Part of A guide to confidentiality in health and social care: references
Section 10: Using health and social care information – direct care and indirect care purposes
The Guide to Confidentiality distinguishes between information that is used for direct care and information that is used for purposes other than care (indirect care).
Direct care
The term ‘direct care’ is defined as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals (all activities that directly contribute to the diagnosis, care and treatment of an individual). It includes:
- supporting individuals’ ability to function and improve their participation in life and society;
- the local audit/assurance of the quality of care provided;
- the management of untoward or adverse incidents;
- the measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.
It does not include research, teaching, financial audit, service management activities or risk stratification (see note below on borderline cases).
The direct care team
Sharing for direct care can take place across departmental and organisational boundaries. For example, the direct care team may include physiotherapists, nurses, midwives, occupational therapists and others on regulated professional registers. For direct care of an individual, registered and regulated social workers must also be considered part of the care team and covered by implied consent when the social worker has a legitimate relationship to the individual concerned.
Indirect care
The term ‘indirect care’ is defined as activities that contribute to the overall provision of services to a population as a whole or a group of patients with a particular condition, but which fall outside the scope of direct care. It covers health services management, preventative medicine, and medical research. Examples of indirect care activities include risk prediction and stratification (see note below on borderline cases), service evaluation, needs assessment, and financial audit.
The key reason for distinguishing between purposes in this way is that it is generally possible to imply consent for the use of confidential information for direct care purposes but not for other purposes.
There are some exceptions and some tricky borderline cases on which specific guidance is provided.
The searching of patient or service user records for potential research subjects can be done legally by fulfilling any of the following criteria:
- the researcher gains the explicit consent of every patient with a record in the population pool being assessed
- the search is conducted by a health or social care professional who has a ‘legitimate relationship’ with the patient, such as a clinician or social worker (see section 3.6 of the Information Governance Review)
- the search is conducted by a researcher who is part of the clinical team
- the search makes use of ‘privacy enhancing technologies’
- support under section 251 regulations is granted for the research
Exceptions
The main exception relates to essential activity that aims to quality assure the care that has been provided. People receiving care should understand that, for their own safety and to improve care provided to others in the future, it is essential that their records are checked. This helps to ensure that the care they received was optimal and that lessons can be learned where necessary. It is generally accepted that consent can be implied for activity concerned with the quality assurance of care, but only when the audit is undertaken by those who are part of the direct care team. An argument could be made that this activity is sufficiently in the public interest that the duty of confidentiality can be overridden. When, exceptionally, an individual has objected to records being looked at for these purposes, this should be respected unless there are such strong concerns about the care that has been provided that the public interest must take priority.
Borderline cases
Some activities can appear to sit within a grey area where the relationship of the activity to direct care is not clear.
An important activity that some feel falls within this borderline is that of risk stratification, also known as predictive risk modeling, where records are reviewed to establish a cohort who might then be invited to receive a particular type of care or intervention. However, whilst this activity might eventually result in direct care being provided to a sub-set of those whose records are reviewed, the risk stratification stage falls into one of two separate categories:
1. Rare cases, where professionals have access to confidential information to make decisions about their own patient/service user, which can be done on the basis of implied consent as it is considered to be direct care.
2. When commissioning organisations (e.g. Clinical Commissioning Groups) are making commissioning decisions, which is indirect care and so requires explicit consent or a legal basis.
NHS England guidance on how to lawfully conduct risk stratification is available: Information Governance and Risk Stratification: Advice and Options for CCGs and GPs [31].
Early intervention/help
The Information Governance Review concluded that from an information governance perspective there is a need to ensure that the process of identifying individuals or groups of people for early intervention or help (as well as the interventions themselves) is properly underpinned by meeting all the following criteria:
- there is a basis in law for processing the confidential information
- there are appropriate approaches to linking data (see sections 3.14, 6.3, 6.5 and 12.6 of the Information Governance Review)
- there are appropriate contractual arrangements in place to process de-identified data for limited disclosure or limited access (see sections 6.3, 6.5 and 12.10 and appendix 6 of the Information Governance Review)
- if help is to be offered, a clear legitimate relationship should exist between the individual or family identified and the person making contact with them (see section 3.6 of the Information Governance Review)
Last edited: 9 February 2022 8:47 am