Lost notes

You took patient notes home to work on an audit but when you get home you realise they're not in your bag - you don't know where they are.

How do you proceed?

Issues

  1. Patient confidentiality
  2. Data security
  3. Patient safety
  4. Duty of candour

Seek information

  1. Identify which notes were lost, at what time, and for which patients
  2. Are there electronic backups?

Patient safety

  1. Disruption to continuity of care
  2. Private health information made public may make patients vulnerable

Initiative

  1. Re-trace steps
  2. Call colleague at work to ask to check common areas
  3. Call public transport company

Escalate

  1. Consultant in charge of patient
  2. Clinical/educational supervisor
  3. Data protection champion for the trust
  4. Caldicott guardian for the trust
  5. Medical defence organisation
  6. Medical archives team - for replacement copy of notes to be available to the clinical teams

Support

  • Support patient: Duty of candour - discuss with the patients, explain what happened, apologise, and explain how it may affect them going forward and what we are doing to make it right; I would ensure any relevant specialities are aware of the problem to prevent issues with continuity of care
  • Support team: Explore whether there was a lack of guidance on the issue, and whether organising teaching on safe handling of patient data would be useful
  • Support myself: be open with my supervisor if I think I need more support

Document

  • DATIX

Reflect

  • Reflect in portfolio, including what I learnt
  • E-learning on patient confidentiality and data protection
  • Review GMC guidelines
  • Reflect with supervisor on lapse of judgement, and my management of the situation

What is duty of candour and what GMC guidance is provided for this?

A statutory duty and a crucial legal requirement under CQC Regulation 20, requiring doctors to be open and honest with patients/families when "notifiable safety incidents" occur. Notifiable safety incidents are defined as unintended incidents causing moderate/severe harm or death.

The GMC, in joint guidance with the NMC, outlines that it is a professional responsibility to: 

  • Tell the patient (or representative) immediately when a mistake or unexpected incident happens
  • Apologise sincerely for the harm or distress caused
  • Explain fully and promptly what occurred and the short-term and long-term effects
  • Offer a remedy or support to put matters right
  • Report incidents internally to employers and, if applicable, to regulatory bodies
  • Document all conversations and actions taken

What legislation is relevant to patient data?

  • Data Protection Act 2018 is a domestic law governing the use of personal data and the flow of information in the UK, including the processing of personal health data. It covers how such data is obtained, used and stored, and allows patients to request access via "Subject Access Requests".
  • The UK General Data Protection Regulation (UK GDPR) is the UK’s data protection law governing the processing of personal data for UK residents, effective since 2021. Alongside the DPA 2018, it ensures data is handled legally, fairly, and transparently, enforced by the Information Commissioner’s Office (ICO). Health data is classed as a special category, requiring extra protection. It also gives patients rights to access their records, rectification, erasure (in limited cases), restriction of processing and data portability.
  • Common Law Duty of Confidentiality is not statute, but legally binding - states that information provided in confidence must not be disclosed without consent unless there is a legal basis, such as direct care, public interest, or court order.
  • Data Use and Access Act 2025: This newer Act amends and modernises existing data law (including the DPA 2018 and UK GDPR) to clarify lawful bases for processing, information standards (including in health and care), and how data can be used responsibly for public service delivery and research. It doesn’t replace core protections but updates how they operate in practice.
  • Human Rights Act 1998: Article 8 of the Human Rights Act protects a person’s private and family life. Courts and public bodies must consider this right when making decisions about accessing or disclosing health data. This right underpins many confidentiality decisions in health and social care.
  • Caldicott Principles: Although not statutory law, the Caldicott Principles are a mandatory ethical and professional framework in the NHS of 8 principles to guide how confidential patient information should be used and shared. They include key tenets such as justifying purpose, minimum necessary use, and compliance with law. Organisations must follow them as part of information-governance practice.
  • GMC guidance on Confidentiality: good practice in handling patient information - the main GMC guidance on patient data and confidentiality. It explains doctors’ ethical and legal duties to manage patient information appropriately. Key points include: confidentiality is central to trust and good care; you must only access information when you have a legitimate clinical purpose; you should share relevant information within a patient’s direct care team where appropriate unless the patient objects; implied consent may be assumed for sharing information for direct care; explicit consent should be sought for other purposes unless there’s a lawful basis to share without consent; information should be minimised - share only what is necessary. This guidance has been updated to align with data protection law (UK GDPR / Data Protection Act 2018) and to reflect expectations for modern practice.

In what instances is it acceptable to breach patient confidentiality?

  1. In routine care, implied consent is usually sufficient for sharing within the direct care team unless the patient objects
  2. When required by law - for example:
     • Court orders or subpoenas
     • Certain statutory notifications (e.g. notifiable diseases)
     • Terrorism legislation
     • Road Traffic Act requests in specific circumstances
     • Coroner’s investigations
  3. In the public interest to prevent serious harm - where failure to do so would expose others (or the patient) to a risk of serious harm or death. This includes situations like:
     • Threats of serious violence
     • Safeguarding concerns - child or vulnerable adult abuse
     • Serious communicable diseases posing risk to others
     • Unsafe drivers with medical conditions who refuse to notify the DVLA
     • Radicalisation or terrorism concerns
  4. If a patient lacks capacity and there are safeguarding concerns such as abuse or neglect, it is necessary to act in their best interests under the Mental Capacity Act and disclose relevant information to the safeguarding team or statutory authorities.
