Patient confidentiality

Your doctor, nurse or any other health and social care professional needs to keep records on their interactions with you.

As information we collect about you and your health is very personal, it is important that you can be sure that such information is not passed on or used inappropriately. All information about you is kept secure and in strictest confidence. We only ever use or pass on information about you, if we have a genuine need to do so in your and everyone’s interests. We ask you for information about yourself so that you can receive proper care and treatment. We keep this information together with details about your care because it may be needed if we see you again. If we need to transfer your information we will always do this securely and where practicable remove personal details such as your name and address.

Everyone working for the NHS has a legal duty to keep information about you confidential. Anyone who receives information from us is also under a legal duty to keep it confidential. Sharing some types of very sensitive personal information is strictly controlled by law. Friends and relatives who make enquiries about you if you are an inpatient are not given specific details about your condition, unless you have agreed they can have more information.

What are your rights?

Your rights related to the use of information about you are protected by the Data Protection Act, the Caldicott Committee (a group which set rules about using and protecting patient information) and the Human Rights Act. The Trust has to ensure information is used appropriately in order to meet these requirements.

Data Protection Act (2018)

The Data Protection Act (2018) means that:

  • Personal data must be used fairly, lawfully and in a transparent manner
  • Personal data can be used only for specific and explicit purposes
  • Personal data should be used in a way that is adequate, relevant and limited to only what is necessary
  • Personal data must be accurate and wherever necessary kept up to date
  • Personal data should not be kept for longer than is necessary
  • Personal data must be handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

Caldicott Principles

The name Caldicott is taken from the committee, chaired by Dame Fiona Caldicott, which was set up by the Department of Health and the British Medical Association in 1997 to look at how patient identifiable information was handled in the NHS. The Committee’s report proposed that all NHS organisations should appoint a ‘Guardian’ to oversee the use and sharing of clinical information within their organisations.

The Caldicott Committee (Using and Protecting Patient Information) recommended that the use of patient identifiable information should be regularly justified and routinely tested against the principles developed in the Caldicott Report. A further Caldicott review (Caldicott2) was undertaken in 2013, the outcome of which was an additional Principle (7).

  • Principle 1 – Justify the purpose(s) for using confidential information
  • Principle 2 – Only use it when absolutely necessary
  • Principle 3 – Use the minimum that is required
  • Principle 4 – Access should be on a strict need to know basis
  • Principle 5 – Everyone must understand his or her responsibilities
  • Principle 6 – Understand and comply with the law
  • Principle 7 – The duty to share information can be as important as the duty to protect patient confidentiality

Human Rights Act (1998)

The Human Rights Act (1998) Article 8 is the “Right to respect for private and family life, home and correspondence”.

The way information about patients is updated and stored, the form it is collected in, and the way it is accessed and kept confidential are all relevant to the Act and have to be managed so that Article 8 of the Act is met.

The NHS Care Record Guarantee

The Care Record Guarantee sets out our obligations for protecting and safeguarding your information, especially if we need to share this with other organisations such as social services or education.

If we do need to share information with other services we will tell you about this and agree it with you beforehand. If you do not wish personal data that we hold about you to be used or shared in the way that is described in this leaflet, please discuss the matter with us. You have the right to object, but this may affect our ability to provide you with care or advice.

If you are not able to make decisions about sharing information, a senior health care professional involved in your care may consider it to be in your best interests to share information. This judgement will take account of the views of relatives and carers and any views you have already recorded.

What sort of information is kept and where is it kept?

Information is kept in a variety of computer and written records. At the moment most patients will have a physical paper set of case notes, and an Electronic Patient Record. The Trust is progressing towards a completely electronic system and where possible phasing out written records. The types of information held will remain the same, but will be stored electronically rather than on paper. Until this happens, the electronic record is updated, and any paper notes generated will be filed after each episode of care (eg outpatient clinic, hospital stay etc). The move to electronic records provides a number of benefits to patients and those providing care. Electronic records may be accessed immediately by many staff and access is strictly controlled and monitored.

There are a number of elements which make up the Electronic Patient Record (EPR), including the two main systems, which are called MEDITECH and SystmOne. Depending on what care you are accessing, your information is recorded on one or both of these systems.

These systems keep all patients’ clinical and administrative records. They hold information on outpatient attendances, inpatient admissions, emergency department attendances and care in the community. Records include details of your condition, of the clinical care provided and correspondence with your GP. The many different types of information which are collected include:

  • Hospital number
  • NHS number
  • Name
  • Address
  • Post code
  • Telephone number
  • Date of birth
  • Age
  • Sex
  • Marital status
  • Ethnic category
  • Religion
  • General Practitioner
  • Outpatient appointments
  • Inpatient admissions
  • X-ray appointments

If you are admitted to a Trust facility, some additional information is collected. This includes:

  • Ward
  • Admission date
  • Discharge date
  • Diagnosis
  • Any procedures undertaken
  • The date these were performed and by whom

Clinical staff record details of your medical history, symptoms, medication, findings on examinations, treatments and follow up information every time you are seen by a doctor. This information is needed so that it will be available the next time you are seen.

In addition to doctors, other health care professionals involved in the care of patients may write in the medical record.

Nursing records are the records of nursing care you receive during an admission to hospital.

Another type of record is a 'Care Pathway'. This is a complete patient record for a patient with a specific diagnosis and it is used for recording all the care the patient has received, by doctors, nurses, and any other health care professionals. This is filed in the medical record when the patient is discharged from hospital.

Departmental Records

Some departments keep their own records which are separate from the main medical record. Over time, most stand-alone records will be incorporated within the Electronic Patient Record.

Separate records are kept by departments such as:

  • X-ray – records of x-rays, scans along with the images and results
  • Laboratory Department – results of blood tests, microbiology specimens and pathology specimens
  • Maternity Service – records of pregnancy and childbirth are currently held in a separate file from main hospital attendances. These are being progressively moved over to the Electronic Record.
  • Integrated Sexual Health – records of patients attending Integrated Sexual Health Department. To ensure confidentiality this system is completely separate from all the other systems, and patients are only identifiable to departmental staff.
  • Other databases are kept for various reasons, such as monitoring certain conditions, and include the investigations and treatment received by that group of patients

What other purposes is patient information used for in the Trust?

We may use some patient information to see that the NHS runs efficiently, plans for the future, trains its staff, pays its bills and can account for its actions. In general, information used for any of these purposes is anonymised, but there may be occasions where patient identifiable data is required.

Management information

Information about patients is used in planning the work of the Trust, by monitoring the numbers of patients on waiting lists for outpatient appointments, for admission, and operations. It is also used to monitor the work undertaken by the Trust and assess the costs. Data is not identifiable in the majority of cases.

Complaints & untoward incidents

Patient information is used to investigate untoward incidents. This is so that problems can be identified and actions taken to ensure they do not happen again. Information is only used on a 'need to know' basis and will not be used where it is not necessary.


Patient information about specific groups of patients is used for audit purposes. The information used is information related to the specific aspects of care the audit is examining, and is carried out to ensure patients receive good quality care based on standards of good practice. All patient information used in audit is anonymised to ensure confidentiality is maintained.


Information about your health may be accessed to determine your eligibility to participate in research. Your health information may be used in research with appropriate consent. This may be in observational studies investigating patients with the same or similar health problems or it may be in formal drug or treatment trials. In both cases you will have been notified and provided your consent.


Information may also be needed to help to educate future clinical staff and to carry out medical and other health research for the benefit of everyone. We shall remove details that identify you. If any pictures of you are required for use, you will be asked to give your consent.

Medical information about you may be used for education in a number of ways. The management of some patients may be discussed at specialty meetings to obtain opinions of colleagues, or where there has been a problem, to ensure lessons are learned so this does not happen again.

Information may be used in teaching medical students, junior doctors and other healthcare professionals about health problems and treatments.

What else happens to information?

Transfer of information for health reasons

  • We pass on information about your health, diagnosis and treatment to your family doctor.
  • We may also pass on information to community nursing, physiotherapists, occupational therapists, dieticians, other healthcare professionals, and Cancer Registries, for the purpose of improving health care and to Social Services staff to help in arranging any care needs identified for you.
  • We pass on information about you to other hospitals that may be involved in your care, or to where you may have been transferred.

Transfer of information for Statutory Reasons

Some statutory central information has to be provided for Department of Health statistical purposes.

Transfer of Notifiable Information

Some information has to be provided to others because it is “Notifiable Information”. This includes information on child abuse, and certain “Notifiable” infectious diseases, for example meningitis, salmonella infections, and other infectious diseases, to help us protect the health of the public generally. Sometimes, the law requires us to pass on information: for example, to notify a birth or a death. 

Transfer of information to other organisations with legitimate rights

We may transfer information to other organisations with legitimate rights. These are:

  • The Audit Commission and NHS Resolution, who have the right to inspect aspects of care given by the Trust, and require information about the care of relevant patients
  • Police have a right to relevant information relating to criminal investigations
  • The Coroner has a right to information about a patient when notified of a death
  • The Ombudsman has a right to information relating to a specific enquiry

How you can help to keep your information confidential

It is important that the information we collect or hold about you is as up to date and accurate as possible. This helps us provide the best clinical care to you and also to make sure that if we need to contact you or send you information, it will be directed to the right person or place. You can help us by telling us if:

  • You change your name, address or contact details
  • You think any information we have about you is wrong
  • You are unhappy about an opinion or comment recorded about you

Access to health records

The Data Protection Act gives you the right to see your health records. These can be the records made by a doctor, a nurse or any other health professional. For further information and application forms, contact or 01709 424257.

Caldicott Guardian

The Caldicott Guardian is a senior person in the Trust who is responsible for protecting the confidentiality of your information and for making sure it is shared lawfully and properly. The Caldicott Co-ordinator can be contacted on 01709 427637.

