What does Duty of Candour actually require?

Why Reg 18 (notification to CQC) and Reg 20 (duty to the patient) are different duties, and what the wording actually asks of you.

A provider I worked with last year had an incident-recording template that confidently checked off "duty of candour completed" the moment a CQC notification was sent. Two separate legal duties were being treated as the same duty. They were not the only provider doing that. It is one of the most consistent conflations I saw inside the regulator, and one of the most consistent I still see now from the other side.

This article walks through what Regulation 20 actually asks for, why it sits separately from Regulation 18, and how to tell which one (or both) applies to your event.

Two regulations, two audiences

There are two named duties most people mean when they say "duty of candour", and they live in different regulations.

Regulation 18 of the Care Quality Commission (Registration) Regulations 2009 covers notifications to CQC. It lists the categories of event you must tell the regulator about: deaths, allegations of abuse, police involvement, certain injuries, and so on. CQC is the audience. The notification is sent through the CQC online system.

Regulation 20 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 is the duty of candour. The audience is the patient or their representative (the regulation calls this the "relevant person"). The duty is to be open with the patient about what went wrong, in a specific shape. CQC inspects whether you did this, but the duty itself is owed to the patient, not to CQC.

Same word ("notification" or "candour"), different audiences, different triggers, different content requirements, different shape. They are not interchangeable. Treating them as one duty is the source of most of the trouble I see.

What Regulation 20 actually requires

I will not quote the operative wording in this article. Regulation 20 is short. Read it directly the next time you are setting up or reviewing your incident process. What follows is a description of the shape, so you know what to look for when you read it.

Reg 20 turns on what the regulation calls a notifiable safety incident. That category is precise. It involves harm above a defined threshold and an unintentional element. The threshold language differs between health-service providers and adult-social-care providers; the regulation defines each. Do not assume the threshold from memory or from a consultancy slide. Match your event to the actual wording.

The duty has two stages that I see conflated.

Stage one is a face-to-face conversation with the relevant person, as soon as reasonably practicable after the incident becomes known. "As soon as reasonably practicable" is a judgment standard, not a fixed period. You are expected to be able to defend whatever timing you chose, in writing, against the specific facts of the case.

Stage two is a written follow-up that must contain specific content listed in the regulation. The content list matters. Inspectors look for those specific elements in your written record, not for the existence of a generic "duty of candour letter".

If you do the verbal apology and skip the written follow-up, you have done half the duty. If you send a generic written letter that omits the regulation's content elements, the same. The two stages are both required, both inspected, and both recorded as separate evidence.

What providers most often get wrong

Four mistakes I see repeatedly, ranked roughly by frequency.

Conflating Reg 18 and Reg 20. This is the most common. A team has an incident, files the CQC notification, ticks "duty of candour done". Reg 18 is satisfied; Reg 20 is not even started, because Reg 20 is owed to the patient, not the regulator.

Treating the verbal stage as the end of the duty. The face-to-face conversation feels like the hard part, because it is. After it happens, the written follow-up gets pushed to "later this week" and slides. By the time anyone looks again, it is six weeks later and the file has no written record.

Documenting "duty of candour completed" without recording the specific content delivered. A tick-box is not evidence. An inspector reading your file is looking for the actual letter, with the actual content from the regulation, dated and signed. The tick-box alone reads as "we know we have to do this and we did something".

Treating it as a CQC reporting duty. A surprising number of services I have seen genuinely believe Reg 20 is a thing you send to CQC. It is not. It is a duty to the patient. CQC inspects that you discharged the duty; you do not "send a Reg 20" anywhere.

How to tell which one applies

Most events that trigger Reg 20 also trigger Reg 18, so you owe both. The reverse is not always true. Plenty of Reg 18 notifications (a service-user death from a chronic condition where nothing went wrong, for example) do not involve a notifiable safety incident, so Reg 20 does not engage.

The honest test is to read each regulation against the facts. Reg 18 has a list of trigger categories. Reg 20 has the notifiable-safety-incident definition. Match your event to each, independently. If both fit, you owe both. If only one, you owe that one. If neither, document why for your own audit trail.

Where this most commonly bites is the borderline cases. Was the harm "moderate"? Was it unintentional? Different reasonable people will reach different conclusions on the same fact pattern. The defensible position is to record the reasoning, not just the conclusion.

Why this matters for inspection

CQC inspectors look at Reg 20 evidence as a marker of culture, not just compliance. A service that records the verbal apology, the written follow-up with the specific content elements, and the dates of both, is showing that openness is something the team does, not something the team performs once when asked.

A service with checkbox-only records and no specific content is showing the opposite, and inspectors read that signal immediately. The well-led key question rests heavily on this kind of evidence; the safe key question, on the substance of the incident response.

This is one of the places where the difference between a service that knows what the rules say and a service that has been told what the rules say shows up cleanly.

The product point, briefly

The reason I am strict about this in the platform: Verivius separates Reg 18 and Reg 20 as distinct evidence records, with the regulation reproduced verbatim alongside each, and the specific content fields the regulator lists. You cannot tick "duty of candour done" without filling in what was delivered, when, and to whom. This is not a feature to sell; it is the only honest way to record the duty.

Where to read the source

Read these directly, not the paraphrases:

  • Regulation 18 of the Care Quality Commission (Registration) Regulations 2009.
  • Regulation 20 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014.

Both are on legislation.gov.uk. Both are short. Reading them is the cheapest piece of governance work you will do this quarter.

Klaudiusz Zembrzuski

Founder, Verivius

Related sample policy template: Reg 20 Duty of candour, verbatim statutory text plus a 10-step operational procedure to adapt.

Worried your incident process conflates Reg 18 and Reg 20?

This is a small change to fix and a large change to defend at inspection. Verivius separates them as distinct evidence records, each with the source text alongside and the regulator-listed content fields. Request a 30-minute conversation and I will walk you through it.