Further to their concluded consultation, CQC has this September published a new ‘Code of practice on confidential personal information’ (the Code). Through the consultation CQC proposed to revise its Code on confidential personal information (CPI) governing the way in which CQC obtains, handles, uses and discloses information in its possession. As defined within the Health and Social Care Act 2008, CPI includes medical records, care records and personal documentation that a provider holds on its staff and service users.
According to CQC, the intention of the consultation was to create an amended Code to act as a reference point for inspectors; ensuring consistent practice, and informing and re-assuring the public on why and how CQC will handle CPI.
Consistency and transparency are of course vital aspects of any regulator’s activities and it was hoped that a more defined Code would encourage more productive dialogue between CQC and providers in terms of what CPI CQC retained and for what purpose.
On first analysis there is little that appears ground-breaking or a significant amendment to the present system, but two potentially positive points do stand out.
The first can be found at page 15 of the new Code. Having confirmed that CQC do not need to seek consent to obtain CPI if necessary to perform their statutory functions (condition 5(b) of the Data Protection Act 1998), the Code has provided what amounts to best practice guidance in terms of consulting individuals in advance when CQC intends to access their information.
Where CQC cannot consult with people in advance, they must now consider whether it is practical and proportionate to notify the individual after having accessed their CPI. Specifically, where CQC access medical or care records, they will support providers to meet their responsibility to ensure that the provider maintains a proper record to ensure that individuals can find out whether CQC has accessed their records. Whilst one might imagine that this was previously at the very least a legitimate expectation , providers often reported CQC inspectors attending their service for an unannounced visit, photocopying a large amount of documentation and taking this away without confirming to the provider exactly whose documentation was accessed and retained.
This clarification within the new Code is helpful to providers; ensuring that inspectors can be held to account and will be expected to provide a comprehensive list of that which they have taken. This not only allows the provider to record properly that the information has been accessed (and pass this to the service user as appropriate) but also assists the provider’s investigations if they choose to scrutinise any criticisms of their documentation or record keeping post-inspection with a view to rectifying concerns raised by CQC.
The second aspect of interest is contained within CQC’s ‘Protecting your privacy when using your information’; a new document written for individuals, explaining how, when and why CQC has the ability to access their CPI. The section of interest states that “If you don’t want CQC inspectors to look at information, please tell your care provider so that they can make a note about your preference. We will not usually look at the records of someone who does not want us to”.
Whilst, as confirmed above, CQC can access any records with or without consent if to do so furthers the exercise of their statutory duties, this section provides an important add-on. It allows individuals the option to put on record their objection to such access. Arguably, it follows that, as the holder of the CPI, the provider owes a duty to individuals to make them aware of their rights.
We would advise that this new guidance places a direct obligation on the provider to ensure that they have a conversation with each service user to record their preference about their CPI. This record must be kept up to date and must be provided to CQC at the point of inspection. Both the provider and CQC must also record where inspectors access an individual’s CPI contrary to their wishes and, where appropriate, feed that information back to the individual with an explanation from CQC as to why they felt it necessary to access the CPI. This adds a reassuring additional layer of accountability for the individual, the CQC and the provider.
Both these amendments to the Code are positive steps towards a more transparent and consistent way of managing CPI. However, what the guidance sadly lacks is any detail in relation to the nuts and bolts of the tests CQC apply internally as to how they define CPI and what, if any, steps they take to clarify whether those providing them with information intend it to be confidential or otherwise.
Providers often come to us to ask whether there is any facility for them to obtain from CQC the identities of the residents, residents’ family members or members of staff who have provided a particular (CQC-anonymised) comment within an inspection report. Without the identifying detail, providers reasonably explain, they are often unable to investigate the alleged concern; and, without investigation, they have no way of addressing the concern. They are stuck between a rock and a hard place; either they accept a criticism without investigation (and likely without the detail to adequately remedy the concern) or they leave themselves open to being accused of lacking insight by refusing to accept a criticism which they do not recognise as reflecting the reality of their service.
When asked for such detail, CQC regularly deny a provider’s request, advising that the information given to them is automatically confidential; despite inspectors rarely having asked the person to whom they were speaking what their expectations were in terms of confidentiality.
There will always be situations in which confidentiality is absolutely necessary; as exemplified by the growing legislation around whistleblowing. It is also appropriate to acknowledge that some individuals who talk to inspectors will assume that their identity will never be disclosed. However, that cannot be sufficient reason to assume that all who provide information to CQC must have their identities hidden.
As with the new positive expectation on providers to seek service users’ wishes around their CPI, we would submit that a more appropriate starting point for inspectors would be to ensure that each individual who provides information to CQC is aware that their identity will be disclosed to the provider unless they object. This enhances a provider’s ability to scrutinise their own service and facilitates the consistent and transparent practice which this new Code is intended to enhance.
