A more recent version of these Confidentiality notes – written by Oxford students – is available here.
The following is a more accessble plain text extract of the PDF sample above, taken from our Medical Law Notes. Due to the challenges of extracting text from PDFs, it will have odd formatting:
Confidentiality Introduction Learning Objectives: Understand the role of confidentiality within the medical context Learning Goals:
* What establishes a breach of confidence or privacy?
* What justifies a breach of confidence or privacy?
* Two reasons why it is important for doctors to respect patient confidentiality: (1) information about health is private, and the patient should have the right to control who has access to it; (2) without an assurance of confidentiality, a patient might withhold information and this may prevent proper diagnosis/treatment
* The legal duty of confidentiality is not absolute. The reality of modern medical treatment is that patient information will be shared among a team of health care professionals. Information can also be disclosed where the public interest in disclosure outweighs the public interest in respecting confidentiality
* Genetic information raises a number of complex issues in relation to confidentiality
Why respect confidentiality Origins of confidentiality Unlike patient autonomy, patient confidentiality has its origins in the Hippocratic oath. Justifications for confidentiality Both deontological and teleological reasoning can be used to justify the existence of a duty of confidence between doctors and patients. Deontological arguments would emphasis the patient's right to privacy and their interest in controlling access (protection of liberty i.e. patient's right to privacy, dignity etc.). Here, there is a division between privacy as constituting either the protection of informational secrecy, or the protection of informational control. There is a further deontological argument from the perspective of the doctor's conscience (which stems largely from the Hippocratic oath). However, deontological arguments can also be made to justify a weakening of the duty: e.g. patient's who don't share data are freeriding and this individualistic approach to autonomy is in conflict with the relational nature of society). The consequentialist approach would justify confidentiality from the fact that good medical care depends on patients being open and honest with their doctors. In this regard, there is evidence that patients are unlikely to be candid with their doctors if their confidentiality was not protected. Similarly though, consequentialist reasoning can be used to justify a weakening of the duty: e.g. data sharing is necessary to improve public health and medical research. In light of these tensions, obviously an absolute duty of confidentiality cannot be compatible with the realities of medical treatment, and in this sense, the law does recognise situations where the duty of confidentiality may be breached. This is made all the easier (and arguably, all the more difficult to ensure that confidentiality is not arbitrarily breached) by advances in technology. At the
1 of 14
same time, it is unrealistic to think that patients want their medical information to be kept secret from the whole world; they may very well want to share it with people who can help them or help others. The law in this area is not wellstructured. This owes to a number of factors: (1) the duty of confidentiality exists in a number of different contexts; (2) remedies available for a breach of the duty do not incentivise litigation. Remedies If a patient discovers an impeding breach of confidence, they can apply for an injunction. If the disclosure has already taken place, they can sue in negligence or defamation if there is damage. If there is no damage (feelings or reputation wise), then it is unlikely for there to be any remedy, although damages were awarded in Cornelius v De Taranto for the disclosure of a psychiatric report which contained potentially defamatory statements.
Duty of confidentiality At common law At common law, as explained by Lord Goff in the Spycatcher case, the duty of confidentiality arises when confidential information comes to the knowledge of the confidant in circumstances where he has notice, or is held to have notice that the information is confidential, with the effect that it would be just in all the circumstances that he should be precluded from disclosing it to others. In other words, the duty will exist where the nature of the information itself makes it confidential, and the circumstances in which it was received makes it confidential. The duty will be breached where it would be unjust or detrimental to the individual if (a material part of) the information was disclosed to others without their consent for a purpose inconsistent with that which the information was originally disclosed. Lord Goff goes on to say that the duty of confidentiality is subject to three limiting principles (these effectively go to its scope): (1) the information must be confidential not itself not available in the public domain (although this raises questions around how much one needs to be put in the public domain for the duty to be extinguished, and the level of generality of information available in the public domain); (2) there is no duty re information that is useless or trivial (this raises questions about what is trivial or useless); (3) there exists no weightier public interest in its disclosure. The first two limiting principles deny that a duty of confidentiality exists, whereas the latter overrides it. In the medical context, the situation is generally quite clear: medical information is generally the kind which is treated as confidential, and the doctorpatient relationship is generally one in which a duty of confidence arises (see e.g. W v Egdell). An alternative way of looking at it would be to say the duty of confidentiality is a subset of the doctor's duty of care. This will only be a material alternative if the patient suffers some kind of harm as a result of negligent disclosure. It is usually assumed the duty is owed to the patient. However, health care providers might also have an interest in ensuring the confidentiality of their patient records. In Ashworth Hospital Authority v Mirror Group Newspapers, the Mirror had published information about the medical treatment of Ian Brady, one of the Moors murderers. Ian had been keen to publicise what he believed to be ill treatment and had attempted to put information about his treatment into the public. The hospital obtained an order requiring the newspaper to identify the employee who leaked Ian's medical notes. The House of Lords held that the security of medical records was such
2 of 14
that it was essential the person who disclosed them was identified and punished, even if the patient himself did not object to their disclosure. Anonymised information does confidentiality extend to this?
Depending on whether privacy is seen as embodying informational secrecy or informational control, anonymised information may not require protection. Although cf. the Source Informatics case below. It could be argued, from a deontological perspective, and premised on the position that the law of confidentiality aims to protect individual liberty, that the limitations to confidentiality are instances where substituted consent can be found (thereby removing the basis which is protected by confidentiality e.g. in cases where the information is already in the public domain), or where there are greater countervailing interests at play. Anonymised data does not however remove the basis of the law of confidentiality, nor does it serve as a countervailing interest of itself. Human Rights Act 1998 A patient's interest in confidentiality is protected by Article 8 of the European Convention of Human Rights: the 'right to respect for private and family life'. However, this is qualified under Article 8(2) by interests of national security, public safety, economic wellbeing of the country, prevention of crime, for protection of health or morals, or for the protection of the rights and freedoms of others (broadly similar to the public interest exception at common law). In an interesting case of Department of Health v Information Commissioner, Cranston J found that where the likelihood of identifying individuals was 'remote' there could be no interference with Article 8. There, the Department sought to resist a request under the FOI Act to publish statistical data about conditions that had justified late termination of pregnancy on grounds of fatal abnormality. Cranston J held the individual risk of identifying the women was remote (but not non
existent). Given the potential consequences of identifying those women, it might be thought that a remote risk would have been enough to engage Article 8. This ties into the issue around anonymised information. Article 8 is more usually engaged when justifying disclosure on policy grounds. For example, in Z v Finland, Z was married to a man who had been charged with a number of sexual offences. He was HIV positive and in order to find out when he became aware of his status, the police sought and gained access to Z's medical records. The ECHR held that seizing Z's medical records and ordering her doctors to give evidence was justifiable under Article 8(2). Disclosure without consent was also justified under Article 8 in Stone v South East Coast, where the convicted murder Stone sought to suppress publication of a homicide inquiry, which contained considerable detail about his medical treatment. While Davis J acknowledged his right to privacy, this was outweighed by the public interest in knowing more about the treatment Stone had (or didn't have). Also relevant was the fact that the need for inquiry arose from Stone's own criminal acts, and that a great deal of information was already in the public domain. Davis J also noted that a redacted or summarised version of the report might be viewed as a coverup by the public. Balancing act with Article 10 and the Human Rights Act The right to freedom of expression in Article 10 of the Convention must be balanced with Article 8, and section 12 of the Human Rights Act which specifies that the court must have particular regard to the importance of the Convention right to freedom of expression.
3 of 14
In Campbell v Mirror Group Newspapers, the House of Lords had to determine whether the press' freedom to publish information about the model Naomi Campbell's treatment for drug addiction should take priority over her right to privacy. Campbell accepted that the newspaper had been entitled, in the public interest, to disclose information that she was a drug addict, and that she was receiving treatment, because she had previously falsely and publicly stated she was not a drug addict. However, she claimed details of her attendance at Narcotics Anonymous and accompanying photographs amounted to a breach of privacy. The House of Lords agreed, saying that people trying to recover from drug addiction need considerable dedication and commitment, and that blundering in when matters are 'fragile' may do great harm. The Data Protection Act
[Soon to be replaced by a new EU General Data Protection Regulation in 2017. Query the impact Brexit might have on the implementation of a new regulation]. The new data protection regulation is aimed at giving individuals more control over their personal data and to simply the regulatory environment for businesses. Mechanisms are also to be put into place for the 'right to be forgotten' in relation to online information. Just as with the existing Data Protection Act, the new regulation is not directed specifically at medical information, and so a set of rules which are intended to protect individual's interests in their data in the world of social media and online shopping may not necessarily be a good fit with health care data. Good Medical Practice The GMCs good practice guidelines give further flesh to the duty of confidentiality, especially in context of disclosing information for education and training, reporting gunshot and knife wounds, and disclosing information about serious communicable diseases. Although the GMC guidelines does not have force as law, it is effective in terms of producing disciplinary consequences (which may have greater consequences for doctors). In addition, a failure to follow the guidelines might offer evidence the doctor has not acted as a reasonable medical practitioner and breached their duty of care. Caldicott Principles In 1997, a review of the use of patient information in the NHS produced six guiding principles:
7. Justify the purpose Don't use personal confidential data unless it is absolutely necessary Use the minimum necessary personal confidential data Access to personal confidential data should be on a strict needtoknow basis Everyone with access to personal confidential data should be aware of their responsibilities Comply with the law The duty to share information can be as important as the duty to protect patient confidentiality
Patients who lack capacity and deceased patients Patients who lack capacity Intuitively, the duty of confidentiality should extend to adults as it does children or those who lack capacity. However, as is often the case with children and other individuals lacking capacity, it is often necessary to involve other adults in the decision making process.
4 of 14
Buy the full version of these notes or essay plans and more in our Medical Law Notes.