Code of Practice On

Agenda Item: 12

Ref: CM/04/10/09

BOARD MEETING –8 DECEMBER 2010

CODE OF PRACTICE ON

CONFIDENTIAL PERSONAL INFORMATION

PURPOSE

1.Section 80 of the Health & Social Care Act 2008 requires CQC to publish a Code of Practice on Confidential Personal Information. The Board is asked to approve the Code for publication.

RECOMMENDATION

2.The Board is asked to note the amendments to the Code of Practice on Confidential Personal Information (Appendix A), and to approve the Codefor implementation and publication by the Commission.

BACKGROUND

3.CQC is required under section 80 of the Health & Social Care Act 2008 to prepare and publish a Code of Practice on Confidential Personal Information, in respect of the practice it proposes to follow in relation to confidential personal information.

4.The Act requires CQC to consult with the National Information Governance Board for Health & Social Care (NIGB) and such other persons as we consider appropriate, before publishing the Code.

5.The Code (in various drafts) has been through several rounds of internal consultation with colleagues in Operations, Intelligence, Design, Registration, Legal, Information Security, RDM, and Mental Health Ops. Martin Marshall has also been consulted and involved in development of the Code, as Caldicott Guardian for CQC.

6.In addition to consultation with the NIGB, the Code has also been the subject of a targeted external consultation with standing reference groups of people who use services, carers, registered providers, and a range of organisations approved by the Audit & Risk Committee.

7.These external organisations include; the Department of Health, the Information Commissioner’s Office, Monitor, GMC, NMC, ADASS, GSCC, the Audit Commission, HPC, NPSA, PHSO, HSE, ISA, NHS Information Centre, Ofsted, SCIE, Royal Colleges, and a range of voluntary sector organisations such as Mind, Mencap and the Alzheimer’s Society.

8.The Code has been generally welcomed, and has been reviewed and amended in light of comments and suggestions that have been received.

9.The Code sets out key principles that the Commission must follow in order to ensure that legal and ethical obligations in relation to confidential personal information are met. Misuse of CQC’s powers, or misuse of confidential personal information, could result in legal challenge, criminal prosecution, and in loss of reputation of, and public trust in, CQC.

10.On 17th November, the CQC Board approved the draft Code of Practice for Confidential Personal Information for implementation and publication.

11.This approval was granted on condition of an amendment to amend Principle 2 of the Code, so as to clarify the circumstances in which CQC would, and would not, seek consent to access confidential personal information.

12.An amendment was drafted and subjected to a brief consultation with a small group of CQC staff.The draft of the relevant section was then circulated to members of the Board.

13.Responses approving the amendmenthave been received from the Board members.

14.The Code is currently being prepared for publication. This process may result in amendments to the wording of the Code in the interests of ensuring that it is in plain English and as easy to comprehend as possible. No amendments will be made to the meaning or substance of the Code during this process.

15.A full copy of the Code is attached (Appendix A). The amended sections are paragraphs 2.2 and 2.3, and Principle 2 of paragraph 2.4.

KEY ISSUES

16.The Code specifies that CQC will only seek to obtain, use and disclose the minimum of confidential personal information necessary to exercise its functions.

17.Where it is necessary to obtain, use or disclose confidential personal information for the purpose of exercising its regulatory functions, CQC will rely upon its powers under the Health & Social Care Act 2008 and provisions of the Data Protection Act 1998 that permit the processing of personal data for the exercise of statutory functions.

18.As such, CQC will not seek the consent of people who use services prior to obtaining, using or disclosing their confidential personal information.

19.However, where it is possible and practicable to do so, CQC will notify those individuals of its intention to obtain, use or disclose their confidential personal information, involve them in the decision making process, and give them an opportunity to raise any objections that they may have - and will take whatever reasonable steps it can to accommodate those objections.

20.This approach will avoid the possibility of CQC seeking consent and having it refused, and subsequently finding that it needs to access the information despite the refusal of consent, in order to be able to perform its statutory functions and responsibilities.

21.This approach has been endorsed by the NIGB.

22.CQC has also obtained counsel advice from a leading expert in the field, who has advised that this approach is compliant with Article 8 right to privacy under the Human Rights Act 1998, and that it carries a lesser risk of successful challenge under that Act than would an alternative model by which CQC may seek consent.

23.The Code is intended as a set of principles to be followed in the development of CQC policies, methodology and practice. For this reason it does not contain a significant level of detailed guidance to staff on how to implement those principles in performing their everyday roles and activities.

24.The NIGB Board expressed a view that the code should contain more detail on issues such as recording of decisions to access information, informing people of how their information will be used, appeals against CQC’s decisions, and the publication of information.

25.A number of comments from NIGB have resulted in changes being incorporated into the Code. However it would be impractical and unwieldy to incorporate the level of detail suggested by NIGB. The Code would need to include detailed guidance to cover every aspect of CQC’s activities and, as such, would likely become inaccessible to the general public.

LINK TO STRATEGIC AND CORPORATE PRIORITIES

26.The Code will help to ensure that CQC exercises its powers, and fulfils its responsibilities, in relation to obtaining, using and sharing confidential personal information in a lawful, effective and appropriate manner. As such, the Code has a key role in delivery of CQC’s strategic priorities – in particular, in ensuring that care is centred on people’s needs and protects their rights, and in acting swiftly to help eliminate poor care.

NEXT STEPS

27.The approved Code will be published on CQC’s website.

28.An easy-read version of the Code will be developed and published alongside the Code by the end of 2010. As part of the consultation process, an easy-read version of an earlier draft of the Code was developed and circulated to a range of people who use services. That version was well received by those who reviewed it.

29.Further guidance will be developed to support the code, by assisting CQC staff in applying the principles of the Code in specific circumstances (for example, guidance for staff on collecting evidence in the course of compliance monitoring is currently being developed in line with the principles of the Code).

30.The Code will be communicated to staff using the CQC intranet. The Information Governance Manager will develop and implement training and awareness raising materials.

31.The Information Governance Manager is currently making arrangements to attend Operations regional management groups, and other relevant meetings, to discuss the Code.

CONCLUSION

32.The Board is asked to note the amendments to the Code of Practice on Confidential Personal Information (Appendix A), and to approve the Code for implementation and publication by the Commission.

Simon Richardson

Information Governance Manager

1st December 2010

ANNEX A- Code of Practice on Confidential Personal Information

1 of 4