1 Introduction
The purpose of this Confidentiality Policy is to lay down the principles that must be
observed by all who work within NHS England and NHS Improvement and have
access to person-identifiable information or confidential information (see appendix
D). All staff need to be aware of their responsibilities for safeguarding confidentiality
and preserving information security.
All employees working in the NHS are bound by a legal duty of confidence to protect
personal information they may come into contact with during the course of their work.
This is not just a requirement of their contractual responsibilities but also a
requirement of the common law duty of confidence and of data protection legislation
– the European General Data Protection Regulation (GDPR) and the Data Protection
Act 2018 (DPA2018), which implements the GDPR in the UK.
Confidentiality is also a requirement within the NHS Care Record Guarantee,
produced to assure patients regarding the use of their information.
NHS England and NHS Improvement are cooperating to establish a joint enterprise.
This mirrors the focus of the NHS Long Term Plan on how we will deliver integrated
care to patients at the local level, how we set the whole of the NHS up to do that and
how it will benefit patients and communities. To ensure that we comply with our data
protection obligations the three statutory organisations (NHS England and NHS
Improvement – which comprises Monitor and TDA) have entered into a Joint
Controller and Information Sharing Framework Agreement. This sets out our joint
data protection responsibilities and the measures that we have put in place to ensure
that we comply. The Information Sharing Policy sets out our framework for processing
personal data in support of joint working, with reference to this agreement.
It is important that NHS England and NHS Improvement protect and safeguard the
person-identifiable and confidential business information that they gather, create,
process and disclose, in order to comply with the law and relevant NHS mandatory
requirements and to provide assurance to patients and the public.
This policy sets out the requirements placed on all staff when sharing information
within the NHS and between NHS and non-NHS organisations.
Person-identifiable information is anything that contains the means to identify a
person, e.g. name, address, postcode, date of birth or NHS number. It must not be
stored on removable media unless it is encrypted as per current NHS Encryption
Guidance or a business case has been approved by the Transformation & Corporate
Development Directorate’s Information Governance Team.
Confidential information within the NHS is commonly thought of as health
information; however, it can also include information that is private and not public
knowledge or information that an individual would not expect to be shared. It can take
many forms including patient level health information, employee records,