And whatsoever I shall see or hear …I will never divulge. Confidentiality and disclosure for intensivists

Abstract

Police requests to provide information about unconscious patients frequently cause difficulty for intensivists. This article reviews the circumstances where an intensive care doctor may and should disclose information about unconscious patients to the police. It first considers what constitutes private and confidential information and explains why this information should be protected. The relevant laws and regulations are then examined to identify circumstances in which a disclosure to the police is compulsory and when it is discretionary. It considers the required and permitted extent of the disclosures, and any requirements that must be fulfilled for the disclosure to be lawful. The role of the General Data Protection Regulations in governing all disclosures is reviewed, and a framework is provided which may be adopted to aid decision-making for disclosures to the police.

Introduction

The recent enactment of the Data Protection Act 2018,¹ the General Data Protection Regulations (GDPR),² and a series of high-profile data breaches both in healthcare and other sectors have renewed interest in how our patients’ information is collected, used, and shared.

Disclosures to the police about patients who lack capacity are particularly challenging. There is often uncertainty about what powers the police have when requesting information from clinicians caring for obtunded, critically ill patients. Moreover, requests occurring out of hours amid resuscitation and difficult clinical decision-making can add stress and lead to error.

Types of regulation

Intensivists should adopt an algorithmic approach to judge what information can be disclosed lawfully. After checking the identity of the constable they must examine the request, considering which items of information would need to be disclosed to fulfil it. Multi-part requests, for example “please can you provide the name and address of Patient X and the nature and severity of their injuries,” can be challenging and it is important to separate out what information would fulfil each component of the request.

For each item of requested information the clinician must consider the regulations governing whether that piece of information can be disclosed.

The duty to protect the patient

The first type of regulation imposes a duty on the doctor to protect the patient’s information, effectively refusing the police officer’s request. Clinicians will be familiar with these regulations – the General Medical Council (GMC) imposes a professional duty to maintain a patient’s confidence,³ and the law imposes a duty to maintain a person’s privacy.⁴

Exceptions to the duty to protect the patient

Two other broad types of regulations carve out exceptions to the duty to protect patient information. One group of regulations forces a clinician to disclose information notwithstanding the clinician’s duty to keep the information secret.

The other group of regulations permits a clinician to disclose information notwithstanding the clinician’s duty to keep the information secret. These regulations allow a clinician to choose whether to disclose the information, usually after weighing the reasons for disclosing the information against the reasons for keeping it secret.

There are two legal sources of regulations – statute law and common law. Regulations may also derive from professional bodies such as the General Medical Council and Nursing and Midwifery Council.

Section 1: The duty to protect patient information

It is important to understand the terminology used to justify the protection of patient information. Three key terms are ‘personal’ ‘private’ and ‘confidential.’

Personal information

Article 4 of the GDPR² defines personal information as information that relates to an identified or identifiable individual. The identifiability is important – the information that someone was admitted to hospital in the last 12 months due to a road traffic collision does not allow the particular person to be identified. In contrast, the information that someone was admitted at 14:37 at the Emergency Department of a particular hospital may allow identification.

Private information

Private information refers to personal information which is not in the public domain. The law protects private information and is derived indirectly from the European Convention on Human Rights. Article 8 of the Convention provides private citizens a right to a private and family life.⁵ Article 8 has multiple influences on the landscape of healthcare law and has helped to shape a patient’s right to autonomy and privacy, as well as reproductive rights and rights at the end of life.⁶

Confidential information

The common law protects confidential information. ‘Confidential’ is often used interchangeably with ‘private’, however they mean different things. ‘Confidential’ applies to information which has been received, where the nature of the information and the circumstances of its receipt creates a duty on the recipient to keep it secret.⁴ The requirements are therefore twofold, both the information itself and the circumstances of its communication must have a certain character – the information must be secret and the recipient must know (or ought to know) that the information is secret.

Information pertaining to the clinical state of a patient inevitably has the quality of confidence. Any recipient will recognise that NHS numbers and details of injuries are secrets rather than ordinary public knowledge. The information does not even have to be personal; business plans, family secrets, and information about third parties may have the quality of confidence especially if contained within medical notes.

The doctor–patient relationship is archetypal of the circumstances when received information should be considered secret.⁷ Within such a relationship it does not matter whether the information is actively disclosed, revealed inadvertently, or even despite efforts to withhold it. This is pertinent to intensivists, whose knowledge of a patient may derive from the patient’s notes and clinical examination rather than the patient’s own verbal disclosures.

Whether information is personal, private or confidential depends on the circumstances. A name, address and date of birth are personal information (in that a person is identifiable), and private information (in that it is personal and not ordinarily public knowledge). If the patient has written these details down on the paper it is not confidential, as although it contains information which is ordinarily kept secret it has not been received by anyone. If the patient hands this paper to their physician – or the physician finds it on the patient’s person in a resus bay – the information becomes confidential. The information has been received in circumstances (i.e. as part of a doctor–patient relationship) in which the recipient knows they must keep the information secret.

Professional obligations to protect the patient

Good Medical Practice (GMP)⁸ also imposes a duty to treat information about patients as confidential. The duty is justified with reference to the trust which is an essential component of the doctor–patient relationship. Nurses⁹ and allied health professionals have a similar duty to protect patient information. GMP defines a doctor’s professional – as opposed to legal – obligations, and so the sanctions for breach are imposed by the professional tribunal – the Medical Practitioners Tribunal Service.

Section 2: Compulsory disclosures

Statutory duties to disclose

The statutory duties to disclose information prevail over any professional and common law duties. The statutory duty that ICU staff are most likely to encounter is that contained in the Road Traffic Act (RTA) 1988. Section 172 of the RTA¹⁰ creates an offence of failing to give information required to lead to the identification of a driver alleged to be guilty of driving offences under the RTA. It would normally be sufficient to give the name and contact details of the person, as this would be sufficient to identify a driver. It is important to release only information which is required – Section 172 does not justify disclosing information about the severity of injuries or any treatment received.

Statutory duties arising less frequently in ICU include those contained in the Terrorism Act 2000.¹¹ The Act creates two duties relevant to intensive care doctors. Section 19 makes it a criminal offence to not disclose to a police constable if you suspect or believe another to have committed a terrorist offence. Section 38B creates an offence of failing to disclose information which might be of assistance in the prevention of terrorism or apprehending a terrorist. For example, the recent poisoning case in Salisbury, which was an act of terrorism, would give rise to statutory duties to disclose. Even if the clinician does not suspect the patient of being the perpetrator, the fact that a patient may be a victim of terrorism may be of assistance in apprehending a terrorist.

A statutory duty of increasing relevance is found in the Female Genital Mutilation Act.¹² This legislation requires those who work in regulated professions, including doctors, to inform the police if they are aware that an act of genital mutilation has been performed on a girl aged under 18.

A disclosure may be made by releasing documents which contain private or confidential information. Under the Police and Criminal Evidence Act 1984 (PACE),¹³ it is possible for the police to apply for a warrant for search and seizure of evidence, including documents such as credit cards in the patient’s pockets. However, medical records and blood or tissue samples are classed as ‘excluded material’. The police must follow special procedures to seize excluded material, outlined in Schedule 1 of PACE.

Where the police request information and there is a statutory duty to disclose it, the disclosure is compulsory by law. However, it is still important to scrutinise the request because there may be no statutory duty to disclose all information requested. A statutory duty obligates disclosure of particular information in particular circumstances.

Professional duties to disclose

GMP identifies two circumstances in which a professional duty to disclose arises. The first, outlined in Paragraph 9 of the GMC Confidentiality guidelines, is a general duty to disclose where the disclosure is also required by law.³ Consequently, disclosing confidential information to comply with a law is not regarded as a breach of a doctor’s professional duty. Paragraph 12 of the GMC Confidentiality³ guidelines does require the patient to be informed of the disclosure, unless this would cause the patient harm or undermine the purpose of the disclosure.

The second circumstance arises when treating a victim of gun or knife crime.¹⁴ The GMC bases this professional duty on the public interest in the police being responsible for public safety and aware of violent crimes. Therefore, the duty does not extend to accidental or self-harm with knives but does extend to accidental injuries from gunshot.

This professional duty requires disclosure to the police when treating a victim of a gunshot or sharp instrument; however, Paragraph 9 of the guidance specifies that the duty does not extend to identifying the victim, nor to giving any further detail about the severity of their injuries or clinical state. In practice, this professional duty can be fulfilled by calling the local police station to inform them that a patient with knife or gunshot injuries has been treated in the department. As Paragraph 18 of the guidelines helpfully points out, the police can seek a court order if they wish for specific information to be disclosed.

Section 3: Optional disclosures

Statutory powers to disclose information

A legal duty to disclose makes the disclosure compulsory, whereas a legal power to disclose leaves the decision at the discretion of the healthcare professional. Only statute and the common law can confer a power to disclose information to the police. There are three important statutes conferring a power to disclose information; the Mental Capacity Act 2005 (MCA),¹⁵ the Crime and Disorder Act 1998,¹⁶ and the Terrorism Act 2000.¹¹

The MCA permits decisions to be made for patients who lack the capacity to decide for themselves. It is frequently used in intensive care units to provide care for patients, and it can also be used by healthcare professionals to disclose private or confidential information to the police.

A full discussion of the MCA is beyond the scope of this article; however, there are three issues pertinent to information disclosure which must be addressed here. The first is that the five principles in Section 1 of the MCA still apply, just as they would for any other decision made under the MCA.

The second issue is that the MCA outlines a clear mechanism for decision-making. Section 4 of the Act specifies the parties to be consulted and factors to consider and ignore when making a decision. It follows that when deciding to disclose information under the MCA a clinician would be advised to follow the excellent guidance within the Act and to document this compliance.

Thirdly, the MCA specifies that the decision must be made in the patient’s interest, so that only the patient’s interests should be considered. This contrasts with other powers to disclose information, where a clinician may need to consider the interests of other patients, staff, or the general public.

The Crime and Disorder Act (CDA) will be less familiar to healthcare professionals.¹⁶ Section 115 of the CDA is worded broadly, allowing any person to disclose information “in any case where the disclosure is necessary or expedient for the purposes of any provision of this Act.” The relevant purpose of the Act is to prevent crime and disorder. The section allows disclosure to a ‘relevant authority’ which includes the police.

Common law powers to disclose information

The common law permits disclosure in three broad sets of circumstances.⁷ Disclosure is permitted where there is consent for the disclosure, the ‘consent exemption’, where the disclosure is in the public interest, the ‘public interest’ exemption, and where the disclosure is necessary to comply with another law, the ‘legal exemption’.

The unconscious patient cannot consent to a disclosure and here the public interest and legal exemptions must be relied upon to justify a disclosure to the police. The common law public interest exemption applies to situations where the public interest in disclosure is found to outweigh the interest in maintaining confidentiality. For example, a disclosure to the police may help to protect a third party from harm, to allow the investigation of abuse, prevent the misallocation of public funds, expose corruption of a public official or safeguard national security. The public interest exemption is important because of its flexibility, allowing physicians to disclose information to protect any important cause or benefit in which society has a stake if it outweighs the interests against disclosure.

How to weigh competing interests

Doctors frequently balance competing interests in other circumstances, for example in the rationing or prioritisation of use of healthcare resources. A helpful starting point for weighing interests for and against a disclosure is to consider the sub-group of the public which stands to benefit from the disclosure. It is then necessary to consider in what way this group stands to benefit – what interest of this group is being protected or enhanced by the disclosure.

Once the potential benefits are identified it is necessary to consider the minimum information which could be disclosed to realise these benefits. For example, disclosing a patient’s contact details alone, without any clinical information, may allow the police to pursue their line of enquiry. Note that the nature and extent of the disclosure must match the public interest in disclosure – the greater the public interest, the more extensive the disclosure which may be warranted.

It is then necessary to consider the public and private interests in avoiding the disclosure of this specific information. There is inherently a strong public interest against disclosures, as they may damage trust between patients and healthcare professionals. Personal information varies in its sensitivity, and as information becomes more sensitive the harm done to the trust placed in the profession increases. As the sensitivity of the disclosed information increases, the public benefit sought must increase proportionately.

There is frequently a private interest in avoiding a disclosure. This may be an interest of the patient themselves, who may find themselves the subject of a police investigation, or whose interactions with healthcare professionals may suffer from a perceived breach of trust.

The variety of interests which must be balanced makes the process of making a ‘public interest’ disclosure daunting. Paragraph 68 of the GMC Confidentiality guidelines³ provides helpful guidance on weighing public interest factors. As with other difficult decisions, the quality of the decision will be improved by discussion with senior colleagues.

The general data protection regulations

A recent development to the landscape of privacy regulations has been the introduction of the GDPR,² which represent an attempt by the European Union to modernise data protection law. The Regulations are directly applicable to the UK and are accompanied by UK legislation in the form of a revised Data Protection Act (DPA) 2018.¹

In the context of disclosures to the police, four aspects of the GDPR warrant mention.

Firstly, the GDPR applies to the processing of data, and disclosure of information is included in the definition of processing. This means that GDPR principles must be followed for all disclosures of patient information to the police, regardless of the statute, common law principle or professional regulation that authorises the disclosure.

Secondly, the GDPR requires a justification for any processing of information. Helpfully, the GDPR includes a list of acceptable justifications, contained within Articles 6 and 9 of the Regulations. Justifications include having the consent of that person, protecting the vital interest of the person where they cannot consent, where there is a substantial public interest, and where the person has already made the information public. The GDPR therefore permits the types of disclosures discussed in the preceding sections and should not result in a drastic change of practice.

The third aspect is that the Data Protection Principles, which were a feature of the previous DPA 1998, have been retained and updated. The Data Protection Principles summarise the overall purpose of the regulations, and one helpful approach is to use the principles as a final checklist before any information is disclosed. A copy of the principles is included in Table 1.

Table 1.

The data protection act 2018: Data protection principles.

The data protection principles
a) Lawfulness, fairness and transparency	Data must be processed lawfully, fairly and in a transparent manner
b) Purpose limitation	Data must be collected for specified, explicit and legitimate purposes, and should not be processed for incompatible purposes
c) Data minimization	Data should be limited to what is necessary in relation to the purpose
d) Accuracy	Every reasonable step must be taken to ensure inaccurate personal data is erased or rectified
e) Storage limitation	Kept for no longer than necessary
f) Integrity and confidentiality	Processed in a manner which ensures security of personal data
g) Accountability	The data controller will be able to demonstrate accountability

Lastly, both the GDPR and the DPA define personal data as information which would allow a living individual to be identified, and so they do not protect patient’s information after their death. In contrast, the professional obligation of an intensive care physician to avoid disclosure persists after a patient’s death.³

Case study

A 23-year-old man is brought into ED. He was found unconscious with evidence of a head injury and lacerations on his arms. He was intubated on arrival in ED for airway protection. The primary survey identifies left forearm fractures. After the patient is admitted to the ICU, two police constables attend and verbally request the name and address of the patient who has recently been stabbed, and information about the circumstances and severity of his injuries.

The constables have not provided a written request or a justification for the request, and so the clinical team initially does not release any information and refers the request back to the constables. A senior clinician notes that notwithstanding the validity of the police request there is a professional obligation to disclose gun and knife injuries to the police. In this case, the police are already aware of the stabbing and so no further disclosure is required.

The police constables subsequently provide a new written request under section 115 of the CDA 1998.¹⁶ This section confers a power to release information, and so it is not compulsory to make the disclosure. The consultant balances the public interest in preventing and investigating crime with the patient’s right to privacy, and his professional obligation to maintain the patient’s confidentiality.

The consultant releases the patient’s name and address, as this would allow the police to continue their investigation. No clinical information is released, as it is not clear how the disclosure of clinical information would assist the investigation or prevention of crime.

On his recovery, the patient is informed of the disclosure in accordance with the professional duty of the treating doctors.

Concluding comments

The police do not have a general legal power to demand information, and they must be able to justify their request for information. Insisting on a written request, which states the legal basis for the disclosure, will help the clinician to ensure the disclosure is justified.

Trusts must develop a structured approach to deal with such requests and ensure staff are adequately trained in their use. Figure 1 illustrates a structured approach, adapted from those used by NHS trusts in the UK.

Figure 1.

A structured approach to requests to divulge information.

Disclosures to the police should be discussed with senior members of staff, as the process of balancing the patient’s right to privacy against the public interest in disclosure requires experience. A decision to disclose may have multiple relevant public interest considerations, and the quality of the decision improves with discussion. Police requests and disclosures should also be brought to the attention of the Caldicott Guardian, who has a role in protecting patient information at an institutional level. Clinicians can also seek advice from their medical indemnity provider.

There are frequently a range of acceptable decisions with regard to making a public interest disclosure. If advice was sought appropriately, the important factors were considered, and discussions are documented, that is as much as can be expected of a clinician making a difficult decision.

Terms

Statute law	Law enacted by Parliament. Statute law takes precedence over the common law. UK statutes can be viewed online at www.legislation.gov.uk
Common law	Also termed case law, common law is developed incrementally by the courts using precedent. The common law imposes several key duties on doctors, including the duty to take reasonable care, and the duty to maintain confidences. Reports of significant court cases can be viewed online at www.bailii.org
Professional duty	An obligation which arises from a professional code of conduct. It only applies to members of the profession and is enforced by the profession’s regulatory body. This article will only consider the professional code of conduct of the General Medical Council, which only applies to Registered Medical Practitioners.
Confidential information	Information received in circumstances which oblige the recipient to keep it secret. Information in the public domain cannot be confidential
Duty of confidentiality	Where confidential information is received, the recipient comes under an obligation not to disclose it to a third party or place the information in the public domain.
Personal information	Information which relates to an identified or identifiable individual.
Private information	Information pertaining to an individual, which is not in the public domain.
Medical records	Documents created by healthcare professionals about a patient. Medical records contain information which is personal and private.
Disclosure	Where a health professional releases information to a third party.
Capacity	A patient’s ability to make a decision for themselves, tested according to criteria set out in the Mental Capacity Act 2005.

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) received no financial support for the research, authorship, and/or publication of this article.