Confidentiality
1. Introduction
Coventry Road Medical Centre is committed to maintaining the confidentiality of all patient information in compliance with the Care Quality Commission (CQC) requirements, the Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR), and other relevant legislation. Protecting patient confidentiality is fundamental to providing safe, effective, and trusted healthcare.
2. Purpose
This policy outlines how Coventry Road Medical Centre manages, stores, and shares confidential information to ensure that patients’ rights to privacy are respected and that information is handled securely and appropriately.
3. Scope
This policy applies to all staff, contractors, volunteers, and any other individuals working at or on behalf of Coventry Road Medical Centre who have access to patient information.
4. Definition of Confidential Information
Confidential information includes, but is not limited to:
- Patient medical records
- Personal identifiers (name, address, date of birth, NHS number)
- Clinical notes, test results, and treatment plans
- Information about patients’ social, psychological, and financial circumstances
- Any other information shared in confidence by patients
5. Principles
Coventry Road Medical Centre will:
- Collect, store, and use patient information only for the purpose of providing healthcare and related services.
- Ensure that all staff understand their duty to maintain confidentiality and are trained accordingly.
- Obtain valid consent from patients before sharing their information, unless disclosure is legally required or justified in exceptional circumstances (e.g., safeguarding concerns).
- Share information securely and only with authorised personnel.
- Keep records accurate, up to date, and stored securely to prevent unauthorised access.
- Allow patients access to their own records in line with the Data Protection Act 2018 and UK GDPR.
- Report and manage any breaches of confidentiality promptly according to the practice’s incident reporting procedure.
6. Consent and Sharing Information
- Patient consent must be informed, voluntary, and recorded.
- Information will only be shared with third parties (including other healthcare providers, family members, or organisations) with patient consent unless required by law or safeguarding protocols.
- In cases where the patient lacks capacity, information sharing will follow legal frameworks such as the Mental Capacity Act 2005.
- Information may be shared without consent if there is a legal obligation or overriding public interest, such as safeguarding vulnerable individuals or preventing serious harm.
7. Data Security
- Electronic records are password-protected and access-controlled.
- Physical records are stored in locked, secure areas.
- Staff must follow secure disposal procedures for confidential information that is no longer required.
- Regular audits of data protection measures will be conducted to ensure compliance.
8. Training
All staff will receive mandatory training on confidentiality, data protection, and information governance at induction and regularly thereafter.
9. Breach of Confidentiality
- Any suspected breach of confidentiality must be reported immediately to the Practice Manager or designated Caldicott Guardian.
- Investigations will be carried out promptly, and appropriate action will be taken.
- Serious breaches may be reported to the Information Commissioner’s Office (ICO) and the CQC as required.
10. Patient Rights
Patients have the right to:
- Access their medical records
- Request corrections to inaccurate data
- Withdraw consent for sharing information, where appropriate
- Be informed about how their data is used and who it is shared with
11. Monitoring and Review
This policy will be reviewed annually or sooner if required by legislative or regulatory changes.
Version 1.1
Approved by: Practice Manager
Date: August 2025
Next Review Date: August 2026
Page created: 04 August 2021