arrow_up-blue blog branches consultations events facebook-icon facebook-icon2 factsheet forum-icon forum hands key link location lock mail measure menu_plus news pdf pdf2 phone policies publications related search share subjectguide twitter-icon word instagram-icon youtube-icon

Good record keeping, consent and appropriate disclosure in occupational health nursing

This page includes guidance on the confidentiality of occupational health information and records.

General principles of consent and confidentiality

Occupational health nurses have the same general duties of confidentiality as other nurses. The best concise guide on confidentiality is the Confidentiality: NHS Code of Practice

The same principles apply to non-NHS workers as to NHS workers. The fact that this is an NHS code should not prevent private sector nurses from consulting it.

The general rule is that confidential health information may only be disclosed with the employee’s informed consent. If consent is given orally then this should be recorded in the patient record. 

Oral consent can often cause anxiety and while legally it is perfectly acceptable and consent does not have to be in writing, the concern is that it can be challenged. 

As a safety net, it is worth getting the individual to sign alongside where the record of their verbal consent has been given, as soon as is practicable.

If what is proposed is a report to a manager, the ideal is a copy of the proposed report with a section at the bottom of the page clearly stating that the individual consents for example:

'I consent to disclosure of the above report to [name of manager]'. Signed.......Dated......' 

Case study 

In this case of a prospective employee challenged a company stating that they had been discriminated against for employment? 

The case went to industrial tribunal and the occupational health records were subpoenaed as part of the investigation. 

The occupational health nurses record of the telephone conversation had been dated, and the time recorded that the conversation started and finished. This was challenged by the employee, as not being a true and accurate record and that the conversation did not last for the length of time recorded. 

The tribunal ruled that this was an accurate record even though it was a telephone conversation as it clearly stated the time and length of the conversation and it had been signed. 

While this was a satisfactory outcome, on reflection the occupational health nurse now requests that wherever possible the employee sign the clinical record to say that it is an accurate recording of our discussion to help in particular difficult cases.

There are limited exceptions to this general rule. Records may be disclosed without consent if:

  • the employee is not capable of consent and disclosure is necessary in the best interests of the employee
  • if there is a legal requirement to disclose (e.g. with certain transmissible diseases)
  • if there is a court order for disclosure
  • when disclosure is necessary in the public interest.

For further detail, please consult the NHS Code of Practice.

If there is said to be a legal requirement to disclose (e.g. if a police officer asserts this) but the employee does not consent to disclosure, then it is best to seek legal advice from your employer’s legal advisers before making the requested disclosure.

Regarding disclosure in the public interest, there is a useful supplementary guidance, see: Confidentiality: NHS Code of Practice–– Supplementary Guidance: Public Interest Disclosures.

All nurses should adhere to the NMC code.

Disclosures to the employee’s manager

The day to day decision that has to be made by occupational health nurses is how much information to disclose to management. 

Occupational Health nurses are sometimes put under pressure by management to make wholesale disclosures of health information. 

The General Data Protection Regulations (GDPR) make it clear that consent needs to be freely given and clearly stated. See paragraphs 32 and 43 of the Recital to the GDPR:

32. Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. ...Silence, pre-ticked boxes or inactivity should not therefore constitute consent...

43. In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.

Thus, when seeking consent to disclosure, the OH nurse should ensure that the consent is 'specific, informed and unambiguous'; the employee should know exactly what disclosure s/he is consenting to, and the purpose of this disclosure. Best practice is to show the employee the draft report.

Furthermore, given that there is a clear imbalance of power between the employer and the employee, occupational health nurses should not disclose confidential health records or data to managers on the basis of consent alone. In most cases they should seek consent AND satisfy themselves that one of the other GDPR justifications for disclosure exists. 

In most cases, the justification will be GDPR Article 9 paragraph 1(h):

'...processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems...' 

The occupational health nurse should disclose only as much information as is necessary for this purpose. 

When reporting to management, therefore, the OH nurse should normally:

  1. consider what information it is necessary to disclose 'for the assessment of the working capacity of the employee'
  2. inform the employee of the information to be disclosed and the reason for disclosing it
  3. seek the consent of the employee for disclosure of this information
  4. if consent is granted, send the report
  5. if consent is refused, consider whether or not it is necessary to disclose this information without consent. 

It will not usually be necessary to disclose without consent. If the patient does not consent to disclosure, the nurse will usually report to the manager that the employee has not consented, and the manager will then make the necessary management decisions without benefit of health advice. 

However, sometimes disclosure without consent is necessary in order to protect others. See the case study example, below.

Case study

An employee is a bus driver and refusing to consent to disclosure of the result of their eye test, which indicates that they have an open angle glaucoma causing extensive reduction of the visual field.

In view of the potential danger to the public, some kind of disclosure probably is necessary, even though the employee has not consented.

In these circumstances, it is not necessary to disclose the diagnosis to the manager. However, it is necessary to disclose that the employee has severe eyesight problems and cannot safely work as a bus driver. 

Access to reports or records by other members of staff

Occupational health records and reports should only be disclosed to other members of staff on the same basis as to management. 

E.g. if disclosure to the health and safety manager is requested, the OH nurse should:

  • consider what information it is necessary to disclose in order to enable the health and safety manager to carry out her duties
  • inform the employee of the information to be disclosed and the reason for disclosing it
  • seek the consent of the employee for disclosure of this information
  • if consent is granted, disclose the information
  • if consent is refused, consider whether or not it is necessary to disclose this information without consent.

Subject access to records

All patients have a right to access their records in accordance with the Data Protection Act. The exceptions to this are unlikely to apply in the OH setting. See the ICO guidance on Right of access.

Time limits for storing OH records

For some records such as ionising radiation, asbestos and COSHH the period of retention is laid down in legislation. The duration of retention should be identified in the local policies or procedures and be compliant with legislation. 


Useful resources

RCN members can contact the RCN to discuss particular issues.