Samantha Coleman Online
Reality Checked App
TERMS & CONDITIONS
What do these terms cover? These web and App development services uphold member, App & Web Services confidentiality to the professional standards expected in mental well-being industries. “Members” refers to all Samantha Coleman Online & Reality Checked Appregistered members, including members, online course students, Reality Checked App and website users.
“Us”, “We”, and “Our” refer to Samantha Coleman Online. This agreement guides required practice for those who work within or under contract with Us concerning confidentiality and consent to using health records.
A duty of confidence arises when one person discloses information to another in circumstances where it is reasonable to expect the information to be held in confidence. It is a legal obligation that is derived from case law, rather than an Act of Parliament, built up over many years and often open to different interpretations. It is also a requirement established within professional codes of conduct.
It is generally accepted that information provided by Members to mental health & well-being services is provided in confidence and must be treated as such so long as it can identify the individual it relates to. This is an important point, as once information is effectively anonymised, it is no longer confidential.
Where Members have consented to membership or well-being, research has consistently shown that they are typically content for information to be disclosed to provide that well-being. However, it is still essential that reasonable efforts are made to ensure that Members understand how their data will be used to support their well-being and that they have no objections.
Where this has been done effectively, consent can be implied, providing that the information is shared no more widely and that “need to know” principles are enforced. This is particularly important where the use or disclosure of information, whilst an essential element of modern well-being provision, could be more transparent and easier to understand. It is imperative to check that Members understand and are content for information to be disclosed to other organisations or agencies contributing to their health care.
1.1 A duty of confidence arises when one person discloses information to Samantha Coleman Online & Reality Checked App in circumstances where it is reasonable to expect that the information will be held in confidence. It – a. is a legal obligation derived from case law, and b. is a requirement established within professional codes of conduct.
1.2 Members entrust Us with, or allow us to gather, sensitive information relating to their well-being and other matters as part of their seeking support and using Our services. They do so in confidence, and they have the legitimate expectation that We and any staff, contractors or volunteers working for Us will respect their privacy and act appropriately. If the legal requirements are to be met and the trust of Members is to be retained, we are seen to provide a confidential service.
1.3 One consequence of this is that information that can identify individual Members must not be used or disclosed for purposes other than well-being or membership without the individual’s explicit consent, some other legal basis, or where there is a robust public interest or legal justification to do so. In contrast, anonymised information is not confidential and may be used with relatively few constraints.
1.4 All staff, contractors and volunteers assigned to work on the Samantha Coleman Online & Reality Checked App agree to protect the confidentiality and privacy of members by:
- Actively protecting information about members from unauthorised access or disclosure.
- Being fully aware and informed of the highly sensitive nature of personal data and personally identifiable information contained within the Samantha Coleman Online & Reality Checked App and treating such information as confidential in accordance with any legal requirements and what has been agreed with Members at all stages of their membership with Samantha Coleman Online.
- Agree not to share or disclose personal data and personally identifiable information with any other third party, except those reasonable while pursuing business.
- In advance, inform key Samantha Coleman Online & Reality Checked App personnel about any reasonably foreseeable limitations of privacy or confidentiality.
- Ensuring that disclosure of personally identifiable information about Members is authorised by member consent or that there is a legally and ethically recognised justification.
- Using thoroughly anonymised information about Members provides a practical alternative to sharing identifiable information.
1.5 It is imperative that Members are made aware of information disclosures that must take place to provide them with high-quality care. Any components of Our digital well-being provision which might not be evident to Members should be drawn to their attention. Similarly, whilst Members may understand that information needs to be shared between team members involved in membership and well-being provision, this may not be the case, and the efforts made to inform them should reflect the breadth of the required disclosure. This is particularly important where disclosure extends to non-Samantha Coleman Online & Reality Checked App personnel. Member information is generally held under legal and ethical obligations of confidentiality. Information provided in confidence should not be used or disclosed in a form that might identify a ember without their consent.
1.6 Many current uses of confidential Member information do not contribute to or support the well-being that a Member receives. These other uses are often essential to maintain and develop Our website and App. However, they are not directly associated with the well-being that Members receive, and we cannot assume that Members who seek membership or well-being are content for their information to be used in these ways.
1.8 Where Members have been informed of: a. the use and disclosure of their information associated with their well-being or membership; and b. the choices that they have and the implications of choosing to limit how information may be used or shared; then explicit consent is not usually required for information disclosures needed to provide that well-being or membership. Even so, opportunities to check that Members understand what may happen and are content should be taken. Where the purpose is not directly concerned with a Member’s well-being, it would be wrong to assume consent. Additional efforts to gain consent are required or alternative approaches that do not rely on identifiable information will need to be developed.
1.9 All staff, contractors and volunteers involved with Us should meet the standards outlined in this document and their terms of employment (or other engagement agreements). Much of what is required builds on existing best practices. What is needed is to make this explicit and to ensure that everyone strives to meet these standards and improve practice.
2.0 Clearly staff, contractors and volunteers are constrained from meeting these standards where appropriate organisational systems and processes still need to be put in place. In these circumstances, the test must be whether they are working within the spirit of this code of practice and are making every reasonable effort to comply.
2.1 The Confidentiality Model. The model outlines the requirements that must be met to provide Members with a confidential service. Record holders must inform Members of the intended use of their information, give them the choice to give or withhold their consent, and protect their identifiable information from unwarranted disclosures. These processes are interlinked and should be ongoing to aid the improvement of a confidential service.
The four main requirements are:
a, PROTECT – look after the Member’s information; b. INFORM – ensure that Members know how their information is used; c. Provide choice– allow Members to decide whether their information can be disclosed or used in particular ways. To support these three requirements, there is a fourth: d. IMPROVE – Always look for better ways to protect, inform, and provide choice.
2.2 Member information and their interests must be protected through several measures: a. Procedures to ensure that all staff, contractors, and volunteers are at all times fully aware of their responsibilities regarding confidentiality; b. Recording Member information accurately and consistently; c. Keeping Member information private; d. Keeping Member information physically secure, e. Using data with appropriate care.
2.3 Members must be made aware that the information they give may be recorded and shared to provide them with care, improve Our services continually, and be used to support other work to monitor the quality of care and services provided. Consider whether Members would be surprised to learn that their information was being used in a particular way – if so, they are not being effectively informed.
2.4 To inform Members properly, staff and contractors must:
a, check where practicable that information on Member confidentiality and information disclosure have been read and understood. These should be available to all staff and contractors, and each should familiarise themselves with the contents;
2.4.1 Make clear to Members when information is recorded, or health records are accessed;
2.4.2 Make clear to Members when they are or will be disclosing information with others;
2.4.3 Check that Members are aware of the choices available to them concerning how their information may be disclosed and used;
2.4.4 Check that Members have no concerns or queries about how their information is disclosed and used;
2.4.5 Answer any queries personally or direct the Member to others who can answer their questions or other sources of information;
2.4.6 Respect Members’ rights and facilitate them in exercising their right to access their records.
2.5 Members have different needs and values – this must be reflected in how they are treated, both in terms of their membership status and handling their personal information. What is very sensitive to one person may be casually discussed in public by another – just because something does not appear to be sensitive does not mean it is not essential to an individual Member in their particular circumstances.
2.6 All staff, contractors, and volunteers must:
2.6.1 Ask Members before using their personal information in ways that do not directly contribute to or support the delivery of their care or improve Our services;
2.6.2 Respect members’ decisions to restrict the disclosure or use of information, except where exceptional circumstances apply;
2.6.3 Communicate effectively with Members to ensure they understand the implications if they choose to agree to or restrict the disclosure of information.
2.7 Staff, contractors, and volunteers must:
2.7.1 Be aware of confidentiality issues and seek training or support where uncertain to deal with them appropriately.
2.7.2 Report possible breaches or risk of breaches.
2.8 The disclosure and use of confidential Member information needs to be both lawful and ethical. Whilst law and ethics in this area are mainly in step, the law provides a minimum standard that does not always reflect the appropriate ethical standards that the government and professional regulatory bodies require. Further, where the law is unclear, a standard may be set, as a matter of policy, which satisfies the legal requirement and may exceed some interpretations of the law.
2.9 A range of statutory provisions limit or prohibit the use and disclosure of information in specific circumstances and, similarly, a range of statutory provisions that require information to be used or disclosed.
3.0 This is not codified in an Act of Parliament but built up from case law where individual judgements have established practice. The fundamental principle is that information confided should not be used or disclosed further except as initially understood by the confider or with their subsequent permission. Whilst judgements have established that confidentiality can be breached ‘in the public interest’, these have centred on case-by-case consideration of exceptional circumstances. Confidentiality can also be overridden or set aside by legislation.
3.1 Data Protection Act 1998 (DPA98). This Act provides a framework that governs the processing of information that identifies living individuals’ personal data* in Data Protection terms. Processing includes holding, obtaining, recording, using and disclosing information, and the Act applies to all forms of media, including paper and images. It applies to confidential Member information but is far broader in scope, e.g. it also covers personal records.
*Personal data is defined under the DPA98 as’ data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in possession of, or likely to be in possession of, the data controller – and includes any expression of opinion about the individual and any indications of the intentions of the data controller or any other person in respect of the individual.’
3.5.1 If disclosing is not for well-being or another medical purpose, what is the basis in administrative law for disclosing?
3.5.2 We should only do the things that We have been set up to do. Is disclosure either a statutory requirement or required by order of a court? Although disclosure should be limited to that required, and there may be scope to ask the court to amend an order, at the end of the day any disclosure that has either a statutory requirement or court order must be complied with.
3.5.3 Is the disclosure needed to support well-being provision or to assure the quality of that care? Members understand that some information about them must be shared in order to provide them with care and treatment, and audits are also essential if the quality of care is to be sustained and improved.
3.5.4 Efforts must be made to provide information, check to understand, reconcile concerns and honour objections. Where this is done, there is no need to seek explicit Member consent each time information is shared.
3.5.5 If not well-being, is the disclosure to support a broader purpose? While most Members may not understand these uses of information, they are still essential and legitimate pursuits. However, Members’ explicit consent must be sought for information about them to be disclosed in an identifiable form unless disclosure is exceptionally justified in the public interest or has temporary support in law.
3.5.6 Where the purpose served is not to provide well-being to a Member and is not to satisfy a legal obligation, disclosure should be tested for appropriateness and necessity to minimise the identifiable information disclosed and anonymise information wherever practicable.
3.5.7 Have appropriate steps been taken to inform Members about proposed disclosures? There is a specific legal obligation to notify Members, in general terms, who sees information about them and for what purposes. Where the purpose of providing information is also to seek consent, more detail may be necessary, and Members need to be made aware of their rights and how to exert them.
3.5.8 Is a Member’s explicit consent needed for a disclosure to be lawful? Unless disclosure of identifiable Member information is required by law or the courts, is for a well-being purpose, can be justified as sufficiently in the public interest to warrant a breach of confidence, or is supported by section 60 of the Health & Social Care Act 2001, explicit consent is required.
3.6 Members’ information and their interests must be protected through several measures:
3.6.1 Recognising that confidentiality is an obligation for all staff, external contractors, and volunteers.
3.6.2 The duty of confidentiality arises from the common law of confidentiality, professional obligations, and staff employment contracts (including those for contractors).
3.6.3 Breach of confidence, inappropriate use of health records or abuse of computer systems may lead to disciplinary measures, question professional registration, and possibly result in legal proceedings.
3.6.4 Staff, contractors and volunteers should ensure they are aware of the requirements and standards of behaviour.
3.6.5 Voluntary staff who are not employees, and students are also under confidentiality obligations and must sign an agreement indicating their understanding when helping Us.
3.7 Recording Member information accurately and consistently. Maintaining proper records is vital to Member care. If records are accurate, future decisions may be correct and harm the Member. If information is recorded consistently, then records are easier to interpret, resulting in delays and possible errors. The information may be needed not only for the immediate care of Members and the audit of that care but also to support future research that can lead to better service and treatments in the future. The practical value of privacy-enhancing measures and anonymisation techniques will be undermined if the information they are designed to safeguard is unreliable.
3.8 Keeping Member information private. This includes aspects such as a. Not gossiping. This is clearly an improper use of confidential information. b. Taking care when discussing cases in public places. Discussing cases with colleagues for professional reasons may be pertinent, but care must be taken to ensure that others do not overhear these conversations. Generally, there is no need to identify the Member concerned.
3.9 keeping Member information physically and electronically secure. Members and Our Staff, contractors, and volunteers should not leave computers, laptops, smartphones or files in unattended or easily accessible areas. Ideally, store all files and portable equipment under lock and key when unused.
Staff, contractors and volunteers should only sometimes work from home, and where this cannot be avoided, procedures for safeguarding the information effectively should be agreed in advance. Screens should be kept locked when unattended by authorised personnel.
3.9.1 Always log out of any computer system or application when work on it is finished.
3.9.2 Do Not leave a terminal unattended and logged in.
3.9.3 Do Not share logins with other people. If additional staff need to access the website, then appropriate access should be organised for them – this must not be by using others’ access identities.
3.9.4 Not reveal passwords to others.
3.9.5 Change passwords at regular intervals to prevent anyone else from using them.
3.9.6 Avoid using short passwords, or using names or words that are known to be associated with them (e.g. children’s or pet’s names or birthdays).
3.9.7 Use a password-protected screensaver to prevent others’ casual viewing of Member information.
4.0 The Caldicott Principles:
The Caldicott Principles:
- Justify the purpose.
- Only use Member-identifiable information if it is essential.
iii. Use the minimum necessary Member-identifiable information.
- Access to Member-identifiable information should be on a strict need-to-know basis.
- Everyone should be aware of their responsibilities.
- Understand and comply with the law.
4.1 Members have the right to choose whether or not to agree to the information they had provided in confidence being used or shared beyond what they understood to be the case when they provided the information. They can change their minds if the information disclosure has yet to occur.
4.2 Members can see or have copies of their records under the Data Protection Act – see existing guidelines on charges, procedures and exceptions at GOV.UK Data Protection.
4.3 Where information about Members is required but does not satisfy the tests of necessity and appropriateness that govern the use of identifiable Member information, it should be anonymised to protect the Member.
4.4 In some cases, it may be possible to restrict information disclosure without compromising care. This would require careful discussion with the Member, but ultimately, the Member’s choice must be respected.
4.4.1 In the short term, it may not be possible to meet some Members’ requests directly, though a compromise arrangement may be possible with due care and diligence. This may require discussion about where the Member’s concerns lie, as it may be possible to allay those concerns without significant change to the information disclosure arrangements by explaining the security arrangements in place more fully or discussing options in the care process.
4.4.2 Complete records of all care provided and any disclosure restrictions by Members must be kept. When Members impose constraints, it is essential to demonstrate that neither Member safety nor clinical responsibility for well-being provision has been neglected.
4.5 To make valid choices, Members must know their options and the consequences of making those choices. Explanations must be proportionate to the risks involved and reflect, where possible, the Member’s particular circumstances.
4.5.1 Where Members insist on restricting how information may be used or shared in ways that compromise Our ability to provide them with high-quality care, this should be documented within the Member’s record. It should be made clear to the Member that they can change their mind at a later point.
4.6 Staff, contractors and volunteers must be aware of the basic requirements and where support and further information are available and encouraged to seek out training and guidance to develop confidential services. Staff, contractors, and volunteers must work within both the spirit of this code of practice and within any locally produced guidelines, protocols and procedures and be able to demonstrate that they are making every reasonable effort to comply with relevant professional standards.
4.7 Reporting of breaches. Suppose staff, contractors, or volunteers identify possible violations or risks of breaches. In that case, they must raise these concerns with their manager, other appropriate colleagues, or key Samantha Coleman Online & Reality Checked App personnel. Staff must be encouraged to report organisational systems or procedures that need modification. Staff must be made aware of local procedures for reporting where breaches of confidentiality or abuses of Member data occur.
4.8 Members have the right to object to information they provide in confidence being disclosed to a third party in a form that identifies them, even if this is someone who might provide essential well-being. Where the consequences of the choice have been fully explained, the decision should be respected.
4.9 There are several things to consider if this circumstance arises: a. The Member’s concerns must be established, and attempts must be made to establish whether there is a technical or procedural way of satisfying the concerns without unduly compromising care. b. The options for providing alternative care or care through alternative arrangements must be explored. c. Decisions about the options offered to the Member have to balance the risks, staff time and other costs attached to each alternative that might be offered against the risk to the Member of not providing well-being. Every effort must be made to find a satisfactory solution. The development of technical measures that support Member choice is a crucial element of work to determine the standards for electronic integrated care records. Careful documentation of the decision-making process and the choices made by the Member must be documented within the Member’s record.
5.0 The Data Protection Act 1998 requires that Members be informed, in general terms, how their information may be used, who will have access to it and the organisations or individuals it may be disclosed to. People must also be told who is responsible for their personal information – the ‘data controller’ – and how to contact them. This should occur before the information is used, accessed, or disclosed. The requirement falls upon both those who provide and receive information. The provider can discharge the recipient’s obligations by informing Members of the possible chain of disclosures and uses.
5.1 There are specific exemptions to the requirement in the Data Protection Act to provide fair processing information, though not to the necessary information to support choice and common law rights. Appropriate processing information does not have to be provided by a professional body that a third party has given identifiable information about an individual, i.e. it is not obtained directly from the individual in two specific cases. The first is where there is a legal requirement to hold or process the information, and the second is where providing fair processing information would require disproportionate effort. Advice on whether disproportionate effort might apply can be obtained from the Office of the Information Commissioner at http://www.informationcommissioner.gov.uk/.
5.2 Where Members are to be offered a choice about how information that relates to them might be used, they must also be made aware of their right to impose restrictions. Although this right will be provided in most circumstances by the common law of confidentiality rather than the Data Protection Act, it will generally be appropriate for Members to be told about their rights simultaneously as they are provided with information on proposed uses. Any Members joining Us receive legal documentation about their rights and obligations under their contract with Us.