Clinical audit programme - Guidance on standards

Find information here about patient confidentiality and use of information.

Use of patient information

Some national clinical audits need access to patient identifiable information. This enables the tracking of the patient experience, from the initial GP visit through to recovery and rehabilitation. More importantly, it enables the identification of changes or improvements to the system that will have a real impact on patient care. The Healthcare Commission has been working with all interested parties to secure a competent legal and ethical framework within which the clinical audit programme can operate.

Patient identifiable information cannot be used for any other purpose than the direct care of the patient unless either:

• the patient has given their explicit consent
• the Patient Information Advisory Group (PIAG) has granted authority under Section 60 of the Health and Social Care Act 2001

Regulations on patient confidentiality

The legislation for the protection of personal information is contained in the Data Protection Act 1998 and the Health and Social Care Act 2001. The Department of Health has incorporated this legislation into guidance in the NHS confidentiality code of practice, which has been endorsed by the British Medical Association, the General Medical Council (GMC) and the Office of the Information Commissioner. This is to be implemented right across the NHS, ensuring a common approach.

In addition, clinicians are bound by the regulations of the GMC and the Nursing and Midwifery Council.

Data Protection Act 1998 (opens new window)

Health and Social Care Act 2001 (opens new window)

Practical implications

NHS trusts should follow the NHS confidentiality code of practice. The NHS Information Authority has produced an information governance toolkit to enable trusts to assess their level of compliance.

1. supply of anonymous information

According to guidance published by the GMC in April 2004, anonymous information is:

"Data from which the patient cannot be identified by the recipient of the information. The name, address, and full postcode must be removed together with any other information, which in conjunction with other data held by or disclosed to the recipient, could identify the patient. Unique numbers may be included only if recipients of the data do not have access to the 'key' to trace the identity of the patient using this number."

The Healthcare Commission, and those performing analyses on its behalf, do not have access to the NHS number key or the NHS strategic tracing service to identify individuals. NHS numbers may therefore be supplied as anonymous information but only in accordance with the GMC guidance above. Name, address, or full postcode can never be considered anonymous information.

2. consent

The NHS confidentiality code of practice has been issued as a key source of guidance on confidentiality for NHS organisations. Since the Healthcare Commission is working with audit contractors and NHS trusts to deliver national clinical audit, it will proceed within the framework of the code. The Healthcare Commission encourages NHS trusts to inform patients about how their information is being used for national clinical audit and to seek patient consent.

The National Clinical Audit Support Programme (NCASP) audits have been granted authority under section 60 of the Health and Social Care Act 2001 by PIAG. Clinicians should feel confident that in releasing information to support the programme, they are doing so legally and ethically. This information currently includes NHS numbers, date of birth and full postcode if necessary. This applies to the following national audits:

• myocardial infarction (MINAP)
• adult cardiac surgery
• paediatric cardiac surgery
• heart valve registry
• angioplasty
• lung cancer (LUCADA)
• head and neck cancer (DAHNO)
• colorectal cancer 
• diabetes

Further information

The audit work conducted by The Healthcare Commission aims to encompass the principles for best practice in clinical audit, as outlined in a guide to clinical audit produced by the National Institute for Clinical Excellence (NICE) in 2002.

In addition, visit the Department of Health website on patient confidentiality, which includes information about the NHS confidentiality code of practice.

Principles for Best Practice in Clinical Audit (opens new window)

Department of Health: Patient confidentiality and Access to Health Records (opens new window)

Back to top