European Standards on Confidentiality and Privacy in Healthcare


European Standards on Confidentiality and Privacy in Healthcare 1

Contents

Preface 3

1. Introduction 4

2. Foundations of the Standards 5

2.1 Ethics, law, vulnerability 5

2.2 Principles 5

2.3 The Ethical Basis of Privacy and Confidentiality 5

2.3.1 Privacy and confidentiality in ethics 5

2.3.2 Ethical justifications for confidentiality 6

2.3.3 Ethical boundaries to confidentiality 6

2.4 The Legal Basis of Privacy and Confidentiality 6

2.4.1 Privacy and confidentiality in law 6

2.4.2 Legal boundaries to privacy and confidentiality 8

2.4.3 Country specific legislation and their commonalities 8

2.5 Vulnerability 9

2.5.1 The nature of vulnerability 9

2.5.2 The impact of vulnerability on the protection, use and disclosure of patient information 10

2.6 Balanced Decision-making 11

3. Standards 12

3.1 Protection, Use and Disclosure of Patient Information—General Considerations 12

3.1.1 Patient consent 12

3.1.2 Circumstances where a patient is unable to consent 12

3.1.3 Disclosure to protect interests that override the patient’s right to confidentiality 13

3.1.4 Disclosure after a patient’s death 13

3.1.5 Patient access to their healthcare records 13

3.2 Protection, Use and Disclosure of Patient Information for Their Healthcare 14

3.2.1 Keeping patients informed 14

3.2.2 Consent to the use and disclosure of patient information 14

3.2.3 Clinical audit 14

3.2.4 Disclosure to a patient’s carers 15

3.2.5 Multidisciplinary and Inter-agency working 15

3.2.6 Dual roles and obligations 16

3.3 Protection, Use and Disclosure of Patient Information for Healthcare Purposes not Directly Related to their Healthcare 16

3.3.1 Keeping patients informed about secondary uses 17

3.3.2 Consent for secondary use or disclosure of confidential patient information 17

3.3.3 Maintaining information in a form which protects the identity of the patient 18

3.3.4 Use of information for teaching purposes 18

3.3.5 Anonymisation for research uses 18

3.3.6 Research databases containing personal identifiable information 19

3.4 Obligations and Justifications for the Disclosure of Patient Identifiable Information for Purposes not Related to their Healthcare 20

3.4.1 Legal obligations to disclose 20

3.4.2 Justifications to disclose 21

3.5 The Security of Patient Information 23

Glossary 24

EuroSOCAP Project Board 26

European Guidance for Healthcare Professionals on Confidentiality and Privacy in Healthcare 28

Preface

These European Standards on Confidentiality and Privacy in Healthcare were developed through the work of the EuroSOCAP Project (QRLT-2002-00771). EuroSOCAP is a European Commission funded project (2003-2006) established to confront and address the challenges and tensions created within the healthcare sector between the information or knowledge-based society and the fundamental legal and ethical requirements of privacy and confidentiality of healthcare information.

The Standards apply to all healthcare professionals and to healthcare provider institutions and address the areas of healthcare confidentiality and informational privacy. They provide background on the ethical and legal foundations of the Standards, guidance on best ethical practice for healthcare professionals and recommendations to healthcare provider institutions. These European Standards also provide a framework and model for national provision and can be used to support professional training and practice.

These European Standards are primarily ethical standards. They also consider European legal obligations upon healthcare professionals and the general legal context within which professional decisions about the protection, use and disclosure of confidential information take place. The legal context of this ethical guidance includes shared legal principles and law enforceable within Europe (such as the EU Data Protection Directive and the European Convention on Human Rights). Such laws do not exhaust the obligations on healthcare professionals to respect and protect patient confidentiality and privacy. Healthcare professionals may also need to exercise professional judgment. These Standards provide ethical guidance to all healthcare professionals in the making of such judgments. Best ethical practice also requires a supportive context and the Standards contain recommendations to healthcare provider institutions on those measures necessary for the most effective realization of the Standards in practice.

The Standards were written following detailed consideration of the needs of vulnerable patients—particularly children and young people, older people, migrants and mobile populations, prisoners, homeless people, people with mental health problems, people with an intellectual disability, and people who lack decision-making capacity. The explicit focus on the specific risks to the healthcare privacy and confidentiality of vulnerable patients has greatly informed the development of generic Standards to guide healthcare professionals, including practice involving vulnerable patients.

Copies of these Standards and the Guidance are available in various languages from the Project website at www.eurosocap.org. The website also provides: updates on items of interest in the area of healthcare confidentiality and privacy; a searchable database of links to relevant material; and a searchable database of experts and interested parties throughout Europe.

The Project team had 20 members—clinicians (with various specialisms), therapists, legal experts, and ethicists from 11 European states. Draft Standards were developed over a two year period by this team (with contributions from six invited experts). The draft Standards were then circulated widely for consultation during 2005 and were the subject of a Workshop attended by 80 experts from 26 European and neighbouring states. A broad range of responses were received through this consultation process, including perspectives from Patient Organizations, National Medical Associations, National Ministries of Health, National Data Protection Authorities, the European Commission, industry, universities, and relevant international organizations. Based on this consultation process, revised draft Standards were prepared and circulated for a further round of consultation. The Standards were finalized at a meeting of the EuroSOCAP Project Board in November 2005.

The work of the EuroSOCAP Project has been supported and informed by the work of others and the Project Board particularly wishes to thank the following:

Marie Brooks (Administrative Assistant to the EuroSOCAP Project); the Confidentiality Advisory Group, Royal College of Psychiatrists, UK; the PRIVIREAL project (SIBLE, UK); Vilhjálmur Árnason (University of Iceland & ELSAGEN Project); Bernd Blobel (Health Telematics Project Group, Fraunhofer Institute, Erlangen); Linus Broström (Department of Medical Ethics, Lund University); Ruth Chadwick (CESAGEN & University of Lancaster); Ethel Franz (Centro per la Scienza, la Società e la Cittadinanza, Rome); Brandon Hamber (Independent Consultant); Henk ten Have (Division of Ethics of Science and Technology, UNESCO); Fanny Senez (European Forum for Good Clinical Practice, Brussels); and the many stakeholders throughout Europe whose work contributed to the development of these Standards.

Roy McClelland, Coordinator of the EuroSOCAP Project, on behalf of the Project Team

Tom Berney, Deryck Beyleveld, Jesus Carbajosa, Francis Crawley, Béatrice Despland, Bill Fulford, Wolfgang Gaebel, Sefik Gorkey, Danielle Grondin, Marc Guerrier, Colin Harper, Goran Hermerén, Alastair Kent, Tony McGleenan, Sabine Michalowski, Emilio Mordini, Rosa Ordonez, Paul Thornton, Michael Weindling

1. Introduction

All patients have the right to privacy and the reasonable expectation that the confidentiality of their personal information will be rigorously maintained by all healthcare professionals. Each patient’s right to privacy and the professional’s duty of confidentiality apply regardless of the form (for example, electronic, photographic, biological) in which the information is held or communicated. Not all healthcare professionals are bound by the same legal obligations of confidence, but all are under the same ethical obligations to maintain confidentiality. Particular care is needed on the part of healthcare professionals to ensure that the right to privacy of vulnerable patients is respected and that their duty of confidentiality toward them is fulfilled.

The aims of these European Standards are to:

• establish the ethical and legal framework and principles supporting the protection of confidentiality and informational privacy of people in healthcare;

• delineate the ethically necessary protections of confidential information and those circumstances where the use or disclosure of private or confidential information may be legitimate;

• provide Guidance on best ethical practice for healthcare professionals and policy Recommendations for provider institutions.

The ethical standards of healthcare professional confidentiality are not reducible to data protection standards, although they operate in conjunction with them. Further, confidentiality is an indispensable ethical complement to maintaining the security of information systems.

The high status of healthcare confidentiality can be found in several European Union (EU) laws. Directive 95/46/EC, the ‘data protection directive’, refers to certain data being ‘processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy’ (Article 8 (3)). Recital 9 of Directive 2001/20/EC on clinical trials refers to ‘the rules of confidentiality’. However, the content of these ‘confidentiality rules’ in a European context has not been clarified. These Standards clarify these shared principles and rules within the rich diversity of the European community and in an international context.

While each patient’s healthcare information is protected under both ethical and legal obligations of confidentiality, there are a variety of situations where the use and disclosure of personal information may occur for legitimate purposes. For practical purposes it is helpful to consider:

• the purpose of any planned use or disclosure of confidential healthcare information; and

• the criteria which must be satisfied to allow such use or disclosure.

In general, any use or disclosure of confidential healthcare information without consent (for example, to the appropriate authorities at State level for health monitoring) should clearly serve one of the purposes specified in international human rights law as being a legitimate limitation on the right to privacy. Such disclosures must also meet the criteria of being proportionate to the legitimate aim of the disclosure, in accordance with (domestic) law, and taking place within the highest levels of data protection and data security.

In these Standards three categories of protections, uses and disclosures are considered:

• protections, uses, and disclosures of patient information for their healthcare (Section 3.2);

• protections, uses, and disclosures of patient information for healthcare purposes not directly related to their healthcare (Section 3.3); and

• obligations and justifications for the disclosure of patient identifiable information for purposes not related to their healthcare (Section 3.4).

2. Foundations of the Standards

2.1 Ethics, law, vulnerability

There are core principles of medical confidentiality and privacy which find expression in both ethical and legal norms. These are not simply rules, but rather guides for healthcare professionals in decision-making and aids for the promotion of ethical conduct in particular situations.

The protection of privacy and confidentiality is both an ethical obligation and a legal obligation. These are two different kinds of obligations, although normally what they require will be the same in a particular situation. They are not absolute obligations and must often be considered in the light of other obligations. Healthcare professionals have an ethical obligation to be aware of the nature and extent of their legal obligations. Health professional organisations should work to ensure that such legal obligations are in keeping with the ethical obligations of their profession. While healthcare professionals have an obligation to obey the law, doing so does not guarantee that they have behaved ethically.

Ethical standards may be different from the legal standards of a particular jurisdiction. Where the ethical standards require greater protection for patient confidentiality and privacy than the legal standards, then healthcare professionals should follow their ethical obligations and work to promote the protections required by ethics. Individual responsibility remains with the healthcare professional to ensure that they have acted ethically. Healthcare professionals should be aware of the importance of international human rights law and how these legal norms embody ethical principles which are both widely shared and deeply held across the world.

The needs of vulnerable patients are greater with respect to confidentiality—there is greater risk of their confidentiality being breached than is the case for other patients. Healthcare professionals have an ethical obligation to recognise vulnerable patients and to act appropriately. Achieving the same effective level of protection for vulnerable patients as for other patients may require greater attention.

2.2 Principles

The importance of maintaining confidentiality in the practice of healthcare has been recognised continuously over the two and a half millennia since the composition of the Hippocratic Oath. Medical confidentiality has been consistently upheld as a core value of European healthcare through profound cultural, technological, political, social and economic changes. It remains a core value to this day and in modern Europe finds expression in three key principles of healthcare confidentiality.

• Individuals have a fundamental right to the privacy and confidentiality of their health information.

• Individuals have a right to control access to and disclosure of their own health information by giving, withholding or withdrawing consent.

• For any disclosure of confidential information healthcare professionals should have regard to its necessity, proportionality and attendant risks.

These principles find application in specific ways with different patient groups.

Guidance Point 1: Healthcare professionals should respect the following three key principles of healthcare confidentiality.

• Individuals have a fundamental right to the privacy and confidentiality of their health information.

• Individuals have a right to control access to and disclosure of their own health information by giving, withholding or withdrawing consent.

• For any non-consensual disclosure of confidential information healthcare professionals must have regard to its necessity, proportionality and attendant risks.

2.3 The Ethical Basis of Privacy and Confidentiality

2.3.1 Privacy and confidentiality in ethics

Privacy refers here to the general interest in control of one’s private sphere broadly conceived. The right to privacy, the right to respect for private life, is a well-established right in the European tradition. This right guarantees the protection of the person against the intervention or interference of public authorities in the private sphere and it embraces, but is not restricted to, the protection of personal information.

For doctors, the ethical requirement of confidentiality was first set out in the Hippocratic Oath which states that ‘what I may see or hear in the course of treatment I will keep to myself holding such things shameful to be spoken about’. The World Medical Association affirmed the rule of confidentiality in the Declaration of Geneva (1948) and in the International Code of Medical Ethics (1949).

2.3.2 Ethical justifications for confidentiality

As the rule of confidentiality in medical care indicates, and as is already suggested by the word ‘confidentiality’, a major source of the requirement of confidentiality is the fact that the relationship between the healthcare professional and the patient is, or should be, one of ‘fidelity’ or ‘trust’. Within the relationship between the healthcare professional and the patient, there exists a tacit understanding on the part of the patient that confidential information will not be further used or disclosed without the awareness and consent of the patient. The patient has, thus, a reasonable expectation that information shared with the healthcare professional will not be further shared with anyone else.

A different, though related, reason for not using or disclosing personal information is that the patient may not want it to be used or disclosed. Just as the patient has a right to self-determination in various other healthcare matters, it is the patient’s decision as to who should have access to personal healthcare information and how it should be used.

The confidential nature of the relationship between healthcare professional and patient and respect for the patient’s autonomy constitute prima facie reasons for protection of personal information. Taken together they strengthen the case for the non-use or non-disclosure of private information about a patient. There are also other justifications. For example, one reason for respecting confidences in healthcare is that doing so enables patients to disclose sensitive information that the healthcare professional needs to carry out treatment. Without an assurance that confidentiality will be maintained, patients might be less willing to disclose information, resulting in negative effects for their health, for public health and for healthcare practice. The patient’s right to self-determination in matters of information sharing could also be justified on other grounds. These include the view that the patient is in the best position to understand and therefore protect his or her own interests, and that there is an intrinsic value in people deciding about and taking responsibility for their own lives. In ethical theory, possible justifications can be in terms of the consequences of actions or rules, or can be in terms of duty. While their reasons differ, both of these approaches are united in their commitment to a confidentiality requirement.

2.3.3 Ethical boundaries to confidentiality

None of the ethical arguments stated above lead to the conclusion that the healthcare professional’s duty of confidentiality is absolute. The confidentiality requirement exists within a wider social context in which healthcare professionals have other duties, which may conflict with their duty of confidentiality. In particular, healthcare professionals may have other ethical duties to disclose confidential information, without consent, if serious and imminent dangers are present for third parties and where the healthcare professional judges that the disclosure of that information is likely to reduce or eliminate the danger. In assessing such risks and whether they outweigh the duty of confidentiality both the probability of the harm and its magnitude need to be considered. In situations where both the probability and seriousness of harm to a third party are high, the moral duty to disclose to prevent harm is greater.

2.4 The Legal Basis of Privacy and Confidentiality

2.4.1 Privacy and confidentiality in law

The relationship between healthcare professionals and their patients carries with it legal obligations of confidentiality as well as ethical ones. For the Member States of the European Union (EU), the disclosure and use of personal information about health are regulated by laws on privacy, confidentiality and data protection.

I International norms on privacy.

At an international level the protection of privacy, including healthcare privacy, is required by the following general instruments.

(i) Universal Declaration of Human Rights (1948).

Article 12: ‘No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks’.

(ii) International Covenant on Civil and Political Rights 1966.

This is a treaty legally binding on all European Union states. Article 17: ‘No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks’.

(iii) Universal Declaration on Bioethics and Human Rights (2005).

Article 9: ‘The privacy of the persons concerned and the confidentiality of their personal information should be respected. To the greatest extent possible, such information should not be used or disclosed for purposes other than those for which it was collected or consented to, consistent with international law, in particular international human rights law.’

II European norms on privacy and confidentiality.

Within the broader legal context, confidentiality in a professional relationship (such as healthcare professional and patient) is part of privacy, and already protected by the general right to privacy. Added protection stems from the fact that confidentiality imposes an obligation on the person who obtained information in confidence not to disclose this information.

(i) Charter of Fundamental Rights of the European Union (2000/C 364/01).

Two articles of the Charter emphasize the importance of the protection of privacy. Article 7 states: ‘Everyone has the right to respect for his or her private and family life, home and communications.’ Article 8 states: ‘1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.’

(ii) Council of Europe’s Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) (ETS no 005, 1950 as amended).

The ECHR is an international treaty which is binding on all those countries that have ratified it, which includes all EU Member States. Article 8 (1) of the Convention states ‘Everyone has the right to respect for his private and family life, his home and his correspondence’.

The case law of the European Court of Human Rights (ECtHR) makes clear that the essential object of Article 8 is to protect the individual against arbitrary interference by the public authorities. There are in addition obligations on States to take positive steps to ensure that the right is respected, not merely to avoid measures which interfere with the right. In determining whether such a positive obligation exists, the Court will consider the ‘fair balance that has to be struck between the general interest of the community and the interests of the individual’. The ECtHR has acknowledged that State Parties enjoy some discretion in restricting the guaranteed rights, but monitors the relevance and the proportionality of the reasons and the means of the interference undertaken by national authorities. It leaves the States a wide ‘margin of appreciation’ where there are diverse traditions or concepts of law in the national legal orders.

The ECtHR has held: ‘Respecting the confidentiality of health data is a vital principle in the legal systems of all the Contracting Parties to the Convention. It is crucial not only to respect the sense of privacy of a patient but also to preserve his or her confidence in the medical profession and in the health services in general. Without such protection, those in need of medical assistance may be deterred from revealing such information of a personal and intimate nature as may be necessary in order to receive appropriate treatment, and, even, from seeking such assistance, thereby endangering their own health and, in the case of transmissible diseases, that of the community’ (Z v Finland 1997; MS v Sweden, 1997).

(iii) Council of Europe ‘Convention for the Protection of Individuals with regard to automatic processing of personal data’ (No. 108) (1981).

While decisions of the ECtHR show that the ECHR does not grant an absolute right to personal data confidentiality (see below), the protection granted to confidentiality is extended in the Council of Europe ‘Convention for the Protection of Individuals with regard to automatic processing of personal data’ (No. 108). This Convention was the first international legally binding text on data confidentiality. It applies to all ‘automated personal data files and automatic processing of personal data in the public and private sectors’ (Article 3), as long as the data relates to an ‘identified or identifiable individual’ (Article 2), whatever their nationality or place of residence. According to the Explanatory Report to Convention No. 108, the notion of ‘data subject’ in this Convention ‘expresses the idea that a person has a subjective right with regard to information about himself, even where this is gathered by others’.

(iv) Council of Europe ‘Convention for the Protection of Human Rights and Dignity of the Human Being with Regard to the Application of Biology and Medicine: Convention on Human Rights and Biomedicine’ (No. 164) (1997).

The Convention on Human Rights and Biomedicine expands on many of the rights contained in the European Convention on Human Rights and elaborates how they apply in the field of medicine. Unlike the ECHR which applies to all EU Member States, the Convention on Human Rights and Biomedicine has not been signed or ratified by many States, including most of the larger States. In spite of it not applying directly to many EU States, it is nevertheless significant in that it has been drawn upon by the European Court of Human Rights in making judgments involving States who are not parties to this Convention. Article 10 of the Convention on Human Rights and Biomedicine states:

(1) Everyone has the right to respect for private life in relation to information about his or her health.

(2) Everyone is entitled to know any information collected about his or her health. However, the wishes of individuals not to be so informed shall be observed.

(3) In exceptional cases, restrictions may be placed by law on the exercise of the rights contained in paragraph 2 in the interests of the patient.

The recent ‘Additional Protocol to the Convention on Human Rights and Biomedicine, concerning Biomedical Research’ (No. 195) (2005) also emphasizes the importance of confidentiality. Article 25 (1) states that: ‘Any information of a personal nature collected during biomedical research shall be considered as confidential and treated according to the rules relating to the protection of private life.’

2.4.2 Legal boundaries to privacy and confidentiality

Whilst patient privacy and confidentiality find legal protection at the national, the European and the international level, this protection is not absolute. The right to privacy of Article 8 (1) of the ECHR is limited by Article 8 (2) which states, ‘There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others’. Therefore to be compatible with the ECHR, any interference with the right to privacy must meet certain conditions. It must be ‘in accordance with the law’, which means that any interference must have some basis in national law, and the law must be precise enough so that people can reasonably understand its requirements and consequences. It must be ‘necessary in a democratic society’, which means that the interference must also both correspond to a ‘pressing social need’ and be ‘proportionate to the legitimate aim pursued’. Such ‘legitimate aims’ are exhaustively listed in Article 8 (2).

Within the EU, Article 8 of Directive 95/46/EC ‘on the protection of individuals with regard to the processing of personal data and on the free movement of such data’ deals with the processing of special categories of data and in particular with data concerning health. Member States must prohibit the processing of those special categories of data, except in the situations (a) where the data subject has given his or her explicit consent; (b) where the processing is necessary to protect the vital interests of the data subject or of another person; and (c) where the data subject is physically or legally incapable of giving consent. Paragraphs 3 and 4 provide for other exceptions:

§3 ‘(…) where processing of the data is required for the purposes of preventative medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.’

§4 ‘Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions (…) either by national law or by decision of the supervisory authority’.

Directive 95/46/EC is thus broadly in keeping with other international and European norms in this area.

2.4.3 Country specific legislation and their commonalities

In many Member States of the EU, country specific human rights legislation incorporates the ECHR and thereby underpins all other legislation concerned with privacy. Country specific legislation giving effect to EC Directive 95/46/EC sets standards of information processing.

Within the individual Member States, laws on privacy and confidentiality are enshrined in statutes, civil and criminal codes or, in jurisdictions such as the United Kingdom, in the common law. In most Member States confidentiality and privacy are protected by statutory laws. For example, while the French Constitution does not expressly protect the right to privacy, the Constitutional Council (Conseil constitutionnel) has confirmed that privacy is a constitutional principle. Again, in Germany the Federal Constitutional Court has held that Articles 1 (1) and 2 (1) of the Basic Law grant every individual an inviolate sphere of private life. Unlike many European countries, the UK does not recognise a general criminal offence of breach of professional secrecy. In the UK, statutory duties of confidentiality are limited to special circumstances such as abortion or venereal disease.


Despite the variety of legal provisions, the overall direction across the Member States is a strong protection of confidentiality in healthcare. The following points summarise some shared European legal principles on confidentiality:

(a) there is a prima facie obligation to maintain confidentiality when information has been imparted to a professional within a confidentiality relationship;

(b) this obligation to maintain confidentiality can be discharged when the subject of the confidence affords appropriate consent to the disclosure of the information; and

(c) in providing a justification for the non-consensual disclosure of confidential information, healthcare professionals should have particular regard to issues such as:

(i) the necessity of any particular disclosure;

(ii) the proportionality of any particular disclosure;

(iii) the risks attendant upon any particular disclosure; and

(iv) the existence of identifiable risks of serious harm to identifiable third parties arising from non-disclosure.

2.5 Vulnerability

2.5.1 The nature of vulnerability

Vulnerability refers to a circumstance in which a person finds himself or herself particularly susceptible to injury or harm. All patients in healthcare are vulnerable to misuses or abuses of their private information by healthcare professionals, healthcare providers, and healthcare researchers. The circumstances of some persons (for example, children, the homeless or those with disabilities) can create particularly challenging situations for ethical and legal conduct.

The vulnerability of patients is a significant factor warranting ethical consideration, and the perspective of those who are vulnerable should be at the centre of considerations for decision-making about the protection, use or disclosure of their confidential information.

A person in a vulnerable situation may be less able to assert claims to rights that they possess. They can also have their rights violated because of a formal or informal label of ‘vulnerable’ being applied to them. It is important not to judge a person as being vulnerable in such a way that they become stigmatised or subject to greater risk of discrimination. It is not a person who is vulnerable but rather some aspect of their circumstances that makes them vulnerable: that is, at a particular time; in a particular way; and vis-à-vis a particular harm or harms.

A person can move in and out of being vulnerable, and the nature and extent of their particular vulnerability can change and can have multiple and/or varying sources. The source of the vulnerability of a person can be a result of (a) their possession of a particular characteristic (such as being ignorant of certain information, being ill or being old or young); (b) their being in a certain place or environment (such as a prison, a refugee centre, or a place where they do not speak the language); (c) occupying a certain position with respect to others (such as being a member of a minority group, or being an asylum seeker); or (d) several or all of the above.

It is important to consider the full range of potential sources of a patient’s vulnerability to ensure that both the ethical and practical issues which arise from that vulnerability are fully considered and properly addressed. It is only when the concept of vulnerability is used of someone in a specific manner that its true significance for the privacy and confidentiality of that particular person can be determined. For example, adolescents may be vulnerable because of assumptions made simply on the grounds of chronological age about their ability to make competent decisions. In many prison situations, the right of a prisoner to privacy, including the right to privacy of health information, is compromised. A refugee may be faced with disclosure requirements as part of a pre-departure health assessment. Someone with impaired capacity, for example a person with an intellectual disability or dementia, may be unable to make decisions about the use or disclosure of their health information. A person with severe and enduring mental illness may face expectations to disclose personal information with regard to risk management. Some people may have multiple sources of vulnerability (for example a migrant child with an intellectual disability within the criminal justice system) and such a person’s vulnerability must be understood in its complexity, especially where one vulnerability can obscure the existence of others.

Explicit attention to the vulnerability of a person encourages better practical and ethical engagement with them, regardless of the ethical views or values of the healthcare professional or of the patient. Awareness of vulnerability avoids unwarranted assumptions being made about the status of decision-making processes where there are significant power differentials. Such awareness helps to ensure that discussions about information use or disclosure between healthcare professionals and a patient (or their legal representative*, such as a parent or guardian) can take place on fair terms.

(* Throughout these Standards, ‘legal representative’ refers to a person provided for by law to represent the interests of, and/or take decisions on behalf of, a person who does not have the capacity to consent.)


2.5.2 The impact of vulnerability on the protection, use and disclosure of patient information

Article 8 of the Universal Declaration on Bioethics and Human Rights (2005) states: ‘In applying and advancing scientific knowledge, medical practice and associated technologies, human vulnerability should be taken into account. Individuals and groups of special vulnerability should be protected and the personal integrity of such individuals respected.’ While the provisions necessary for good practice in information sharing are fairly straightforward in many clinical situations, the presence of specific vulnerabilities, either because of the patient’s condition or their situation, poses significant challenges for healthcare providers and healthcare professionals.

There are many overlapping sources of vulnerability, but a key one in information sharing is patient vulnerability because of a lack of decision-making capacity. (See 3.1.1 and 3.1.2.) The consequences of this vulnerability for the effective protection of patient rights are not adequately addressed through the protections of the ECHR.

Patients who lack capacity can also be harmed in their basic rights through a failure to identify such patients correctly. Effective measures must be in place at all levels of an institution to ensure that patients lacking decision-making capacity are correctly identified and that they receive the added protection and empowerment they need.

While a legal determination of a lack of decision-making capacity with respect to the use and disclosure of their information is a valid reason for added protection, not all vulnerable patients lack that capacity. Although legally competent to make decisions, many patients remain vulnerable to undue influence and/or exploitation through an inability to assert their own interests and rights.

All patients, including the vulnerable, must be treated with respect. In particular, their exercise of their right to decide about the use and disclosure of their confidential information should be facilitated.

Views of a patient’s ‘vulnerability’ may contain judgements by the healthcare professional about values which may not be shared by the patient, and due care must be taken that ‘vulnerability’ is not being used in a vague and potentially discriminatory manner, but in a precise and useful way. Any decision about the use or disclosure of confidential information based partly or wholly on a patient’s vulnerability and the possible harms to which it exposes them should, with their consent or that of their legal representative, be recorded in their case notes with the reasons for the decision.

Recommendation 1
A clear institutional framework to protect the full range of rights and interests of all those who lack decision-making capacity should be developed as the context for all decisions about the protection, use and disclosure of their confidential patient information. Such a framework should include provision for the independent review of such decisions and be in accordance with the relevant laws of the jurisdiction.

Recommendation 2
Policies and procedures should be in place within healthcare institutions to ensure that patients who may lack the capacity to decide about the protection, use and disclosure of their confidential healthcare information are correctly identified.

Recommendation 3
A patient who has the capacity to decide about the protection, use and disclosure of their healthcare information may nevertheless be vulnerable to undue influence. Patients should have access to independent confidential support to make such decisions.

Guidance Point 2
Healthcare professionals should ensure that vulnerable people are given all necessary support to enable them to understand the complexities of confidentiality issues and to help them to express their wishes.

Recommendation 4
Patients should be involved to the greatest extent possible in decisions about the protection, use and disclosure of their confidential information. All reasonable measures should be taken to ensure maximum participation in spite of any vulnerability.


2.6 Balanced Decision-making

Within the framework of fundamental rights of the patient, there is a need for balanced ethical decision-making about the protection, use and disclosure of confidential information. In healthcare decision-making, privacy and confidentiality, although important values in their own right, often have to be balanced against other values. The value placed on privacy and confidentiality can vary between patients and for the same patient in different contexts. Good decision-making will take full account of the values and fundamental beliefs of the patient concerned.

Balanced decision-making about the use and disclosure of confidential patient information in day-to-day practice may require difficult judgements, and these judgements need to be supported by a clear framework of ethical and legal obligations. However, there are limits to the extent to which regulations alone can provide for balanced decision-making. Balanced decisions, and the judgements on which these are based, also depend on good process in applying the general guidance defined by ethical and legal regulation in individual cases.

The following are the most important aspects of the process for balanced decision-making about uses and disclosures of confidential information:

(a) Good decision-making about the use and disclosure of confidential patient information needs an appropriate model of service delivery, specifically one that is both user-centred and multidisciplinary/inter-agency. Many vulnerable people feel that professionals and policymakers consistently misjudge their real needs and interests, making it difficult for healthcare professionals to make ethically sound decisions about disclosure. Only when the vulnerable are empowered are their perspectives on what is most valuable in their lives given proper weight in making difficult balancing decisions about their confidential information. The relative lack of decision-making capacity of some vulnerable people makes it essential that various perspectives on what is valuable are brought to play in coming to balanced decisions in particular situations. This balance of perspectives is provided in the case of clinical decision-making in part by a well-functioning multidisciplinary team. However, the healthcare team does not necessarily contain the value perspective of the patient, which underlines the importance of keeping patients (and where appropriate, their legal representative) informed about the possible uses and disclosures of their information and of their choices in this regard.

(b) Decision-making about information protection, use or disclosure with people from vulnerable groups should be closely focused on the particular and often diverse needs and values of the individuals concerned. This requires four key areas of professional skill: (i) awareness of values and of the diversity of values; (ii) knowledge of values and of the diversity of values; (iii) reasoning skills for exploring differences of values; and (iv) communication skills in exploring values and in resolving differences of values.

(c) Partnership between stakeholders with different value perspectives is important. The guiding principle of partnership between those most directly involved in a given situation is essential if their needs and interests are to be properly served; this may be difficult to realise with vulnerable groups.

Guidance Point 3
Whenever a patient is identified as vulnerable by a healthcare professional, that identification, its specific nature and the justification for it, should, with the consent of the patient or their legal representative, be recorded in their case notes.


3. Standards

3.1 Protection, Use and Disclosure of Patient Information—General Considerations

In principle, patient information is confidential and should not be disclosed without adequate justification. In many instances, however, the disclosure of confidential information, or its use, is desirable or necessary. First, patient information might need to be shared with members of the multidisciplinary healthcare team for that patient’s healthcare needs, or it might be needed for auditing purposes, in order to improve the patient’s care. Second, in some situations, the disclosure or use of confidential patient information might be important for purposes that are related to healthcare, but not to the care of the particular patient, for example where patient information is used for healthcare research. Third, it is possible that confidential patient information held by a healthcare professional may have important uses outside the healthcare context, for example where a healthcare professional has information about the dangerousness of the patient to the public. These three kinds of situations to some extent require different considerations when deciding according to what criteria disclosure can be justified, and are dealt with separately under Sections 3.2, 3.3 and 3.4 below. Some considerations, however, are common to all situations and these are outlined below.

3.1.1 Patient consent

The justification for disclosure should normally be consent. Where the patient is competent, only the patient can give consent to disclosure.

Consent is a means by which the competent patient can exercise control over the dissemination of confidential patient information. Valid consent requires that the patient has been informed as to what information it is intended to disclose, and for which purposes disclosure is proposed. Consent also presupposes choice, which means that the patient who is asked to consent must have the possibility to refuse or withdraw such consent. (See 3.2.2.)

If the competent patient refuses to consent to disclosure, the information cannot be disclosed unless, exceptionally, a justification other than consent exists (see 3.4). The healthcare professional should discuss with the patient why he/she thinks that disclosure is in the patient’s best interests. However, it can never be justified to disclose information in the best interests of the competent patient who refuses to consent to disclosure, as it is the competent patient, not the healthcare professional, who decides what the competent patient’s best interests are.

3.1.2 Circumstances where a patient is unable to consent

There are circumstances where a patient is unable to consent to the use or disclosure of their confidential information, and in such circumstances special considerations apply.

Incapacity. The precise definition of incapacity, how it is to be determined, and the status of any legal representative who would have the right to give proxy consent to uses and disclosures on behalf of an incompetent patient, depend on country-specific law. The control a legal representative exercises over the patient’s information is usually more limited than that exercised by the patient him/herself while competent, as legal representatives have to act in the patient’s best interests. Where a healthcare professional thinks that disclosure would be in the best interests of a patient unable to consent, he/she should raise this with the patient’s legal representative. If the consent of the legal representative is withheld, the healthcare professional might involve the court to settle the dispute.

Emergency Situations. In emergency situations it may be impossible to keep a patient and/or their legal representative properly informed and to gain their consent. In such situations, uses or disclosures may be made, but only the minimum necessary information should be used or disclosed to deal with the emergency situation.

Guidance Point 4
Where a healthcare professional thinks that disclosure would be in the best interests of a patient unable to consent, he/she should raise this with the patient’s legal representative (including the parent/guardian of a minor). If the consent of the legal representative is withheld, the healthcare professional should follow the current best practice of their country in resolving the dispute.

Guidance Point 5
In emergency situations, uses or disclosures of confidential patient information may be made, but only the minimum necessary information should be used or disclosed to deal with the emergency situation.


3.1.3 Disclosure to protect interests that override the patient’s right to confidentiality

Exceptionally, it might be justified to disclose confidential patient information where disclosure is necessary to protect interests that override the patient’s right to confidentiality. This is dealt with in more specific terms in 3.4.2, but as a general principle it is important to remember that the interests of the competent patient cannot justify disclosure against the patient’s wishes. Thus, where the patient is competent, disclosure without consent can only be justified if it is exceptionally necessary to protect the overriding rights of others, or there are overriding legally protected public interests. With regard to the incompetent patient, disclosure might also be justified to protect overriding interests of the incompetent patient, for example where disclosure is necessary to protect the incompetent patient from sexual abuse.

3.1.4 Disclosure after a patient’s death

The confidential nature of a patient’s healthcare information and the healthcare professional’s obligation to respect that confidentiality are not changed by the death of that patient. However, just as in life, the right to privacy and the duty to maintain patient confidentiality after their death are not absolute, but are subject to ethical and legal limitations.

The death of a patient never in itself permits disclosure, but it does represent a changed situation for balanced decision-making. After the death of a patient it will be more common that the balanced ethical decision will favour disclosure, as the possible harm to which the dead patient is subject is considerably reduced. The death of the patient does not automatically favour disclosure, and an ethical balance must still be struck by the healthcare professional. Disclosures after death remain subject to the ethical considerations governing any disclosure, such as whether disclosure serves a legally protected public interest and that any disclosure should be as minimal as possible.

A competent patient can give or withhold consent to disclosure before their death, and such wishes should be respected as they would be in other circumstances. In particular, where a competent patient has made an explicit request before his or her death that their confidence be maintained following requests from family members or carers for disclosure, then that request should normally be respected.

3.1.5 Patient access to their healthcare records

Patients have a right, both ethical and legal (EC Directive 95/46/EC on data protection), to know what information a healthcare professional holds in relation to them, and disclosure of their healthcare records to the patient is thus always justified.

Guidance Point 6
The confidentiality of patient information must be maintained after the death of the patient.

Guidance Point 7
Where a competent patient has made an explicit request before his or her death that their confidence be maintained, then that request should be respected.

Guidance Point 8
Where a healthcare professional considers that disclosure after the death of a patient may be necessary or desirable, or receives a request for disclosure, and has no specific instructions from that patient, the professional should consider this as a situation of possible disclosure to third parties or disclosure for a legally protected public interest. (See Guidance Points 19-23.)

Guidance Point 9
Healthcare professionals must respect patients’ requests for access to their healthcare information and comply with their legal obligations under Data Protection laws.


3.2 Protection, Use and Disclosure of Patient Information for Their Healthcare

3.2.1 Keeping patients informed

That patients must be kept informed about the possible uses and disclosures of their information is a binding legal obligation across the EU. Keeping patients fully informed is also essential for maintaining the relationship of confidentiality. Better communication with patients (and/or their legal representative) will also improve the partnership between patients and professionals, enhancing the quality and experience of their care.

Modern health services often involve sharing information between healthcare professionals to provide optimal care and treatment. Patients may be unaware of what information is held about them, the purposes for which the information is used or the people with whom such information may need to be shared to provide their care. Patients and/or their legal representative must be made aware that information given may be recorded and shared to provide the patient with care. It may also be used to support clinical audits and other work to monitor the quality of care provided. Patients and/or their legal representative also need to be aware of the choices they have for the use and disclosure of the information shared in confidence with a healthcare professional.

It is an ethical and legal requirement that patients are both kept informed of all circumstances in which they can give or withhold consent to the use of their information and given the information necessary for that consent.

3.2.2 Consent to the use and disclosure of patient information

As with any other intervention in healthcare, patient consent occupies a pivotal role in legitimising the uses and disclosures of patient information. Patients and/or their legal representative must be informed of what information sharing is necessary for their healthcare. Provided they are informed in this way, explicit consent is not necessary; implied consent is sufficient for the ethical sharing of patient information for their healthcare.

Recommendation 5
Healthcare service providers must ensure there is an active, effective and appropriate policy about informing patients and/or their legal representative in each setting about the protections, uses and disclosures of their information.

Guidance Point 10
Healthcare professionals must ensure that patients and/or their legal representative are informed in a manner appropriate for the patient’s communication needs:

• of what kinds of information are being recorded and retained;

• of the purposes for which the information is being recorded and retained;

• of what protections are in place to ensure non-disclosure of their information;

• of what kinds of information sharing will usually occur;

• of the choices available to them about how their information may be used and disclosed;

• about their rights to access and where necessary to correct the information held about them within healthcare records;

• the information required to be provided to them by national law implementing Directive 95/46/EC; and

• country specific legal provisions or principles governing disclosure.

Guidance Point 11
Patients, or where appropriate their legal representative, must be informed of what information sharing is necessary for the patient’s individual healthcare. Provided they are informed in this way, explicit consent is not necessary; implied consent is sufficient for the ethical sharing of patient information for their healthcare.

3.2.3 Clinical audit

Patient identifiable information will often be required for purposes which aim to support or assure the quality of patient care, for example clinical audit. Processes of clinical audit are an essential part of healthcare provision for which personal health information may need to be used. Patients in general (and the wider public) have a clear interest in the health services being subject to effective audit. Audits are part of the primary uses of patient information. Patients and/or their legal representative must be aware of such uses.

From an ethical perspective, a wide range of activities by health service staff providing that care or treatment may be covered under the heading of audit. Clinical audit which makes use of confidential patient information is usually carried out within the health service by staff directly involved in that patient’s care. Implied consent is sufficient.

Provider institutions must ensure that patient express consent (or that of their legal representative) is obtained for processes of clinical audit by staff not involved in the care of that patient. Where it is proposed to make information available outside the health provider institution, the audit process should also be subject to ethical review.

3.2.4 Disclosure to a patient’s carers

All people employed by or working in organisations providing healthcare should be under an obligation of confidentiality.

Families and other persons who are caring for a patient have an understandable desire or need for information about a patient’s healthcare problems and management. Such knowledge may benefit both the patient and the carer by, for example, creating a better understanding of the patient’s illness, or by promoting more appropriate responses to the patient and their needs. However, the fact that such information sharing may be beneficial does not diminish the duty of confidentiality owed to the patient by the healthcare professional. In situations of ongoing need for care and support, the potential benefits of information sharing with their informal carers should be discussed with the patient and/or their legal representative.

3.2.5 Multidisciplinary and Inter-agency working

It is good practice that when a healthcare professional legitimately discloses information in a multidisciplinary team or in inter-agency working, such disclosure takes place on a clear basis of agreed protocols for information sharing.

Multidisciplinary work. Healthcare professionals as part of their work will have contact with other professionals and other agencies delivering aspects of care. Healthcare professionals may have different criteria and thresholds for the disclosure of confidential information, for example in relation to public safety. It is essential that each healthcare professional familiarise him or herself with such differences and moderate disclosures accordingly.

Recommendation 6
Provider institutions must ensure that the express consent of the patient (or of their legal representative) is obtained for processes of clinical audit by staff not involved in the care of that patient. Where it is proposed to make information available outside the health provider institution, the audit process should also be subject to ethical review.

Guidance Point 12
Healthcare professionals should strive to ensure that institutional policies for clinical audit are compatible with the ethical requirement for confidentiality.

Recommendation 7
All organisations providing healthcare should ensure that all people employed by or working in the organisation are under a legal obligation to protect patient confidentiality.

Guidance Point 13
The potential benefits of information sharing with their informal carer should be discussed with the patient and/or their legal representative. However, the fact that such information sharing may be beneficial does not diminish the duty of confidentiality owed to the patient by the healthcare professional.

Recommendation 8
Service providers must establish and ensure the adoption of clear, publicly accessible protocols for information sharing within teams, beyond teams and with outside organisations.


Inter-agency work. It is common practice in many areasof healthcare provision to involve outside agencies inproviding services for patients. This inevitably involvesdiscussions about patients at various points in theirtreatment. Issues about sharing information may arise inthe context of verbal or written reports, or attendance atcase conferences.

3.2.6 Dual roles and obligations

Healthcare professionals may work in situations where they may have dual roles with dual and conflicting responsibilities and obligations. This includes work in prisons and for court liaison schemes where there are duties to both the patient in their care and to the authority. Such dual roles and obligations may cause conflict about the confidentiality of patient information.

For example, a prisoner or defendant may have consulted the healthcare professional and divulged information that they do not wish an outside agency to know, while in their current role the healthcare professional may be obligated to disclose that information.

Guidance Point 14
The healthcare team may include temporary members for particular functions and the healthcare professionals must not disclose information to temporary members unless they are under a sufficient obligation of confidentiality for that level of disclosure.

Multidisciplinary teams should agree strategies for any disclosure of confidential information beyond the team.

Healthcare professionals may have different criteria and thresholds for the disclosure of confidential information, for example in relation to public safety. It is essential that each healthcare professional familiarise him or herself with such differences and moderate disclosures accordingly.

Guidance Point 15
Where it is planned to involve staff from other agencies this should first be discussed with the patient and/or their legal representative. The purpose of involving the other agency should be clarified along with the purpose of the contemplated information sharing.

Where a patient or their legal representative refuses to consent to the involvement of other agencies their refusal should be respected unless there are overriding interests. (See Guidance Points 19-23.)

Where other agencies request information about patients, healthcare professionals should first seek the consent of the patient or their legal representative about such sharing, including the content of information to be disclosed.

Recommendation 9
The importance of avoiding placing healthcare professionals in situations where they have dual and conflicting responsibilities and obligations with respect to the same patient should be given full weight in decisions about institutional structure and staffing.

Guidance Point 16
Healthcare professionals should avoid situations with dual responsibilities and obligations to the same patient wherever possible.

Where a healthcare professional has dual responsibilities it is important that they explain at the start of any consultation or assessment to the patient and/or their legal representative on whose behalf they are seeing the patient and the purpose of the consultation or assessment. It should also be made clear to the patient and/or their legal representative that the information given will not be treated as confidential.

3.3 Protection, Use and Disclosure of Patient Information for Healthcare Purposes not Directly Related to their Healthcare

Many uses of confidential healthcare information not directly related to the healthcare of the patient are legitimate for limited and specified healthcare purposes provided certain criteria are met. In particular, patients and/or their legal representatives must be kept informed of all such anticipated uses, their express consent gained for such uses, and all such uses kept to the minimum necessary. A possible exception to the requirement of gaining consent for a particular secondary use would be where a legal obligation to disclose for that purpose exists (see 3.4.1).

Secondary uses of confidential patient information are uses in healthcare which do not contribute directly to or support the healthcare that a patient receives. Such uses are increasingly required for evidence based practice and a rational approach to service planning, management and commissioning. The following are some examples of secondary uses:

• planning of services;

• payment for services;

• management of services;

• contracting of services;

• risk management;

• patient safety;

• investigating complaints;

• auditing accounts and performance;

• local and national inquiries;

• teaching;

• research.

Many administrative and management uses of confidential patient information are essential to the provision of healthcare in modern societies. However, research to develop healthcare is not itself healthcare and the two situations must be treated differently when considerations of privacy and confidentiality arise.

The development and increased use of Information and Communication Technology (ICT) have increased the opportunities for secondary uses of patient information. The establishment of large medical databases extracted and aggregated from individual clinical data can be used to enhance healthcare evaluation and public health surveillance. They can be used for example to trace long-term effects of medication, courses of particular diseases and outcomes of specific medical interventions. The protection of confidentiality and respect for privacy rights contribute to the development of such databases by helping to ensure that patients or their legal representatives are willing to provide the information in the first place.

Secondary uses of patient information raise concerns about confidentiality. Practice varies as to how patient information is used, what procedures are followed to ensure confidentiality and where responsibilities lie. The introduction of ICT to assist administrative and wider secondary uses raises additional concerns. Paper based medical records typically do not move much beyond the primary location where patient care is delivered and they are maintained locally. However, extracting patient information from such records on to other systems, particularly electronic, can lead to widespread dispersal of patient identifiable information. While the use of electronic media raises particular concerns (such as large centrally held databases), the same technology also offers solutions to such problems.

One cannot assume that patients seeking healthcare, or their legal representative, are aware of or content for patient information to be used in these ways. Under the Data Protection Directive patients must be informed about such secondary uses and their purposes, and have a right to object to the use or sharing of confidential information that identifies them.

3.3.1 Keeping patients informed about secondary uses

All health service organisations must have policies for informing patients and/or their legal representative of the protections, uses and disclosures of their information for secondary purposes. Patients and/or their legal representative must also be informed of the categories of people and organisations to which information may need to be passed for health services to function. Patients and/or their legal representative should be told how information will be used before they are asked to provide it and should be given an opportunity to discuss any aspects. It should be made clear to patients and/or their legal representative that they may object to specific secondary healthcare uses of identifiable patient information and that their objection will be respected.

3.3.2 Consent for secondary use or disclosure of confidential patient information

Express consent from the patient or their legal representative should wherever possible be obtained before any proposed secondary uses of patient personal information. Where there is agreement to disclosure, only the minimum necessary patient identifiable information should be used for each legitimate healthcare purpose.

Recommendation 10
Health providers must ensure that patients and/or their legal representative are informed of all proposed secondary uses of their information and that they are aware of their choice on such issues.

Guidance Point 17
Express consent from the patient or their legal representative should where possible be obtained before any proposed secondary uses of their personal information. Where there is agreement to disclosure, only the minimum necessary patient identifiable information should be used for each legitimate healthcare purpose.


Possible justifications for not seeking consent for a secondary use of patient information are that it is impracticable or impossible because of particular circumstances. These grounds for not seeking consent for a secondary use of patient information can be considered as follows:

(a) It might be impracticable to obtain consent for the use of patient information for a secondary use (for example a public health study) where the patient information had been obtained some time previously. A possible ground for justifying not obtaining consent would be disproportionate effort (for example obtaining consent for a large sample of patients on whom the information had been obtained many years earlier).

(b) It might be impossible where the confidential information was obtained with consent for a particular secondary use, and the potential for use for another purpose is now being considered. If the data has subsequently been irretrievably unlinked from those who initially gave consent, then although they have a moral interest in its further use, gaining their consent to the second use is impossible. Likewise, previously gathered information may have a value beyond the death of the individual. It is sometimes impossible to gain consent for the secondary use of information from a patient who lacks decision-making capacity but in such circumstances there are additional protections which must be observed. (See section 3.1.2)

Independent data protection officers or Ethics Committees should be involved whenever judgments of impracticability or impossibility are given as grounds for secondary uses of confidential information without receiving consent. It is also appropriate for such prior independent checking to occur whenever there is any claim of exemption from the duty to provide information to patients and/or their legal representative about uses or disclosures.

3.3.3 Maintaining information in a form which protects the identity of the patient

Personal information should wherever possible be maintained in a form that protects the identity of the patient from disclosure to unauthorised persons.

3.3.4 Use of information for teaching purposes

Not only healthcare professionals, but also students in healthcare training have obligations of confidentiality. In addition to meeting the general requirements for secondary uses of patient information, training providers must ensure that students are aware of their obligations of confidentiality and the consequences of any breaches.

Recommendation 11
Independent data protection officers or Ethics Committees should be involved whenever judgments of impracticability or impossibility are given as grounds for secondary uses of confidential information without receiving consent. It is also appropriate for such prior independent checking to occur whenever there is any claim of exemption from the duty to provide information to patients and/or their legal representative about uses or disclosures.

Recommendation 12
Personal information should wherever possible be maintained in a form that protects the identity of the patient from disclosure to unauthorised persons.

Recommendation 13
Organisations providing healthcare must have formal information protection agreements with any other organisation with whom it is proposed that information be shared. There should be clear institutional policies on protecting confidential information in a situation where no such agreement exists.

Guidance Point 18
Healthcare professionals should strive to ensure that appropriate policies and protocols to protect the identity of the patient are in place and operational in their hospitals and units and among commissioners of services for secondary healthcare uses of patient identifiable information.

Recommendation 14
In addition to meeting the general requirements for secondary uses of patient information, training providers must ensure that students are aware of their obligations of confidentiality and the consequences of any breaches.

3.3.5 Anonymisation for research uses

Anonymisation does not provide an alternative to the gaining of express consent, but rather an additional protection for what remains confidential information which is only legitimately used or disclosed with consent. Anonymisation, as understood by the Data Protection Directive, places data outside the reach of the data protection principles of the Directive. As such, administrators and researchers have a special interest in being able to claim the data they are processing has been rendered anonymous in the terms of Recital 26 of the Data Protection Directive. However, in these terms, personal data is only rendered anonymous if it is no longer possible for anyone (the data controller or anyone else) to identify the data subject from the data itself or from this in combination with any other means that offer a reasonable likelihood of being able to reveal the identity of the data subject. Thus, for example, where a researcher holds data in a form that does not enable the researcher to identify the data subject, but someone else holds a code that enables that person to do so, the processing done by the researcher is not processing of data rendered anonymous. However, it is not unknown for researchers to claim that they are processing anonymised data when others, or even they themselves, can identify the data subject by various straightforward means. For example, researchers usually describe any data that does not have the subject’s name attached as anonymous. In practice, designating data as ‘anonymous’ is a value judgment, and researchers should not use the term at all, but simply describe the form in which the data will be kept and processed, leaving it to the Ethics Committees and data subjects to decide what significance that has.

Where someone intends to render information genuinely anonymous, they can best ensure that they act legally and ethically by informing patients and/or their legal representative of their intention to do so and the effect that this will have, specifically on the ability of patients to access their data and to know what it is being used for (and hence to object to such uses). This is because the Data Protection Directive requires data subjects to be informed of the purposes of all processing of personal data and rendering data anonymous is itself a process performed on personal data. Furthermore, such prior informing should not be used as an excuse not to inform data subjects of the purposes of intended processing of data after rendering it anonymous. Anonymisation should be used in situations where that data does not need to be kept in personal form and it is not known for what purposes it might be used.

Information should only be kept in forms that enable the patient to be identified if this is necessary for the purposes for which it is being kept. Data which has been rendered anonymous means that the patient can no longer be identified directly or indirectly by anyone from that data. Whenever it is intended to render data anonymous, patients and/or their legal representative must be informed by the healthcare professional of this intention and the precise effect that this will have, specifically the ability of patients to access their data and to know what it is being used for and hence to object to such uses. Patients and/or their legal representative should be informed of the purposes of the intended processing of data after it has been rendered anonymous.
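The following worked example is added here as an editorial illustration of the Recital 26 test set out in this section and in the glossary entry on anonymisation; it is not part of the Standards. The patient records, the external listing, the key and the HMAC-based coding scheme are all constructed assumptions. It shows that a coded extract remains identifiable by whoever holds the linkage table (direct identification), that date of birth and postcode can identify a patient when combined with other data (indirect identification), and that the researcher can describe the form in which the data is held without labelling it "anonymous".

```python
"""Constructed illustration of the Recital 26 test: coded data is not anonymous.

Every record, key and 'external' dataset below is made up for this example.
"""
import hashlib
import hmac

# Constructed clinical extract (not real patients).
CLINICAL_RECORDS = [
    {"name": "Alice Example", "dob": "1961-04-02", "postcode": "AB12 3CD", "diagnosis": "asthma"},
    {"name": "Bob Example",   "dob": "1975-11-30", "postcode": "AB12 3CD", "diagnosis": "diabetes"},
    {"name": "Carol Example", "dob": "1988-07-15", "postcode": "ZZ99 9ZZ", "diagnosis": "hypertension"},
]

# Constructed listing that 'someone else' might hold (electoral-roll style).
EXTERNAL_DATASET = [
    {"name": "Alice Example", "dob": "1961-04-02", "postcode": "AB12 3CD"},
    {"name": "Carol Example", "dob": "1988-07-15", "postcode": "ZZ99 9ZZ"},
    {"name": "Dan Example",   "dob": "1990-01-01", "postcode": "AB12 3CD"},
]

DIRECT_IDENTIFIERS = ("name",)           # identify the patient on their own
QUASI_IDENTIFIERS = ("dob", "postcode")  # identify only in combination with other data


def pseudonymise(records, key):
    """Replace the direct identifier with a keyed code (HMAC-SHA256, truncated).

    Returns the coded records and the linkage table. The linkage table (or the
    key, from which the same codes can be re-derived) is the 'code held by
    someone else' described in section 3.3.5: while either exists, the data is
    coded, not anonymous.
    """
    coded, linkage = [], {}
    for rec in records:
        code = hmac.new(key, rec["name"].encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        linkage[code] = rec["name"]
        coded.append({"code": code, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return coded, linkage


def reidentify_with_linkage(coded, linkage):
    """Direct re-identification by whoever holds the linkage table."""
    return {rec["code"]: linkage[rec["code"]] for rec in coded}


def reidentify_by_quasi_identifiers(coded, external):
    """Indirect re-identification: join on quasi-identifiers with other data.

    Only combinations that are unique in the external dataset are returned,
    since an ambiguous match does not single out one person.
    """
    index = {}
    for ext in external:
        index.setdefault((ext["dob"], ext["postcode"]), []).append(ext["name"])
    hits = {}
    for rec in coded:
        names = index.get((rec["dob"], rec["postcode"]), [])
        if len(names) == 1:
            hits[rec["code"]] = names[0]
    return hits


def describe_release_form(coded):
    """Drop the code and generalise the quasi-identifiers (year of birth, postcode area).

    Whether this form counts as anonymous is, as the text says, a judgement
    for the Ethics Committee and the data subjects; this function only
    produces the form of the data, which is what the researcher should describe.
    """
    return [
        {"year_of_birth": rec["dob"][:4],
         "postcode_area": rec["postcode"].split()[0],
         "diagnosis": rec["diagnosis"]}
        for rec in coded
    ]


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumed: a secret held away from the researcher
    coded, linkage = pseudonymise(CLINICAL_RECORDS, key)
    print("coded extract:", coded)
    print("linkage holder re-identifies:", reidentify_with_linkage(coded, linkage))
    print("external join re-identifies:", reidentify_by_quasi_identifiers(coded, EXTERNAL_DATASET))
    print("release form:", describe_release_form(coded))
```

Run as a script, the output shows that removing the name alone changes nothing about identifiability: the linkage holder recovers every name, and two of the three coded records are singled out by date of birth and postcode alone. The deterministic code is a design choice that lets the same patient be recognised across extracts, which is precisely why the key must be held and governed separately from the research copy.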

Guidance Point 19
Information should only be kept in forms that enable the patient to be identified if this is necessary for the purposes for which it is being kept. Data which has been rendered anonymous means that the patient can no longer be identified directly or indirectly by anyone from that data. Whenever it is intended to render data anonymous, patients and/or their legal representative must be informed by the healthcare professional of this intention and the precise effect that this will have, specifically the ability of patients to access their data and to know what it is being used for and hence to object to such uses. Patients and/or their legal representative should be informed of the purposes of the intended processing of data after it has been rendered anonymous.

3.3.6 Research databases containing personal identifiable information

Specific considerations apply where identifiable patient information is to be stored in databases as a resource for research and where such information is to be used as research data by researchers other than those involved in the patient’s care. Information can be stored in databases in several forms, including hardcopy, digital records and biological samples. Patients’ privacy rights and confidentiality must be respected regardless of the form in which the information is held.

Traditional informed consent, where participants are informed about particular research projects, is only suitable for databases with clearly defined and restricted research uses that can be described prior to collecting information. A form of communal consent is a valid way of ensuring that the creation of all databases occurs in a democratically legitimating manner. No new database should be established without preceding extensive public dialogue and consultation aiming to explain and assess its uses, purpose and public benefits. A database should not be established if there is a general dissent in the population to its creation. However, a general consent in the population to the creation of a database cannot replace the need for individual consent to be obtained from individuals for the inclusion of their confidential information in that database. The population can withhold democratic consent communally, but consent for the inclusion of information can only be given individually.

In those situations where it is impossible to foresee a potential research use of confidential information at the time of collection, it is difficult to meet the requirements for informed consent without re-contacting participants. This can be both a nuisance for participants and a serious hindrance to database research. A general consent may permit research use of the personal information, where potential participants are initially properly informed about general details of the database including the following:

• what data will be placed into the database;

• how research on the data will be regulated;

• how privacy will be secured (non-technical);

• to what other data this data will be connected;

• who will have access to their information;

• that their data will only be used for specified healthcare purposes;

• the data will be used for the research of named diseases;

• who will be likely to benefit from the research;

• who will profit financially from the research;

• that participants will be regularly informed if they wish about the research; and

• that they can opt out of the research at any time if they choose.

All database research should be ethically reviewed. The Research Ethics Committee should judge what research is sufficiently important, as well as what precautions are necessary to protect the information of participants, within the limits of national and international legal regulations. Research Ethics Committees should also decide when participants need to be contacted again (for example, when proposed research differs from the initial conditions for use).

Recommendation 15
For those situations where it is impossible to foresee a potential research use of personal identifiable information as part of a database at the time of collection, it is essential that the initial consent to including participants’ data include consent to limited conditions for use of the database, specifically healthcare purposes and named diseases.

Recommendation 16
All research using databases of personal identifiable information should be independently ethically reviewed. In particular, the independent ethical reviewers should decide on the permissibility of new research uses and the necessity for recontacting research subjects.

3.4 Obligations and Justifications for the Disclosure of Patient Identifiable Information for Purposes not Related to their Healthcare

In some situations, healthcare professionals might be under a legal obligation to disclose information, or disclosure might be legally justified. Where a legal obligation to disclose exists, non-disclosure might have legal consequences. A legal justification of disclosure, on the other hand, means that while the healthcare professional does not have to disclose confidential information, disclosure might under certain circumstances be regarded as legally acceptable. Every disclosure must also be ethically acceptable.

3.4.1 Legal obligations to disclose

In a number of European countries there are legal regulations governing the disclosure of confidential information that require the duty of confidentiality to be overridden, for example notification requirements with regard to certain communicable diseases. Where there is a legal obligation a healthcare professional is required to disclose the relevant information to the appropriate authorities. The healthcare professional must bear in mind that failure to do so may lead to legal sanctions. However, given that every disclosure is an interference with the patient’s right to privacy, disclosure should not be made uncritically and should be kept to the absolute minimum.

In some European countries courts and other authorities that have a legal right of access to certain confidential information have powers to order the disclosure of documents before and during proceedings. They can also order the production of that material to an applicant and to their legal and professional advisers. Also during court proceedings a judge may order that medical records be disclosed. A healthcare professional of a defendant can also be compelled to answer questions about what the defendant has said to them, as well as providing details of the patient’s medical history and condition. The healthcare professional must do his or her best to ensure that every argument that can properly be put against disclosure is put before the court. Any disclosure must be limited to what is strictly relevant to the court proceedings.

3.4.2 Justifications to disclose

Disclosure of confidential information to third parties outside the health services may be justifiable in order to protect overriding interests of third parties or a legally protected public interest. However, every decision to disclose confidential patient information outside the healthcare services violates the patient’s right to privacy, and is in breach of the healthcare professional’s obligation of confidentiality. The disclosure will only be justified in exceptional circumstances, that is, if the disclosure serves an interest that in the particular circumstances outweighs the patient’s right to privacy. Potential outweighing interests could be the protection of the rights and freedoms of others, national security, public safety, the economic well-being of the country, the prevention of disorder or crime, or the protection of health or morals (as suggested by Article 8 (2) of the ECHR).

In all of these cases, there is no obligation to disclose, but whether or not disclosure can be justified rather depends on balancing the interests that are in conflict in each case. It needs to be borne in mind that every instance of disclosure leads to a certain violation of the patient’s right to privacy, while the benefits of disclosure will often be less certain. While a balancing of the patient’s right to privacy against other rights and interests is always difficult, it is usually more easily performed where the conflict is with rights of identifiable third parties, than where there is a conflict with a more diffuse public interest such as national security or public health. It is not sufficient that it might be more convenient for the protection of such interests that information is disclosed, but the test is instead one of strict necessity in the specific circumstances of each case.

Disclosure to protect the best interests of the patient. Disclosure to protect the interests of the competent patient against his/her wishes can never be justified, as on balance, the right of the patient to decide autonomously what is in his/her interests always prevails.

Guidance Point 20
Where in the course of the healthcare professional-patient relationship a legal obligation to disclose is clearly becoming relevant, this should be discussed with the patient and/or their legal representative as early as possible unless such discussion would itself undermine the purpose of the disclosure. Before complying with any possible legal obligation to disclose, healthcare professionals must satisfy themselves that the situation clearly falls under the category of cases for which disclosure is legally required. They must ensure that every argument that can properly be put against disclosure is put before the authority to which disclosure needs to be made. Any disclosure must be limited to what is strictly necessary.

Guidance Point 21
Healthcare professionals should ensure that they are aware of any country specific legal provisions or principles according to which the weighing of interests needs to be performed.

Guidance Point 22
In situations involving disclosure to protect overriding rights of third parties, each case must be considered on its merits. The test is whether the release of information to protect the interests of a third party exceptionally prevails over the duty of confidence owed to the patient in the public interest. Decisions to disclose patient identifiable information outside the health services where no obligation to disclose information exists, are matters of balanced judgement.

Factors to consider when reaching such a decision are, among others:

• the importance of the interest that is at risk without disclosure, for example disclosure might be more easily justified where the life or integrity (physical or psychological) of a third party is at risk;

• the likelihood of the harm occurring in the individual case, that is, disclosure might be justified where there is a high likelihood of harm to the life of another, but not necessarily justified where there is a low likelihood of harm;

• the imminence of the harm, that is, disclosure might be justified where protection of the third party requires immediate action, but not where there is no more than a possibility that at some future point the patient might pose a threat to another;

• the existence of a sufficiently appropriate authority to whom disclosure can be considered;

• the necessity of the disclosure to avert the harm, that is, that there is no possibility of averting the harm without disclosure;

• the likelihood that disclosure can avert the harm, which requires that the healthcare professional be satisfied that the harm to the third party or to the legally protected public interest is sufficiently likely to be averted by disclosure.


Where the patient is incompetent, disclosure can be justified to protect the best interests of that patient. Whether disclosure is justified in the individual case depends on a careful weighing of the patient’s interest in having the confidentiality of his/her information maintained and the interests that are at risk without disclosure.

Guidance Point 23
Where a patient is incompetent, disclosure can be justified to protect the best interests of that patient. Whether disclosure is justified in the individual case depends on a careful weighing of the patient’s interest in having the confidentiality of his/her information maintained and the interests that are at risk without disclosure.

Good practice for justified disclosures. When a decision has been reached that disclosure is justified in a particular situation, there are requirements for how that disclosure should best be made.

Guidance Point 24
In all instances where judgment is involved, healthcare professionals are urged to discuss the case with colleagues without revealing identifiable details of the patient and, if necessary, to seek legal or other specialist advice.

Most of the situations where decisions to disclose are reached require good communication with and support for patients whose confidentiality is to be breached.

Once a decision to disclose has been reached the usual procedure would be as follows:

• an explanation of the reasons for sharing information should be given to the patient and/or their legal representative;

• the healthcare professional should encourage the patient (and/or where appropriate, their legal representative) to inform the relevant authority (for example, police or social services). If the patient or legal representative agrees, the healthcare professional will require confirmation from the authority that such disclosure has been made;

• if the patient or their legal representative refuses to act, the healthcare professional should then tell them that he or she intends to disclose the information to the relevant authority or person. He or she should then inform the authority, disclosing only relevant information and make available to the patient and/or their legal representative the information that he or she has released; and

• healthcare professionals who decide to disclose confidential information (with or without prior informing of the patient and/or their legal representative) should be prepared to explain and justify their decision to the authority if called upon to do so. The healthcare professional should record in the healthcare record details of all conversations, meetings and appointments involved in the decision to disclose or not to disclose such information.

The exception to this normal procedure is where informing the subject of the disclosure in advance that the disclosure will be made would prevent achieving the justified aim of the disclosure.


3.5 The Security of Patient Information

The quality and integrity of patient information, information protection and the controls required to ensure that patient information sharing is secure, confidential and responsive to patient preferences are inextricably linked. A coherent institutional framework for information governance is required. Within such a framework the principal means of enhancing the security of personal information are restriction of access and the maintenance of information in a form which protects the identity of the patient.

Guidance Point 25Given the healthcare professional’s responsibility tomaintain patient confidentiality, professionals shouldstrive to ensure that appropriate policies and protocolsare in place and operational in their institutions andamong commissioners of services for maintaining thesecurity of patient information.

Healthcare professionals should be mindful of strictprivacy and security obligations when communicatingwith patients, their legal representatives, carers andcolleagues, particularly where indirect methods arebeing used such as telephones, e-mails and faxes.

Glossary

Anonymisation. According to Recital 26 of the Data Protection Directive, to render personal data anonymous places it outside the scope of the Directive. For personal data to have been rendered anonymous it must no longer be possible for anyone to identify the person who is the subject of the data directly (that is, from the data itself) or indirectly (that is, from the data itself in conjunction with other data or means that are "reasonably likely to be used", such as an identification number or one or more factors specific to the subject's physical, physiological, mental, economic, cultural or social identity). Coded and encrypted data is not anonymous for the purposes of European data protection law if anyone can decode or decrypt it without unreasonable effort.

Best Interests. A standard according to which decisions are made on behalf of incompetent patients.

Capacity. Laws specific to each country define the requirements for someone to have the mental capacity to make a decision as well as the place for a proxy to have the authority to take a decision on behalf of the patient.

Carer. A term used to include a variety of people that range from parents to relatives or professional carers who, while caring for the person, may not have any legal authority to have access to their information.

Clinical Audit. The process of comparing actual clinical activity undertaken and outcomes against standards to measure achievement and identify mechanisms for improvement.

Consent. Three conditions must be satisfied for consent to be effective. First, it must be informed. A patient (or their legal representative) cannot be considered to have consented to something of which they are ignorant. It is important that patients are made aware of the information sharing that must take place to provide them with appropriate care. Second, it must be given freely and without duress. Third, there must be some indication that the patient has given consent. This may be express (explicit) or implied (implicit). Valid consent requires that the patient has been provided with information as to what information it is intended to disclose, and for which purposes disclosure is suggested. Consent also presupposes choice, which means that the patient who is asked to consent must have the possibility to refuse to give such consent or to withdraw such consent.

Council of Europe. The Council of Europe is the continent's oldest political organisation, founded in 1949. It groups together 46 European countries and is distinct from the 25-nation European Union, but no country has ever joined the Union without first belonging to the Council of Europe. The European Convention on Human Rights and related international instruments come from the Council of Europe. See http://www.coe.int for further information.

European Union. The European Union (EU) is a union of twenty-five independent states (as of 2005) founded to enhance political, economic and social co-operation. See http://europa.eu.int for more information.

European Court of Human Rights. The European Court of Human Rights is an international court based in Strasbourg. The Court applies the European Convention on Human Rights. Its task is to ensure that States respect the rights and guarantees set out in the Convention. It does this by examining complaints lodged by individuals or, sometimes, by States. Where it finds that a member State has violated one or more of these rights and guarantees, the Court delivers a judgment. Judgments are binding: the countries concerned are under an obligation to comply with them.

Healthcare Professional. Includes doctors, nurses, psychotherapists, physiotherapists, occupational therapists, radiographers etc.: anyone who provides healthcare directly to the patient.

Healthcare Purposes. Activities undertaken for healthcare purposes are those with the aim, directly or indirectly, of improving health or reducing illness in individuals or groups.

Healthcare Information. Includes information about a person, regardless of the form in which that information is held.

Intellectual Disability. The current WHO diagnostic term is ‘Mental retardation’ but, although in use in the Americas, is unpopular and has been replaced with ‘Mental Handicap’ (in much of the EU) or ‘Learning Disabilities’ (in the UK).

Legal Representative. A person provided for by law to represent the interests of, and/or take decisions on behalf of, a person who does not have the capacity to consent.


Patient. Any person receiving healthcare from a healthcare professional.

Primary Uses. Primary uses of confidential patient information are uses in healthcare which contribute directly to or support the healthcare that a patient receives.

Principle. A basic rule that guides or influences thought or action.

Public Interest. Legal justification for the disclosure of confidential information in order to protect an overriding interest of members of the public or the public as a whole. In many jurisdictions this legal justification will often be provided on the basis of necessity.

Secondary Uses. Secondary uses of confidential patient information are uses in healthcare which do not contribute directly to or support the healthcare that a patient receives.


EuroSOCAP Project Board

Professor Roy McClelland, Project Co-ordinator
Dr Colin Harper, Technical Assistant
Mrs Marie Brooks, Administrative Assistant
EuroSOCAP Project, Queen’s University Belfast, Division of Psychiatry & Neuroscience, Whitla Medical Building, 97 Lisburn Road, BELFAST BT9 7BL
Tel: 00 44 28 9097 5790; Fax: 00 28 44 9097 5870

Dr Tom Berney, Consultant Psychiatrist
Northgate and Prudhoe NHS Trust, Prudhoe Hospital, Prudhoe, Northumberland NE42 5NT
Tel: 00 44 1670 394000; Fax: 00 44 1670 394003

Professor Deryck Beyleveld
Sheffield Institute of Biotechnological Law & Ethics, The University of Sheffield, Crookesmoor Building, Conduit Road, SHEFFIELD S10 1FL
Tel: 00 44 1142226716; Fax: 00 44 1142226832

Dr Jesus Carbajosa
Septimania Association, Ronda General Mitre 230, Entlo., E-08006 Barcelona, SPAIN
Tel: 00 34 932240412; Fax: 00 34 934151404

Professor Francis Crawley, Director General, Good Clinical Practice Alliance
Schoolbergenstraat 47, BE-3010 Kessel-Lo, BELGIUM
Tel: 00 32 16 35 03 69; Fax: 00 32 16 35 03 69

Dr Béatrice Despland
Institute of Health Law, Avenue du 1er Mars 26, 2000-Neuchâtel, SWITZERLAND
Tel: 00 41 327181280; Fax: 00 41 327181281

Professor Bill Fulford
Department of Philosophy, University of Warwick, Gibbet Hill Road, COVENTRY CV4 7AL
Tel: 00 44 2476 524961; Fax: 00 44 2476 523019

Professor Wolfgang Gaebel
Heinrich Heine University, Bergische Landstr. 2, 40629 Düsseldorf, GERMANY
Tel: 00 49 2119222004; Fax: 00 49 2119222020

Professor Sefik Gorkey
Marmara University, Faculty of Medicine, Medical History of Ethics Dept, Tibbiye Cad. No 49, 81326 Haydarpasa, Istanbul, TURKEY
Tel: 00 90 216 3474989; Fax: 0090 216 4144731

Dr Danielle Grondin
The International Organisation for Migration, 17 Route des Morillons, CP 71, CH-1211 Geneva, SWITZERLAND
Tel: 00 41 227179111; Fax: 00 41 227986150

Dr Marc Guerrier
Espace Ethique AP-HP, CHU Saint-Louis, 1 Avenue Claude Vellefaux, 75475 PARIS
Tel: 00 33 1 44 84 17 57; Fax: 00 33 1 44 84 17 58

Professor Goran Hermerén
Lund University, Medicinsk etik, S:t Gråbrödersgatan 16, 222 22 Lund, SWEDEN
Tel: 00 46 46 222 1280; Fax: 00 46 46 222 1285


Mr Alastair Kent, Director, Genetic Interest Group
Unit 4D, Leroy House, 436 Essex Road, LONDON N1 3QP
Tel: 00 44 207 704 3141; Fax: 00 44 207 359 1447

Professor Tony McGleenan
School of Law, University of Ulster, Jordanstown, NEWTOWNABBEY

Dr Sabine Michalowski
Department of Law, University of Essex, Wivenhoe Park, COLCHESTER CO4 3SQ
Tel: 00 44 1206873000; Fax: 00 44 1206869493

Professor Emilio Mordini
Centre for Science, Society and Citizenship, Via Sistina 37, 00187 Rome, ITALY
Tel: 00 39 064740144; Fax: 00 39 0697840359

Dr Rosa Ordonez
Septimania Association, Ronda General Mitre 230, Entlo., E-08006 Barcelona, SPAIN
Tel: 00 34 932240412; Fax: 00 34 934151404

Mr Jean-Pierre Tassignon, Chairman, European Forum for Good Clinical Practice
c/o Executive Vice President, PSI Pharma Support International AG, Bahnhofstrasse 12, 6300 ZUG, SWITZERLAND
Tel: 00 41 41 72 888 00; Fax: 00 41 41 72 888 01

Dr Paul Thornton, General Practitioner
Pear Tree Surgery, 28 Meadow Close, Kingsbury, Warwickshire B78 2NR
Tel: 00 44 1827 872755; Fax: 00 44 1827 874700

Professor Michael Weindling, Professor of Perinatal Medicine & Consultant Neonatologist
University of Liverpool, Neonatal Unit, Liverpool Women's Hospital, Crown Street, Liverpool L8 7SS
Tel: 00 44 151 702 4055; Fax: 00 44 151 702 4313

European Guidance for Healthcare Professionals on Confidentiality and Privacy in Healthcare

Introduction

All patients have the right to privacy and the reasonable expectation that the confidentiality of their personal information will be rigorously maintained by all healthcare professionals. Each patient’s right to privacy and the professional’s duty of confidentiality apply regardless of the form (for example, electronic, photographic, biological sample) in which the information is held or communicated. This guidance applies to all healthcare professionals and addresses the areas of healthcare confidentiality and informational privacy. It forms part of the European Standards on Confidentiality and Privacy in Healthcare which elaborate this Guidance and provide Recommendations to healthcare provider institutions, based on ethical and legal foundations. The Standards also contain a Glossary. The text of the Standards and the Guidance are available in various languages at www.eurosocap.org.

The European Standards are primarily ethical standards, developed within the legal context in which healthcare professionals make decisions about the protection, use and disclosure of confidential information. Not all healthcare professionals are bound by the same legal obligations of confidence, but all are under the same ethical obligations to maintain confidentiality.

The Guidance gives detailed consideration to the needs of vulnerable patients. The needs of vulnerable patients are greater with respect to confidentiality—there is greater risk of it being breached than is the case for other patients. Particular care is needed on the part of healthcare professionals to ensure that the right to privacy of vulnerable patients is respected and that their duty of confidentiality toward them is fulfilled.

In this Guidance three areas of protections, uses and disclosures are considered:

• protections, uses, and disclosures of patient information for their healthcare;

• protections, uses, and disclosures of patient information for healthcare purposes not directly related to their healthcare; and

• obligations and justifications for the disclosure of patient identifiable information for purposes not related to their healthcare.

Protection, Use and Disclosure of Patient Information—General Considerations

1. Key principles of healthcare confidentiality. Healthcare professionals should respect the following three key principles of healthcare confidentiality.

• Individuals have a fundamental right to the privacy and confidentiality of their health information.

• Individuals have a right to control access to and disclosure of their own health information by giving, withholding or withdrawing consent.

• For any non-consensual disclosure of confidential information healthcare professionals must have regard to its necessity, proportionality and attendant risks.

2. Support for the vulnerable. Healthcare professionals should ensure that vulnerable people are given all necessary support to enable them to understand the complexities of confidentiality issues and to help them to express their wishes.

3. Protecting the vulnerable. Whenever a patient is identified as vulnerable by a healthcare professional, that identification, its specific nature and the justification for it, should, with the consent of the patient or their legal representative¹, be recorded in their case notes.

4. Incapacity. Where a healthcare professional thinks that disclosure would be in the best interests of a patient unable to consent, he/she should raise this with the patient's legal representative (including the parent/guardian of a minor). If the consent of the legal representative is withheld, the healthcare professional should follow the current best practice of their country in resolving the dispute.

5. Emergency situations. In emergency situations, uses or disclosures of confidential patient information may be made, but only the minimum necessary information should be used or disclosed to deal with the emergency situation.

6. Disclosure after death. The confidentiality of patient information must be maintained after the death of the patient.

7. Where a competent patient has made an explicit request before his or her death that their confidence be maintained, then that request should be respected.

¹ A legal representative is a person provided for by law to represent the interests of, and/or take decisions on behalf of, a person who does not have the capacity to consent.


8. Where a healthcare professional considers that disclosure after the death of a patient may be necessary or desirable, or receives a request for disclosure, and has no specific instructions from that patient, the professional should consider this as a situation of possible disclosure to third parties or disclosure for a legally protected public interest. (See Guidance points 19-23.)

9. Patient access to their healthcare information. Healthcare professionals must respect patients’ requests for access to their healthcare information and comply with their legal obligations under Data Protection laws.

Protection, Use and Disclosure of Patient Information for their Healthcare

10. Keeping patients informed. Healthcare professionals must ensure that patients and/or their legal representative are informed in a manner appropriate for the patient’s communication needs:

• of what kinds of information are being recorded and retained;

• of the purposes for which the information is being recorded and retained;

• of what protections are in place to ensure non-disclosure of their information;

• of what kinds of information sharing will usually occur;

• of the choices available to them about how their information may be used and disclosed;

• about their rights to access and where necessary to correct the information held about them within healthcare records;

• the information required to be provided to them by national law implementing Directive 95/46/EC; and

• country specific legal provisions or principles governing disclosure.

11. Patients, or where appropriate their legal representative, must be informed of what information sharing is necessary for the patient’s individual healthcare. Provided they are informed in this way, explicit consent is not necessary; implied consent is sufficient for the ethical sharing of patient information for their healthcare.

12. Clinical audit. Healthcare professionals should strive to ensure that institutional policies for clinical audit are compatible with the ethical requirement for confidentiality.

13. Carers. The potential benefits of information sharing with their informal carer should be discussed with the patient and/or their legal representative. However, the fact that such information sharing may be beneficial does not diminish the duty of confidentiality owed to the patient by the healthcare professional.

14. Multidisciplinary teams. The healthcare team may include temporary members for particular functions and the healthcare professionals must not disclose information to temporary members unless they are under a sufficient obligation of confidentiality for that level of disclosure.

Multidisciplinary teams should agree strategies for any disclosure of confidential information beyond the team.

Healthcare professionals may have different criteria and thresholds for the disclosure of confidential information, for example in relation to public safety. It is essential that each healthcare professional familiarise him or herself with such differences and moderate disclosures accordingly.

15. Inter-agency teams. Where it is planned to involve staff from other agencies this should first be discussed with the patient and/or their legal representative. The purpose of involving the other agency should be clarified along with the purpose of the contemplated information sharing.

Where a patient or their legal representative refuses to consent to the involvement of other agencies their refusal should be respected unless there are overriding interests. (See Points 19-23.)

Where other agencies request information about patients, healthcare professionals should first seek the consent of the patient or their legal representative about such sharing, including the content of information to be disclosed.

16. Dual roles and responsibilities. Healthcare professionals should avoid situations with dual responsibilities and obligations to the same patient wherever possible.


Where a healthcare professional has dual responsibilities it is important that they explain at the start of any consultation or assessment to the patient and/or their legal representative on whose behalf they are seeing the patient and the purpose of the consultation or assessment. It should also be made clear to the patient and/or their legal representative that the information given will not be treated as confidential.

Protection, Use and Disclosure of Patient Information for Healthcare Purposes not Directly Related to their Healthcare

17. Consent for secondary uses. Express consent from the patient or their legal representative should where possible be obtained before any proposed secondary uses of their personal information. Where there is agreement to disclosure, only the minimum necessary patient identifiable information should be used for each legitimate healthcare purpose.

18. Protecting the identity of the patient. Healthcare professionals should strive to ensure that appropriate policies and protocols to protect the identity of the patient are in place and operational in their hospitals and units and among commissioners of services for secondary healthcare uses of patient identifiable information.

19. Anonymisation. Information should only be kept in forms that enable the patient to be identified if this is necessary for the purposes for which it is being kept. Data which has been rendered anonymous means that the patient can no longer be identified directly or indirectly by anyone from that data. Whenever it is intended to render data anonymous, patients and/or their legal representative must be informed by the healthcare professional of this intention and the precise effect that this will have, specifically on the ability of patients to access their data and to know what it is being used for and hence to object to such uses. Patients and/or their legal representative should be informed of the purposes of the intended processing of data after it has been rendered anonymous.

Obligations and Justifications for the Disclosure of Patient Identifiable Information for Purposes not Related to their Healthcare

20. Legal obligations to disclose. Where in the course of the healthcare professional-patient relationship a legal obligation to disclose is clearly becoming relevant, this should be discussed with the patient and/or their legal representative as early as possible unless such discussion would itself undermine the purpose of the disclosure. Before complying with any possible legal obligation to disclose, healthcare professionals must satisfy themselves that the situation clearly falls under the category of cases for which disclosure is legally required. They must ensure that every argument that can properly be put against disclosure is put before the authority to which disclosure needs to be made. Any disclosure must be limited to what is strictly necessary.

21. Justifications to disclose. Healthcare professionals should ensure that they are aware of any country specific legal provisions or principles according to which the weighing of interests needs to be performed.

22. In situations involving disclosure to protect overriding rights of third parties, each case must be considered on its merits. The test is whether the release of information to protect the interests of a third party exceptionally prevails over the duty of confidence owed to the patient in the public interest. Decisions to disclose patient identifiable information outside the health services where no obligation to disclose information exists are matters of balanced judgement.

Factors to consider when reaching such a decision are, among others:

• the importance of the interest that is at risk without disclosure, for example disclosure might be more easily justified where the life or integrity (physical or psychological) of a third party is at risk;

• the likelihood of the harm occurring in the individual case, that is, disclosure might be justified where there is a high likelihood of harm to the life of another, but not necessarily justified where there is a low likelihood of harm;

• the imminence of the harm, that is, disclosure might be justified where protection of the third party requires immediate action, but not where there is no more than a possibility that at some future point the patient might pose a threat to another;

• the existence of a sufficiently appropriate authority to whom disclosure can be considered;

• the necessity of the disclosure to avert the harm, that is, that there is no possibility of averting the harm without disclosure;

• the likelihood that disclosure can avert the harm, which requires that the healthcare professional be satisfied that the harm to the third party or to the legally protected public interest is sufficiently likely to be averted by disclosure.

23. Disclosure to protect the best interests of the incompetent patient. Where a patient is incompetent, disclosure can be justified to protect the best interests of that patient. Whether disclosure is justified in the individual case depends on a careful weighing of the patient’s interest in having the confidentiality of his/her information maintained and the interests that are at risk without disclosure.

24. Good practice for justified disclosures. In all instances where judgment is involved, healthcare professionals are urged to discuss the case with colleagues without revealing identifiable details of the patient and, if necessary, to seek legal or other specialist advice. Most of the situations where decisions to disclose are reached require good communication with and support for patients whose confidentiality is to be breached. Once a decision to disclose has been reached the usual procedure would be as follows.

• An explanation of the reasons for sharing information should be given to the patient and/or their legal representative.

• The healthcare professional should encourage the patient (and/or where appropriate, their legal representative) to inform the relevant authority (for example, police or social services). If the patient or legal representative agrees, the healthcare professional will require confirmation from the authority that such disclosure has been made.

• If the patient or their legal representative refuses to act, the healthcare professional should then tell them that he or she intends to disclose the information to the relevant authority or person. He or she should then inform the authority, disclosing only relevant information and make available to the patient and/or their legal representative the information that he or she has disclosed.

• Healthcare professionals who decide to disclose confidential information (with or without prior informing of the patient and/or their legal representative) should be prepared to explain and justify their decision to the authority if called upon to do so. The healthcare professional should record in the healthcare record details of all conversations, meetings and appointments involved in the decision to disclose or not to disclose such information.

The exception to this normal procedure is where informing the subject of the disclosure in advance that the disclosure will be made would prevent achieving the justified aim of the disclosure.

Security

25. Security. Given the healthcare professional’s responsibility to maintain patient confidentiality, professionals should strive to ensure that appropriate policies and protocols are in place and operational in their institutions and among commissioners of services for maintaining the security of patient information.

Healthcare professionals should be mindful of strict privacy and security obligations when communicating with patients, their legal representatives, carers and colleagues, particularly where indirect methods are being used such as telephones, e-mails and faxes.


Co-ordinated and published through Queen’s University Belfast

Designed and printed by GPS Colour Graphics, Alexander Road, Belfast BT6 9HP