GOC Standard 14: Confidentiality and Privacy in Optical Practice (Level 1)

Safeguarding Patient Data and Interactions with Professional Care


Exam Pass Notes - GOC Standard 14: Confidentiality & Privacy in Optical Practice


Key Takeaways

  • Confidentiality underpins trust and safe clinical decision‑making. GOC Standard 14 requires respect for privacy across reception, consulting rooms, domiciliary visits and digital systems.
  • Core principles: minimum necessary disclosure, need‑to‑know sharing, valid consent where required, and clear recording of legal basis and rationale for any disclosure.
  • All staff (clinical and non‑clinical), locums and students share the duty. Induction and simple scripts reduce human error.
  • Digital and domiciliary contexts introduce special risks (screens, photos, messaging apps, bystanders). Use approved, encrypted systems and physical controls.
  • Breaches may lead to complaints, legal/GDPR penalties and Fitness to Practise action - document decisions and actions promptly.

Legal & Professional Framework - Quick Facts to Remember

  • Main UK laws: Data Protection Act 2018 + UK GDPR (processing and special category health data), Human Rights Act 1998 (Article 8), Access to Health Records Act 1990, Common Law Duty of Confidentiality.
  • Lawful bases (UK GDPR):
    • Routine direct care: Article 6 public task (NHS) or legitimate interests (private practice), plus the Article 9 condition for health or social care covering the special category data.
    • Sharing beyond direct care: explicit consent is often required; otherwise rely on a legal power, a serious public interest or safeguarding.
  • Common law requires consent for disclosure outside care unless an exception applies (serious risk, legal requirement).
  • Confidentiality continues after death - Access to Health Records Act and coroner/procurator fiscal requests apply.
  • Keep documentary evidence: privacy notice, Record of Processing Activities, DPIAs, confidentiality policy, processor contracts, incident logs, training records.

Principles & Exam‑Ready Rules

  • Minimum necessary: share the least data required (summary preferred to full record).
  • Need‑to‑know: recipients must be appropriate and authenticated.
  • Document: who, what, when, why (legal basis), and safeguards used.
  • Three quick tests before sharing:
  1. Is it necessary for care or safety?
  2. Is the recipient appropriate and verified?
  3. Is the amount disclosed the minimum necessary?

Practical Controls - High‑Yield Habits (Memorise these)

Reception & public areas

  • Speak quietly; offer a private space or side room; use first‑name/partial ID where safe.
  • Use reception scripts; avoid reading full identifiers aloud.

Screens & equipment

  • Angle monitors away from public view; use privacy filters; short auto‑lock timeouts.
  • Printers out of sightlines; secure release where available; collect prints immediately.

Paper & transport

  • Opaque folders for travel; lockable cabinets; clear‑desk culture; shred misprints.

Phones & callers

  • Authenticate callers before releasing information; use three‑way calls or written authority for third‑party requests.

Digital & social

  • Use approved encrypted systems; no patient data on personal messaging apps; no screenshots to personal devices.

Domiciliary

  • Check who can overhear, position equipment with backs to walls, use low‑voice summaries, carry opaque folders.

Training & induction

  • One‑page induction: reception scripts, private-call locations, screen rules, escalation contacts.

Consent, Capacity & Carers - Core Exam Points

  • Types: implied consent for direct care; explicit consent for sharing beyond care or for publication/teaching.
  • Valid consent = informed, voluntary, specific and recorded (scope, recipients, expiry).
  • Adults lacking capacity: share only what is necessary in their best interests per national capacity law; document decision‑making.
  • Children/young people: assess competence; parental responsibility typical unless safeguarding overrides.
  • Carers: check patient consent before discussing; record named authorised contacts and limits.

Managing Disclosures - What to Do When Asked

With consent

  • Obtain explicit scope; record who, when, what and how.

Safeguarding / serious harm

  • Disclosure without consent is justified to prevent serious harm. Share the minimum necessary with safeguarding services; document the rationale and any advice taken.

Police requests

  • Verify identity and require written or legal authority (for example a court order) before sharing; consider public interest only for serious crime and document the reasoning.

Deceased patients

  • Verify the requester's authority under the Access to Health Records Act; disclose the minimum necessary; consult the Caldicott lead when unsure.

Documentation for any disclosure should include: requester, request date/time, legal basis, data items shared, recipient, method and safeguards.

Scenarios - Short, Exam‑Smart Answers

Scenario 1 (prescription read aloud at busy desk)

  • Lower voice; authenticate discreetly; offer private space; hand prescription in cover; add reception script and checklist prompt.

Scenario 2 (screen facing waiting area)

  • Lock screen, apologise, log near‑miss; rotate screens, add privacy filters, shorten timeout; update risk assessment and record actions.

Scenario 3 (WhatsApp photo of referral in staff group)

  • Ask immediate deletion and confirmation; move discussion to approved encrypted system; log near‑miss; refresh team guidance.

Scenario 4 (tweet about clinical case with timing/town)

  • Remove post if possible, assess identifiability, inform privacy lead, document incident, coach on de‑identification and consent.

Scenario 5 (suspected non‑accidental injury; parent refuses consent)

  • Share without consent where risk of significant harm; inform safeguarding services; disclose minimum necessary; document facts, contacts and rationale.

Scenario 6 (police verbal request without paperwork)

  • Verify identity; request appropriate legal authority; only share once authority confirmed or if exceptionally justified in public interest - always record rationale and consult IG lead.

Scenario 7 (relative asks for prescription by phone)

  • Explain need for patient consent; offer patient collection, written authorisation, or three‑way call; authenticate and record consent method.

Scenario 8 (patient with learning disability accompanied by carer)

  • Address patient first; assess capacity for decision; provide accessible information; if patient consents include carer; if no capacity, act in best interests and document.

Records & Documentation - What to Capture (Memorise the essentials)

For access, sharing, incidents and decisions capture:

  • Who requested/received data (name and role)
  • What was disclosed (specific items, pages)
  • When (date & time)
  • Why (clinical reason and legal basis)
  • How (secure route used)
  • Safeguards (redaction, encryption, secure transfer)
  • Any consent (who, when, scope) or capacity assessment details
  • Who authorised exceptions and their rationale

Simple templates to keep usable:

  • Incident/Near‑miss log: time, people involved, identifiers seen, immediate mitigation, patient communication, owner for remediation.
  • Disclosure record: requester details, legal basis, items shared, method, confirmation of receipt.
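The three tests (necessary, verified recipient, minimum necessary) and the disclosure record above can be enforced by a practice system rather than left to memory. The following is an added illustration written for these notes, not code from the GOC or any named practice software: a disclosure gate that refuses a release unless the purpose, recipient and consent position all check out, strips the record down to a per‑purpose field allowlist, and writes an audit entry for every attempt, refusals included. The purposes, roles, field lists, legal‑basis labels and the sample patient record are all assumptions constructed for the example.

```python
"""Purpose-limited disclosure gate with audit log (illustrative, not from the GOC notes).

Test 1: purpose must be a recognised reason for sharing.
Test 2: recipient role must fit the purpose, identity must be verified,
        named contacts must be on the patient's authorised list, and
        explicit consent must be recorded where the purpose needs it.
Test 3: only the fields allowlisted for that purpose are released.
Every attempt, allowed or refused, is written to the audit log.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Minimum-necessary field allowlists per purpose (assumed for this example).
FIELD_ALLOWLIST = {
    "direct_care_referral": {"name", "dob", "nhs_number", "refraction", "clinical_summary"},
    "prescription_release": {"name", "refraction"},
    "safeguarding": {"name", "dob", "address", "clinical_summary", "safeguarding_concern"},
}

# Need-to-know: which roles may receive data for which purpose, and the consent position.
RECIPIENT_RULES = {
    "direct_care_referral": {"roles": {"ophthalmologist", "gp"}, "consent": "implied"},
    "prescription_release": {"roles": {"patient", "authorised_contact"}, "consent": "explicit"},
    "safeguarding": {"roles": {"safeguarding_team"}, "consent": "not_required"},
}

LEGAL_BASIS = {  # labels recorded in the audit entry (assumed wording)
    "implied": "direct care (implied consent)",
    "explicit": "explicit patient consent",
    "not_required": "safeguarding / prevention of serious harm",
}

SAMPLE_PATIENT = {  # constructed sample record, not real data
    "name": "A. Patient", "dob": "1970-01-01", "nhs_number": "000 000 0000",
    "address": "1 Example Street", "phone": "01234 000000",
    "refraction": "R -2.00 DS / L -1.75 DS", "clinical_summary": "Routine; no change",
    "safeguarding_concern": "", "authorised_contacts": ["B. Relative"],
}


@dataclass
class Recipient:
    name: str
    role: str
    verified: bool  # identity checked by callback, written authority or in-person ID


@dataclass
class DisclosureRecord:
    when: str
    requester: str
    role: str
    purpose: str
    legal_basis: str
    items: list
    method: str
    outcome: str
    reason: str


class DisclosureDenied(Exception):
    """One of the three tests failed; the refusal has already been logged."""


def disclose(patient, recipient, purpose, method, consent_recorded, audit_log):
    """Return the minimum-necessary subset of `patient` or raise DisclosureDenied."""
    basis = LEGAL_BASIS.get(RECIPIENT_RULES.get(purpose, {}).get("consent"), "none")

    def log(outcome, reason, items=()):
        audit_log.append(DisclosureRecord(
            when=datetime.now(timezone.utc).isoformat(), requester=recipient.name,
            role=recipient.role, purpose=purpose, legal_basis=basis,
            items=sorted(items), method=method, outcome=outcome, reason=reason))

    def deny(reason):
        log("denied", reason)
        raise DisclosureDenied(reason)

    if purpose not in FIELD_ALLOWLIST:                       # Test 1
        deny("purpose not recognised: " + purpose)
    rule = RECIPIENT_RULES[purpose]
    if recipient.role not in rule["roles"]:                   # Test 2
        deny("role not permitted for purpose")
    if not recipient.verified:
        deny("recipient identity not verified")
    if recipient.role == "authorised_contact" and \
            recipient.name not in patient.get("authorised_contacts", []):
        deny("not a named authorised contact")
    if rule["consent"] == "explicit" and not consent_recorded:
        deny("explicit consent not recorded")
    released = {k: v for k, v in patient.items() if k in FIELD_ALLOWLIST[purpose]}  # Test 3
    log("disclosed", "all three tests passed", released)
    return released


if __name__ == "__main__":
    entries = []
    print(disclose(SAMPLE_PATIENT, Recipient("Dr Example", "ophthalmologist", True),
                   "direct_care_referral", "NHS secure email", False, entries))
    try:  # Scenario 7: a relative on the phone who has not been authenticated
        disclose(SAMPLE_PATIENT, Recipient("B. Relative", "authorised_contact", False),
                 "prescription_release", "phone", True, entries)
    except DisclosureDenied as e:
        print("refused:", e)
    for entry in entries:
        print(entry)
```

The audit entry is written before the exception is raised, so a refused request still leaves the "who, what, when, why" trail the notes ask for. The allowlist is keyed on purpose rather than on recipient, which is what makes "minimum necessary" a property of the system rather than of the individual sharing the record.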

Induction, Training & Team Compliance - Practical Checklist

Keep these live and visible:

  • One‑page reception scripts and caller authentication checklist
  • Role‑specific training matrix (topic, audience, date, trainer, evidence, expiry)
  • Short observed competency checks (reception interactions, secure printing)
  • Regular refreshers after incidents or system changes
  • Contracts and DPIA records for processors and new platforms

Digital & Social Media - Rapid Rules

  • No patient data on personal messaging apps or personal cloud accounts.
  • No screenshots saved to personal devices; use approved clinical platforms only.
  • Use unique logins, MFA, encryption at rest/in transit, auto‑lock.
  • DPIA triggers: new cloud services, messaging apps, tele‑optometry, photographic workflows.
  • Incident response basics: contain access, reset credentials, notify leads, assess harm, record lessons.

Quick On‑The‑Spot Prompts (use in practice & exams)

Ask before speaking/sharing:

  • Who can overhear here?
  • Is my screen visible to others?
  • Is this information the minimum needed?
  • Who is the authorised recipient and have I verified them?
  • Do I have a lawful basis or valid consent? If unsure: stop, seek Caldicott/IG lead, document the pause and escalate.

Common Pitfalls (and how to avoid them)

  • Sharing full records when a summary would do - always redact unrelated detail.
  • Using personal devices/messaging for case discussion - ban or tightly control BYOD with MDM.
  • Assuming consent by proxy - verify and record.
  • Poor recording of rationale - always write the legal basis and why sharing was proportionate.
  • Treating privacy as only clinical staff's duty - include reception, lab, admin, domiciliary teams.

Short Practical Scripts (memorise or adapt)

Reception: "To confirm your details discreetly, can I check two identifiers with you in a quieter area? We can discuss prescription details in private if you prefer."

Phone (third party): "I'm sorry, I can't share that without the patient's permission. They can authorise release in writing, by a three‑way call, or collect the info themselves."

Refusal/decline by patient: "I respect your choice. If there's a safety reason we need to share information, I'll explain why and record what we do. Would you like to record who can receive information?"

Social media reply: "Please remove the post and contact our privacy lead. We cannot discuss identifiable cases on public platforms."


Audit & Continuous Improvement - Short Cycle

  • Pick one risk (e.g., screen visibility) → implement a control (privacy filters, signage) → test for two weeks → review results → adopt/adapt and record owner/date.
  • Monthly sampling: a few records, a reception observation, and a layout check.
  • Metrics that matter: number of privacy prompts offered at reception; proportion of referrals sent on secure channels; time from incident to staff briefing.

Incident Response - Immediate Steps

  1. Contain exposure (lock devices, remove access).
  2. Preserve evidence (logs, screenshots of issue if safe).
  3. Reset compromised credentials and secure accounts.
  4. Notify privacy/IG lead and follow internal breach process.
  5. Assess harm and notify affected patients if required.
  6. Record actions, lessons, manager sign‑off and update training/policy.

Memorise: minimum necessary + need‑to‑know + record the why. Use simple, repeatable scripts and document every step. Small, consistent behaviours are the most effective defence.


