covid banner

Mental health law briefing 225 – CQC Code of Practice: Confidential personal information

The Care Quality Commission is currently consulting on a new draft of its Code of Practice on confidential personal information1.

‘Confidential personal information’ is defined in the Health and Social Care Act 2008 as information ‘obtained by the Commission on terms or in circumstances requiring it to be held in confidence; and that relates to and identifies an individual’. Under section 76 of the Act it is an offence to knowingly or recklessly disclose such information, subject to certain statutory offences, unless the disclosure by the CQC is a ‘permitted disclosure’

The draft Code of Practice explains the CQC’s approach to the statute. In general, the document is to be welcomed. It is a clear and succinct statement of the law and the CQC’s practice, outlining how confidential personal information is obtained, used and disclosed. It has also been simplified by removing a list of seven principles that the CQC rightly recognised could cause confusion given that there are already sets of principles both in relation to the Data Protection Act 1998 and the Caldicott Principles.

There is, however, one glaring omission from the Code: disclosure of confidential personal information to providers. There are several situations when this will routinely be in issue, and the Code should accordingly address it. This most frequently arises in connection with the CQC’s inspection and enforcement powers. The CQC’s inspection reports and enforcement documentation are based largely on the care planning of, and care delivery to, particular individuals.

Quite rightly, that highly sensitive personal information should only by available to the public if the identity of those individuals is protected. However, in so far as disclosure to providers is concerned, it is absolutely necessary for providers to be given the identity of the residents for two fundamental reasons. First, the provider may need to take action to safeguard residents, and second, the provider must be given the opportunity to verify the CQC’s judgments, which may not be possible if the identity of residents is withheld.

Generally, this has not been a problem, with the CQC tending to disclose the identities of residents when requested by providers, for example in their factual accuracy comments. Notices of proposal tend to be served together with a key so that that providers can identify residents. However, we have seen cases where the CQC has refused to provide the identity of residents until pressed to the point of litigation. It would accordingly be extremely helpful if the Code of Practice addressed this point.

If providers may wish to ensure they have access to this essential information, they may wish to respond to the consultation suggesting that the Code states that

  • the statutory permission to disclose confidential personal information ‘in order to enable the CQC to perform our own functions2’ includes the CQC providing information to providers to enable them to verify CQC’s judgements in relation to its functions; and
  • the statutory permission to disclose such information due to the disclosure being ‘necessary or very helpful in protecting the welfare of any individual’ includes disclosing sufficient information to providers to enable them to take action to protect service users.

The consultation closes on Friday 19 February 2016.


2 Section Health and Social Care Act 2008, s.79(3)(f)


This briefing is for guidance purposes only. RadcliffesLeBrasseur LLP accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.

Briefing tags , ,