Department of Health


Data Protection Act 1998

Last modified date: 19 January 2009

The main provisions of the Act come into force on 1 March 2000. Although there are similarities between this Act and the Data Protection Act 1984, there are some important differences:

Protection and use of patient information

- the Act now covers certain types of manual records (including all health records) as well as electronic records. There are transitional arrangements concerning manual records between now and 2007;
- the definition of "processing" is wider than that in the 1984 Act, and includes the concepts of obtaining, storing and disclosing data. Most actions involving data, including storage, will be included within this definition;
- although both the 1984 and 1998 Acts include eight Data Protection Principles, the nature of the principles differs between the two Acts;
- the Access to Health Records Act 1990 permitted access to manual health records made after the Act came into force (1 November 1991). The Data Protection Act 1998 permits access to all manual health records whenever made, subject to specified exceptions;
- changes to the requirements for notification of processing to the Data Protection Commissioner (formerly the Data Protection Registrar).

Information is provided below on the following aspects of the Act:

Section A - schedule 1 (the data protection principles)
Section B - schedule 2 (conditions relevant for the purposes of the first principle: processing of any personal data)
Section C - schedule 3 (conditions relevant for the purposes of the first principle: processing of sensitive personal data)

PART 1 - BACKGROUND AND MAIN PROVISIONS OF THE 1998 ACT

Background

1. The Act implements EC Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data which was adopted on 25 October 1995 for implementation by 24 October 1998. One of its purposes is to safeguard "the fundamental rights of individuals". In March 1996, the Home Office issued a consultation paper concerning the implementation of the Directive which was drawn to the attention of NHS bodies. "Data Protection: The Government's Proposals" (CM 3725) was issued in July 1997 prior to the introduction of the Data Protection Bill which subsequently received Royal Assent on 16 July 1998. Its main provisions come into force on 1st March 2000.

Scope of the Act

2. The Act defines personal data as that which relates to a living individual who:

- can be identified from that data or
- from that data and any other information which is in the possession of, or likely to come into the possession of, the data controller.

and includes any expression of opinion about the individual and any intentions of the data controller or any other person in respect of the individual.

3. Data is defined as information which is:

- processed automatically or recorded with the intention to process automatically or
- recorded as, or with the intention that it be, part of a manual "relevant filing system" which is further defined in the Act or
- contained in a health, educational or social services record.

4. A health record for the purposes of the Act is one which relates to the physical or mental health of an individual which has been made by or on behalf of a health professional in connection with the care of that individual.

5. Thus with the exception of anonymised information most if not all NHS information concerning patients, whether held electronically or on paper, will fall within the scope of the Act. The inclusion of manual or paper based records within the scope of the Act is one of the major changes from the 1984 Act.

General Principles

6. All processing of data to which the Act applies must comply with 8 principles which are reproduced in Section A. The first principle is particularly important as it emphasises that processing must be fair and lawful in the context of the common law and other UK legislation. Generally it will be complied with if all the following conditions are met:

- the common law of confidentiality and any other applicable statutory restrictions on the use of information are complied with;
- the data subject was not misled or deceived into giving the data;
- the data subject is given basic information about who will process the data and for what purpose;
- in the case of health data, one of the conditions in both Schedules 2 and 3 (reproduced in sections B and C) to the Act is satisfied.

7. Schedule 2 conditions apply to the processing of all personal data. More stringent protection is provided for sensitive data, which includes data about racial or ethnic origin, physical or mental health or condition, and sexual life. Processing of such data must meet one of the conditions of not only Schedule 2 but also Schedule 3. One of those conditions is that the processing is necessary for "medical purposes", which is not defined exhaustively but includes preventative medicine, medical diagnosis, medical research, provision of care and treatment and the management of healthcare services.

8. "Processing" of the data is widely defined and covers all manner of use including obtaining, recording, holding, altering, retrieving, destroying or disclosing data.

9. Data processing for legitimate NHS purposes is likely to satisfy one or more of the conditions set out in Schedules 2 and 3 - in particular the conditions set out at Schedule 2(6) and at Schedule 3(8) appear relevant. In addition the Data Protection (Processing of Sensitive Personal Data) Order 2000 provides further conditions under which it will be lawful to process sensitive personal data. Lawful processing under the 1998 Act requires compliance with the common law duty of confidentiality where patient data is concerned. Guidance on this can be found in HSG(96)18, The Protection and Use of Patient Information.

10. Data subjects should be informed of the identity of the data controller (this will usually be the NHS body), the purposes for which data are to be processed, and any other information needed to make the processing fair (see paragraph 2(3) (d) of Part II of Schedule 1). Where the data was not obtained from the data subject himself, there is an exemption from the requirement to provide this information where providing it would involve disproportionate effort or data is obtained or used pursuant to a non-contractual legal requirement. However, if the ground of disproportionate effort is to be relied on then the provisions of the Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 must also be met. As required by HSG(96)18 The Protection and Use of Patient Information NHS bodies should seek to ensure that patients are informed of the potential use of their data in general terms.

11. Individuals are entitled to prevent processing:

i) for direct marketing purposes; it is Department of Health policy that patient information should not be disclosed for such purposes; or

ii) which will, or is likely to, cause the data subject or another person unwarranted and substantial harm or distress. This right can be over-ridden in certain circumstances including:

- where the processing is necessary to meet contractual obligations to which the data subject is a party or to enter a contract at the latter's request
- where it is necessary to protect the data subject's vital interests, or
- it is necessary for compliance with the data controller's non-contractual legal obligations

12. Any data subject who suffers damage due to an unauthorised disclosure is entitled to compensation, although a data controller will have a defence if reasonable care was taken to comply with the Act.

Subject Access Rights

13. Rights of access to personal data are central to the Act. However, similarly to the 1984 Act, if the personal data concerns physical or mental health or condition the provisions are modified by the Data Protection (Subject Access Modification) (Health) Order 2000 (see Part 3).

Research

14. Data legitimately processed for research or statistical purposes, as long as such processing neither causes substantial harm or distress to the data subject nor is used to support measures or decisions in relation to individuals, are exempt from certain provisions of the Act. Such data can be kept indefinitely and are exempt from the subject access rights if the results of the work are not made available in a form from which data subjects can be identified. Use of such data for research, although obtained for other purposes will not breach the second principle (use incompatible with the purposes for which it was obtained) and hence will not be unlawful on those grounds. However, this does not absolve the data controller from the obligation, in order to comply with the first principle, to give the data subject general information about intended uses (see paragraph 10 above).

Data Protection Commissioner

15. The office of Data Protection Registrar is renamed Data Protection Commissioner (DPC). As now, data controllers will need to notify the DPC about certain particulars (previously referred to as registration) and additionally will need to include some details of security measures before processing data. Part 4 provides further details on notification arrangements.

16. Certain data protection processes may be likely to cause substantial damage or substantial distress to, or prejudice the rights and freedoms of, data subjects. Therefore certain processes specified by Order will be subject to the process of "prior checking" by the DPC before processing commences. This will not affect processing already being undertaken at the time the Act comes into force. No categories have yet been designated for prior checking.

17. The DPC can serve an enforcement notice on a data controller who is believed to be contravening the Act; failure to comply is an offence. Requests may also be made by, or on behalf of, a data subject affected by the processing of personal data to the DPC for an assessment as to whether the processing is in compliance with the Act. The DPC may then issue an "information notice" to a data controller requiring information to assist the assessment.

18. The DPC has a duty to promote good practice and may disseminate codes of good practice to this end. Such codes may either be prepared by the DPC or by a "trade association" (ie a body that represents data controllers, such as the GMC or the BMA). If submitted to the DPC for approval, such codes will be subject to consultation by the DPC as part of the determination of whether the code promotes good practice. If the code was approved by the DPC it would have a similar status to a code prepared by the DPC. Thus more than one code may exist in a particular sector.

Social Work Records

19. Separate guidance on the Data Protection Act 1998 is being prepared for local authority social services. Draft guidance was issued to social services on 26 July 1999 under cover of LASSL(99)16. The relevant provisions of the DPA for local authority social services will be introduced during the first transitional period. NHS trusts and social services will need to have appropriate procedures in place where joint records are held. While both organisations will be required to notify separately - as both are data controllers in their own right - either organisation can provide access to the joint record. Therefore the data subject should only have to apply to the NHS trust or social services for access to their records. NHS trusts and social services will need to have procedures in place to inform the data subject that the data are held jointly, that access can be provided through either organisation, and to inform each other that access has been given.

Overseas transfer of information

20. If data is to be transferred overseas, then the eighth data protection principle must be observed: Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. (The EEA consists of the EU member states and Iceland, Norway and Liechtenstein).

Sources of further information

21. The DPC has issued An Introduction on the new Act. NHS bodies are strongly advised to obtain copies of this, the Act and the associated secondary legislation, in particular the Data Protection (Subject Access Modification) (Health) Order 2000 (see Part 3).

22. The Act repeals the Access to Health Records Act 1990 with the exceptions of provisions concerning the deceased. The Department of Health's guidance (HSG (91)6) on that Act is similarly now in force only with effect to the records of the deceased. More detailed guidance on subject access will be available shortly.

23. The Security & Data Protection Programme of the NHS Information Authority is providing resources to assist NHS organisations implementing the Data Protection Act. (For further information see Part 5). An Action plan to help NHS organisations to move towards compliance with data protection legislation was issued, in December 1999, in booklet form, to Information Managers in Health Authorities and Trusts, for onward transmission to Data Protection Officers. The Information Policy Unit of the NHS Executive issued copies to all Caldicott Guardians.

The plan is intended to be a framework and illustrative of the issues involved; it is not necessarily comprehensive for all organisations and local review will, therefore, be essential. The plan was produced in association with the Office of the Data Protection Registrar, the Department of Health and staff working within the NHS. It is intended to complement this material.

The Action Plan can be downloaded from
http://nww.standards.nhsia.nhs.uk/sdp

Further information can be obtained from:
Security & Data Protection Programme Helpdesk
NHS Information Authority
15 Frederick Road
Edgbaston
Birmingham B15 1JD
Telephone: 0121 625 1992
Help Desk: 0121 625 2711

24. Information Sharing - A Working Group at the Department of Health is developing national guidance to assist NHS bodies and local authorities on the principles and practical issues involved in sharing client/patient records for service delivery and of using such aggregated data for planning, commissioning, managing and monitoring. Initial guidance will be circulated as part of the package of guidance and regulations on the partnership provisions in the Health Act. (For further information contact Carole Bell of the Health and Social Care Joint Unit at the Department of Health on 0171 972 4978).

SECTION A

SCHEDULE 1 - THE DATA PROTECTION PRINCIPLES

1. Personal data shall be processed fairly and lawfully, and, in particular, shall not be processed unless-

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Part II of Schedule 1 of the Act provides a more detailed interpretation of these provisions which should be consulted as appropriate.

SECTION B

SCHEDULE 2 - CONDITIONS RELEVANT FOR THE PURPOSES OF THE FIRST PRINCIPLE: PROCESSING OF ANY PERSONAL DATA

1. The data subject has given his consent to the processing.

2. The processing is necessary -

(a) for the performance of a contract to which the data subject is a party, or

(b) for the taking of steps at the request of the data subject with a view to entering into a contract.

3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

4. The processing is necessary to protect the vital interests of the data subject.

5. The processing is necessary-

(a) for the administration of justice

(b) for the exercise of any functions conferred on any person by or under any enactment

(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department

(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.

6. (1) The processing is necessary for the purpose of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

(2) The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.

SECTION C

SCHEDULE 3 - CONDITIONS RELEVANT FOR THE PURPOSES OF THE FIRST PRINCIPLE: PROCESSING OF SENSITIVE PERSONAL DATA

1. The data subject has given his explicit consent to the processing of the personal data.

2. (1) The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.

(2) The Secretary of State may by order-

(a) exclude the application of sub-paragraph (1) in such cases as may be specified, or

(b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.

3.1 The processing is necessary-

(a) in order to protect the vital interests of the data subject or another person, in a case where-
(i) consent cannot be given by or on behalf of the data subject, or,
(ii) the data controller cannot reasonably be expected to obtain the consent of the data subject, or

(b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.

4. The processing -

(a) is carried out in the course of its legitimate activities by any body or association which-
(i) is not established or conducted for profit, and
(ii) exists for political, philosophical, religious or trade-union purposes,

(b) is carried out with appropriate safeguards for the rights and freedoms of data subjects,

(c) relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes, and

(d) does not involve disclosure of the personal data to a third party without the consent of the data subject.

5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

6. The processing-

(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),

(b) is necessary for the purpose of obtaining legal advice, or

(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

7. (1) The processing is necessary -

(a) for the administration of justice,

(b) for the exercise of any functions conferred on any person by or under an enactment, or

(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department.

(2) The Secretary of State may by order -

(a) exclude the application of sub-paragraph (1) in such cases as may be specified, or

(b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.

8. (1) The processing is necessary for medical purposes and is undertaken by-

(a) a health professional, or

(b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

(2) In this paragraph "medical purposes" includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

9. (1) The processing-

(a) is of sensitive personal data consisting of information as to racial or ethnic origin,

(b) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and

(c) is carried out with appropriate safeguards for the rights and freedoms of data subjects.

(2) The Secretary of State may by order specify circumstances in which processing falling within sub-paragraph (1)(a) and (b) is, or is not, to be taken for the purposes of sub-paragraph (1)(c) to be carried out with the appropriate safeguards for the rights and freedoms of data subjects.

10. The personal data are processed in circumstances specified in an order made by the Secretary of State for the purposes of this paragraph.

PART 2 - TRANSITIONAL PROVISIONS

These are contained in Schedule 8 to the Act.

1. Manual Records

1.1 During the period from commencement of the Act until 23 October 2001, manual social services or health records are exempt from its provisions except for sections 7 and 12A (ie access and correction rights of data subject). All other manual files which were held immediately before 24 October 1998, will be exempt from all relevant parts of the Act.

1.2 Between 23 October 2001 and 23 October 2007, more limited exemptions apply (to manual data held immediately before 24 October 1998 and, in any event, to all manual data in social services or health records which are not held in a "relevant filing system"). The exemptions cover the first data protection principle (but not the obligation to give basic information to the data subject contained in Schedule 1 Part II) the second to fifth data principles (see Section A) and section 14(1) - (3) of the Act (rectification rights etc). Further exemptions apply to data that is processed only for historical research purposes.

2. Automated Data

Provided automated data was subject to processing immediately before 24 October 1998, it is exempt during the first transitional period (commencement of the Act until 23 October 2001) from most parts of the Act except certain obligations in section 7 (to inform the data subject of the processing and where lawful communicate the information constituting the data by way of a copy pursuant to section 8) section 14 (rectification etc) as well as the general obligation to ensure that processing is fair. During this period, in broad terms the Act might be said to maintain the effect of the Data Protection Act 1984. Further exemptions apply to data that is processed only for historical research purposes.

3. General

3.1 Manual files (other than social services or health records) and automated data created after 24 October 1998 will immediately become subject to all of the provisions of the Act.

3.2 From 24 October 2001, the full regime will apply to all automated data and from 24 October 2007, the full regime will also apply to all manual files covered by the Act (whenever collated or created).

PART 3 - RIGHTS OF ACCESS TO PERSONAL DATA

Access Rights

1. In general the Act gives data subjects rights to access personal data about themselves which is held in either computerised or manual form, whenever the record was compiled.

2. The rights give an entitlement to:
- be informed whether personal data is processed (which includes being held or stored)
- a description of the data held, the purposes for which it is processed and to whom the data may be disclosed
- a copy of the information constituting the data
- information as to the source of the data.

2.1 Data subjects have access rights to all records irrespective of when they were created (whereas the Access to Health Records Act 1990 restricted access to records compiled after 1 November 1991).

3. There are exemptions to these rights:

i) a request can be refused if the data controller is not supplied with the fee (see below) and such information as he may reasonably require to satisfy himself as to the identity of the applicant and locate the information requested;

ii) where information is processed solely for historical or scientific (including medical) research purposes, is not processed to support measures or decisions with respect to particular individuals nor in such a way as will or may cause substantial damage or distress to any data subject, and where the results will not be made available in a form from which individuals can be identified;

iii) where disclosing the personal data would reveal information which relates to and identifies another person (for example that a relative had provided certain information) unless that person has consented to the disclosure or it is reasonable to comply with the request without that consent. The factors listed in section 7(6) should be considered in determining whether it would be reasonable in all the circumstances. These provisions do not apply where the person to be identified is a health professional who has either compiled or contributed to either the record or the care of the patient;

iv) in the case of personal data consisting of information about the physical or mental health or condition of the data subject (ie most information held by NHS bodies) the Data Protection (Subject Access Modification) (Health) Order 2000 provides exemptions from the subject access rights in two situations:

(a) where permitting access to the data would be likely to cause serious harm to the physical or mental health or condition of the data subject or any other person (which may include a health professional);

(b) where the request for access is made by another on behalf of the data subject, such as a parent for a child, access can be refused if the data subject had either provided the information in the expectation it would not be disclosed to the applicant or had indicated it should not be so disclosed, or if the data was obtained as a result of any examination or investigation to which the data subject consented on the basis that information would not be so disclosed.

4. Before deciding whether the exemption in paragraph 3 iv (a) above applies, a data controller who is not a health professional must consult the health professional responsible for the clinical care of the data subject; or if there is more than one, the most suitable available health professional. If there is none, or the relevant data concern certain social security matters specified in Article 2(c)(ii) of the Order, a health professional with the necessary qualifications and experience to advise on the matters to which the information requested relates must be consulted.

Responding to access requests

5. A request for access must be made in writing, and no reason need be given. Subject to any applicable exemption, the applicant must be given a copy of the information and, where the data is not readily intelligible, an explanation (eg of abbreviations or medical terminology). Data controllers may not charge for the explanation, but can charge a fee for the application and copying charges.

5.1 Regulations on subject access fees have been agreed up until 24 October 2001 and are publicly available on the Home Office website at: http://www.homeoffice.gov.uk/ccpd/dpsafmsi.htm The regulations provide that a maximum fee of £50 can be charged for access to health records for a transitional period running until 24 October 2001.

5.2 The data controller is entitled to satisfy itself that the applicant is either the data subject, or, if the applicant is applying on behalf of a data subject that the person has been authorised to do so.

5.3 The obligation to provide a copy may be waived where the data subject agrees otherwise or it is not possible to supply a copy of the material sought, or to do so would involve disproportionate effort (for example because papers have been destroyed, or are spread around the country).

5.4 However, the person may not wish to access their entire record and therefore NHS bodies may wish to confirm what material the applicant requires before processing the request which will both decrease the cost of copying for the applicant and unnecessary work by staff.

5.5 The Act does not provide an express right to directly inspect records, although it is permitted with the agreement of the data subject and data controller. It remains Department of Health policy that such requests should be accommodated subject to the exemptions listed in paragraph 3 above.

5.6 Requests for access should be responded to promptly, and no later than forty days after the request and fee (and any additional information as to the identity of the applicant or the location of the information reasonably required by the data controller) are received by the data controller. In exceptional circumstances if compliance is not possible within this period the applicant should be advised accordingly.

5.7 Where an access request has previously been complied with, the Act permits data controllers not to respond to a subsequent identical or similar request unless a reasonable interval has elapsed since the previous compliance. There is no definition of "reasonable interval", but regard should be had to the nature of the data, how often it is altered and the reason for its processing. The reason for the request(s) may also be relevant.

Rights of rectification

6. If the data subject believes that data recorded about them are inaccurate, the person may apply to the court for an order, or to the DPC for an enforcement notice, either of which may require that the inaccurate data, and any expression of opinion based on it, is rectified, blocked, erased or destroyed.

7. However, where the data is inaccurate but accurately records information given by the data subject or another person the Court or the Commissioner may instead order that the record should be supplemented by a statement of the true facts as approved by the court/Commissioner.

PART 4 - NOTIFICATION AND SECURITY

  1. The Act prohibits processing of automated data and manual data subject to prior assessment (but not other manual data) unless there is an entry for the data controller in the register maintained by the DPC. However, since data subjects can require the registrable particulars in respect of any manual data that has not been notified, it is advisable to effect voluntary notification in respect of all manual data.
  2. Entry to the register is by notification to the DPC. The notification must, as did the 1984 Act, include certain information specified in section 16 of the Act. The categories of information required are similar, but not identical to, that required under the 1984 Act.
  3. A new requirement is that notification must include a general description of the measures taken to comply with the 7th principle, concerning security (see Section A). A statement that the organisation complies with guidance on security best practice issued by the Department of Health/NHS Executive may meet this requirement.
  4. Further guidance on notification is available from the DPC.
  5. Schedule 1, Part II, paragraph 12 requires that where personal data is processed on behalf of a data controller by a data processor, the processing must be carried out under a written contractual arrangement which includes obligations to meet the standards of the 7th principle on data security and prohibits processing except on the instructions of the data controller.

PART 5 - SOURCES OF FURTHER INFORMATION

NHS Information Authority

1. Principle 7 of the 1998 Data Protection Act states "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

The NHS Information Authority is committed to helping the NHS protect the privacy of individuals whilst maximising the availability of information for patient care and for improving the health of the population. The objective of the Information Authority is to ensure that the NHS is able to effectively manage the risks associated with its use of information.

The Authority is providing resources to assist NHS organisations in implementing this aspect of the new Act.

The relevant resources being made available focus on three main areas of activity:

  • Developing a Security Culture via training and awareness events and the provision of training materials, increasingly via electronic media
  • Contributing to the development and promulgation of national policy, standards and best practice for Security and Data Protection in the NHS
  • Assisting the NHS to manage security risks through a Help Desk (Tel: 0121 625 2711), Advisory Services and an Incident Reporting Scheme.

It is anticipated that resources to assist NHS organisations in understanding and implementing the 1998 Data Protection Act will include:

  • news bulletins on the NHS web
  • a library of Frequently Asked Questions
  • action points and checklists
  • newsletters
  • a revised edition of the manual "An Introduction to Data Protection in the NHS"

Further information can be obtained from:

Security & Data Protection Programme
NHS Information Authority
15 Frederick Road
Edgbaston
Birmingham B15 1JD
Tel: 0121 625 2711
Fax: 0121 625 1999
