Confidentiality & Information Governance

SJT Textbook: Confidentiality & Information Governance

Confidentiality and Information Governance MSRA

This guide covers the essential framework for Confidentiality and Information Governance MSRA scenarios. In the SJT, you are tested on your ability to handle identifiable patient data lawfully, using the Caldicott Principles as your primary anchor for deciding whether, what and how to share.


DIFFICULTY: ★★☆☆☆ Moderate
FREQUENCY: High
PRIORITY: Must-Know

📍 EXAM MINDSET
First check the purpose and lawful basis, then disclose the minimum on a secure channel, and leave a clear, contemporaneous record.

🎯 THE CORE PRINCIPLE

Confidentiality and information governance (IG) are about protecting identifiable patient information while still enabling safe, effective care. Patients must be able to trust that their information is handled lawfully and ethically, and that you do not share more than is genuinely needed.

In practice, this means you share information when there is a clear, justified purpose (for example, direct care, safeguarding, legal requirement, or preventing serious harm), and you always use the minimum necessary information on secure, approved systems. You check whether consent is needed or whether there is another lawful basis, and you keep accurate records of what you shared and why.

In the MSRA SJT, high-scoring options balance confidentiality with patient safety and the public interest. Good answers show you clarifying the purpose of the request, verifying the requester's identity, and using GMC Confidentiality, the Caldicott Principles, UK GDPR/DPA 2018, and GMC Good medical practice (including its social media guidance) as anchors for your decision-making.

⚡ HIGH-YIELD ACTIONS (What Scores Points)

1. Clarify the purpose and urgency of the request (direct care, safeguarding, legal, public interest, teaching, research).
2. Verify the identity and role of the person requesting information before disclosing anything.
3. Check consent or lawful basis (direct care, legal requirement, or public-interest justification) before sharing.
4. Share the minimum necessary information on a strict need-to-know basis.
5. Use approved secure channels (EPR, secure NHS email, approved clinical messaging apps) instead of personal devices or informal platforms.
6. Document who you shared information with, what you shared, your lawful or ethical basis, and how it was shared.
7. Inform the patient about disclosures whenever appropriate and safe to do so, especially when disclosure happens without consent.
8. Seek advice from a senior, information governance lead, or Caldicott Guardian if uncertain.
9. Apply the same confidentiality standards to digital and social media as to face-to-face interactions.
10. Challenge and escalate unsafe IG practice (for example, photos in WhatsApp, open-access spreadsheets) in a professional way.

To score highly in Confidentiality and Information Governance MSRA ranking questions, you must strictly adhere to the “Need-to-Know” rule.

🚨 RED FLAGS (Act Immediately)
* Unverified caller or email asking for clinical details, with no robust identity check.
* Requests for the entire record when only a small part is needed.
* Use of personal email, unsecured messaging apps, or group chats to share identifiable patient data when approved systems exist.
* Screenshots of clinical systems shared into non-approved chats or saved to personal photo libraries.
* Disclosure without any clear consent, legal requirement, or public-interest justification.
* No documentation of what was shared or why, especially in contentious or high-risk situations.
* Casual conversation about identifiable patients in public, shared offices, or on social media.
TRAP ANSWERS (Decoy Detectors)
Trap answer → why it tanks your score:
* “GDPR means you should never share anything.” → Blocks safe, lawful sharing for direct care and safeguarding.
* “Email the entire notes to the police.” → Overshares; no minimum-necessary approach or clear basis.
* “The partner can always be updated.” → Assumes consent; ignores patient autonomy and confidentiality.
* “Just WhatsApp the photo, it is encrypted.” → Not an approved clinical system; poor IG and record-keeping.

These traps either block necessary information sharing or encourage unsafe, excessive, or insecure disclosure. The safe pattern is: purpose → lawful/ethical basis → minimum necessary → secure route → clear documentation.

💬 MODEL PHRASES (Use These in SJT Logic)

* “For your care today we will share only what is necessary within the team using secure systems, and I will record what was shared and why.”

* “I cannot discuss details without your permission; if you are happy, tell me what I can share and with whom, and I will document it.”
* “I need to check there is a lawful basis for this request, then share only the minimum necessary information through our approved route.”
* “Let us use the approved secure platform rather than personal messaging, and I will put a clear entry in the clinical record.”
* “I am not comfortable sharing this without advice; I will speak to our Caldicott Guardian or information governance lead.”
* “Because of confidentiality I cannot give specific details, but I can explain the general plan with the patient’s agreement.”

🧠 MEMORY AID
LOCK IT

Legitimate purpose • Only necessary information • Consent or condition (law/public interest/direct care) • Keep secure • Inform when appropriate • Trace in the notes

🏃 EXAM SPEEDRUN
1. Clarify who is asking, why they want the information, and how urgent it is.
2. Check consent or other lawful basis (direct care, legal obligation, public interest).
3. Decide the minimum information required to achieve that purpose.
4. Use an approved secure channel (EPR, secure email, approved app) rather than personal devices.
5. Inform the patient where appropriate and safe, especially if disclosing without consent.
6. Document who you spoke to, what you shared, your lawful basis, and any advice sought.
7. If unsure at any stage, pause and seek senior or IG/Caldicott advice.

📋 QUICK FAQ

Do I always need explicit consent to share information for direct care?
No. For direct care within the healthcare team, you usually rely on implied consent, as long as sharing is necessary, proportionate, and on secure systems. You should still respect any specific patient objections and be transparent about how information is used.

When can I disclose information without consent?
You may disclose without consent if it is required by law (for example, court orders, certain notifiable diseases) or in the public interest to prevent serious harm to the patient or others. You should share the minimum necessary, document your reasoning, and inform the patient where appropriate and safe.

Can I use messaging apps such as WhatsApp for clinical photos or discussions?
You should use approved clinical systems wherever they exist. If policy allows temporary mobile messaging, you must minimise identifiers, transfer key information into the formal record promptly, delete originals, and follow local IG guidance. Avoid building informal parallel records.

What should I do if a relative asks for a detailed update by phone?
Verify their identity, check whether the patient has given permission or has capacity to consent, and involve the patient in the decision where possible. Without consent or another lawful basis, do not give specific clinical details, though you can offer general information and a plan to speak with the patient.

How much information should I share when there is a lawful basis?
Only the minimum necessary to achieve the stated purpose, on a need-to-know basis, and via an approved secure route. Always record what you shared and why, and note any advice from senior or IG colleagues.

How do GMC standards apply to social media?
The same professional and confidentiality standards apply online as offline. You must not post identifiable patient information, must avoid de-facto identification through context, and should maintain appropriate boundaries and tone in all digital communications.

📚 GMC ANCHOR POINTS

* Protect and respect patient confidentiality; only disclose in line with law and ethical guidance (GMC Confidentiality).
* Share information for direct care on a need-to-know basis, using secure systems, and record what you have done.
* Maintain clear, accurate, and contemporaneous clinical records, including reasons for disclosure or non-disclosure (GMC Good medical practice 2024).
* Apply the same standards to electronic, remote, and social media communication as to face-to-face conversations.
* Seek advice from colleagues, information governance leads, or Caldicott Guardians when the legal or ethical position is unclear.
* Support systems and processes that improve data security and confidentiality, and raise concerns about unsafe practices.

💡 MINI PRACTICE SCENARIO

A patient has been assaulted and is admitted under your care. The police telephone the ward asking for “everything you have” about the patient to help with their investigation. They provide a collar number but no written documentation.

Best action: Verify their identity (for example, by calling back through the force's switchboard rather than a number they give you) and the legal basis for the request, explain that you will only share the minimum necessary information justified to prevent or detect serious crime, use a secure channel agreed with your trust, and record the decision and rationale in the notes.

Why: This balances confidentiality with the public interest, applies minimum-necessary and secure-route principles, and creates a clear audit trail that aligns with GMC and IG guidance.

🎯 KEY TAKEAWAYS

✓ Confidentiality supports trust but does not mean never sharing information.
✓ Always clarify purpose, lawful basis, and urgency before disclosing.
✓ Share the minimum necessary information on a true need-to-know basis.
✓ Use approved secure systems; avoid informal channels and personal devices.
✓ Document who you shared information with, what you shared, and why.
✓ Seek senior or Caldicott/IG advice when in doubt.
✓ Apply the same standards to digital and social media as to in-person care.


🔗 RELATED TOPICS

* → Patient Confidentiality Principles
* → Sharing Information with Consent
* → Exceptions to Confidentiality (Safeguarding/Public Interest)
* → Social Media and Digital Professionalism
* → Duty of Candour
* → Raising Concerns and Whistleblowing

📖 FULL PRACTICE QUESTIONS

Example SJT — Best of 3 (8 options; choose three)

You are an FY2 on a medical ward. A patient with capacity, Mr Ahmed, has been admitted with sepsis. His partner phones the ward, saying she is very worried and wants “a full update on everything, including test results”. There is no record of any specific consent to share information, but staff recognise her as a frequent visitor. At the same time, a registrar in theatre sends you a message in a non-approved WhatsApp group asking for a photo of Mr Ahmed’s rash so they can advise urgently. The ward is busy and short-staffed.

Which THREE of the following actions are the most appropriate?

Options:
A. Give the partner a full update, including test results, because she clearly cares and is often present.
B. Politely explain that you cannot discuss detailed results without Mr Ahmed’s permission, offer to speak to him and call her back promptly, and document the discussion.
C. Refuse to give the partner any information at all and hang up to get back to your work.
D. Take a quick photo of the rash on your personal phone and post it straight into the WhatsApp group for rapid advice.
E. Explain you cannot use WhatsApp for patient images, ask if the registrar can review Mr Ahmed in person or via your trust’s approved secure app, and document the plan.
F. Ask Mr Ahmed if and what he is happy for you to share with his partner, record his preferences, then update her accordingly.
G. Print the entire admission notes and hand them to the partner at the bedside to avoid repeated calls later.
H. Ask the nurse in charge to help prioritise, then ensure any clinical photos are captured via the approved EPR process rather than personal devices.


Correct three: B, E, F
• B: Protects confidentiality, offers a practical plan to obtain consent, and records the decision.
• E: Rejects an unsafe channel and redirects to approved secure systems, while still supporting timely advice.
• F: Respects the patient’s autonomy by checking and recording their preferences before sharing sensitive details.

Why others are weaker/wrong:
• A assumes consent and overshares; it ignores the need to check with the patient.
• C is abrupt and unhelpful; it protects confidentiality but fails on communication and professionalism.
• D uses a personal device and non-approved app, risking data security and poor record-keeping.
• G grossly overshares, breaching minimum-necessary and need-to-know principles.
• H is helpful for workload and process but does not directly tackle the immediate confidentiality issues as strongly as B, E, and F.


Example SJT — Rank 5 (best → worst)

You are a neurology registrar. A colleague on another ward has taken a photograph of a patient’s leg with a complex rash and posted it into a large WhatsApp group of clinicians to “get quick thoughts”. The photo clearly shows an identifying tattoo. Your trust has an approved secure clinical messaging app and an EPR function for storing clinical images. You become aware of this shortly after the image is shared.

Rank the following actions in order of appropriateness (best to worst):

Options:
A. Ask your colleague to delete the photo from WhatsApp, move the discussion to the approved secure app, recapture the image via the EPR system with consent where appropriate, and document what happened.
B. Do nothing; reassure yourself that WhatsApp uses end-to-end encryption, so there is no real risk.
C. Save the image to your personal phone “for reference” in case you need to look at it again later.
D. Post additional clinical details (name, hospital number, date of birth) into the WhatsApp group to “give better context”.
E. Advise your colleague to email the photo to their personal email account so they can view it on a larger screen at home.


Ideal order: A (1) > B (2) > E (3) > C (4) > D (5)
• A: Best. Acknowledges the IG problem, removes the image from the unsafe context, redirects to secure approved systems, obtains consent where needed, and documents the incident.
• B: Better than the others only in that it does not expand the breach, but it fails to address the existing IG risk or promote safer practice.
• E: Worsens the situation by exporting the image to another insecure environment; it shows poor IG awareness.
• C: Creates an additional personal copy of the image, further increasing risk and undermining confidentiality.
• D: Worst. Actively increases identifiability and risk of harm by adding multiple identifiers into an inappropriate group chat.

📦 QUICK-REFERENCE CARD (Screenshot/Print)
CONFIDENTIALITY & INFORMATION GOVERNANCE
* Clarify purpose and urgency
* Check consent or other lawful basis
* Share the minimum necessary information
* Use approved secure systems only
* Document who/what/why/how and any advice
* Inform the patient where appropriate

RED FLAGS
* Unverified caller or email asking for details
* Requests to “send the whole record”
* Personal/group chat sharing of identifiable data
* No clear consent, legal duty, or public-interest basis
* No documentation of a disclosure decision

MEMORY AID
LOCK IT
Legitimate purpose • Only necessary information • Consent/condition
Keep secure • Inform appropriately • Trace in the notes