Patient data misuse and the health professional regulators

18 Aug 2009 | Professional Standards Authority
  • Policy Advice

August 2009 advice to the Secretary of State about the current codes of conduct for the regulated healthcare professions around data misuse.


The confidentiality and security of patients’ data is a core value for health professionals and this is reflected in the regulators’ codes and standards. Some regulators issue guidance to help registrants manage patients’ information in particular situations they may encounter in the course of their practice. Wider legal duties govern health professionals’ use of patients’ data, and professionals can also refer to guidance provided by other organisations and the NHS. These sources are cross-referenced in regulators’ standards and codes. In our report we found that the standards are satisfactory, but we recommend that when regulators provide new guidance to registrants, it is essential that this reflects both the public’s expectations around the security of their data and any new risks that emerge from innovative uses of information technology.


Under section 26A of the National Health Service and Health Profession Reform Act 2002, we have been asked by the Secretary of State to provide advice about the current codes of conduct for the regulated healthcare professions around data misuse. In particular we have been asked to:

‘work with Professional Regulation bodies to provide clarification about personal misconduct in relation to data misuses and transparency in relation to how these issues are reported, in particular by providing advice on the following:

  • The extent to which they reflect the information governance requirements that now prevail within the NHS;
  • Suggestions as to whether these codes of conduct might need reviewing so that they more adequately (if required) reflect the information governance requirements in relation to electronic information relating to patients and staff; and any role the Department might play in such reviews; and
  • If it would be feasible or desirable to incorporate into definitions of misconduct the responsibilities of all parties in relation to electronic person identifiable data.’

This report provides our response to this request. In preparing our response we have considered the standards registrants are expected to demonstrate and the regulators’ management of fitness to practise issues that can arise when registrants fail to meet these standards. First we describe the current approaches taken in regulators’ codes of conduct around data misuse. We then consider these approaches in relation to other information governance requirements that prevail in healthcare. Finally we consider misconduct around data handling, how it is managed by the regulators, and discuss whether changes are necessary.