OUR practice has received a subject access request from a patient wanting a copy of the medical records of her 6-year-old daughter. Checking through the record before sending it to the mother I noted an entry summarising the minutes of a recent multi-disciplinary child protection meeting held by the local social work service stating the girl may be at risk of sexual abuse from a named male relative within the family. There are also suspicions the mother may be complicit. The entry makes it clear that this information should not be disclosed to any member of the family at this stage. What information should be redacted to comply with data protection laws?
The Data Protection Act 1998 would normally entitle a mother to access the medical records of her young child (who lacks capacity by reason of age) but in this case it is clear that a decision has been taken to withhold specified information from the mother due to ongoing safeguarding concerns.
This presents a risk as current advice from the GMC (Protecting children and young people: the responsibilities of all doctors) states that: "You should store information or records from other organisations, such as minutes from child protection conferences, with the child’s or young person’s medical record, or make sure that this information will be available to clinicians who may take over the care of the child or young person."
This guidance is intended to ensure that such information will be readily available to other healthcare professionals who will be providing care to that child, as well as appropriate safeguarding. But in this particular case a decision has been made to withhold specific information from family members, as disclosure could place the child at risk of harm.
The GMC guidance does, indeed, clarify that: "A parent may see their child’s medical records if the child or young person gives their consent, or does not have the capacity to give consent, and it does not go against the child’s best interests."
Confronting the risk of potential inappropriate or unlawful disclosure, as in this case, it is easy to understand why some doctors would make a decision to store all such correspondence separately from the child’s main medical record. However, the risk of important information being lost or misplaced outweighs other considerations in relation to the safeguarding of children.
The aggregate of guidance now makes it clear that case conference reports for any child now or formerly subject to a child protection plan must not be kept separate or isolated from handwritten or digital clinical records and these should also be transferred with the complete patient record if the child changes GPs. Further support for this approach can be found in other guidance such as that offered by the RCGP and NSPCC in their Safeguarding Children and Young People: The RCGP/ NSPCC Safeguarding Children Toolkit for General Practice.
In particular it provides a Specimen Child Safeguarding Policy for General Practice with information in relation to all aspects of child protection. Guidance specific to record keeping can be found on pages 7 and 8. It states that case conference records must never be destroyed (e.g. by deleting electronic records or shredding hard copies) and advises that any welfare concerns should be passed on even if the child is not subject to a protection plan.
More specifically the guidance recommends:
- All reports should be scanned onto the relevant child’s records.
- Reports should be vetted to remove any third party information, especially if external agencies request these medical records. • Reports/correspondence should be seen and summarised by a GP.
- All contacts with any parties regarding any safeguarding children issues should be recorded on the patient’s medical records and any necessary action taken immediately.
These steps are also relevant to the above dilemma – particularly the requirement to carefully scrutinise and vet the record for third party information and that such tasks should be undertaken by a GP familiar with the case and not delegated to administrative staff within the practice.
In summary, case conference reports for any child now or formerly subject to a child protection plan must not be kept separate or isolated from handwritten or digital clinical records – and these should be transferred with the complete patient record if the child changes GPs. But this means care and attention is needed when complying with subject access requests to ensure against unlawful or inappropriate disclosure.
Alan Frame is a risk adviser at MDDUS