1. Purpose
This policy sets out how the Service handles patient confidentiality and personal data, with specific attention to the additional confidentiality protections that apply to termination services.
Termination data is special-category data under UK GDPR. It is also subject to the specific statutory confidentiality regime in regulation 5 of the Abortion Regulations 1991, which constrains to whom HSA4 notification information may be disclosed. The Service must satisfy both layers.
2. Sources to verify before adoption
- UK General Data Protection Regulation (retained EU Regulation 2016/679): https://www.legislation.gov.uk/eur/2016/679/contents
- Data Protection Act 2018: https://www.legislation.gov.uk/ukpga/2018/12
- Abortion Regulations 1991, regulation 5 (restrictions on disclosure of information): https://www.legislation.gov.uk/uksi/1991/499/regulation/5
- GMC, Confidentiality: good practice in handling patient information: https://www.gmc-uk.org/professional-standards/the-professional-standards/confidentiality
- National Data Guardian Caldicott Principles: https://www.gov.uk/government/publications/the-caldicott-principles
- Information Commissioner's Office, guidance on UK GDPR special-category data: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/special-category-data/
- Information Commissioner's Office, personal data breach reporting: https://ico.org.uk/for-organisations/report-a-breach/
3. Scope
This policy applies to:
- All patient personal data held by the Service: identifying data, clinical records, consent records, HSA1 certificates, HSA4 notification records, payment records.
- All Service staff, contractors, locums, and third-party processors.
- Disclosure of patient information to any party (the patient's GP, a partner or family member, another healthcare provider, an insurer, the police, a court, the CQC, the CMO).
- Subject access requests under UK GDPR Article 15 and DPA 2018 Part 3.
- Personal data breaches under UK GDPR Article 33.
4. The default position
The default position is that no information about a patient's termination care is disclosed to anyone other than the patient and Service staff with a legitimate clinical need.
This includes:
- The patient's GP. Disclosure to the GP is at the patient's explicit choice; the Service asks the patient on every encounter whether they consent to the GP being informed.
- Family members. The Service does not confirm or deny whether a named person is a patient.
- Partners. The same applies: the Service does not confirm or deny.
- Employers. The same applies: the Service does not confirm or deny.
Information is shared only where the patient consents, where a statutory disclosure obligation applies (mandatory reporting under the FGM Act 2003 for under-18s; a police or court order; safeguarding referrals), or where the public-interest threshold for disclosure is met (rare; a clinical-lead decision).
5. The Abortion Regulations 1991 confidentiality regime
Regulation 5 of the Abortion Regulations 1991 sets out specific restrictions on disclosing information from HSA4 notifications. The Service:
- Treats the HSA4 record as confidential to a standard beyond the general UK GDPR confidentiality framework.
- Does not include HSA4 data in any subject access response without specifically considering the regulation 5 constraints.
- Does not share HSA4 data with third parties (including the patient's GP) without both the patient's explicit consent and clinical-lead approval.
The Service's clinical lead is the single point of accountability for any HSA4 disclosure decision.
6. Lawful basis under UK GDPR
The Service processes patient personal data on the following bases:
- Article 9(2)(h) — preventive or occupational medicine, assessment of working capacity, medical diagnosis, provision of health or social care or treatment.
- Article 6(1)(c) — compliance with a legal obligation (Abortion Act 1967 HSA1; Abortion Regulations 1991 HSA4; CQC Reg 17 record-keeping; statutory tax records).
- Article 6(1)(f) — legitimate interests (where applicable for non-clinical processing, e.g. service improvement).
The Service does not rely on Article 6(1)(a) consent as the primary lawful basis for clinical care. Consent to treatment is a clinical-care concept, separate from consent as a UK GDPR lawful basis; withdrawal of consent to treatment does not retroactively invalidate care already provided.
7. Patient rights
Patients have rights under UK GDPR including:
- Right of access (Article 15) — the right to a copy of their personal data.
- Right to rectification (Article 16) — the right to correct inaccurate data.
- Right to erasure (Article 17) — limited; statutory retention requirements override.
- Right to restriction of processing (Article 18) — limited; clinical-record retention requirements apply.
- Right to data portability (Article 20) — applies to data processed by consent or contract; clinical data on lawful basis 9(2)(h) is not portable.
- Right to object (Article 21) — limited where processing is on legal-obligation basis.
The Service provides a subject access response within one month of a valid request, free of charge in the first instance. The response considers the Abortion Regulations 1991 regulation 5 constraints (see §5 above).
8. Communications and contact preferences
At every consultation, the Service confirms with the patient:
- The contact number(s) the patient consents to being used.
- The contact method(s) the patient consents to (phone call, text, email, post).
- Whether voicemail messages may be left, and what they may say.
- Whether reminders for appointments or follow-up may be sent.
- Whether the GP may be informed.
- Whether anyone else may be told the patient is at the Service if they enquire (default: no, including for partners and family members).
These preferences are recorded on the patient record and respected by every staff member who contacts the patient.
9. Data minimisation
The Service collects only the data necessary for the clinical purpose. In particular:
- Identifying data is collected only to the extent needed for HSA1 and HSA4 compliance and for safe care delivery. Additional optional fields are clearly marked as such.
- Sexual orientation, religion, and other special-category data not relevant to the clinical pathway are not collected.
- Third-party contact information (partner, parent, GP) is collected only with the patient's explicit consent.
10. Retention
The Service retains:
- HSA1 certificates and HSA4 records for the period required by the Abortion Regulations 1991 (verify the current period before adoption).
- Clinical records for the period required by the NHS England / Department of Health and Social Care records management code of practice (retention is currently aligned to the NHS clinical record retention framework).
- Subject access response records for at least three years.
- Audit trails of disclosure decisions for the life of the patient record.
At the end of the retention period the Service securely destroys the record and logs the destruction.
11. Sub-processors
The Service maintains a current list of sub-processors with access to patient personal data. This list is shared with patients on request and includes for each sub-processor:
- The purpose of processing.
- The data shared.
- The lawful basis.
- The data residency.
- The data sharing agreement reference.
12. Data breaches
A personal data breach affecting patient information is:
- Reported internally to the clinical lead within one working hour of identification.
- Logged in the data-breach register.
- Risk-assessed for likelihood of harm to the data subject(s).
- Notified to the ICO within 72 hours under UK GDPR Article 33 where the risk threshold is met.
- Notified to affected data subjects without undue delay where the high-risk threshold is met under Article 34.
Termination data carries a particularly high reputational and safety risk if breached (e.g. exposure of the data to a coercing partner). The risk assessment reflects this: breaches of termination data are escalated as high-risk by default unless evidence supports otherwise.
13. Staff confidentiality obligations
All staff sign a confidentiality declaration at the start of employment, covering:
- The general duty of confidence to patients.
- The Abortion Regulations 1991 regulation 5 constraints.
- Caldicott Principles.
- The Service's specific policies on family, partner, and GP enquiries.
Breach of confidentiality is treated as a disciplinary matter and, where the breach involves a registered professional, is also referred to the relevant professional regulator (GMC, NMC, HCPC) for fitness-to-practise consideration.
14. Training
All Service staff complete:
- Confidentiality and data-protection induction training at the start of employment.
- Annual UK GDPR and Data Protection Act 2018 refresher.
- Caldicott Principles awareness training.
- Sector-specific training on the Abortion Regulations 1991 regulation 5 confidentiality regime.
15. Review
This policy is reviewed at least annually and whenever UK GDPR guidance, Data Protection Act 2018 amendments, Abortion Regulations 1991 amendments, or GMC confidentiality guidance materially changes.