Data protection

Data Protection Principles:

  1. Personal data shall be processed fairly and lawfully
  2. Personal data shall be obtained only for specified and lawful purposes
  3. Personal data shall be adequate, relevant and not excessive
  4. Personal data shall be accurate and, where necessary, kept up to date
  5. Personal data shall not be kept for longer than is necessary
  6. Personal data shall be processed in accordance with the rights of the data subject
  7. Appropriate technical and organisational measures shall be taken to safeguard the data against unauthorised or unlawful processing and against accidental loss, destruction or damage
  8. Personal data shall not be transferred outwith the European Economic Area unless the destination country ensures an adequate level of protection for the rights and freedoms of data subjects

The Data Protection Act 1998 governs access to medical records.  Other Acts address rights to data not relating to individuals (Freedom of Information Act 2000) and access to the records of deceased individuals or to reports for insurance or employment purposes (Access to Health Records Act 1990 and Access to Medical Reports Act 1988 respectively).  It is the duty of the Data Controller (ie whoever decides how the data is used) to recognise that any request in written form (including an email) is a valid request: no specific form is required, and the Data Protection Act does not need to be cited.

Doctors are still permitted to allow informal access to notes, eg for the purpose of confirming a patient's list of medication.

The Act applies only to living individuals and excludes anonymised data.

Patients have the right to know whether data about them is held, but there is no need for them to be informed each time it is used.  If factual content is disputed, the patient has the right to have the details amended, but this should be done so that it is clear a change has been made in the light of new information (ie the original entry is not erased).  If the doctor believes the existing record is an accurate statement of clinical opinion, they may offer the patient the opportunity to add a statement of their own opinion.

If a copy of the record is requested, it must be supplied in a permanent form unless disproportionate effort would be involved, and in a format acceptable to the patient.

Under Statutory Instrument 2000 No 413 (the Data Protection (Subject Access Modification) (Health) Order 2000, covering disclosure of information that may cause serious harm to someone's physical or mental health) the data controller can restrict access to a record; otherwise there is no restriction on the type or age of record (eg electronic or paper).  The GMC advises that the potential to cause upset is not sufficient grounds to withhold access.

Access must be given within 40 days of receipt of the request and any applicable fee.

Use of records must follow the principles above: processed fairly and lawfully, obtained only for specified purposes, adequate, relevant and not excessive, and held only for as long as necessary.  Where use of records for more indirect purposes (eg audit) is being considered, this must be done carefully and under the responsibility of a named data controller.

Reasonable steps should be taken to ensure that "subject access requests" are genuine and to verify identities, particularly if a request seems unusual or disproportionate (eg the whole case record rather than just certain dates).  For example, with a solicitor's letter: is a signed mandate from the patient included, and is it recent?

It is not appropriate to hand over the notes and let someone else do the sifting: the data controller must take appropriate measures to prevent unauthorised or unlawful processing (eg alterations) and accidental loss.

The patient has the right to have the data explained to them in understandable terms (eg jargon, abbreviations or illegible handwriting).  If the original author cannot be contacted, the data controller must make an effort to provide an explanation, which is no different from what they would do in their own day-to-day work.

You can ask why the data is being requested, eg as part of verifying whether an agent is acting within the scope of their authority, but there is no legal duty for this information to be provided.

See also Confidentiality