Legal Update for Caldicott Guardians

Decision Making, the duty of candour, confidentiality and consent

Andrew Latham, Associate

October 2019

What we will be discussing

- The duty of candour and the Caldicott Guardian
- the Caldicott Guardian and the Duty of Candour
- training and supporting staff in disclosing unanticipated events in patient care
- liaising with patients and families
- applying ‘being open’ principles
- examples in practice and interactive discussion
- Brief legal update
- MCA and confidentiality summary

The Duty of Candour and the Caldicott Guardian

Principle 1 - Justify the purpose(s) for using confidential information

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.

Principle 2 - Don't use personal confidential data unless it is absolutely necessary

Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

Principle 6 - Comply with the law

Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.

Principle 7 - The duty to share information can be as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

The duty of candour: what is it?

- Key set of recommendations from Francis report
- Statutory duty on organisations – Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, regulation 20
- Applies to individuals through professional obligations and guidance
- Provision of an explanation – not an admission of liability

What is candour?

“The volunteering of all relevant information to persons who have or may have been harmed by the provision of services, whether or not information has been requested and whether or not a complaint or a report of that provision has been made”

Robert Francis QC

“The quality of being open and honest; frankness.”

What is candour?

- The statutory duty of candour is:
  - a legal duty placed on CQC registered providers
- The statutory duty is on the organisation, not individuals
- It is one of the ‘Fundamental Standards’ - it can be policed and enforced by the CQC as with other regulatory standards (e.g. care and treatment, safeguarding, governance)
- There are 2 parts to the statutory duty:
  - General duty – “must act in an open and transparent way…in relation to care and treatment provided to service users…”
  - Specific duty applies for ‘notifiable safety incidents’

When does it apply?

- General duty to be open applies to all interactions with patients about care and treatment
- Specific duty applies where there has been a:
  - Notifiable safety incident (‘NSI’) – an unintended or unexpected incident that ‘could result in or appears to have resulted in’:
    - death (i.e. caused by incident not natural progression of disease)
    - severe harm, moderate harm or prolonged psychological harm
- Slightly different definitions for health service bodies and other registered persons (overleaf).
- If it is a ‘near miss’ with no harm then specific duty will not apply.

Notifiable safety incidents

Other registered persons (GPs etc)

An unintended or unexpected incident that occurred in respect of a service user during the provision of a regulated activity that, in the reasonable opinion of a healthcare professional—

(a) appears to have resulted in—
  (i) the death of the service user, where the death relates directly to the incident rather than to the natural course of the service user's illness or underlying condition,
  (ii) an impairment of the sensory, motor or intellectual functions of the service user which has lasted, or is likely to last, for a continuous period of at least 28 days,
  (iii) changes to the structure of the service user's body,
  (iv) the service user experiencing prolonged pain or prolonged psychological harm [28 days +], or
  (v) the shortening of the life expectancy of the service user; or
(b) requires treatment by a health care professional in order to prevent—
  (i) the death of the service user, or
  (ii) any injury to the service user which, if left untreated, would lead to one or more of the outcomes mentioned in sub-paragraph (a).

When does it apply (NHS)?

- Moderate harm?
  - Harm requiring a ‘moderate increase in treatment’, and
  - significant, but not permanent harm
- Moderate increase in treatment = unplanned return to surgery, unplanned re-admission, prolonged episode of care, extra time in hospital or as an outpatient, cancelling of treatment, or transfer to another treatment area (ICU) [as a result of the unintended or unexpected incident].

Is the duty of candour engaged?

- Sunita is a heavy smoker. She presents to her GP with a persistent cough and is referred to the local hospital for a chest x-ray. A lesion is reported and the results sent to the GP.
- The GP messages the practice reception to arrange an urgent appointment with Sunita, although there is no answer on her phone as she is away. A letter inviting her to the practice is lost in the post, and the message to follow up is missed. Several months later Sunita presents at hospital with shortness of breath and haemoptysis. She is admitted and is diagnosed with lung cancer.

Some trickier cases…

- A head injury patient comes in to A&E, is assessed as having capacity and takes own discharge, against medical advice and before a CT scan can be carried out. The patient goes home and dies of a bleed on the brain. Does the DoC apply?

- An elderly patient is admitted to the ward and is assessed as being at risk of pressure ulcers. All necessary precautions are taken and care delivered accordingly. Unfortunately the patient still develops a grade 3 pressure ulcer. Does the DoC apply?

Some trickier cases (2)

- A patient with dementia is admitted from residential care to an inpatient ward in the hospital. A medication error was made by the hospital. Fortunately she did not suffer any pain or lasting physical effects. However, the error resulted in her scheduled procedure being delayed, so that her stay in hospital was extended by three days. Being out of her usual care environment in a hospital ward was particularly distressing for this patient, because dementia heightened her anxiety and confusion.

When does it apply? Summary

- General duty applies at all times
- Specific duty only applies when threshold of harm or potential harm is met (a notifiable safety incident or ‘NSI’)
- The key is to ensure you are recognising those incidents where the specific duty applies and then taking action to comply with it.

How do you comply with the specific duty?

- As soon as reasonably practicable after becoming aware of a ‘NSI’ the provider must:
  - Notify the relevant person that the incident has occurred, and
  - Provide reasonable support to the relevant person
- The notification (face to face)
  - Inform them that the incident has occurred
  - Provide a true account of all facts
  - Advise what further enquiries will be made
  - Apologise
- A written record of the notification must be kept
- The notification must be followed up in writing (covering all of the above)

Who needs to be told?

The "relevant person" means the service user or, in the following circumstances, a person lawfully acting on their behalf—

(a) on the death of the service user,
(b) where the service user is under 16 and not competent to make a decision in relation to their care or treatment, or
(c) where the service user is 16 or over and lacks capacity in relation to the matter.

How do you comply with the specific duty?

- Practical points:
  - Apology = expression of sorrow or regret – see NHSLA (NHSR) guidance
  - Who should provide the notification?
    - consider seniority, relationship to patient, experience and expertise in the type of incident that has occurred
  - What about recognised risks of procedures and matters discussed during the consent process?
  - What if the patient doesn’t want to know?
  - Mixed information: staff, third party information

Things to think about and train staff on

- Where should the initial conversation take place?
- Tone, language, sensitivity, time
- What support should be available to the patient during the conversation and afterwards?
- Who will be the single point of contact following the discussion with the patient?
- Who will capture the discussion in writing and where will that documented account be held?
- If the patient is unable to hold the discussion who should be involved on their behalf?
- What if other relatives want to know/complex family dynamics?

Candour and a Caldicott scenario

- Jeff suffers from a severe and enduring personality disorder and a schizoaffective disorder. He has been detained under s. 3 of the MHA 1983 on Violet Ward since 2014, at Ambridge Partnership MHT, but becomes physically unwell with appendicitis.
- He is transferred to Nightingale Ward, University Teaching Hospitals Ambridge NHST. He is supposed to be on 1:1 observations at all times, and nursed in a side room.
- Bill, his nurse, goes to get a coffee whilst Jeff is in a stupor from the anaesthetic. However, whilst Bill is off the ward, getting the coffee, Jeff gets up and smothers Fred, a patient in the next side room.

Candour and a Caldicott scenario

- Is the duty of candour engaged?
- Who would you tell?
- What information would you provide?
- What, if anything, would you say to Jeff?

Why do people get sued/get into legal difficulty? (1)

Why do people get sued/get into legal difficulty? (2)

- They have done something that they shouldn’t have done
- They haven’t done something that they should have done (or they say they will do something but haven’t).
- The person who finds out is hurt/offended and motivated enough to do something about it (physically, financially, emotionally, because of their public role)
- Factors increasing risk: length of time; number of people; clarity of the position that should have been taken; egregiousness of activity/other motivators

Why do people get sued/get into legal difficulty? (3)

Taxonomy of claims

- The claimant is motivated but the organisation hasn't done anything legally wrong (or C cannot prove that they have) [D wins]
- The claimant is motivated and the organisation cannot the course of action that it has taken/acted unreasonably [Will settle]
- The organisation hasn’t put the appropriate measures in place [C wins]
- Decision makers haven’t considered the legal position/have ploughed on regardless [C wins]
- The organisation itself has complied with the law, but it is responsible for a member of staff who has accidentally/deliberately caused harm. [C wins]

Why is this relevant in the world of GDPR and current information law issues? (1)

- Mix of prescriptive and non-prescriptive/agnostic requirements
- Some obligations are onerous
- Low threshold (distress) for bringing a successful claim if measures insufficient
- The left hand doesn’t know what the right hand is doing
- New tech
- Not enough money/resource
- It is pervasive
- The sky hasn’t fallen in
- Death by a thousand cuts
- Individuals have a little knowledge of their rights
- Individuals often motivated because of something else
- Mix of enforcement regimes/options for redress

Current legal risks (1)

What we are seeing

- Increasing awareness of GDPR/confidentiality obligations and enforceability of DPA rights by data subjects
- GDPR being pleaded in conjunction/alternative with other heads of action: of privacy, defamation, breach of confidence
- Demise of s. 13(2) DPA 1998 carried over to GDPR – low threshold of ‘distress’
- Damages/compensation for breaches
- ‘Death by a thousand cuts’ – one incident, many (low value) claimants; may not be insured (and may be within excess)

Current legal risks (2)

What we are seeing

- Litigation around subject access requests
- ICO enforcement action
- Staff using records inappropriately
- Vicarious liability for bad pennies + reputational risk associated with ICO prosecutions of individuals (erosion of trust?)
- Hacking and ransomware
- Discussion point: what’s your experience?

Data protection – current issues in the

- Increased environment of damages for misuse of private information (post Gulati and Vidal Hall v Google, but see also quantum in TLT v Home Office, Andrea Brown v Met and Greater Manchester Police, PSNI case)
- Vicarious liability for rogue employees (Various Claimants v Morrisons)
- Subject access requests
  - Disproportionate effort (Dawson-Damer v Taylor Wessing)
  - Nature and scope of the right (Ittihadieh v 5-11 Cheyne Gardens & Ors and Deer v Oxford University)
  - Third party data – confirmation of approach (DB v GMC)
- Recent ICO enforcement action: Regal Chambers GP Practice

Other legal issues in the Courts – legal update (1)

- ABC v St George’s Healthcare NHS Foundation Trust (2017) EWCA Civ 336
- Mr A had Huntington's. He told his brother, but not his daughter, ABC, and was emphatic she should not be told.
- There is a 50% risk of inheriting Huntington's. ABC became pregnant (and told her father) and gave birth. Her father did not tell ABC about his Huntington's diagnosis. ABC was subsequently diagnosed with Huntington's.
- ABC said it was critical that she should be informed of her father's diagnosis, firstly presumed and subsequently confirmed, in the light of her pregnancy.
- ABC made a claim against the Trust that, if informed of her father's diagnosis, she would have sought to be tested for Huntington's Disease. If her own diagnosis was confirmed, she would have terminated the pregnancy.

Other legal issues in the Courts – legal update (2)

- Trust had previously got claim struck out (i.e. no duty to warn). ABC appealed to the Court of Appeal to get it reinstated.
- Issue for the Court: is the case arguable that the Trust owed a duty of care [in this context] to override confidentiality?
- Court of Appeal:
  - It is arguable (and so claim reinstated for further consideration)
  - Geneticists get definite, reliable information on risk.
  - More practical to warn a ‘closed’ group of people on genetic risk than, say, former sexual partners of STIs.
  - Reference to American (Tarasoff)

Candour and GDPR – the interaction

Notifiable personal data breaches (article 33 GDPR)

- Need to tell the ICO:
  - Within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to rights and freedoms of individuals
  - Description of nature of breach, categories and numbers of individuals and records concerned;
  - Provide details of DPO
  - Describe consequences of the breach
  - Describe measures taken to address the breach
- May need to update/provide information in phases
- Maintain a register of breaches
- Is a breach an incident?

Duty to notify data subject (art 34)

- When the breach is likely to result in a high risk to the data subject, the controller shall communicate the breach to the data subject without undue delay.
- Communications need to be in clear and plain language.
- Data subject to be told at least:
  - Nature of breach
  - Details of DPO
  - Likely consequences of breach
  - Measures taken to manage the risk.

Current legal issues – is it really anonymised?

- What are the chances of you (or anyone else with access to this data) being able to work out who the person is? (Miller v ICO)

Access to health records under GDPR/Data Protection Act 2018 (with impact on AHRA)

- Can no longer charge a fee
- Ordinarily should respond within one month
- Rules about exemptions follow the old law (now Schedule 3 DPA 2018). Can refuse to provide health information where:
  - Disclosure would be likely (in the view of the “appropriate health professional” given in response to the request or six months prior) to cause serious harm to any person’s physical or mental health
  - Request made by third party on behalf of patient (e.g. parent) and complying with the request would disclose information—
    a) which was provided by the data subject in the expectation that it would not be disclosed to the person making the request,
    b) which was obtained as a result of any examination or investigation to which the data subject consented in the expectation that the information would not be so disclosed, or
    c) which the data subject has expressly indicated should not be so disclosed.
- Clinician details should normally be disclosed.

Confidentiality and the MCA

MCA section 4

- Decision maker must consider, so far as is reasonably ascertainable—
  - P’s past and present wishes and feelings (especially any statement of advance wishes);
  - the beliefs and values that would be likely to influence P’s decision if he had capacity, and
  - the other factors that P would be likely to consider if P were able to do so.

- Decision maker must take into account, if it is practicable and appropriate to consult them, the views of—
  - anyone named by P as someone to be consulted,
  - anyone engaged in caring for P or interested in P’s welfare,
  - anyone with LPA or Deputyship.

- Further resources in MCA Code of Practice

Q+A and thank you!

Andrew Latham, Associate | Clinical Law, Capsticks LLP

T: 020 8780 4674 | M: 07912 563 029 | E: [email protected] | @ajlhealthlaw