Another example would be to comply with a legal obligation the NHS has, for example notifying Health Protection Scotland when someone contracts a specific disease. When we are using more sensitive types of personal information, including health information, our legal basis is usually that the information is necessary:.
Only in certain circumstances will NHS Scotland, its partners or subcontractors want to use your personal information for other reasons. If this happens we will:. As well as receiving information directly from you we may also receive it from someone making a call on your behalf such as:.
Equally, GPs have access to health information about you from other areas of the NHS such as hospitals or laboratories. GPs need this information to provide you with effective healthcare. Pharmacies may have also access to some of your health information, such as prescriptions and allergies. Depending on the situation, and only where appropriate, we may share personal information with the following types of recipients:.
When sharing information, NHS Scotland only provides the minimum information required and only if there is a legal basis for that, otherwise the NHS will ask for your consent prior to sharing your data. The law protects your confidentiality and we will not share your personal information with others unless there is a clear legal basis to do so. Any information shared will be appropriate, relevant and proportionate to the purpose of the sharing.
When needed, information may be transferred to countries or territories around the world. This sets out the recommended retention periods for information, including personal information held in different types of records including medical and administrative records.
We take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure, and confidential.
We do this by:. When planning the development of new information systems or services, NHS Scotland follow the principles of 'Privacy by Design'. This means that we will always use your personal information appropriately. This right includes making you aware of what information we hold. It also gives you the opportunity to check that we are using your information fairly and legally. We must provide this information free of charge, however in certain circumstances we may charge a reasonable fee or refuse to process your request such as:.
If you would like to access your personal information, you can do this by contacting the relevant data controller for example your local NHS Board or GP. Once the relevant data controller has received your request and you have provided them with enough information for them to locate your personal information, they will respond to your request within one month.
However if your request is complex they may take up to two months, to respond. If this is the case the data controller will explain the reason for the delay. If the personal information held by an NHS Scotland organisation the data controller is inaccurate or incomplete you have the right to have this corrected. If it is agreed that your personal information is inaccurate or incomplete the data controller will aim to amend your records accordingly.
The original information, along with an explanation of why information has been corrected or amended, must remain on our records as an audit trail. The data controller will normally amend records within one month. If they need more time to do this they will let you know. They may need another two months if the request is complex. All members of staff who provide care to the patient are bound by a duty of confidentiality and the patient should be informed of this.
If a patient objects to the sharing of information and you consider that it is not possible to provide them with safe care without sharing such information, you should explain this to them and advise them that it may not be possible to refer them for treatment.
Information for clinical audit should be anonymised where possible; when anonymised, the information ceases to be confidential. If information is required by third parties, such as an insurer, employer, or agency assessing benefits, 19 express consent should be sought for such disclosures. Written consent should be sought from the patient or person authorised to act on the patient's behalf.
The patient must be informed that information cannot be concealed or withheld in these circumstances, but only relevant and factual information should be disclosed. A copy of the report should be offered to the patient unless:. As mentioned above, disclosure of personal information can be made without the patient's consent if it is required by law or justified in the public interest.
Disclosures in the public interest are justified to protect individuals or society from risk of serious harm, such as crime or serious communicable disease.
The patient must be informed of the disclosure even if you have not sought the consent. The disclosure would be justified in order to assist in the prevention, detection, or prosecution of serious crime and to protect others, including children, from various type of violence. If a patient's identifiable information is required in the public interest, the patient's consent should be sought unless it will put you or others at risk of serious harm or undermine the purpose of disclosure.
The other exception would be in cases where action must be taken quickly and there is insufficient time to contact the patient. Disclosure can only be obtained without consent if it is required by law, approved under section of the NHS Act , 33 or justified in the public interest and: 34, Information can be disclosed in the public interest if it will benefit society over time for use in medical research, epidemiology, public health surveillance, health service planning, and education.
A mentally competent patient who is at risk of serious harm and who declines information to be shared must be warned of the risks, but the patient's decision must be respected.
It should be established with a patient who has the required mental capacity what information they want to be shared, and with whom. If a patient lacks capacity, it is reasonable to assume that they would like information to be shared with people closest to them unless the patient has suggested otherwise. When deciding whether to disclose information about mentally incompetent adults, you must make the care of the patient your first concern, encourage the patient to get involved, respect their dignity, and take into account their previous wishes, feelings, beliefs, and values.
Views of Lasting Powers of Attorney for a mentally incompetent person should be sought and advance decisions should be followed. The duty of confidentiality continues after a person dies, especially if the person asked for information to remain confidential.
Relevant information about a person who has died should be disclosed in the following circumstances: The same duty of confidentiality applies to children and young people as to adults. Some features on this site will not work. You should use a modern browser such as Edge, Chrome, Firefox, or Safari. If you have difficulty installing or accessing a different browser, contact your IT support team.
The duty to share information can be as important as the duty to protect confidentiality. It covers the five confidentiality rules:.
0コメント