New guidance for health and care professionals on confidentiality and data protection

The Health and Care Professions Council (“HCPC”), a regulator for health and care professionals in the UK, has run a consultation on its draft revised confidentiality guidance.

The ‘Confidentiality – guidance for registrants’ was first published in 2008 and sets out certain guidelines for its members or ‘registrants’ on handling client information, including disclosing such information to other practitioners.  The proposed changes are aimed at increasing the clarity and usefulness of the guidance, and reflecting recent changes made to the HCPC Standards of Conduct, Performance and Ethics.

The office of the UK data protection regulator (the “ICO”) has commented on the revised guidance and the interaction between the HCPC confidentiality regime and the requirements of the Data Protection Act 1998 (“DPA”), which applies to the processing of “personal data” (client names, addresses and non-anonymised health information are personal data and, in the case of health information, “sensitive personal data”, so fall within the remit of the DPA). 

In summary:

  • Compliance with the DPA 

The HCPC confidentiality regime operates in parallel with the DPA.  The ICO requests that the guidance clarify that registrants must also comply with the DPA when processing personal data and sensitive personal data.  It suggests that wording be included to the effect that “Registrants must also comply with the requirements of the DPA.  The ICO regulates this and produces advice and guidance”.

  • Consent

Whilst the concept of “consent” exists under both the HCPC confidentiality regime and the DPA, the ICO considers it important that registrants understand the differences between the meaning of consent under the confidentiality regime and consent as one of the conditions for processing under the DPA.  A key difference is that the HCPC regime allows registrants to rely on “express consent” (i.e. specific permission) or “implied consent” (where consent is not expressly spoken or written but can in some circumstances be “taken as understood”) to disclose or share client information, whereas the ICO’s view is that only express consent will be valid for the purposes of the DPA.  Organisations can, however, rely on other conditions for processing under the DPA instead of consent (for example, processing for medical purposes) and, in practice, registrants are likely to rely on some of these other conditions rather than on consent.  Registrants should be clear about the conditions they are relying on to comply with the DPA and ensure that any processing is fully explained to clients in a manner that is clear and easy to understand.

  • Disclosing information without consent

The HCPC confidentiality regime allows registrants to disclose client information without consent, if it is in the public interest to do so.  However, the ICO has explained that the DPA does not provide a condition for processing, or an exemption, for disclosures made "in the public interest".  Therefore, if a registrant wishes to make a disclosure in the public interest, they will still have to satisfy a condition for processing under the DPA.

  • Other legislation

Registrants should also bear in mind that individuals have a fundamental right to respect for their private life under the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union (“Charter”), and additional data protection rights under the Charter.  Where the processing of personal data (such as disclosing it) would infringe these rights, the infringement must be justified and proportionate. 

The revised version of the guidance is expected to be launched in mid-2017.

For more information please contact Head of Data Protection, Beverley Flynn, on +44 (0)1483 734264 or
