1 Introduction
2 Confidentiality
3 Confidentiality — Guidelines
4 Data Protection Act 1998
5 Access to Medical Records
6 Privacy
7 Other Legal Provisions
2 — Confidentiality
‘… a duty of confidence arises when confidential information comes to the knowledge of a person (the confidant) in circumstances where he has notice, or is held to have agreed, that the information is confidential, with the effect that it would be just in all the circumstances that he should be precluded from disclosing the information to others.’
AG v Guardian Newspapers (No 2) 3 All ER 545
The material for which protection is claimed must be:
1 Of limited public availability; and
2 Of a specific character.
SPECIFIC CHARACTER
For material to be protected as confidential it must be possible to point to a definite body of material or source of information. The material must not be so intermingled with material publicly available that it is impossible to indicate its limits. This has been stressed by the courts in relation to injunctions which must be so drafted as to leave the party enjoined in no doubt as to what is forbidden.
In order for a person to be held liable for breach of confidence, it must be shown that:
1 The material communicated to them had the necessary quality of confidence.
2 It was communicated or became known to them in circumstances entailing an obligation of confidence.
3 There was an unauthorised use of that material.
Coco v AN Clark (Engineers) Ltd RPC 41 at 47–48, per Megarry J
Some authorities require that the unauthorised use be to the detriment of the claimant. An obligation of confidence which is or becomes unreasonable may not be enforced even if detriment to the claimant is shown.
R (on the application of Leonard O’Reilly) v Blenheim Healthcare Ltd. EWHC 241 (Admin)
Facts
The claimant was detained under sections 37 and 41, having been convicted of ABH on his father. He attributed the motivation, or at least the background, for his assault, to abuse that he said he suffered at the hands of his father during his childhood. The RMO wished to enquire into the claimant’s past personal history.
The claimant sought judicial review. The issue which arose was whether the claimant had a legal right to prevent such enquiries being made. He argued that his rights under art 8 of the European Convention on Human Rights would be infringed because if the enquiries took place there would be a communication by the RMO to the claimant’s parents of confidential medical information relating to the claimant himself, which would be wrong without the consent of the claimant or other legal justification.
Held
The claim would be dismissed.
(1) The inquiries sought to be made by the RMO were not treatment. An enquiry of a third party was not within that category.
(2) It had not been established that there was any real risk of confidential information being disclosed. Moreover, mere contact itself between the RMO and the claimant’s parents could not infringe the Article 8 rights of the claimant. The object of the enquiry is to obtain information and not to communicate it. Accordingly there was no possible infringement of Article 8.
The confidentiality of information concerning misconduct or iniquity which in the public interest ought to be disclosed will not be protected. This applies to matters relating to past and contemplated crime, health risks to the public, and matters within the purview of regulatory bodies or public inquiries set up to investigate the efficiency of public bodies or institutions. See, e.g., A Health Authority v X  EWCA Civ 2014,  2 All ER 780, where it was held that there is a high public interest in seeing that professional disciplinary hearings for medical malpractice are properly administered, and that this could outweigh the confidentiality of patient records that are inextricably linked with the case papers.
‘The crucial question is how, on the special facts of the case, the balance should be struck between the public interest in maintaining professional confidences and the public interest in protecting the public against possible violence.’
Egdell case: W. v. Egdell and others Ch. 359
It had never been doubted that the circumstances imposed on Dr. Egdell a duty of confidence to W. The breadth of that duty was dependent on the circumstances. The decided cases very clearly established (1) that the law recognised an important public interest in maintaining professional duties of confidence but (2) that the law treated such duties not as absolute but as liable to be overridden where there was held to be a stronger public interest in disclosure. The crucial question was how, on the special facts of the case, the balance should be struck between the public interest in maintaining professional confidences and the public interest in protecting the public against possible violence.
‘There was one consideration which weighed the balance of public interest decisively in favour of disclosure. It could be shortly put. Where a man had committed multiple killings under the disability of serious mental illness, decisions which might lead directly or indirectly to his release from hospital should not be made unless a responsible authority was properly able to make an informed judgment that the risk of repetition was so small as to be acceptable. A consultant psychiatrist who became aware, even in the course of a confidential relationship, of information which led him, in the exercise of what the court considered a sound professional judgment, to fear that such decisions might be made on the basis of inadequate information, and with a real risk of consequent danger to the public, was entitled to take such steps as were reasonable in all the circumstances to communicate the grounds of his concern to the responsible authorities. There was no doubt that the judge’s decision in favour of Dr. Egdell was right on the facts of this case. Nor could it be said that if Dr. Egdell was entitled to make some disclosure he should have disclosed only the crucial paragraph of his report and his opinion. An opinion, even from an eminent source, could not be evaluated unless its factual premise was known, and a detailed 10-page report could not be reliably assessed by perusing a brief extract.’
R v Crozier (1990) The Guardian, 8 May
The defendant had pleaded guilty to attempted murder and proceedings had been adjourned for medical reports. Dr M was instructed to examine Mr Crozier. However, his report did not reach defence counsel at the time of the hearing. The defendant was sentenced to nine years in prison. Dr M then arrived late. Approaching counsel for the prosecution, he informed him that in his opinion the defendant was suffering from a psychopathic disorder under the Mental Health Act 1983. He also said that another doctor who had originally been of the view that the defendant was not suffering from that mental disorder had changed his mind. The prosecution applied for and obtained variation of sentence, with the judge making hospital and restriction orders. The defendant’s appeal was rejected. The Court of Appeal said that Dr M had been in very much the same position as had Dr Egdell. Both doctors had believed that they were acting in the public interest.
3 — Confidentiality — Guidelines
See Good Medical Practice, 2006 Guidelines, General Medical Council
‘37. Patients have a right to expect that information about them will be held in confidence by their doctors. You must treat information about patients as confidential, including after a patient has died. If you are considering disclosing confidential information without a patient’s consent, you must follow the guidance in Confidentiality: Protecting and providing information.’
‘Good Medical Practice’, General Medical Council
See Confidentiality: Protecting and Providing Information, April 2004 Guidance, General Medical Council
1. If you are asked to provide information about patients you must:
inform patients about the disclosure, or check that they have already received information about it;
anonymise data where unidentifiable data will serve the purpose;
be satisfied that patients know about disclosures necessary to provide their care, or for local clinical audit of that care, that they can object to these disclosures but have not done so;
seek patients’ express consent to disclosure of information, where identifiable data is needed for any purpose other than the provision of care or for clinical audit – save in the exceptional circumstances described in this booklet;
keep disclosures to the minimum necessary; and
keep up to date with and observe the requirements of statute and common law, including data protection legislation.
April 2004 Guidance
Circumstances where patients may give implied consent to disclosure
Sharing information in the health care team or with others providing care
10. Most people understand and accept that information must be shared within the health care team in order to provide their care. You should make sure that patients are aware that personal information about them will be shared within the health care team, unless they object, and of the reasons for this … You must respect the wishes of any patient who objects to particular information being shared with others providing care, except where this would put others at risk of death or serious harm.
11. You must make sure that anyone to whom you disclose personal information understands that it is given to them in confidence, which they must respect …
12. Circumstances may arise where a patient cannot be informed about the sharing of information, for example because of a medical emergency. In these cases you must pass relevant information promptly to those providing the patient’s care.
April 2004 Guidance
Disclosures required by law
18. You must disclose information to satisfy a specific statutory requirement, such as notification of a known or suspected communicable disease. You should inform patients about such disclosures, wherever that is practicable.
Disclosures to courts or in connection with litigation
19. You must also disclose information if ordered to do so by a judge or presiding officer of a court …
Disclosures to statutory regulatory bodies
21. Patient records or other patient information may be needed by a statutory regulatory body for investigation into a health professional’s fitness to practise …
April 2004 Guidance
Disclosures in the public interest
22. Personal information may be disclosed in the public interest, without the patient’s consent, and in exceptional cases where patients have withheld consent, where the benefits to an individual or to society of the disclosure outweigh the public and the patient’s interest in keeping the information confidential ...
23. Before considering whether a disclosure of personal information ‘in the public interest’ would be justified … you should still try to seek patients’ consent, unless it is not practicable to do so, for example because … the patients are not competent to give consent …; or the patient has been, or may be violent; or obtaining consent would undermine the purpose of the disclosure (e.g. disclosures in relation to crime) …
24. In cases where there is a serious risk to the patient or others, disclosures may be justified even where patients have been asked to agree to a disclosure, but have withheld consent (for further advice see paragraph 27).
25. You should inform patients that a disclosure will be made, wherever it is practicable to do so …
April 2004 Guidance
Disclosures to protect the patient or others
27. Disclosure of personal information without consent may be justified in the public interest where failure to do so may expose the patient or others to risk of death or serious harm. Where the patient or others are exposed to a risk so serious that it outweighs the patient’s privacy interest, you should seek consent to disclosure where practicable. If it is not practicable to seek consent, you should disclose information promptly to an appropriate person or authority. You should generally inform the patient before disclosing the information. If you seek consent and the patient withholds it you should consider the reasons for this, if any are provided by the patient. If you remain of the view that disclosure is necessary to protect a third party from death or serious harm, you should disclose information promptly to an appropriate person or authority. Such situations arise, for example, where a disclosure may assist in the prevention, detection or prosecution of a serious crime, especially crimes against the person, such as abuse of children.
April 2004 Guidance
Disclosures in relation to the treatment sought by children or others who lack capacity to give consent
28. Problems may arise if you consider that a patient lacks capacity to give consent to treatment or disclosure. If such patients ask you not to disclose information about their condition or treatment to a third party, you should try to persuade them to allow an appropriate person to be involved in the consultation. If they refuse and you are convinced that it is essential, in their medical interests, you may disclose relevant information to an appropriate person or authority. In such cases you should tell the patient before disclosing any information, and where appropriate, seek and carefully consider the views of an advocate or carer …
Disclosures where a patient may be a victim of neglect or abuse
29. If you believe a patient to be a victim of neglect or physical, sexual or emotional abuse and that the patient cannot give or withhold consent to disclosure, you must give information promptly to an appropriate responsible person or statutory agency, where you believe that the disclosure is in the patient’s best interests …
April 2004 Guidance
Q14 I work with sex offenders who are transferred from prison to hospital during their custodial sentence. A patient has recently been discharged, but I know he does not intend to register his new address with the police, as he is required to do by law. Should I tell the police he has been discharged?
The Sex Offenders Act 1997 requires the offender to register his name and address with the police. However, disclosures without consent are justified when a failure to disclose information may put the patient, or someone else, at risk of death or serious harm. If you believe that the patient poses a risk to others, and you have good reason to believe that he does not intend to notify the police of his address, then disclosure of the patient’s discharge would be justified.
April 2004 Guidance
Q15 A child in my practice has recently been taken to hospital suffering serious injuries from abuse. His father is now being prosecuted. I’ve been asked to provide information about the child and her family for a Case Review. I’m the GP to the child’s father and he won’t give consent to the release of information, what should I do?
Case Reviews are often set up to identify why a child has been seriously harmed, to learn lessons from mistakes and to improve systems and services for children and their families. (In England and Wales such reviews are often referred to as Part 8 Reviews).
Where the overall purpose of a review can reasonably be regarded as serving to protect other children from a risk of serious harm, you should co-operate with requests for information, even where the child’s family does not consent, or if it is not practicable to ask for their consent. Exceptionally, you may see a good reason not to disclose information; in such cases you should be prepared to explain your decision to the GMC.
April 2004 Guidance
Q16 A patient of mine is a doctor; I am concerned that he has a drinking problem which could affect his judgement. It has taken me a long time to get him to admit to any problems, and if I disclose the information to his employer or the GMC now he will probably deny everything and find another doctor. What should I do?
This patient has the same right to good care and to confidentiality as other patients. But, there are times when the safety of others must take precedence. If you are concerned that his problems mean that he is an immediate danger to his own patients, you must tell his employing authority or the GMC straight away. If you think the problem is currently under control, you must encourage him to seek help locally from counselling services set up for doctors or for the public generally. You must monitor his condition and ensure that if the position deteriorates you take immediate action to protect the patients in his care.
April 2004 Guidance
Q17 A patient of mine suffers from a serious mental illness. He is often erratic and unstable. I know that he drives, although I have warned him that it is often unsafe for him to do so. He insists that his illness does not affect his judgement as a driver. Should I tell the DVLA?
Where patients have such conditions you should:
a. Make sure that patients understand that the condition may impair their ability to drive. If a patient is incapable of understanding this advice, for example because of dementia, you should inform the DVLA immediately.
b. Explain to patients that they have a legal duty to inform the DVLA about the condition.
If patients refuse to accept the diagnosis or the effect of the condition on their ability to drive, you can suggest that the patients seek a second opinion, and make appropriate arrangements for the patients to do so. You should advise patients not to drive until the second opinion has been obtained. If patients continue to drive when they may not be fit to do so, you should make every reasonable effort to persuade them to stop. This may include telling their next of kin, if they agree you may do so.
If you do not manage to persuade patients to stop driving, or you are given or find evidence that a patient is continuing to drive contrary to advice, you should disclose relevant medical information immediately, in confidence, to the medical adviser at the DVLA. Before giving information to the DVLA you should try to inform the patient of your decision to do so. Once the DVLA has been informed, you should also write to the patient, to confirm that a disclosure has been made.
April 2004 Guidance
Who is most at risk of violence?
Are these individuals aware of the risk, the history of violence, the context within which it occurred, and any warning signs?
Will strictly observing the confidentiality of patient information place any person(s) at greater risk?
Should information about the risks therefore be shared with those bearing the risks, as part of the risk management strategy?
The Nursing and Midwifery Council Code of Professional Conduct
http://www.nmc-uk.org/(sknklt551haimf55pdsrmd25)/aFrameDisplay.aspx?DocumentID=475
The Chartered Society of Physiotherapy: Rules of Professional Conduct
http://www.csp.org.uk/director/effectivepractice/rulesofconduct/professionalconduct.cfm
General Social Care Council: Codes of Practice for Social Care Workers and Employers
http://www.gscc.org.uk/Good+practice+and+conduct/What+are+the+codes+of+practice/
Information on ethical practice
This can be obtained from the British Medical Association at: http://www.bma.org.uk/ap.nsf/Content/Hubethics
Information on record keeping can also be obtained from the following:
Nursing and Midwifery Council (NMC) Guidance 01.05
Guidelines prepared by the NMC on records and record-keeping practices for nurses and midwives. See: http://www.nmc-uk.org/(k452wr55m2qj1p2ppgy3xf45)/aDisplayDocument.aspx?DocumentID=1120
Midwives Rules and Standards - NMC Standards 05.04
The Nursing and Midwifery Order 2001 requires the NMC to set rules and standards for midwifery. The rules and standards document provides guidance on the interpretation of these rules and standards and includes record keeping. See: http://www.nmc-uk.org/(k452wr55m2qj1p2ppgy3xf45)/aDisplayDocument.aspx?DocumentID=169
4 — Data Protection Act 1998
Trusts are required by law to look after all personal information in accordance with the Data Protection Act of 1998. They will be registered as a ‘Controller’ of personal information with the Office of the Information Commissioner. The Act replaces the Access to Health Records Act 1990 (except for records relating to people who have died) and allows patients to have access to their medical records subject to certain limited exceptions. However, the Act is extensive and covers all types of data whether held on computer database or in manual form.
Personal data
Personal data means information which relates to a living individual who can be identified from that information, or other information held by the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. The definition does not cover information relating to someone who has died. Access to health records relating to deceased individuals is still covered by the Access to Health Records Act 1990.
Sensitive personal data
Sensitive personal data includes information relating to ethnic or racial origin, religious or political beliefs, physical or mental health, sexual matters and criminal offences.
Processing
Processing has an extensive definition. It means obtaining, recording or holding information or any handling of the information, including organising, altering, retrieving, using, disclosing or destroying the information.
Data processor
Data processor means any person (other than an employee of the data controller) who processes personal information on behalf of the data controller.
Data subject
Data subject means the individual to whom the information refers. A data subject must be a living individual. Organisations such as companies and other corporate and unincorporated bodies of persons cannot, therefore, be data subjects.
Data controller
Data controller means the person who determines the purposes for which and the manner in which any information is to be processed (broadly speaking, the person who holds the data). It is the duty of the data controller to comply with the Data Protection Principles. The definition of data controller comprises individuals, companies and other organisations including corporate and unincorporated entities. More than one person can be a data controller.
In terms of disclosure and the Act, disclosing information about a patient’s mental health therefore involves a data processor/professional processing/using and disclosing information/sensitive personal data concerning the patient/data subject.
There are eight principles governing the proper handling of data under the Act.
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
1 At least one of the conditions in Schedule 2 is met
And, in the case of sensitive personal data, either
2a At least one of the conditions in Schedule 3 is also met
OR
2b Processing is permitted in the public interest.
Is Schedule 2 satisfied? The Conditions
Is at least one of the conditions in Schedule 2 met?
Patient (data subject) has given their consent.
The disclosure (processing) is necessary to comply with a legal obligation.
The disclosure (processing) is necessary in order to protect the vital interests of the patient (data subject), i.e. where the processing is necessary for matters of life and death.
The disclosure (processing) is necessary for the administration of justice or the exercise of functions of a public nature in the public interest.
The processing is necessary for the pursuit of legitimate interests by the trust (data controller) or the person to whom the information is being disclosed, unless such processing is unwarranted because of prejudice to the rights, freedoms or legitimate interests of the data subject.
Is Schedule 3 satisfied? The Conditions
Is at least one of the conditions in Schedule 3 (also) met?
The data subject has given their explicit consent to the processing (implied consent is not sufficient).
The processing is necessary for the purposes of exercising or performing any right or obligation relating to employment.
The processing is necessary in order to protect the “vital interests” of the data subject or another person in a case where consent cannot be given by or on behalf of the data subject, or the data controller cannot reasonably be expected to obtain their consent.
The processing is necessary in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.
The processing is necessary for the exercise of any functions conferred on any person by or under any enactment.
The information has already been made public by the data subject.
The processing is necessary for legal proceedings or the administration of justice.
The processing is necessary for the provision of care and treatment and the management of healthcare services and is undertaken by a health professional, or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.
The processing is permitted by the 2000 Order (substantial public interest, see Step 3).
The 2000 Order Public Interest Conditions
Is the disclosure (processing) permitted in the substantial public interest? (Alternative ground to Step 2)
Sensitive personal data (for example information relating to physical or mental health) may be lawfully processed without explicit consent where there is a substantial public interest in disclosing the data for any of the following purposes:
1. for the detection and prevention of crime;
2. for the protection of members of the public against malpractice, incompetence, mismanagement etc;
3. to publicise the fact of malpractice, incompetence, mismanagement etc, for the protection of the public;
4. to provide confidential counselling and advice where explicit consent cannot be given nor reasonably obtained, or where the processing must be carried out without explicit consent so as not to prejudice that confidential counselling or advice; or
5. to undertake research that does not support measures or decisions with respect to any particular data subject unless the data subject has explicitly consented and does not cause, nor is likely to cause, substantial damage or substantial distress to the data subject or any other person.
6. Where the processing is necessary for the exercise of any functions conferred on a constable by any rule of law.
See: The Data Protection (Processing of Sensitive Personal Data) Order 2000
2 Lawful purpose
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3 Proportionality
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4 Accuracy
Personal data shall be accurate and, where necessary, kept up to date. Information is inaccurate if it is incorrect or misleading as to any matter of fact.
5 Relevance
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes. Data controllers must therefore review the information they hold on a regular basis and delete any information no longer required.
6 Compliance
Personal data shall be processed in accordance with the rights of data subjects under the Act. This means that a data controller must comply with the provisions of the Act relating to access to information, the prevention of processing which causes distress and the correction of inaccurate data.
7 Security
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Data controllers must ensure that adequate safeguards are taken to protect information and keep it confidential.
8 Jurisdiction
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
In determining whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed. For the purposes of the first principle, data are to be treated as obtained fairly if they consist of information obtained from a person who— (a) is authorised by or under any enactment to supply it, or (b) is required to supply it by or under any enactment or by any convention or other instrument imposing an international obligation on the United Kingdom.
HSC1999/012, dated 22 January 1999, instructed Chief Executives of NHS organisations to appoint a Caldicott Guardian by 31 March 1999. A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing. The Caldicott Guardian Manual takes account of developments in information management in the NHS and in Councils with Social Services Responsibilities since the publication of the Caldicott report. It sets out the role of the Caldicott Guardian within an organisational Caldicott/confidentiality function as a part of broader information governance. For a copy of the manual, see http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_062722.
5 — Access to Medical Records
The Act provides that, upon making a request in writing and payment of a fee (currently no more than £10 for computer records and £50 for paper records), an individual is entitled to be told by the data controller whether they or someone else on their behalf is processing that individual’s personal data and, if so, to be given a description of the information, the purposes for which it is being processed and the people to whom it is or may be disclosed. The individual is also entitled to be given a copy of the information in an intelligible and permanent form unless this would involve “disproportionate effort”. The data controller must comply with a request for access as soon as possible and, in any event, within 40 days of the request. The data controller must consider whether the information in question contains information relating to an identifiable third party (who is not a health professional). If it does, then where the data controller cannot comply with the request without disclosing information relating to such other party, he is not obliged to comply unless the other individual has consented to the disclosure. However, he can do so if it is reasonable in all the circumstances to comply without the consent of the other individual.
Where the application is made on behalf of a child or an incapacitated adult, the data controller may also withhold any information which was provided on the understanding that it would not be disclosed to that person. Where information can be disclosed, the courts have held that there is a discretion to disclose information to carers in order to allow them to exercise their rights as carers, even if the consent of the person being cared for cannot be obtained. A balance needs to be struck between the individual’s right to confidentiality and the rights of the carer to be able to exercise his or her responsibilities.
Special rules apply to health and social work records. Access to health records may be refused on medical advice by the data controller where disclosure would be “likely to cause serious harm to the physical or mental health or condition of the data subject or another person”. However, the data controller can only do this after consulting the “appropriate health professional” (meaning the person most recently responsible for the patient’s clinical care in connection with the subject matter of the request). There is a similar provision in relation to social work records. In this case, however, the decision rests with the social work authority alone, with no obligation to consult any other professional.
1 Processing causing distress
If an individual believes that a data controller is processing personal data in a way that causes, or is likely to cause, substantial unwarranted damage or distress, the Act provides that the individual can send a notice to the data controller requiring him or her to stop the processing. When the data controller receives such a notice he or she must, within 21 days, reply to the individual stating either that he or she has complied with the request or explaining what he or she intends to do. If the individual is not happy with the decision of the data controller, he or she can appeal to the Information Commissioner.
2 Dealing with inaccurate facts
An individual may feel aggrieved about errors, omissions or other inaccuracies which may be contained in personal data. If the complaint is about inaccurate facts as opposed to disputed opinions, the individual may apply to the Court for an order requiring the data controller to rectify, block, erase or destroy the inaccurate data, together with any other personal data which contain an expression of opinion which the Court finds is based on the inaccurate data. Data are only inaccurate if they are incorrect or misleading as to any matter of fact. The Court may also make such an order if the data subject has suffered damage due to any breach of the Act and there is a substantial risk of further breaches occurring. In either of these cases the Court may order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.
3 Dealing with disputed opinions
It is far more difficult to alter statements of opinion such as medical diagnoses, unless these have clearly been formed from obviously incorrect facts. In these circumstances, the practical solution may be for the data subject to submit to the data controller his or her own statement of facts, with or without a second opinion. This can then be added to the file. If the data controller refuses to record such statement, the data subject may apply to the Court, which can order that the data be supplemented by an approved statement of the true facts or make any other order as it sees fit.
Records Management: NHS Code of Practice, Department of Health, April 5 2006
The NHS Information Governance Toolkit
The Information Governance Toolkit return is required from all NHS organisations and provides guidance and best practice on all facets of information governance including: Data Protection Act 1998; Freedom of Information Act 2000; The NHS Confidentiality Code of Practice; Records Management; Information Quality Assurance; Information Security; Information Governance Management.
See: http://nww.nhsia.nhs.uk/infogov/igt/
6 — Privacy
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
Is the national measure, or the local policy or procedure, which interferes with the enjoyment of a Convention right proportionate to the (legitimate) aim which the measure seeks to achieve? Is the measure actually appropriate? Does the measure have a wider effect than is strictly necessary? Does the measure impose an excessive burden on any individual?
PRIVATE LIFE: Personal life; Relationships; Sexual identity; Telephone calls, data; Health and injury; Sexual practices; Mail; Personal office space
FAMILY LIFE: Family ties; Cohabitation; Family visits/children; Protection from domestic violence; Hospital transfers?
In Z v Finland, the ECHR had observed that ‘respecting the confidentiality of health data is a vital principle in the legal systems of all the Contracting Parties to the Convention. It is crucial not only to respect the sense of privacy of a patient but also to preserve his or her confidence in the medical profession and in the health services in general.’ Z v Finland (1997) 25 EHRR 371, 45 BMLR 107; See also MS v Sweden (1997) 28 EHRR 313, 45 BMLR 133, 3 BHRC 248
Stone v South East Coast Strategic Health Authority and others  EWHC 1668 (Admin), CO/10426/2005
Following the conviction of Mr Stone at his first trial, the three Defendants commissioned an independent Inquiry into his care, treatment and supervision. In 2005, Mr Stone objected to the report in its full form being published to the world at large. He accepted that the full report could be provided to health professionals and relevant professional bodies and similar agencies (who would be under a duty of confidentiality with regard to its contents). He also accepted that some version of the report properly could, indeed should, be placed before the public. However, he asserted that the extensive citations from his private medical and other such notes, and disclosure of psychiatric and other such information in the report would, if publicised, be a disproportionate and unlawful interference with his private life, contrary to art 8 of the European Convention on Human Rights. It was also asserted that publication would breach the provisions of the Data Protection Act 1998.
Grounds of Appeal
Ultimately the two grounds pursued in court were that:
1. Publication to the world at large of the full report was not in accordance with law or necessary in the public interest, by reference to Article 8 of the Convention.
2. In any event, such publication would constitute a breach of the provisions of the Data Protection Act 1998.
Held
It is notable that in a letter dated 9 July 2004 the panel chairperson had explained that in preparing its report the Panel had considered whether the facts set out were (in the view of the panel) necessary to be included in the public interest after taking account of Mr Stone’s rights in respect of his privacy and the confidentiality of his records. Specific examples were given to the court of matters excluded from the final version of the report by the panel as not satisfying this requirement.
The most weighty point in Mr Stone’s favour was his entitlement to claim a right of privacy (see Article 8). However, this was significantly outweighed by a number of other considerations:
1) The publication of a report undertaken by a system of expurgation that involved removing references to the contents of medical notes, and (in some respects) editing comments and conclusions of the inquiry, was not viable and could even mislead.
2) There was a true public interest in the public knowing of the actual care and treatment supplied to Mr Stone; and knowing, and being able to reach an informed assessment of, the failures identified and the steps recommended to address identified deficiencies. Such an objective could not be met simply by releasing a full version of the report to relevant health professionals.
3) Where individuals or agencies involved in Mr Stone’s treatment were or were not criticised, the public could legitimately expect to know the full reasons for that. The information to be disclosed was disclosed solely with the aim of providing an informed view as to what went wrong, with a view to important lessons being learned for the future, both for the assistance of other people in the position of Mr Stone and for the protection and reassurance of the public. The actual details of the case were crucial for an informed assessment of the Panel’s conclusions and comments.
4) A justification for restricting Mr Stone’s right to privacy in this context was that the inquiry and publicity had arisen out of Mr Stone’s own acts. He had, as it were, put himself in the public domain by reason of those criminal acts.
5) A great deal of information relating to his background, treatment and mental health was already in the public domain.
6) Josie Russell and Dr Russell - the victims - supported publication. So did the panel itself and all the Defendants - the Secretary of State and relevant Mental Health authorities.
7) Publication of the report in full could only assist the legitimate and ongoing public debate about the treatment of the mentally ill and those with disturbed personalities in the community.
Data Protection Act 1998
The Data Protection Act 1998 was made in consequence of Directive 95/46/EC of 24 October 1995. As a matter of principle, the Act should be interpreted so as to accord with the policy and purpose behind the Directive. A condition in Schedule 2 was satisfied (‘The processing is necessary . . . for the purpose of any other functions of a public nature exercised in the public interest by any person’). A condition in Schedule 3 was satisfied. Paragraph 7 provides that one such condition is where ‘the processing is necessary . . . (b) for the exercise of any functions conferred on any person by or under an enactment’. The Defendants had the power to commission an inquiry and promulgate its report. It was established under section 2 of the National Health Service Act 1977 and para 3 of the 2002 Regulations. (Obiter) The report’s publication would also be within the ambit of "medical purposes", for the purposes of para 8, as relating to "the management of healthcare services". It would also be "necessary" for such medical purposes. Furthermore the processing would be by the Defendants, who are within the class of persons owing a duty of confidentiality equivalent to that which would arise if they were health professionals.
7 — Other Legal Provisions
This Act has been repealed to the extent that it now only affects the health records of deceased patients. It applies only to records created since 1 November 1991. The Act allows access to: a) the deceased’s personal representatives (both executors or administrators) to enable them to carry out their duties; and b) anyone who has a claim resulting from the death. However, this is not a general right of access; it is a restricted right and the following circumstances could limit the applicant’s access: if there is evidence that the deceased did not wish for any or part of their information to be disclosed; or if disclosure of the information would cause serious harm to the physical or mental health of any person; or if disclosure would identify a third party (i.e. not the patient nor a healthcare professional) who has not consented to that disclosure.
As with the Data Protection Act, a medical professional may be required to screen the notes before release. Under the Act, if the record has not been updated during the 40 days preceding the access request, access must be given within 21 days of the request. Where the record concerns information all of which was recorded more than 40 days before the application, access must be given within 40 days; however, as with the Data Protection Act 1998, organisations should endeavour to supply the information within 21 days. A fee of up to £10 may be charged for providing access to information where all of the records were made more than 40 days before the date of the application. No fee may be charged for providing access to information if the records have been amended or added to in the last 40 days. Where a copy is supplied, a fee not exceeding the cost of making the copy may be charged. The copy charges should be reasonable, as the doctor or organisation may have to justify them. If applicable, the cost of posting the records may also be charged.
Records management considerations
Organisations should have processes that address where and how the records of deceased persons are stored. Secure and environmentally safe storage is vital to ensure that records are maintained in good order and are available if required. It is essential that organisations put in place processes and procedures to enable the efficient and effective retrieval of such records within the timescales specified by the Act.
Section 60 of this Act gives the Secretary of State for Health the power to make regulations to authorise or require health service bodies to disclose patient information, including data which is patient-identifiable, which is needed to support essential NHS activity, in the interests of improving patient care or in the wider public interest. The processing permitted is still subject to the Data Protection Act 1998. However, it does mean that the common law duty to obtain consent has been set aside.
The aim of the Act is to allow individuals to see medical reports written about them, for employment or insurance purposes, by a doctor whom they usually see in a normal doctor/patient capacity. This right can be exercised either before or after the report is sent. The chief medical officer of the employer/insurer is the applicant and he/she will send a request for a report to the doctor. The request must be accompanied by a written and signed patient consent. The patient may view the report by obtaining a photocopy, or by attending the organisation to read the report without taking a copy away. The patient has a right to view the report from the time it is written and has a window to do so before the report is supplied, or he/she may view it after supply for up to six months. However, in certain circumstances the patient may be prohibited from viewing all or part of the report if: in the opinion of the doctor, viewing the report may cause serious harm to the physical or mental health of the patient; or access to the report would disclose third-party information where that third party has not consented to the disclosure. The patient retains the right to withdraw consent to the report’s preparation and/or supply at any time. Therefore, if the patient is unable to view any of the report due to one of the circumstances listed above, he/she can refuse to allow it to be supplied. If a patient disagrees with the content of the report, he/she has several options. He/she can: refuse to allow its supply; ask the doctor to correct agreed inaccuracies; or have a note added addressing the point(s) of disagreement.
Records management considerations
It is important that these reports remain accessible to the patient for at least six months after they have been supplied to the employer or insurer.
After six months, organisations should consider whether retention is necessary; however, if they do decide to retain the report it must be accessible should a subsequent subject access request be made. In some organisations, it may be easier to hold the report as part of the health record.
The Act allows a worker to breach their duty of confidentiality towards their employer for the purpose of ‘whistle-blowing’. A disclosure qualifying for protection under the Act is known as a ‘qualifying disclosure’. Such a disclosure is allowed in the following circumstances: where criminal activity or breach of civil law has occurred, is occurring, or is likely to occur; where a miscarriage of justice has occurred, is occurring or is likely to occur; where health and safety has been, is, or is likely to be compromised; where the environment has been, is being or is likely to be damaged; or where information indicating evidence of one of the above circumstances is being or is likely to be deliberately concealed.
A qualifying disclosure must only be made: in good faith to the individual’s employer, or to any other person having legal responsibility for the conduct complained of; for the purpose of obtaining legal advice; where the worker is employed by the Crown, in good faith to a Minister of the Crown; or in good faith to a person prescribed by the Secretary of State. Under this Act, the worker must reasonably believe that any allegation s/he makes is substantially true.
If it is the employer who is responsible for the conduct complained of, the Act allows a worker to make a disclosure to a person not noted above, provided the following conditions are met: it must be made in good faith, and not for personal gain, with a reasonable belief that the allegations complained of are true; and the worker reasonably believes he will suffer a detriment if he makes the disclosure to his employer; or he has previously complained of the conduct and no action has been taken; or he reasonably believes that evidence of the conduct has been or will be destroyed or concealed. Such a disclosure will be subject to a test of reasonableness.
Multi Agency Public Protection Arrangements. Sections 67 and 68 of the Criminal Justice and Court Services Act 2000 imposed duties upon the police and probation services (jointly the Responsible Authority) in each of the 42 Areas of England and Wales to establish the MAPPA. The legislation also empowered the Home Secretary to issue guidance to the Responsible Authorities on how their MAPPA duties should be discharged: (Section 67(6)). Responsible Authorities must (i) establish arrangements to assess and manage the risks posed by sexual and violent offenders; (ii) monitor those arrangements and make necessary changes; and (iii) prepare and publish an annual report on the MAPPA. Sections 325-327 of the Criminal Justice Act (2003) re-enacted and strengthened those provisions. Section 325 of the Criminal Justice Act 2003 imposed a duty to co-operate with the MAPPA Responsible Authority upon a number of bodies including NHS trusts, PCTs, Health Authorities and local authorities with social services responsibilities. ‘Co-operation’ may include the exchange of information. For further information, see: LASSL (2004)3.
The population of relevant offenders falling within the remit of MAPPA in each Area comprises the following:
Category 1: Registered sex offenders
Category 2: Violent and other sex offenders
Category 3: Other offenders
In the first year of operation of the MAPPA (2001/2) there were over 47,000 offenders in England and Wales considered by the Responsible Authorities under MAPPA. This comprised approximately 18,500 Category 1 offenders, 27,500 Category 2 offenders and 1,200 Category 3 offenders.
The framework comprises four core functions:
(i) the identification of MAPPA offenders;
(ii) the sharing of relevant information among those agencies involved in the assessment of that risk;
(iii) the assessment of the risk of serious harm; and,
(iv) the management of that risk.
The principles take into account the common law duty of confidence, the Data Protection Act 1998 and the European Convention on Human Rights.
Information sharing must: (i) have lawful authority; (ii) be necessary; (iii) be proportionate; and done in ways which, (iv) ensure the safety and security of the information shared; and, (v) be accountable.