The Data Protection Act

MDDUS medical adviser Dr Barry Parker outlines what you need to know about this important legislation

It is crucial that all doctors comply with the Data Protection Act 1998 when handling patient information, but the Act itself is long and complicated and we frequently receive requests for advice on its workings.

The principles, however, are simple and apply to anyone responsible for processing personal patient information. (“Processing” broadly means collecting, using, disclosing, retaining or disposing of personal data.)

The Act's eight data protection principles require that:

  • Personal data should be processed fairly and lawfully
  • It should only be obtained for a specific purpose(s) and not be processed in any manner that is incompatible with that purpose
  • It should be adequate, relevant and not excessive for the purpose
  • It should be kept accurate and up to date
  • It should not be kept for longer than is necessary for the purpose
  • It should be processed in accordance with the legal rights of the data subject under the Act
  • Appropriate steps should be taken to prevent loss or damage or unauthorised or unlawful disclosure
  • It should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures adequate protection.

The person with overall responsibility for safeguarding records/personal data is known as the data controller and the patient is the data subject. The patient is entitled to request access to, or a copy of, all of their electronic and paper records. Their written request should be granted within 40 days, but certain information should not be disclosed. This includes third party information unrelated to the patient, for example about a sibling or parent. (Other health professionals involved in the care do not count as third parties.) Responses should also exclude any information which, if disclosed, may lead to serious harm to the patient or another individual.

The Act only refers to living patients and is distinct from Freedom of Information Act requests which are for general information about a public body rather than personal health information. Common queries include:

Can I charge for providing information under the terms of the Act?
There is no charge for patients who wish to view their records, but a charge of up to £50 can be made for copies of paper records, or up to £10 for copies of electronic records. This includes postage costs.

Do data subjects have to provide a reason for requesting disclosure of their records?
No. Occasionally doctors may feel that a request is being made in anticipation of litigation, but this does not affect the patient's rights under the Act and such requests should be dealt with in the usual way.

Can parents make a request for their children’s records?
Anyone with parental responsibility may make such a request and, providing it appears to be in the best interests of the child’s health and welfare, it can normally be agreed. However, when the child is deemed competent, then consent for disclosure should be sought from them. As a working rule, a child aged 12 or over with normal capacity would be regarded as competent in this respect unless other factors exist. 

What if someone requests information on a patient with incapacity?
Adults with incapacity legislation differs slightly in Scotland and England, but the principles are similar. If the patient has a legally appointed proxy they are entitled to receive relevant medical information in order to carry out their duties in relation to the patient. If no legal proxy exists, decisions on disclosure should be made on a ‘best interests’ or ‘overall benefit’ basis.

What if a patient wants to amend their record?
If the doctor agrees with the proposed amendment, i.e. where an entry is incorrect, they may amend the record, making a contemporaneous entry to indicate what has been done and why. If not, an offer can still be made for an additional entry to be made in the records noting the patient’s view/disagreement with the contents.

What happens if there is an accidental breach of confidentiality under the Act?
First, clarify what has happened and inform the patient without delay. There should be an apology, an explanation (which may only be possible after further investigation) and prompt action to limit the effects of the breach whenever possible. Breaches that have potentially severe consequences for the patient or involve large numbers of patients or volume of data may require to be reported to the Information Commissioner’s Office (ICO).

What are the potential consequences for the data controller following a breach of confidentiality?
Patients may make a local complaint and, if they are dissatisfied with the response, escalate this to the Ombudsman. They may also complain direct to the Information Commissioner who has the power to issue a financial penalty for significant breaches of the Act. They have the option to complain to the General Medical Council if doctors are involved in the breach and they may raise a civil court action for damages. This last option is relatively uncommon and in fact the majority of breaches, if handled sensitively, honestly and efficiently from the outset, can be resolved without escalation.

When is it justifiable to share personal data without consent?
There are circumstances where information must be provided by law, and where disclosure without consent is permissible on a public interest basis. See the GMC’s guidance Confidentiality.

Further information: 

ICO guidance on the Data Protection Act 1998

Dr Barry Parker is a medical adviser at MDDUS