocol, for guidance).
If service users have any reservations about information sharing then explain that their direct continuing care could be affected by restrictions placed on sharing. If service users still refuse to share any information then you have not gained consent for that particular information and the service user’s wishes must be respected, unless legislation dictates otherwise (refer to section 4.3, Public Interest and section 5.3, Legislation Enabling Information Sharing in the Pubic Interest, in this document).
3.1.2Implied Consent
Service user agreement that has been signalled by behaviour of an informed service user.
When you are satisfied that:
- you have properly informed the service user
- he/she understands what will happen to their information
- the service user has signalled their acceptance to the proposed information sharing uses and has not raised any objection;
then you do not have to constantly refer back to the service user for consent each time the information needs to be shared (where health data is concerned the proviso is, as long as the sharing is for the direct continuing healthcare of a service user during that episode of care, [refer to section 3.1.3, Definition of direct continuing healthcare purposes, of this document]).
You should be able to apply the same rules to other information e.g. employee information.
Any other sharing of service user information that the service user would be unaware of (and, therefore, not properly informed) during that episode of care, will need the service user’s explicit consent.
3.1.3Definition of direct continuing healthcare purposes
The Confidentiality: NHS Code of Practice (Department of Health 2003) defines Healthcare Purposes as:
All activities that directly contribute to the:
- Diagnosis
- Care and treatment of an individual
- Audit/assurance of the quality of the healthcare provided
- Social Services [only as long as the service is involved in the direct healthcare of the service user (the service user must be properly informed of the likely disclosures to non-NHS staff and to social workers), otherwise consent will be required].
Direct continuing care does not include (Department of Health 2003)
- Research (refer to section 5.2 (5))
- Teaching (refer to section 5.2 (6))
- Management activities e.g. commissioning, prescribing advisors, financial audit, resource allocation (explicit consent is required unless there is (rarely) a robust public interest or support under section 60 of the Health and Social Care Act 2001) (refer to section 5.4 (9))
The Information Commissioner (2002) further defines Care and Treatment as:
- Routine record keeping, consultation of records etc, in the course of the provision of care and treatment
- Processing of records in the event of a medical emergency
- Disclosures made by one health professional or organisation to another, e.g. where a GP refers a patient to a specialist
- Clinical audit (e.g. the monitoring of a patient care pathway against existing standards and benchmarks), and as the Patient Information Advisory Group (2004) now states: where sharing between different organisations is necessary because more than one organisation has treated that service user, (NHS Trusts only) i.e. Ambulance and Acute Trust, then sharing can take place as long as:
a)the organistion has played a part in delivering care or treatment to that individual
b)the audit is carried out in accordance with clinical governance guidelines
c)it has been approved by the medical director and Caldicott Guardian (unless one and the same person carries out these roles) for the Trust in question.
According to Confidentiality: NHS Code of Practice 2003, the use of information for management purposes requires explicit consent. However, this does not include where management requires information to make a decision for the provision of a specific service for the direct continuing healthcare of a service user e.g. information for assessments, individual care plans etc.; as long as the service user is properly informed and has not raised any objections with regard to information sharing.
3.1.4Explicit or Express Consent
Articulated service user agreement. Clear and voluntary indication of preference or choice, usually given orally or in writing and freely given in circumstances where the available options and the consequences have been made clear.
3.2Recording consent
Record in the service user’s record if the service user has been provided with and understands the poster and/or leaflet regarding information sharing. Record whether the service user has signalled their acceptance, at the beginning of each episode of care, to information sharing and has not raised any objection.
If the service user has not understood or cannot read the poster and/or leaflet ensure that a detailed explanation of their contents is discussed and acceptance signalled as above (in some cases an interpreter may be required).
Where a service user has refused to share information this should be recorded in the service user’s record, dated and time stamped. That information must not be shared (unless the law dictates otherwise).
It will be necessary to recognise the different communication needs of particular service users. Difficulty in communicating does not remove the obligation to help people understand.
The form in section 9 may be used by all those who need to record consent. Instructions on how to complete the form are in section 10 and the form and instructions can be printed on one sheet of A4.
3.3Keeping consent up to date
- Check at each new episode of care or normal review stage that service users have not changed their mind.
- It is essential that children, once they gain capacity, are asked to confirm their own choice, as a previous recorded choice regarding consent may have been made by another party, on their behalf, which may not reflect their own choice. Refer to section 4.1, Capacity.
- It may also be essential to revisit consent at other times e.g. when changes, which impact on how information is used, are introduced. This may be due to changes in service provision or government initiatives. Consent should also be reviewed whenever there are changes to information sharing/disclosure(s) during an episode of care.
4.0What you need to know before sharing information
Where information sharing decisions are not for the direct continuing healthcare of a service user, information sharing decisions should be directed to the Designated Officer/Caldicott Guardian to instigate the decision making process, (refer to the Sussex-wide Information Sharing Protocol Appendix C5, The Role of the Designated Officer).
4.1Capacity
A service user may be unable to give consent in the following instances:
- Is a minor-there is no clear guidance in UK law relating to what age defines a child. Children who have the capacity and understanding to take decisions about their own care and treatment are also entitled to make decisions about the use and disclosure of information they have provided in confidence.
Capacity is usually defined by the professional providing care, based on their professional judgement at that time, dependant upon the nature of the issue in question. Different levels of capacity may be required for different levels of decision making with regard to information sharing.
If the healthcare professional treating the child does not believe the child has capacity, then the child’s guardian who has parental responsibility, will make the decision to share or not. Where there is any doubt as to whether the decision to share information, made by those with parental responsibility, is in the child’s best interests, the matter may need to be referred to the courts to decide. Refer to Section 8, Question 4.
- Is unconscious-any decision to share information will be taken by the healthcare professional treating the service user at that time in the patient’s best interests. The decision to share information must be justified and documented in the service user’s record.
- Where it is evident (according to the professional treating the service user) that the service user does not have the mental capacity for making a specific decision him/herself as to whether or not to share his or her personal/sensitive information, refer to Tier 2 Appendix A1, Mental Health, for further specific guidance on assessing mental capacity
Healthcare professions should, when deciding to share information belonging to those who do not have the mental capacity, as described above, take account of a variety of factors. For example:
- To only share in the patient’s best interests, (refer to section 4.2 Best interests)
- Take account of the safety of staff treating the service user, relatives of the service user and the public interest, (refer to section 4.3 Public interest).
- Be aware of the Data Protection and Caldicott Principles.
- Be aware of the common law rules of confidentiality (including the Gillick case)
4.2Best interest
According to the General Medical Council (2004), the following should be considered when deciding what is in the best interests of a service user who is considered by the healthcare professional treating the service user, to lack mental capacity to make choices regarding information sharing:
- options for treatment or investigation which are clinically indicated;
- any evidence of the service user's previously expressed preferences, including an advance statement;
- your own and the health care team's knowledge of the service user's background, such as cultural, religious, or employment considerations;
- views about the service user’s preferences given by a third party who may have other knowledge of the service user, for example the service user's partner, family, carer, tutor-dative (Scotland), or a person with parental responsibility;
- which option least restricts the service user's future choices, where more than one option (including non-treatment) seems reasonable in the service user’s best interest.
- where there is conflict or doubt, legal advice should be taken
Although this guidance is geared towards treatment the same principles should be applied to information.
4.3Public Interest
According to the ‘Confidentiality: NHS Code of Practice’ (2003), the public interest is:
‘where exceptional circumstances justify overruling the right of an individual to confidentiality in order to serve a broader societal interest’.
Decisions about the public interest are complex and must take account of both the potential harm that disclosure may cause and the interest of a free and democratic society in the continued maintenance of an individual’s right to confidentiality. Before deciding to share information those making public interest decisions should consult the Designated Officer/Caldicott Guardian, if appropriate, and any appropriate health professional concerned.
The service user should be notified where a decision to disclose in the greater public interest, is to be made or has been made, outlining the reasons for doing so unless there are strong reasons not to do this.
4.4Notification
If you disclose information to another organisation, or undertake processing on behalf of another organisation, ensure your Notification is updated. Refer to the Sussex-wide Information Sharing Protocol Appendix C2, Example Training Manual, the section on Data Protection Principles, for information on Notification.
4.5Information held in shared databases or held in a database by an organisation hosting a service e.g. Cancer Network
All data owners (these may be data owners from many organisations) must be registered as one of a number of joint Data Controllers and each Data Controller will retain control over their own information.
Organisations may give written authority delegating the ‘assigning of access’ to one Caldicott Guardian to act on their behalf although the data owners will still be responsible and accountable for their own data. The process may vary in different organisations but whatever system is used the Caldicott Guardian should sign off all accesses to service-user identifiable information.
Caldicott Guardians may find they are asked to allow various groups (e.g. analysts) access to the information held in the database for one of a number of purposes. Caldicott Guardians must ensure the purposes are lawful and comply with the guidance contained in this document. Where the delegated Caldicott Guardian cannot make a judgment alone he/she should consult all Caldicott Guardians concerned and/or seek expert advice.
5.0When you can and cannot share information
5.1Information sharing using Implied consent for direct continuing healthcare purposes
Note:The Single Assessment Process (SAP) is an exception to the following rule. Sharing information for SAP is only permitted with explicit consent unless legislation or guidance dictates otherwise. Refer to your SAP Protocol or guidance and section 5.2(1) of this document, for further information.
However, for all other health and social care information you must ensure you have informed the service user (refer to section 3.1.1 Informed Consent and 3.1.2 Implied Consent) of the uses and disclosures of their person identifiable information. If you are satisfied that this has been done, the service user has signalled their agreement to information sharing and has not objected, then you may assume ‘implied consent’ to share the service user’s information for the direct continuing healthcare of the service user, during that episode of care.
5.2Information sharing that requires Explicit Consent
The Department of Health has identified certain situations where Explicit Consent is required for information sharing that does not directly contribute to direct continuing healthcare of a service user. In these instances, Explicit Consent will always be required unless there is a robust public interest in favour of releasing information without consent (refer to section 4.3, Public Interest).
For most information sharing issues that are not for the direct continuing care of a service user you should consult your Designated Officer/Caldicott Guardian. Information sharing for purposes that are not for the direct continuing healthcare of a service user (this list may not be exhaustive) (with the exception of the Single Assessment Process), are as follows: