4 FURTHER INFORMATION
4.2 Handling Information and Data Protection
Access to health records and data protection
Under the Data Protection Act 1998 people have the right of access to information held about them, including such information in their health records. Access can only be denied in limited circumstances on the basis of certain specified exemptions. The Data Protection Act replaced the Access to Health Records Act 1990 on 1 March 2000, except that applications to see the records of someone who has died are still dealt with under the latter.
Who can apply for access under the Data Protection Act
Health records are any records which consist of information about the physical or mental health or condition of an individual and have been made by or on behalf of a health professional in connection with the care of that individual.
Under the Data Protection Act the holder of the information (known as a ‘data controller’) is not obliged to deal with a request for access unless it is made in writing. Data controllers may be GPs, the Health Boards, or Trusts or independent providers.
Sometimes a patient may ask to see their records in the course of a consultation. Often the practitioner may feel that it is helpful to share the record with the patient and go through it with them. Such an oral request does not have to be treated as an application under the Data Protection Act.
An application may be made to the Data Controller by:
a. The patient;
b. A person authorised by the patient (e.g. in writing) to make the application on the patient’s behalf;
c. Where the patient is a child and the child does not understand the nature of the request, a parent or other person who has parental responsibility for the child or is otherwise acting in law on behalf of the child;
d. An attorney or agent appointed by the Court of Protection with general authority to manage the property and affairs of the patient where the patient is incapable of managing his or her own affairs.
Where the patient has died, the patient’s personal representative and any person who may have a claim arising out of the patient’s death may apply under the Access to Health Records Act 1990.
Time-scales for dealing with applications under the Data Protection Act
It is a statutory requirement that all requests are dealt with promptly, and in any event within 40 calendar days of receiving a request that meets the conditions set by a data controller for processing such a request e.g. that it be put in writing, proof of identity, a fee and sufficient information to locate the information sought.
What information can the applicant see?
The applicant has the right to have access to all personal data held about them in written records and on computer, including those made before 1991.
Reasons to refuse
The Data Protection (Subject Access Modification)(Health) Order 2000 gives two circumstances where access can be refused to health records, after consultation with a health professional.
• Access would seriously harm the physical or mental well-being of the patient or any other individual (which could include a health professional)
• The request for access has been made by someone who is not the patient (such as the parent of a child) where the information was provided in the expectation that it would not be disclosed to the applicant. This includes the results of any examination or investigation to which the patient consented on the basis that the information would not be disclosed.
Furthermore, the Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 lists a number of categories of personal data, which are exempt from access by the patient:
• UK human fertilisation and embryology information;
• Information contained in adoption and parental order records and reports;
• Information provided by reporters for the purposes of a children's hearing.
Both of these Orders contain complex provisions and what is stated above is merely a summary of parts of those Orders and any data controller proposing to rely upon provisions in those Orders should consider those provisions as they appear in the Orders.
If access is denied, the individual can complain to the Information Commissioner or make a complaint under the NHS Complaints Procedure. In the last resort individuals can seek redress through the courts.
Process for access
As stated above, a data controller is not obliged to deal with a request for access unless the application has been made in writing. The applicant does not need to give a reason. The data controller must consider the application.
The Data Protection Act, generally, requires that data controllers provide the data subject (subject to the exemptions) with a permanent copy of the information that is held about them.
Normally it will be important that a health professional is present to explain the records to the patient, though this is not a data protection requirement.
Applicants should be advised that the Data Protection Act provides a right of complaint to the Information Commissioner who can serve an enforcement notice on a data controller who is believed to be contravening the Data Protection Act; failure to comply with an enforcement notice is a criminal offence.
Correction of inaccurate records
If an applicant considers the information to be inaccurate, the individual may apply to the court for an order, or to the Information Commissioner for an enforcement notice, either of which may require that the inaccurate data, and any expression of opinion based on it, be rectified, blocked, erased or destroyed.
In cases where there is a dispute (between the health professional and patient) about the accuracy of the information recorded, the health professional should work with the patient with the aim of finding a mutually agreeable solution which will address the patient’s underlying concerns about the data.
Such situations may occur because the data was given by another person or was believed to be accurate at the time of writing (e.g. diagnosis). However the Court or the Commissioner may instead order that the record should be supplemented by a statement of the true facts as approved by the Court/Commissioner.
Charges
No fees will be charged where the patient inspects the written records, but does not take a copy away.
If an individual makes a formal request under the Data Protection Act, the data controller may charge a fee. Such fees are governed by the Data Protection (Subject Access)(Fees and Miscellaneous Provisions) Regulations 2000, as amended – see the Information Commissioner’s guidance: Subject Access & medical record: fees for access.
Where a patient has died
Where a patient has died, the patient’s personal representative and any person who may have a claim arising out of the patient’s death have a right of access to the relevant part of the deceased’s health record under the Access to Health Records Act 1990.
If the patient has died, the records will generally have been returned to the Local Health Board where the patient lived. The application for records should normally be made to the Local Health Board. When the Local Health Board receives an application, it is required to obtain the advice of the last registered GP. Depending on the circumstances, the Local Health Board should consider copying the records before they are returned to the last registered GP to avoid allegations that they may have been altered.
Complainant acting on behalf of a person under a mental incapacity who is unable to give consent
Where a complainant is acting on behalf of a patient in such circumstances, the Trust, Local Health Board or family health service practitioner, must be satisfied that the individual who is bringing the complaint is acting ‘in law’ on behalf of the patient.
Guidance issued by the Information Commissioner suggests that where an individual has a guardianship order or an enduring power of attorney, that person is acting ‘in law’ on behalf of a patient. As far as the NHS complaints procedure is concerned, it will not be practical in every instance to require a complainant in such circumstances to have written proof that he or she is acting ‘in law’ for the patient. Where the complainant is the patient’s next of kin and is acting in the best interests of the patient this should be sufficient to satisfy the ‘in law’ requirement. However, it is good practice in such cases to seek guidance from the Health Compliance Team at the Information Commissioner’s Office.
Disclosure of information that may identify third parties
Sections 7(4) to (6) of the Data Protection Act deal with disclosure of data to a complainant from which another individual can be identified. The organisation holding the data is not obliged to deal with the request unless the other individual is a health professional involved in the care of the complainant.
Where information about someone other than the complainant is disclosed to third parties the disclosure must be lawful (for example not in breach of the duty of confidence owed to the other individual), it must be fair to the other individual, it must meet all the relevant conditions in Schedules 1 and 2 of the Data Protection Act and must, in all circumstances, comply with the eight data protection principles.
Further information
http://howis.wales.nhs.uk/caldicott
Use and Disclosure of Health Data (Information Commissioner, May 2002) www.informationcommissioner.gov.uk
Data Protection Act 1998 – www.hmso.gov.uk/acts/acts1998/19980029.htm