Management of Public Health Incidents: Guidance on the Roles and Responsibilities of NHS led Incident Management Teams - October 2011

ANNEX G

SHARING PERSONAL/PATIENT INFORMATION IN THE CONTEXT OF THE PUBLIC HEALTH INCIDENT RESPONSE

1. Building up the overall picture of a public health incident normally requires collated information from individuals. Personal health information is integral to effective investigation of the cause and development of effective control measures. Personal health information is recognised as particularly sensitive within the Data Protection Act.

In an incident with significant risk to the wider population there remains a duty both to protect and minimise the personal health information used and also a duty to share information with other NHS bodies and Local Authorities if required to determine the cause and enable effective control of the incident. Police officers may be members of an IMT and police action may be essential to control the incident and reduce harm to the wider population. The Data Protection Act and other guidance can enable the sharing of personal health information when there is significant risk to the broader public.

There may therefore be duties in any incident to both protect and to share personal health information. Decisions should be guided by the Data Protection Act principles and the highlighted guidance following in paragraphs 2 and 3. Those leading the IMT should be able to justify decisions to share or not to share personal health information and to record the reasons for such decisions. The IMT chair must base the final decision on all the available information and balance the duty to share data with the duty to keep personal data confidential.

2. The Data Protection Act and the 'Caldicott Rules' provide a clear framework in which we are all required to work. More specifically, the following material is available both in relation to information sharing in the context of public health incidents:

• Chapter 7 of 'Preparing Scotland' (http://www.scotland.gov.uk/Publications/2007/06/12094636/21) also provides guidance on the need to share information generally.

• CEL (13) 2008 Information Sharing between NHS Scotland and the Police describes the protocols to be followed by the NHS and the Police Service on the sharing of information between the two services and is viewable at: (http://www.sehd.scot.nhs.uk/mels/CEL2008_13.pdf)

• CMO letter of 28 January 2010 on the OUTBREAK OF ANTHRAX IN HEROIN INJECTING DRUG USERS- Confidentiality and Data Sharing Requirements reminds NHS Boards of the existing policy agreements on information sharing with the police and the broader guidance on duties related to sharing and protecting personal health information: (http://www.sehd.scot.nhs.uk/cmo/CMO(2010)03.pdf)

3. The General Medical Council guidance 'Confidentiality: disclosing information about serious communicable diseases' (September 2009) provides guidance to doctors responding to public health incidents. It is important to read this guidance as a whole but the following are important elements of the guidance:

• 'Personal information may therefore be disclosed in the public interest without the patients' consent, and in exceptional cases where patients have withheld consent, if the benefits to an individual or to society as a whole outweigh both the public and patient's interest in keeping the information confidential.'
• 'Disclosure of personal information about a patient without consent may be justified in the public interest if failure to disclose may expose others to risk of death or serious harm.'

'You should pass information about serious communicable diseases to the relevant authorities for the purpose of communicable disease control and surveillance. You should use anonymised or coded information if practicable and as long as it will serve the purpose.'

The Nursing and Midwifery Council (NMC) provides guidance for nurses in the NMC Standards of conduct, performance and ethics for nurses and midwives (2008).