The Guide to Confidentiality distinguishes between information that is used for direct care and information that is used for purposes other than care (indirect care).
The term ‘direct care’ is defined as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals (all activities that directly contribute to the diagnosis, care and treatment of an individual). It includes
It does not include research, teaching, financial audit, service management activities or risk stratification (see note below on borderline cases).
Sharing for direct care can take place across departmental and organisational boundaries. For example, the direct care team may include physiotherapists, nurses, midwives, occupational therapists and others on regulated professional registers. For direct care of an individual, registered and regulated social workers must also be considered part of the care team and covered by implied consent when the social worker has a legitimate relationship to the individual concerned.
The term ‘indirect care’ is defined as activities that contribute to the overall provision of services to a population as a whole or a group of patients with a particular condition, but which fall outside the scope of direct care. It covers health services management, preventative medicine, and medical research. Examples of indirect care activities include risk prediction and stratification (see note below on borderline cases), service evaluation, needs assessment, and financial audit.
The key reason for distinguishing between purposes in this way is that it is generally possible to imply consent for the use of confidential information for direct care purposes but not for other purposes.
There are some exceptions and some tricky borderline cases on which specific guidance is provided.
The searching of patient or service user records for potential research subjects can be done legally by fulfilling any of the following criteria
The main exception relates to essential activity that aims to quality assure the care that has been provided. People receiving care should understand that, for their own safety and to improve care provided to others in the future, it is essential that their records are checked. This helps to ensure that the care they received was optimal and that lessons can be learned where necessary. It is generally accepted that consent can be implied for activity concerned with the quality assurance of care, but only when the audit is undertaken by those who are part of the direct care team. An argument could be made that this activity is sufficiently in the public interest that the duty of confidentiality can be overridden. When exceptionally, an individual has objected to records being looked at for these purposes, this should be respected unless there are such strong concerns about the care that has been provided that the public interest must take priority.
Some activities can appear to sit within a grey area where the relationship of the activity to direct care is not clear.
An important activity that some feel falls within this borderline is that of risk stratification, also known as predictive risk modeling, where records are reviewed to establish a cohort who might then be invited to receive a particular type of care or intervention. However, whilst this activity might eventually result in direct care being provided to a sub-set of those whose records are reviewed, the risk stratification stage falls into one of two separate categories:
1. Rare cases, where professionals have access to confidential information to make decisions about their own patient/service user, which can be done on the basis of implied consent as it is considered to be direct care.
2. When commissioning organisations (e.g. Clinical Commissioning Groups) are making commissioning decisions, which is indirect care and so requires explicit consent or a legal basis
NHS England guidance on how to lawfully conduct risk stratification is available: Information Governance and Risk Stratification: Advice and Options for CCGs and GPs31.
The Information Governance Review concluded that from an information governance perspective there is a need to ensure that the process of identifying individuals or groups of people for early intervention or help (as well as the interventions themselves) is properly underpinned by meeting all the following criteria
Any organisation deciding whether to share information or not should first consider three key questions
Last edited: 9 February 2022 8:47 am