Confidentiality policy

Version number and status: 5.5
First published: April 2013
Date updated: 3 February 2025
Next review date: March 2026

1. Introduction 

1.1 The purpose of this policy is to: 

a. establish the confidentiality principles which apply in respect of our confidential information  
b. ensure that everyone to whom this policy applies understands their role and responsibilities in maintaining the confidentiality of confidential information
c. direct everyone to whom this policy applies to further information to aid them with meeting their confidentiality responsibilities

1.2 It is critical that NHS England protects and respects all confidential information for which it is responsible. Everyone who acts on behalf of NHS England, including employees and contractors, has a duty to maintain the confidentiality of confidential information. That duty is reflected in our contracts, in data protection law and in the common law duty of confidentiality. This policy should be read in conjunction with the Information governance policy.

1.3 This policy explains your responsibilities in relation to:

a. protecting confidential information
b. respecting and maintaining your and NHS England’s duty of confidentiality in relation to confidential information

2. Scope  

2.1. All NHS England directorates and regions fall within the scope of this policy. This includes staff who are employed on a permanent, fixed term or zero-hours basis, contractors, temporary staff, secondees and volunteers. It also covers non-executive directors and non-executive associate directors. We use the term ‘staff’ within this policy to cover all of these different types of staff.

2.2. Staff of the following NHS areas are also within the scope of this policy:   

a. all commissioning support units  
b. all other NHS England hosted bodies, such as strategic clinical networks and clinical senates   
c. compliance with this policy is mandatory

2.3. Confidential information for the purpose of this policy means:  

a. personal data which has been obtained in circumstances where it is considered to be confidential (including personal demographic data about patients)
b. confidential patient data
c. commercially sensitive information
d. corporate confidential information

2.4. The definitions table in Appendix A explains the meaning of each category of confidential information.

3. Policy statement

Common law duty of confidentiality

3.1. We are responsible for ensuring that we respect the confidentiality of the confidential information which we create, obtain, use and share. We must ensure that confidentiality is appropriately maintained as we create, obtain and use information and that our sharing of confidential information with others meets our legal and ethical obligations, as set out in this policy.

3.2. A duty of confidentiality arises when one person discloses information to another in circumstances where it is reasonable to expect that the information will be held in confidence (for example, patient to clinician).

3.3. The duty is a legal obligation derived from case law; it is also a requirement established within professional codes of conduct, and it must be included within NHS employment contracts as a specific requirement linked to disciplinary procedures.

3.4. The common law duty of confidentiality therefore protects confidential information which has been disclosed in circumstances where the recipient has a duty to keep it confidential and where a breach of that duty would:

a. be unlawful
b. cause damage and/or distress to the person the confidential information relates to
c. result in court action, regulatory enforcement action and/or disciplinary action

3.5. The duty of confidentiality will typically exist between:

a. medical professionals and their patients
b. employers and their employees
c. legal professionals and their clients

Exceptions to the common law duty of confidentiality

3.6. There are 5 main exceptions to the duty of confidentiality, where the duty does not apply or where it may be overridden:

a. public domain: the information is already in the public domain and can no longer be regarded as confidential, for example, when information is legitimately published, such as when a contract award notice has been published identifying a successful bidder following a procurement exercise
b. consent: the person or organisation to whom the confidential information relates gives their consent for the information to be disclosed. In the case of confidential patient data, this can be implied consent where information is shared for the direct care of the patient with other members of their healthcare team. Otherwise, express consent is required
c. legal requirement: the information is required to be disclosed by law. This includes where there is a court order requiring its disclosure or there is a statutory duty to disclose the information. For example, s259 of the Health and Social Care Act 2012 imposes a statutory duty on health and social care bodies to supply information to NHS England following the issue of a data provision notice where we have been directed to collect and analyse confidential patient data
d. statutory power: there is a statutory power to disclose the information which expressly overrides the duty of confidentiality. For example, this includes where permission is provided by the Health Research Authority or Secretary of State with support from the Confidentiality Advisory Group under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002, also known as a section 251 approval
e. public interest: disclosure of the information is justifiable in the public interest

3.7. Before we rely on an exemption to the duty of confidentiality, approval must be obtained from the Privacy, Transparency, Trust Sub-Directorate. Where relying on the public interest justification to disclose confidential patient data, approval is also required from the Caldicott Guardian.

The confidentiality principles

3.8. We have summarised our confidentiality obligations into the following principles which underpin our approach to maintaining the confidentiality of confidential information.

3.9. Everyone to whom this policy applies is required to comply with these principles in respect of all confidential information.

a. respecting the duty of confidentiality: we ensure that we respect our duty of confidentiality whenever we handle, or make decisions concerning, confidential information. In relation to confidential patient data, this includes complying with the 8 Caldicott Principles issued by the National Data Guardian. The 8 Caldicott Principles apply to the use of confidential patient data within health and social care organisations, including sharing data between organisations and between individuals, both for individual care and for other purposes. The principles are set out in the definitions in Appendix A
b. protection from improper disclosure: we ensure that confidential information is effectively protected against improper disclosure throughout its lifecycle, from when it is created or received until it is deleted. This includes exercising all due care and diligence to prevent unauthorised disclosure of confidential information
c. internal access to information: we ensure that, within NHS England, we only provide individuals (contractors or NHS England employees) with access to the confidential information which is necessary for them to perform their role and in line with internal processes and policies

d. sharing information with third parties: before we share any confidential information with other organisations, we must ensure that:

  • statutory authority: we have appropriate statutory authority for sharing the information. The Privacy, Transparency and Trust Sub-Directorate or Legal Sub-Directorate can provide advice and support on this
  • UK GDPR: where the confidential information contains personal data, there is a legal basis under Article 6 and Article 9 (where necessary) of the UK GDPR, and all other aspects of UK GDPR are complied with, including transparency and security requirements. The Privacy, Transparency and Trust team, or the Legal team, can provide advice and support on this
  • duty of confidentiality: the sharing does not breach our duty of confidentiality or we have identified a specific exemption which overrides the duty. The Privacy, Transparency and Trust Sub-Directorate, or the Legal Sub-Directorate, can provide advice and support on this
  • recipient assurances: the recipient of the information is informed that the information is confidential and they provide a binding assurance that they shall treat the information as confidential. Such assurance will often be in the form of a contractual obligation. For example, where data is shared through the Data Access Release Service (DARS), recipients must enter into a data sharing agreement which contains these assurances
  • purpose limitation: we only share the minimum information which is necessary to achieve the purpose of the sharing. The Privacy, Transparency and Trust team, or the Legal team, can provide advice and support on this
  • accountability: we justify and document the decision to share the confidential information

Your responsibilities

3.10. Whilst working at NHS England:

a. Whenever you handle or make decisions concerning confidential information, you must take the following actions:

  • principles: comply with our principles of confidentiality (see above)
  • deidentification of personal data and confidential patient data: before accessing, using or sharing confidential patient data or personal data, always consider whether it can be pseudonymised or anonymised to achieve the purpose
  • identification of confidential information: ensure that confidential information is identified as such when it is created and/or shared
  • marking confidential information: ensure that confidential information is appropriately marked as official-sensitive, official-sensitive-commercial or official-sensitive-personal in line with the NHS England records management policy
  • method of sharing data: disclose confidential information using secure methods and channels only, for example secure encrypted file transfer (SEFT), NHS Mail, and encryption and password protection of documents and email attachments (see the NHS England Information security policy). Encryption of emails and email attachments also needs to be considered when sharing confidential information
  • physical security: ensure the physical security of all documents and/or media containing confidential information, including storage of files on computers (see NHS England Information security policy)
  • information security: ensure that confidential information is secure when in use and also when not in use (see NHS England Information security policy)
  • IT systems: abide by the terms of use and privacy requirements for all IT systems (see NHS England’s Acceptable use policy)
  • communication channels and collaboration tools: ensure that confidentiality requirements are observed and controls are in place to protect confidential information stored or shared through communications channels and collaboration tools, such as MS Teams, NHS Mail, SharePoint, WhatsApp, etc. All staff have a duty to maintain confidentiality over documents they produce and make available to others on a restricted basis by ensuring access permissions are in place and appropriate, for example, document sharing via SharePoint and Microsoft Teams. When sharing confidential information with a shared inbox, consideration must be given to who has access to the shared inbox
  • publication and social media: ensure that confidential information is not published on any public site, including social media; this covers any unauthorised disclosure of confidential information. Social media includes LinkedIn, Twitter and Facebook (see NHS England’s Standards of business conduct policy)
  • discussing confidential information: ensure that confidential discussions, and any discussions in which confidential information may be disclosed, take place in secure locations where they cannot be overheard
  • NHS England business use: only use confidential information for NHS England business purposes as required for your role. Personal use of confidential information or use for non-NHS England business is not permitted
  • disposal: ensure confidential information is disposed of securely and correctly and that it is not held for longer than necessary (see NHS England’s Records management policy)
  • seek guidance: if you are unclear whether information amounts to confidential information, seek guidance from your line manager, the Privacy, Transparency and Trust team, the Legal team, the Commercial team or the NHS England Caldicott Guardian
  • access to patient identifiable data: access to NHS England systems containing patient identifiable data must be granted in accordance with NHS England’s policies and processes concerning data access including NHS England’s Registration authority policy and guidance

b. Individuals to whom this policy applies shall not be restrained from using or disclosing any confidential information in the following circumstances:

  • authorisation: they are authorised to use or disclose by NHS England, for example in managing and responding to data subject access requests, in accordance with the NHS England Data protection policy
  • legal requirement: they are required to disclose the confidential information by law. Before sharing any confidential information, which is subject to a legal requirement of disclosure, please seek advice from the Privacy, Transparency and Trust team or the Legal team
  • whistleblowing: they are entitled to disclose the confidential information under the Public Interest Disclosure Act 1998 provided that the disclosure is made in an appropriate way to an appropriate person having regard to the provisions of that Act

3.11. When you leave NHS England:

a. all confidential information must be returned to NHS England
b. you are not permitted to retain or remove any confidential information for personal or subsequent non-NHS England business use. Any exceptions to this rule must be agreed with your line manager. For example, clinicians working within the wider NHS who wish to continue using certain specified relevant NHS England information within their NHS role after their secondment or fixed term contract expires must seek authority from their NHS England line manager, and may do so only where it is agreed that there is a requirement to do so
c. the following must be returned to NHS England:

  • any hard or electronic copies of software, documents or correspondence, diaries, plans, specifications, policies etc. relating to NHS England business
  • any confidential information contained in or on any portable or removable media devices

d. for information on the NHS Mail policy for staff leaving NHS England, please access the Acceptable use policy

Confidential Information on your personal devices

3.12. Under NHS England’s Acceptable use policy, individuals to whom this policy applies are only permitted to use their own devices for accessing confidential information via NHS England’s Office 365 and OneDrive environments. Confidential information must not be copied to or saved in local storage.

3.13. If any confidential information has been stored on a local device in breach of this policy, it must be securely deleted immediately.

Ongoing duty of confidentiality

3.14. All individuals to whom this policy applies are bound to maintain the duty of confidentiality in relation to confidential information they know of in accordance with this policy beyond the end of their relationship with NHS England.

Requests to share information that may include confidential information

3.15. We may be asked to share confidential information with other organisations or people. Any enquiries or requests for information from the following organisations should be referred to the following teams:

a. press/media organisations: must be referred to NHS England Communications at media@nhs.net
b. public enquiries and freedom of information requests: must be referred to NHS England Contact Centre at england.contactus@nhs.net
c. suppliers, commercial companies and legal firms: must be referred to the NHS England Commercial team via the commercial email inbox at contractmanagement@nhs.net

3.16. All other requests to share confidential information with other organisations or people should be referred to the Privacy, Transparency and Trust team via the IG Query Management Portal.

Breaches of confidentiality

3.17. A breach of this policy may amount to serious misconduct and may result in:

a. dismissal
b. termination of secondment for secondees and a request for their employer to apply their internal disciplinary procedures
c. termination of contracts for interim resources, temporary workers, agency workers and/or contractors; and/or legal action being taken against the discloser and/or any other third party

NHS England may monitor staff compliance with this policy.

Reporting a breach

3.18. If anyone to whom this policy applies becomes aware of a breach of this policy or of our duty of confidentiality, they must report it immediately to their line manager and, where the breach relates to personal data or confidential patient data, to the data protection officer via our National Service Desk by calling 0113 518 0000, option 3 (see NHS England Data protection policy).

4. Roles and responsibilities 

4.1 Responsibilities for meeting our confidentiality obligations flow through the organisation from the top down. The specific responsibilities of individuals and groups of individuals within NHS England are set out below. 

All NHS colleagues and others to whom this policy applies

It is the responsibility of everyone to whom this policy applies to adhere to this policy and all associated data protection, information governance and information security policies and procedures.  

Chief executive

Overall accountability for procedural documents across the organisation lies with the chief executive, who, as the accounting officer, has overall responsibility for meeting all statutory, legal and regulatory requirements, including those relating to confidentiality.

Caldicott Guardian

The Caldicott Guardian is an advocate for patients and acts as the conscience of the organisation for patient information, patient confidentiality, patient information sharing issues and the proper management of patient information. The role of the Caldicott Guardian is advisory. Within NHS England the Caldicott Guardian responsibility is under the remit of the national medical director.

The Caldicott Guardian ensures that NHS England satisfies the highest ethical and legal standards for processing confidential information about patients and staff. 

Senior information risk owner (SIRO)

The SIRO is a senior advocate for data protection and security matters at board level. The responsibilities of the SIRO include providing leadership during a major incident or breach.

Data protection officer (DPO)

It is a legal requirement under UK GDPR for NHS England to appoint a DPO. The DPO is an independent advisory role held by an expert in data protection (deputy director of data protection and trust). The DPO and the Data Protection and Trust Team are part of the Privacy, Transparency, and Trust Sub-Directorate. 

The responsibilities of the DPO include providing advice to the organisation and its staff on compliance with data protection law, including confidentiality.  

5. Equality and health inequalities assessment  

As part of the development of this policy, its impact on equality has been analysed and no detriment identified. 

6. Additional Resources 

Supporting Data Protection and Information Governance policies, procedures, standards, templates, guidance and advice can be found here: 

  • NHS England’s Information governance policy and Data protection policy
  • NHS England’s Information governance intranet page
  • NHS England’s information governance query management portal
  • Information Commissioner’s Office website

Our legal obligations concerning confidentiality are set out in various laws, including:  

We also need to have regard to other sources of guidance and policies such as:

Appendix A – Key definitions used in this policy   

The following terms are used in this policy and have the meanings set out below: 

Caldicott Principles

The Caldicott Principles apply to the use of confidential information within health and social care organisations and when such information is shared with other organisations and between individuals, both for individual care and for other purposes. The principles are:  

  • Principle 1: We shall justify the purpose(s) for using confidential information.
  • Principle 2: We shall use confidential information only when it is necessary.
  • Principle 3: We shall use the minimum necessary confidential information.
  • Principle 4: Access to confidential information should be on a strict need-to-know basis.
  • Principle 5: Everyone with access to confidential information should be aware of their responsibilities.
  • Principle 6: We shall comply with the law.
  • Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality.
  • Principle 8: We shall inform patients and service users about how their confidential information is used.

Commercially sensitive information

Means information which, if disclosed, would be likely to prejudice the commercial interests of NHS England or any other person or organisation.  

Commercially sensitive information may relate to NHS England and/or its agents, customers, prospective customers, patients, suppliers or any other third parties connected with NHS England. 

Commercially sensitive information includes: 

  • confidential business information
  • ideas/programme plans/forecasts/risks/issues
  • trade secrets
  • business methods and business design 
  • finance/budget planning/business cases/reports
  • prices and pricing structures
  • sources of supply and costs of equipment and/or software
  • prospective business opportunities in general
  • computer programs and/or software adapted or used
  • contracts and contractual information
  • procurement information
  • confidential supplier information

Commercially sensitive information may appear in a wide range of formats, including electronic or hard copy, whether or not it is or was marked as confidential.

Corporate confidential information

Means any other information (that is, information which is not commercially sensitive information, personal data or confidential patient data) which has been obtained or created in the course of NHS England business and which is identified as confidential when provided or created, or which ought reasonably to be considered confidential given the circumstances in which it has been provided.

It should be information that is not generally known internally or outside of the organisation or is only known to those who need to know it. It includes: 

  • the formulation and development of policy, guidance, standards, strategies and plans, including drafts and comments on the same
  • ministerial submissions including drafts and comment on the same
  • requests for advice and advice provided and received by NHS England, including from subject matter experts
  • requests for advice and advice provided by legal professionals which is regarded as privileged legal advice
  • information identified by legal professionals as covered by litigation privilege

Confidential information

Means:  

  • personal data which has been obtained in circumstances where it is considered to be confidential. This includes personal demographic data about patients
  • confidential patient data
  • commercially sensitive information
  • corporate confidential information

Confidential patient data

Means all data collected for the provision of health and social care services where patients and service users can be identified and would expect that it will be kept private. This may include for instance, details about symptoms, diagnosis, treatment, names and addresses (see the National Data Guardian’s guidance on The Eight Caldicott Principles, December 2020). It includes confidential patient information as defined in section 251 of the National Health Service Act 2006.

Incident

An actual or suspected security breach or data loss incident.

Patient identifiable data

Means information that identifies a patient or service user to whom the information relates or enables the identity of such an individual to be ascertained. See section 263(2)(a) of the Health and Social Care Act 2012.  

Key identifiable information includes:  

  • patient’s name, address, full post code, date of birth
  • pictures, photographs, videos, audiotapes or other images of patients
  • NHS number and local patient identifiable codes
  • anything else that may be used to identify a patient directly or indirectly. For example, rare diseases, drug treatments or statistical analyses which have very small numbers within a small population may allow individuals to be identified. See definition in Confidentiality NHS Code of Practice, November 2003

Personal data

Has the meaning given in UK GDPR, being any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For the purposes of this policy this also includes information relating to deceased patients or service users. Personal data can be directly identifiable personal data or pseudonymised data.

Personal data breach

Has the meaning given in UK GDPR being a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Process or processing

Has the meaning given in UK GDPR being any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

UK GDPR

UK GDPR as defined in and read in accordance with the Data Protection Act 2018.

Policy prepared by: Jon Moore, Deputy Director of Data Protection and Trust (Data Protection Officer), Privacy, Transparency, and Trust Sub-Directorate, Delivery Directorate

Policy owner: Jackie Gray, Director of Privacy and Information Governance, Privacy, Transparency, and Trust Sub-Directorate, Delivery Directorate

Policy approved by and date: Steve Russell, Chief Delivery Officer, 18 March 2025

This is a controlled document. Whilst this document may be printed, the electronic version posted on the NHS England website is the controlled copy. Any printed copies of this document are not controlled. 

As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the NHS England website.