Occupational health nurses have the same general duties of confidentiality as other nurses. The best concise guide on confidentiality is the Confidentiality: NHS Code of Practice.
The same principles apply to non-NHS workers as to NHS workers. The fact that this is an NHS code should not prevent private sector nurses from consulting it.
The general rule is that confidential health information may only be disclosed with the employee’s informed consent. If consent is given orally then this should be recorded in the patient record.
Oral consent can often cause anxiety and while legally it is perfectly acceptable and consent does not have to be in writing, the concern is that it can be challenged.
As a safety net, it is worth getting the individual to sign alongside where the record of their verbal consent has been given, as soon as is practicable.
If what is proposed is a report to a manager, the ideal is a copy of the proposed report with a section at the bottom of the page clearly stating that the individual consents for example:
'I consent to disclosure of the above report to [name of manager]'. Signed.......Dated......'
There are limited exceptions to this general rule. Records may be disclosed without consent if:
For further detail, please consult the NHS Code of Practice.
If there is said to be a legal requirement to disclose (e.g. if a police officer asserts this) but the employee does not consent to disclosure, then it is best to seek legal advice from your employer’s legal advisers before making the requested disclosure.
Regarding disclosure in the public interest, there is a useful supplementary guidance, see: Confidentiality: NHS Code of Practice–– Supplementary Guidance: Public Interest Disclosures.
All nurses should adhere to the NMC code.
The day to day decision that has to be made by occupational health nurses is how much information to disclose to management.
Occupational Health nurses are sometimes put under pressure by management to make wholesale disclosures of health information.
The General Data Protection Regulations (GDPR) make it clear that consent needs to be freely given and clearly stated. See paragraphs 32 and 43 of the Recital to the GDPR:
32. Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. ...Silence, pre-ticked boxes or inactivity should not therefore constitute consent...
43. In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.
Thus, when seeking consent to disclosure, the OH nurse should ensure that the consent is 'specific, informed and unambiguous'; the employee should know exactly what disclosure s/he is consenting to, and the purpose of this disclosure. Best practice is to show the employee the draft report.
Furthermore, given that there is a clear imbalance of power between the employer and the employee, occupational health nurses should not disclose confidential health records or data to managers on the basis of consent alone. In most cases they should seek consent AND satisfy themselves that one of the other GDPR justifications for disclosure exists.
In most cases, the justification will be GDPR Article 9 paragraph 1(h):
'...processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems...'
The occupational health nurse should disclose only as much information as is necessary for this purpose.
When reporting to management, therefore, the OH nurse should normally:
It will not usually be necessary to disclose without consent. If the patient does not consent to disclosure, the nurse will usually report to the manager that the employee has not consented, and the manager will then make the necessary management decisions without benefit of health advice.
However, sometimes disclosure without consent is necessary in order to protect others. See the case study example, below.
An employee is a bus driver and refusing to consent to disclosure of the result of their eye test, which indicates that they have an open angle glaucoma causing extensive reduction of the visual field.
In view of the potential danger to the public, some kind of disclosure probably is necessary, even though the employee has not consented.
In these circumstances, it is not necessary to disclose the diagnosis to the manager. However, it is necessary to disclose that the employee has severe eyesight problems and cannot safely work as a bus driver.
Occupational health records and reports should only be disclosed to other members of staff on the same basis as to management.
E.g. if disclosure to the health and safety manager is requested, the OH nurse should:
All patients have a right to access their records in accordance with the Data Protection Act. The exceptions to this are unlikely to apply in the OH setting. See the ICO guidance on Right of access.
For some records such as ionising radiation, asbestos and COSHH the period of retention is laid down in legislation. The duration of retention should be identified in the local policies or procedures and be compliant with legislation.
RCN members can contact the RCN to discuss particular issues.