• Keeley Harrison

What is the Duty of Candour?

Regulation 20 of The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 requires anyone involved in the provision of care to have a policy of openness and transparency with all care users and anyone who acts on behalf of those care users.

It also sets out some specific requirements that providers must follow when things go wrong with care and treatment, including informing people about the incident, providing reasonable support, truthful information and an apology when things go wrong.

In March 2021, the CQC updated its guidance on the Duty of Candour to ensure that providers understand what it takes to comply.

The Duty includes specific requirements for situations known as ‘notifiable safety incidents’.

What is a notifiable safety incident?

A notifiable safety incident is defined in the Duty of Candour regulation as any unintended or unexpected incident that results in death or physical or mental harm being caused to service users in the course of their care or treatment.

A notifiable safety incident must meet all 3 of the following criteria:

  1. 1. It must have been unintended or unexpected.

  2. 2. It must have occurred during the provision of an activity regulated by the CQC.

  3. 3. In the reasonable opinion of a healthcare professional, it already has, or might, result in death, or severe or moderate harm to the person receiving care. This element varies slightly depending on the type of provider.

Definitions of harm

Paragraph 7 of the Regulation defines these harms.

Moderate harm

Harm that requires a moderate increase in treatment and significant, but not permanent, harm.

Severe harm

A permanent lessening of bodily, sensory, motor, physiological or intellectual functions, including removal of the wrong limb or organ or brain damage, that is related directly to the incident and not related to the natural course of the service user's illness or underlying condition.

Moderate increase in treatment

An unplanned return to surgery, an unplanned re-admission, a prolonged episode of care, extra time in hospital or as an outpatient, cancelling of treatment, or transfer to another treatment area (such as intensive care).

Prolonged pain

Pain which a service user has experienced, or is likely to experience, for a continuous period of at least 28 days.

Prolonged psychological harm

Psychological harm which a service user has experienced, or is likely to experience, for a continuous period of at least 28 days.

The apology

A crucial part of the duty of candour is the apology. This is not an admission of liability, regardless of whether the organisation is in the health or social care, or public or private sectors.

In many cases, it is the lack of a timely apology that leads to legal action being taken against the organisation. To comply with the Duty of Candour, the organisation must apologise for the harm caused, regardless of fault, as well as being open and transparent about what has happened.

When can the CQC prosecute?

The CQC can prosecute for a breach of parts 20(2)(a) and 20(3) of the Regulation. It should be remembered that the CQC can move directly to prosecution without first serving a Warning Notice.

What are the consequences of breaching the Duty?

A breach of Regulation 20(2)(a) and (3) is a criminal offence. It will carry a maximum penalty of a level 4 fine, which is currently up to £2,500. The Duty will apply to organisations registered with the CQC rather than individuals.

It is, however, a defence for a registered person, or a health service body, to prove that they took all reasonable steps and exercised all due diligence to prevent the breach.


Since the Duty of Candour was introduced, three prosecutions have been brought by the CQC:

  • University Hospitals Plymouth NHS Trust for their failure to disclose the details of how a patient died and the failure to apologise within a reasonable timeframe. The trust was fined £1600, plus a £120 victim surcharge and £10,845.43 in court costs.

  • Bradford Teaching Hospital for failing to apologise to the family of a baby boy who died in 2016. The hospital was fined £1250.

  • Royal Cornwall Hospitals NHS Trust fined £16,250 for 13 fixed penalty notices, for failing to comply with the Duty of Candour.

What should employers do?

In order to ensure that it meets the requirements of Regulation 20, an organisation needs to:

  • ensure it operates in an open and transparent way in relation to care and treatment provided;

  • inform the persons affected as soon as reasonably practicable after the notifiable incident has occurred;

  • give an account of the incident, containing all the facts the organisation knows about the incident;

  • advise about further enquiries the health service body believes are appropriate;

  • offer an apology;

  • maintain a written record of all communication between the organisation and the affected person.

Disciplinary action

Organisations subject to the Duty of Candour may well view an employee who causes or contributes to a breach of that duty as guilty of misconduct (or even gross misconduct). Existing disciplinary policies may well have sufficiently broad definitions of misconduct into which breaches of the Duty of Candour will fit. However, in cases where dismissal or other disciplinary action results from a breach, employers might find it easier to justify such action if they have specifically worded the policies to take into account the Duty of Candour.

It is important that employers take steps to ensure that all employees are aware of the Duty of Candour and the consequences of breaching it. This would make it easier for employers to justify any subsequent disciplinary action if they could show that it was a reasonable expectation that employees would be familiar with the revised requirements.


It may be the case that a breach of the Duty of Candour only comes to light through the actions of an employee. Employers should take steps to ensure that employees are aware of how important it is that all breaches or possible breaches are reported as soon as possible.

Whistleblowing policies should be reviewed and revised to establish mechanisms for staff to report concerns and protection for them if they do so.