This article relates to the CQC key questions: Is your practice safe? and Is your practice responsive to people's needs?
The legislation and guidance that support this include: national standards from the General Medical Council (GMC) and the Department of Health (DH), Data Protection Act 1998, Human Rights Act 1998, Mental Capacity Act 2005, and Freedom of Information Act 2000. There are key aspects around consent, confidentiality, safeguarding and data storage that practices should ensure they adhere to. We may look for evidence of this on an inspection.
Specifically, the GMC states that "serious or persistent failure to follow this guidance [consent and confidentiality] will put [doctors'] registration at risk."
Article 8 of The Human Rights Act 1998 (HRA) enshrines the right to respect for private and family life. The HRA makes it unlawful for public authorities (including NHS trusts and NHS Foundation Trusts) to act in a way which is incompatible with the Convention.
The European Commission has found that the collection of medical data and the maintenance of medical records fall within the sphere of private life protected by Article 8 of the Convention. This would, therefore, apply to personal medical information including information which identifies a patient such as a photograph.
- Doctors must respect patients’ privacy and dignity
- Give patients the information they want, or need, about the purpose of the recording
- Make recordings only where you have appropriate consent or other valid authority for doing so
- Ensure that patients are under no pressure to give their consent for the recording to be made
- Where practicable, stop the recording if the patient asks you to, or if it is having an adverse effect on the consultation or treatment
- Anonymise or code recordings before using or disclosing them for a secondary purpose, if this is practicable and will serve the purpose
- Disclose or use recordings from which patients may be identifiable only with consent or other valid authority for doing so
- Make appropriate secure arrangements for storage of recordings (see below).
The Information Commissioner’s Office states that all public and private organisations are legally obliged to protect any personal information they hold. Any individual who takes a photograph of another individual using the camera on their mobile phone, subject to exceptions, will be processing personal data and must comply with the Data Protection Act 1998 (DPA) in relation to the circumstances in which the photograph is taken and the use of that photograph.
The use of camera phones and other photographic devices can result in the creation of sensitive personal data such as the racial or ethnic origin of the individual or information about their mental or physical health.
Where a photograph contains sensitive personal data, it is generally necessary for the individual being photographed to give their explicit consent to the photograph being taken and they should also be notified of all of the purposes for which the photograph will be used.
- Images of internal organs or structures
- Images of pathology slides
- Laparoscopic and endoscopic images
- Recordings of organ functions
- Ultrasound images
If photographs form part of a patient’s care medical record, the Data Protection Act 1998 obliges organisations to take 'appropriate technical and organisational measures' to prevent the unauthorised or unlawful processing or disclosure of personal data. Doctors must:
- Only collect information for a specific purpose;
- Keep it secure;
- Ensure it is relevant and up to date;
- Only hold as much as you need, and only for as long as you need it; and
- Allow the subject of the information to see it on request
Once the recordings have been transferred from a clinical setting the following actions are recommended:
- Recordings must be stored within an institutional repository or other secure server (never on a personal computer, laptop, USB or other peripheral mobile device).
- Implement a mechanism to ensure that recordings can be traced back to the consent and licensing information by an appropriate authority. All personal information must be coded or anonymised.
- Where possible, clinical recordings should be stored in their original format without manipulation to preserve their integrity. If recordings are subsequently manipulated, both versions should be stored and version control documented.
- Ensure files are backed up regularly to prevent accidental data loss and these backups are stored securely.
- Avoid sharing recordings through social media sites such as Facebook, YouTube, etc. as these sites often hold the copyright of information stored on their servers.
If in doubt about how to hold or use a recording, seek advice from a Caldicott Guardian or equivalent.
- Photographs: where the photograph refers to a particular patient, it should be treated as part of the health record:
- Retain for the period of time appropriate to the patient/specialty, e.g. children’s records should be retained as per the retention period for the records of children and young people; mentally disordered persons (within the meaning of the Mental Health Act 1983) 20 years after the last entry in the record or 8 years after the patient’s death if patient died while in the care of the organisation.
- Unless there is a clinical reason for retaining the digital image and a print is placed on the patient’s record, there is no requirement to retain the digital image.
- Destroy under confidential conditions.
- Photographs where the images present the primary source of information for the diagnostic process should be retained for 30 years.
Patient access to images
As with other forms of medical record, a patient can send a subject access request requiring doctors to tell them about the personal information they hold about them, and to provide them with a copy of that information. (See Information Governance (IG) Toolkit and IG reporting guidance checklist)
Adult patients who lack capacity
Doctors must obtain consent from someone who has legal authority to make the decision on the patient’s behalf before making the recording. Where no individual has legal authority to make the decision on a patient’s behalf, recordings may still be made where they form an integral part of an investigation or treatment that they are providing in accordance with the relevant legislation or common law. (GMC guidance)
Children or young people
Those under 16 who have the capacity and understanding to give consent for a recording may do so. Where a child or young person is not able to understand the nature, purpose and possible consequences of the recording, you must obtain consent to make the recording from a person with parental responsibility. (GMC guidance)
Concerns and breaches
It is important that all IG SIRIs (Serious Incident Requiring Investigation) which occur in health, public health and adult social care services are reported at the earliest opportunity and are handled effectively. All health service organisations in England must now use the IG Toolkit for Incident Reporting (also IG reporting checklist guidance).
NB: We have issued separate guidance to inspectors on the use of images arising from an inspection and for enforcement purposes.
- Making and using visual and audio recordings of patients April 2011 (GMC)
- Making and using clinical and healthcare recordings for learning and teaching (University of Bristol)
- Data protection (ICO)
- Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation V5.1. 29 May 2015, Health and Social Care Information Centre
- Information Governance Toolkit (DH)
- Using mobile phones in NHS hospitals. January 2009 (DH)
- Records Management. NHS Code of Practice Part 2 (2nd Edition) (DH)
- Information: To share or not to share? The Information Governance Review March 2013, Caldicott review: information governance in the health and care system (DH)
- Legal and ethical (Institute of Medical Illustrators)
- Human Rights Act 1998 c.42 Schedule 1 Part I Article 8 (The National Archives)
Professor Nigel Sparrow is senior national GP advisor and responsible officer at the CQC