Skip to main content
hpa logo
Topics A-Z:
Search the site:
Home Topics Infectious Diseases Infections A-Z Surveillance Surveillance and confidentiality ›  Surveillance and confidentiality

Surveillance and confidentiality

Information for health care professionals

The HPA is unreservedly committed to preserving medical confidentiality in all aspects of its work, both in its direct contacts with clinicians and patients and in aggregating data for surveillance purposes and research. Its aim and intention is always to be worthy of the trust that, each year, so many patients place in it.

The Caldicott Report (December 1997) and Executive Letter (January 1999) set in motion a process of continuous improvement in medical confidentiality within the National Health Service, including the organisations now comprising the Health Protection Agency (HPA). In accordance with guidance laid out in the report, the HPA has appointed a Caldicott Guardian and Security of Information Officers (SIO), whose functions are to ensure that data handling is in accordance with the recommendations of the Caldicott Committee, subsequent guidance and requirements of the Data Protection Act. These requirements especially affect data with Personal Identifiable Information (PII).

The principles in the Caldicott Report are summarised below:

  1. Justify the purpose(s) for using patient data
  2. Don't use patient-identifiable information unless it is absolutely necessary
  3. Use the minimum necessary patient-identifiable information
  4. Access to patient-identifiable information should be on a strict need to know basis
  5. Everyone should be aware of their responsibilities to maintain confidentiality
  6. Understand and comply with the law, in particular the Data Protection Act

The HPA has achieved a high level of compliance with the recommendations of the Caldicott Report. For example all staff have been familiarised with their responsibilities under the Report (a rolling process as new staff join the service); data flows have been mapped, and redundant records containing PII are being culled and securely destroyed. In addition all electronic data with PII are secured by password. The premises at Colindale have been reviewed and improvements made in physical security. Auditing performance in this area is ongoing so that continuous improvement is taking place. Staff are frequently reminded, and they remind each other, that PII is sensitive and its security the basis for patients continuing to have confidence in the clinical and surveillance work.

A Health Protection Agency-wide group meets regularly and has the remit of promoting and ensuring compliance with these issues across the whole of the Agency.

Section 251 Support

In December 2001 the Public Health Laboratory Service (the predecessor body to the HPA) applied to the Patient Information Advisory Group (PIAG) to secure the Secretary of State's support for the use of confidential patient information for the surveillance, control and prevention of communicable diseases. This application covered reporting of non statutorily notifiable infectious diseases, enhanced surveillance for certain diseases including some that are statutorily notifiable and for the surveillance and control of communicable diseases in general. Our application included many examples of our public health surveillance work.

Frequently Asked Questions on 'Caldicott', patient confidentiality, law and regulation, as they apply to the reporting of infections especially concerning "section 251 support"

Q What do the 2002 regulations and Section 251 cover?

A Infection reporting is in part covered by statutory notification to the local 'Proper Officer' and chiefly functions around local control measures. In addition other systems of reporting infections exist which are not part of the statutory notifications. In theory at least a clinician or microbiologist reporting such an infection could have been accused of breaking the common law duty of confidence unless the data were anonymised or patient consent obtained.

It is not always possible to obtain consent nor to undertake complete anonymisation. A system of obtaining permission to cover reporting and handling of such data was set up under section 60 of the Health and Social Care Act (2001). The Public Health Laboratory Service and the Cancer Registries were the first applications to be received by the group set up to advise the Secretary of State - the Patient Information Advisory Group (PIAG) which is now the National Information Governance Board (NIGB).

These permissions were passed by both Houses of Parliament under the Health Services (Control of Patient Information) Regulations 2002 (Statutory Instrument 2002 No.1438). The same permissions have been enacted under section 251 of the NHS Act 2006.

Q Do the Regulations make it legal for confidential patient information relating to patients with confirmed or suspected diagnoses of infection to be supplied to the Health Protection Agency?

A Yes.

The Health Service (Control of Patient Information) Regulations 2002 make it both lawful and appropriate to share confidential patient information with the HPA in the circumstances specified in the regulations.

Q Do the Regulations make it obligatory for "confidential patient information relating to patients referred for the diagnosis or treatment of infection" to be supplied to the Health Protection Agency?

A For notifiable infections there is a statutory duty to report to the local Proper Officer (usually the CCDC). However many important infections are not statutorily notifiable and enhanced surveillance systems also exist for some of the infections which are statutorily notifiable. It is for these circumstances where reporting is encouraged by the regulations but it is not statutory ( ie compulsory) to do so. Public health surveillance and understanding of both outbreak situations and how infections are spreading is dependent on the voluntary confidential reporting of such infections.

Q Do these regulations mean that the following data sources can supply "confidential patient information relating to patients with confirmed and suspected diagnoses of infection be supplied to the Health Protection Agency" without needing to obtain explicit informed consent from patients?

NHS Trusts
Private hospitals
NHS laboratories
HPA laboratories
Private laboratories
Primary Care Trusts

A Yes.

We have now produced a leaflet for surgeries, outpatients etc. which informs patients about reporting procedures for infections:

Information and the Health Protection Agency (PDF, 856 KB)

If patients wish to opt out of their data being reported and insist on such action even when the reasons for collecting such data are explained, their patient identifiers should not be reported by clinicians. Opt-out is not, however, possible for infections which are statutorily notifiable.

Q Can the HPA release information to PCTs, for cases registered in their practice populations or resident in their defined geographical populations?

A Yes, although release of such information will be in aggregate format and not personally identifiable.