It may be a source of some confusion that the NHS has five live guidance documents relating to the duty of confidentiality.
The original 2003 guidance document is the non-statutory “Confidentiality: NHS Code of Practice” issued by the Department of Health. It offered detailed guidance on:
• protecting confidential information;
• informing patients about uses of their personal information;
• offering patients appropriate choices about the uses of their personal information; and
• the circumstances in which confidential information may be used or disclosed.
Whilst of relevance to all using confidential patient data, the primary audience was data protection officers and Caldicott guardians. Its usefulness is limited by its age. It does not take into account the recommendations and implementation of the second Caldicott review, or the radical changes in NHS structure, management and technology since 2003.
In 2013 the HSCIC issued “A guide to confidentiality in health and social care”, supported by a References Document, in response to the Caldicott 2 Information Governance Review. Whilst neither mentioning nor rescinding the 2003 Code, it covers practically the same ground. It claims that it “… provides readers with a full picture of what they should do and why” and is written with the express intention that “readers do not have to consult multiple sources of guidance”. It is statutory guidance issued under s265 of the Health & Social Care Act 2012, and health and social care bodies have a duty to have regard to it.
The audience is wider than that of the 2003 Code, and it is very much a practical guide for front-line staff making confidentiality and disclosure decisions. The 2003 Code remains an important document and has some useful items, such as flow charts, which are not in the 2013 Guide.
The third document is a formal “Code of Practice on Confidential Information” issued in December 2014 under s263 of the same Act. Again, health and social care bodies (expressly including private contractors) must have regard to it in delivering services, but the audience and aims are different. This Code is aimed at the organisational level – those responsible for “setting and implementing organisational policy, within the organisations”.
It relates to “the collection, analysis, publication or other dissemination of confidential information concerning or connected with the provision of health services or of adult social care”, rather than “the direct provision of care, related record keeping or documentation facilitating the handover of care from one care provider to another”, which is covered in the 2013 guidance.
Finally, there is NHS “Supplementary Guidance: Public Interest Disclosures” issued to support the 2003 Code, updated in 2010. On this special topic it remains the key guidance.