BACKGROUND: The police arrive at a GP surgery and ask to speak to the practice manager – Ms R. They inform her that an abandoned car has been found in a local woods. They have obtained the registered keeper’s name and an address but have been unable to trace that individual. A search of the vehicle has also found a diary in the car, which seems to indicate that someone has a doctor’s appointment at 2pm today. They tell Ms R that officers are visiting all local hospitals and surgeries asking for the names of all patients with 2pm appointments. The officers say that they require this information under the powers conferred to them by Section 29 of the Data Protection Act 1998.
The practice manager and senior partner take the officers into one of the consulting rooms for a quiet chat. One of the officers explains that they believe some harm may have come to the owner of the vehicle and it is important that they contact the individual if possible.
The practice manager and senior partner take the officers into one of the consulting rooms for a quiet chat. The lead officer says it’s a “routine” investigation into a possibly stolen car and they need to speak to the owner.
ANALYSIS/OUTCOME: First to consider is that the request in the initial scenario is very broad in nature and it would be entirely inappropriate for the practice to simply disclose the names of all patients with 2pm appointments that day. The police themselves may be wary about providing specific information, which could identify an individual at this stage, but the practice manager in this case really does require more information to proceed with here.
As well as breaching the duty of confidentiality owed to the patients concerned, disclosure of these names could amount to a breach of the Data Protection Act 1998. There is an exemption in the Act under Section 29 – Crime and Taxation – which allows a ‘data controller’ to give out personal information for these purposes, but there are limits on what can be released (see page 9 in this issue). The Information Commissioner’s Office advises that if you do decide to release personal information to the police, you should consider what is the minimum necessary for them to be able to do their job.
Importantly, Section 29 does not confer any particular police powers in this respect, but allows the ‘data controller’ to consider release of personal information for the stated purposes and only if not releasing it would be likely to prejudice any attempt by police to prevent crime or catch a suspect.
The second consideration in any such request is: “Am I sure that the person making the request is who they say they are?” Confirmation of identity is essential before proceeding any further. In relation to this particular request, the manager could then ask what specific concerns the police have about the circumstances in which the car has been discovered.
In the case of Scenario 1, it would be more helpful if the police could ask a direct question about whether the registered keeper is a patient at the practice, if they had an appointment at 2pm today, and if they turned up for it. This would allow Ms R to respond by disclosing only the minimum amount of information necessary to answer the police request while at the same time acting in the best interests of the patient.
In the case of Scenario 2 – the stolen car – the situation is less clear. While the police request would appear to comply with Section 29 DPA requirements, allowing appropriate disclosure for the purposes of investigating a crime, the corresponding GMC guidance for doctors on confidentiality and consent is less helpful, and boils down to whether the alleged offence constitutes a ‘serious crime’ or not. The GMC do not state what constitutes a ‘serious crime’, and the practice would have to consider the relevant facts and circumstances available before coming to a decision. In order to do this, sufficient information from the police will be required if they are seeking compliance.
In these circumstances it would also be prudent and possibly extremely helpful, to attempt to seek the patient’s consent before agreeing to provide the police with the information. If this is not possible or the patient refuses, then the practice would have to make a judgement call based on the ‘public interest’ criteria – having first of course, discussed the matter with an MDDUS adviser, who will be able to help in considering the various factors relevant to the request before coming to a decision.
Also, remember, that in a decision not to disclose the information requested, the police can apply for and obtain a lawful warrant or court order requiring disclosure.
- Give careful consideration to any police requests for patient information – even confirmation that someone is a patient.
- Consider all relevant GMC guidance on disclosure in the public interest, weighing it up against the patient’s right to confidentiality.
- Obtain consent for disclosure if possible, practical and/or reasonable.
- If disclosing, provide only the minimum information necessary to fulfil the purpose.
- Ask for confirmation of identity of any officer making a disclosure request.
- Call MDDUS for advice in specific cases.
Alan Frame is risk adviser with MDDUS Training and Consultancy