
Information governance confidentiality code of practice


Patients entrust the NHS to gather sensitive information relating to their health and other matters as part of their seeking treatment. They do so in confidence and they have the legitimate expectation that staff will respect this trust. Therefore, if the legal requirements are to be met and the trust of patients is to be retained, it is essential that the NHS provides, and is seen to provide, a confidential service.

In September 2013, the Health and Social Care Information Centre (HSCIC) also published “A Guide to Confidentiality in Health & Social Care – Treating confidential information with respect”.

It covers the five confidentiality rules:

· Confidential information about service users or patients should be treated confidentially and respectfully.
· Members of a care team should share confidential information when it is needed for the safe and effective care of an individual.
· Information that is shared for the benefit of the community should be anonymised.
· An individual’s right to object to the sharing of confidential information about them should be respected.
· Organisations should put policies, procedures and systems in place to ensure the confidentiality rules are followed.

This document is a guide to the required practice and responsibility of those who work within or under contract to Buckinghamshire Healthcare NHS Trust concerning the confidentiality of staff and patient information. See the Department of Health guidance “Confidentiality: NHS Code of Practice” – November 2003.

The principle behind this Code of Conduct is that no employee shall breach their legal duty of confidentiality, allow others to do so, or attempt to breach any of the Trust’s security systems or controls in order to do so. This document supports the Trust Information Governance Policy IG0005 and should also be read in conjunction with the Trust guidance on Information Disclosure and Sharing Decisions ref: IG0069.

Common Law Duty of Confidence

The Trust must also ensure that it complies with the consent requirements of the Common Law Duty of Confidence (Ref: IG0069 Guidance on Information Disclosure and Sharing Decisions). This means that all patient/client information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient/client. The patient must be informed of the uses or proposed uses to which their information will be put and they must be given the option to ‘opt out’ from their information being shared for anything other than direct healthcare purposes. There must also be a clear indication within the health record that the patient has consented or dissented.


Every member of staff (including agency, bank, locums, volunteers, non-contract, contracted and student placements) may at some time in the course of their work, handle or have access to confidential person identifiable information whether relating to patients, their carers, family or friends, staff or any other individuals connected to the Trust.

Staff need to be aware that:

· They are individually responsible for the safekeeping of that information on behalf of the Trust when it is in their possession.

· They need to apply appropriate levels of information security when handling confidential or sensitive data, and in particular the requirement to apply encryption software to any IT portable media used to store or transfer person identifiable data.

· Everyone working for the Trust who records, handles, stores or comes across information that could identify a patient has a Common Law Duty of Confidence to that patient and to the Trust.

· They will have signed a contract of employment that includes a statement of the need to maintain absolute confidentiality of personal information.

· Professional obligations of confidentiality must be applied.

· Unauthorised disclosure/access or misuse of personal data or IT systems is a breach of Trust policy and may constitute a criminal offence. All incidents of this nature will be fully investigated and may lead to disciplinary action in line with the Trust disciplinary procedure and could ultimately lead to dismissal (Ref IG0031 IT System Access Management Policy). Examples include:

– staff accessing their own personal staff or health records, or the records of colleagues, family, friends or others, where there is no legitimate business relationship, where access is deemed inappropriate, or where it is not authorised for a specific business purpose;

– sharing of personal logins (e.g. passwords, smartcards) or gaining access to systems via another person’s login details, whether accidental or deliberate;

– disclosure/sharing of confidential information where there is no legitimate business relationship or specific business purpose, or that is not on a “need to know” basis, e.g. selling of information for personal gain, general indiscretion or “gossip”.

· The obligations of confidentiality also apply to confidential organisation/business information.

· The Trust information systems are regularly monitored and audited for the following:

– any failed attempts to access confidential information;

– repeated failed attempts to access confidential information;

– successful or attempted access of confidential information where there is no legitimate business relationship and/or access is deemed inappropriate and/or is not authorised as a specific business purpose;

– evidence of shared login sessions/passwords/smartcards etc.

Everyone working for the Trust has a responsibility to comply with Trust policy and the statutory acts that affect the processing and handling of information, confidentiality, the use of systems, and the protection of software and data. These are specifically:

· UK General Data Protection Regulation
· The Data Protection Act 2018
· The Computer Misuse Act 1990
· The Copyright, Designs and Patents Act 1988
· The Human Rights Act 1998
· NHS Act 2006 – Section 251
· NHS Care Record Guarantee 2005 (Revised 2011)
· The Network and Information Systems Regulations (NIS Regulations)

Any breach of the Common Law Duty of Confidence, General Data Protection Regulation or Data Protection Act 2018 with specific reference to unauthorised use/disclosure of personal data or failure to safeguard personal data in accordance with Trust policy will be viewed as gross misconduct and may result in serious disciplinary action being taken, up to and including dismissal. Employees could also face criminal proceedings.


A duty of confidence arises when one person discloses information to another (e.g. patient to clinician) in circumstances where it is reasonable to expect that the information will be held in confidence. It is:

a) a legal obligation that is derived from case law;

b) a requirement established within professional codes of conduct; and

c) a requirement that must be included within NHS employment contracts as a specific requirement linked to disciplinary procedures.


Information should be considered confidential if it can be related in any way to a specific individual.

3.1 All employees are responsible for maintaining the confidentiality of information gained during their employment by the Trust. Confidential information includes:


Person identifiable information, which can include:

· Patient/staff name, initials, address, post code, date of birth, sex, telephone number.

· NHS number, NI number and local patient identifiable codes, or anything that may be used to identify a patient directly or indirectly, i.e. when linked with other information which together may identify an individual. An example of this may be a rare disease, a rare drug treatment, or information relating to very small numbers within a small population area.

· Pictures, photographs, videos, audiotapes or other images of patients