Confidentiality of Patient Data


Confidentiality of Patient Data Protocol 


Document control sheet

Document Title: Confidentiality of Patient Data

Hannah Lawrence

18 April 2016

Document history







18 April 2016, Hannah Lawrence, Review April 17

June 2018, Hannah Lawrence, Unchanged Review June 2019

10th June 2019, Leah Lawther, Unchanged Review June 2020

20th December 2021, Leah Lawther, Unchanged Review December 2022

10th January 2023, Leah Lawther, Unchanged Review January 2024



Contact details

Main point of contact: Leah Lawther

Telephone number: 01932 875001

Email address:

Postal address: 3 Bousley Rise, KT16 0JX







This document sets out the arrangements in the practice for the confidentiality of patient data.


The Practice’s Responsibilities


The practice will ensure that employees fully understand all their responsibilities with regard to confidential data, by ensuring employees undertake Information Governance training and sign a written statement of the responsibilities they are undertaking towards the security of all data within the surgery.  Competency will be assessed as an ongoing process and as part of the appraisal process.


The practice will continue to complete and submit the IG Toolkit self-assessment on an annual basis.


The practice will also ensure that arrangements are in place for the confidential disposal of any paper waste generated at work.


The practice strictly applies the rules of confidentiality and will not release patient information to a third party (other than those involved in the direct care of a patient) without proper valid and informed consent, unless this is within the statutory exempted categories such as in the public interest, or if required by law, in which case the release of the information and the reasons for it will be individually and specifically documented and authorised by the responsible clinician.


The practice follows the Health and Social Care Information Centre document “A Guide to Confidentiality in Health and Social Care, Sept 2013”.



Leaflet Wording (Patient Information Leaflet or Poster)


All patient information is considered to be confidential and we comply fully with the Data Protection Act 1998 and Caldicott principles.  All employees in the practice have access to this information in relation to their role, have confidentiality clauses in their contracts of employment and have signed a confidentiality agreement. All staff members adhere to the Confidentiality: NHS Code of Practice 2003.


Where appropriate, patient information may be shared with other parties within the care team.  However, they must be involved in the direct care of patients, based on implied consent.  This will be on a “need to know” basis only and in order to ensure the safe, effective care of patients. Where a patient wishes information not to be shared within the team providing direct care, then they must discuss this with their GP.


Patient information will not be shared outside of the direct care team without consent being sought.  An individual has the right to refuse to have their information disclosed, although this may have an impact on their care, and their wishes will be complied with.


It is imperative that, when it is right to release details to 3rd parties, the information includes only what has been asked for and not necessarily the full record.


There are currently two national data extractions from which patients may wish to “opt out”:


1. Summary Care Record


The SCR enables healthcare staff providing care for patients in an emergency and from anywhere in England to be made aware of any current medications or allergies the patient may suffer from.  This information from every patient record is sent electronically up to the Spine in order for this to happen. If patients wish their information to be withheld from the SCR, they can “opt out”.  Please ask at reception for the SCR Opt Out Form or download one at:


2. programme


In order to improve health services, NHS England has commissioned a modern data service from the Health and Social Care Information Centre (HSCIC) known as the “ programme”. The aim of the service is to create a complete picture of care provided to patients by social care, GP practices and hospitals, and it will make use of patient information extracted from GP medical records.


Once this information has been linked to the data taken from hospitals, a new record will be created. This new record will not contain information that identifies you. The type of information that is then shared, and how it is shared, is controlled by law and strict confidentiality rules.


If you wish to “opt out” and prevent an extraction of information from your record being taken please ask for further information at reception.



At present, the proposed national roll-out of the care data program has been postponed and, rather than an immediate national roll-out, the HSCIC will be working with a number of “Pathfinder GP practices” that will test, evaluate and refine all aspects of the data collection process before it is applied nationally.


Protection against Viruses


Data is vulnerable to loss or corruption caused by viruses. Viruses may be introduced from floppy discs, CDROM/DVDROM, other storage media and by direct links via e-mail and web browsing.


Precautions to be taken


· Virus protection software is installed on ALL computer equipment.

· The supplier of our clinical software manages the anti-virus software version control and regular updates.

· New programs should not be downloaded without the permission of the IT or practice manager. This reduces the risk of malware being downloaded and affecting the computer.

· Mobile phones should never be charged using PC USB sockets.