Q & A - Data Protection & Confidentiality
Index
DP506 - Patient correspondence received in error
DP505 - Copies of records after death
DP504 - Confidentiality and public health information
DP503 - Postage costs
DP502 - Data Protection Charges
DP501 - Storing police information
Q DP506 - Patient correspondence received in error - Our Practitioner and Patient Services Agency (PPSA) has asked us to return to the sender
any hospital letters and other correspondence sent in error when the patient has never, or is no longer, registered with the practice. We normally send any information on to the new GP if we know who the patient is
registered with. Is there any point in returning the letters to the originator who clearly will not have this information? (06/07/05)
Answer – You should always return such correspondence promptly to the originator who will be
able to check the correct contact details with the PPSA through the National Strategic Tracing Service. This is a database of current contact details for all GP registered patients. If every GP
co-operates in this way it is much less likely that vital patient information will fail to reach its correct destination.
There is more danger that confidential information will be lost or go astray if the practice redirects mail incorrectly to the intended recipient, which could
constitute a breach of patient confidentiality. It would also fail to alert the originator that it is necessary to correct the patient’s contact details, which could have serious implications.
Further information: Q DPA77 National Strategic Tracing Service
CED
Q DP505 - Copies of records after death – The wife of one of our patients who recently died has asked for copies of her husband’s
medical records. However, a few months before he died he wrote to us saying that his wife was not to have access to his medical records. May we release them to her now that he is dead?
(05/05/05)
Answer – Your legal and professional duty of confidentiality to a patient
extends beyond death. In view of the husband’s explicit dissent to disclosure of his medical records to his wife you must maintain his
confidentiality. If she needs a copy of the notes to settle a claim arising out of her husband’s death the notes may need to be made available.
The wife should seek legal assistance and if necessary a court order may be obtained to require disclosure. In the absence of a court order you
should not release the notes without first seeking specific legal advice from your medical defence organisation.
CED
Q DP504 - Confidentiality and public health information – We have recently received several calls from the public health department
asking for confidential patient information. We have refused because they could not provide patient consent. Are we correct to do so?
(24/03/05)
Answer – If this is a routine matter where it would be practicable to
obtain consent, then you would be right. However, very often the Public Health Department is carrying out their statutory duty to protect
the public from a serious health risk. In this situation consent may well not be practicable within a tight enough time frame. In those
circumstances if disclosure without consent is essential to prevent death or harm to the patient or any other person, or if it is judged to be
overwhelmingly in the public interest, it is almost certainly permissible to disclose sufficient data to serve this statutory function, without consent if necessary.
One of our local public health departments recently published an item* in their newsletter highlighting the problem of practices refusing to
provide data that is essential to carry out urgently required public health measures.
Wessex LMCS would ask practices to cooperate with public health doctors in such circumstances and to seek advice from their own
defence organisation or the LMC if they are unsure.
*Item from COMIC 28th February 2005. In the course of our work we frequently call GPs’ surgeries to check
the data we hold or to request additional information. This may be specifically medical, such as patients’ vaccination status, or more administrative – checking the right address or asking for a telephone
number. Particularly we often need ‘phone numbers so that we, or our Environmental Health Officer colleagues, can liaise directly with patients to try to determine the source of infection and – equally
important – the possible risks of further transmission (especially from those involved in food handling, patient care etc.). Many surgeries are happy to comply with our requests, but sometimes we are faced with
what appears to us to be a misplaced concern for the confidentiality of such information. Last summer we had the strange situation of a hospital having been put on a Major Incident alert, but afterwards
declining to release names of those involved to us because the Caldicott Guardian was away on holiday. We ask that GPs’ surgeries, and others who hold patient information, first ascertain that we have a legitimate
reason for needing the information we request. You can always check that the request is authentic by calling us on the number at the bottom of this COMIC. But having done that, please give us every
assistance. Any hold-up in the investigation could lead to unnecessary delay in putting into place the control measures required, potentially resulting in outbreaks of infection. Although there may be perceived
issues over confidentiality, we do have a statutory obligation to investigate cases of notifiable diseases – and please remember that GPs have a similar obligation to supply us with information needed to
enable us to carry out enquiries.
CED
Q DP503 - Postage costs - We have numerous requests for copies under the Data Protection Act. Producing copies is very time
consuming and therefore expensive. The cost of sending notes by recorded delivery is often around £5. Is it permissible to charge extra for this?
(13/03/05)
Answer - You are certainly permitted to include the cost of postage and
packing within the £50 maximum permissible fee for producing copies of manual or mixed records or the £10 fee for copies of computerised records.
The law requires that you supply a copy of those records to the data subject, but does not specify how you must deliver those copies to the
patient or to an authorised third party.
Whenever data is provided to a third party there are potential problems with consent and data security. If notes are to be sent abroad to a third
party, you must in addition ensure that the data will be treated with the same level of regard to data protection and confidentiality as would occur under UK legislation.
It is reasonable, therefore, to ask the patient to collect copies of their personal data from your surgery and for the patient to subsequently
forward them, at their own expense, to a third party should they so wish. This avoids any possible problems with regard to valid consent to
third party disclosure and any possibility of loss of the copies in the post or delivery in error to an unauthorised third party.
In the past we have advised that, as a service to the patient and with their legally valid consent, a practice might be prepared to offer an
additional third party delivery service, separate from and outside their legal obligations under the Data Protection Act.
The cost of this may be substantial for complicated and heavy records, or where the solicitor or insurance company requires secure express
delivery, or where records are to be sent abroad by secure carrier. We believed it was permissible to send the copies to a third party by recorded or registered post for an additional fee, or on receipt of the
cost of postage and packing.
However, we sought specific clarification from the Information Commissioner’s Office in response to ongoing uncertainty and a
challenge from a solicitor’s office. On 11th March 2005 we received the following clarification from the Information Commissioner’s Office.
“The relevant regulation is in
Statutory Instrument 2000 no 191, The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 section 6(2).
‘(2) Where in a case to which this regulation applies, the obligation imposed by section 7(1)(c)(i) of the Act is to be complied with by
supplying the data subject with a copy of information in permanent form, the maximum fee which may be required by a data controller under section 7(2)(b) of the Act is £50.’
While we appreciate that this legislation makes no mention of the fee including postage, it does not make any specific provision of any extra
charges either and it is the view of the Information Commissioner that to ‘supply’ an individual with a copy of their data encompasses all costs
including photocopying, staff costs and postage. If a GP practice chooses to hand deliver the information or post it is entirely their
decision but the copy must be supplied to comply with the Act. If the copy is not provided or if more than £50 is charged this would be most likely to be a breach of the Act and enforcement action would be
considered if a GP practice refused to fully comply with a request.”
Sadly the Information Commissioner’s Office has not responded specifically to our particular query relating to third parties, but has
reiterated the terms of the Act and the accompanying charging regulations in relation to supplying the individual data subject with a copy of their data under the Act.
Wessex LMCS would therefore advise that, in order to be sure of discharging your duties correctly under the Act, you should supply copies
only to the data subject. It is preferable, for reasons of data security, for the patient to collect the copies from the surgery; however, the
copies may be sent to the individual by recorded or registered delivery, if hand delivery at the surgery is not possible for any reason. You must
never charge more than the statutory maximum fee for this service.
With legally valid consent an authorised third party may be permitted to collect the data from the practice. This would avoid any potential
data security problems associated with the delivery of copies and also would avoid any possible legal challenge regarding the charging of excessive fees under the Data Protection Act.
CED
Q DP502 - Data Protection Charges – Have the fees for access and copies under the Data Protection Act changed since the introduction
of the new Freedom of Information and Data Protection
(Appropriate Limit Fees) Regulations? (12/01/05)
Answer – As far as we are aware the fees that apply to access requests under the Data Protection Act remain unchanged.
See also Q&A on Freedom of Information Act fees.
CED
Q DP501 - Storing police information - I have recently received information from the police about offences committed by several
teenage patients. All information coming into our practice is scanned into the medical records and then shredded, but I am not at all sure that details of police cautions and offences should be treated
in this way. I appreciate that there is sometimes a need to ‘share information’ but I am concerned about the possible legal implications of storing this information in the medical records.
What is your view? (04/04/05)
Answer - This information should probably not have been shared with
you without the explicit and valid legal consent of the young person concerned, unless it was absolutely essential to protect the patient, or some other person, from serious harm.
Very occasionally it may be essential to share the minimum data that will serve a legal purpose in order to draw attention to a serious danger to
the patient or to family members or to practice staff. This data may be shared without consent if necessary. However, the reason for the data
sharing in such circumstances should be spelt out very clearly in order to fulfil the specific and valid purpose of providing an adequate warning.
If the young person had been informed as to what data would be shared, with whom and for what purpose, and had consented on that basis, then
it would be permissible. If this is not the case then there has almost certainly been a breach of data protection, human rights legislation and/or the common law duty of confidentiality.
It is not appropriate to include data about offences in the medical records, unless it is specifically required to inform the medical care of
that patient or is essential to protect any other person. If the data is to be retained it should generally be filed separately and then destroyed as
soon as it has served the valid legal purpose for which it was shared in the first place.
Should you inadvertently disclose police information that you have filed in the records, you would potentially be in breach of the Data Protection
Act, human rights legislation and/or the common law duty of confidentiality.
The LMC has concerns about some of the data sharing that occurs in relation to the welfare of children and young persons. There must
always be a good reason for sharing data without valid legal consent. It should never be a routine ‘knee jerk’ response.
When GPs are asked to share medical data with social services, the police or other professionals working with patients, the doctor has a
very strict professional and legal duty of confidentiality. He or she may only share data with someone who shares the same duty of confidentiality. Sadly some non-medical professionals have a somewhat
tenuous grasp of the legal and professional obligations of confidentiality!
It is very unlikely that routine and unnecessary data sharing will protect children or young people. It is more likely to contribute to data
overload, when important information gets overlooked or lost in a mass of extraneous material. Intelligent data sharing for a specific purpose,
with a specific person who has a legal duty to act on that information, and who will act promptly and effectively on that information, is much more likely to protect vulnerable children and young people.
Doctors must share data as and when it is important to do so, not just because of a generally held belief that data sharing is a good idea. It is
a good idea, but only if applied intelligently!
For example, the GMC has advised that no part of the Children Act 'requires' the disclosure of data without consent. This does not mean
that doctors should never share data in order to protect children, but rather that they must always share sufficient data promptly but only when it is necessary and appropriate to do so.
A doctor may be required to defend any inappropriate disclosure in the courts, or in an NHS or GMC disciplinary procedure. This tends to
concentrate the mind when making each individual decision to share data with a third party! If the decision is finely balanced the doctor
should always err in favour of protecting a child or young person, rather than protecting the data.
Footnote – Sensitive personal data may include any data relating to "the
commission or alleged commission by him of any offence, or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of
any court in such proceedings."
The data provided by the police in this situation would therefore be classified as ‘sensitive data’ in the Data Protection Act and must be
processed according to all of the Data Protection principles set out in
Schedule 1. This includes the condition that it may only be processed if it fulfils at least one condition from Schedule 2
and one condition from Schedule 3. The only conditions in Schedules 2 and 3 that would seem to apply to 'routine' information of this sort relate to the need for consent
to the processing. Schedule 3 sets out that for sensitive data this consent must be explicit.
We believe therefore that you would have to seek the patient's explicit consent before filing this data in the medical record, unless exceptional
circumstances allowed the processing according to the conditions set out in Schedules 2 and 3.
CED