The Data Protection Act 1998 came into effect on 1 March 2000 and replaced the 1984 Act. The new Act has significantly changed the requirements for the storage and use of data.
All organisations that hold data relating to a third party (this includes patients) are required to be registered under the Act. In 1999 it was estimated that 30% of general practices were not registered under the Act.
Most practice managers are not only aware of the Data Protection Act but also have a working knowledge of the contents of the Act. Unfortunately, although the majority of GPs are aware of the Act, few understand the changes brought about by it.
The major concern for GPs about the new Act was that the fee for providing copies of patients' written medical records was due to be reduced from a maximum of £50 to a maximum of £10 on 1 October 2001. After much negotiation between the BMA's Professional Fees Committee and the Government, the Government has seen sense and reversed its decision and kept the maximum £50 fee.
As yet, no GP has been prosecuted under the Data Protection Act 1998, but most practices probably breach the Act on a regular basis. It is important that practices understand the implications of the Act and take appropriate action to minimise the risk of breaching it.
- The Data Protection Registrar's title was initially changed to Data Protection Commissioner (DPC) and then to Information Commissioner.
- Previous registration was replaced by a new system of notifying the DPC.
- The eight basic principles laid out in the Data Protection Act 1984 have been revised and expanded.
- The Data Protection Act 1984 covered only computerised personal records. The new Act has been expanded to cover both manual and computerised records.
- Safeguards have been introduced relating to the processing of sensitive data, e.g. racial origin, trade union membership and health. Thus to store on an individual's manual or computer records that he/she is a Christian member of a trade union, is heterosexual and is in poor health, without his/her explicit consent, would breach the Data Protection Act on several counts.
- Previous regulations regarding the use of data for direct marketing have been strengthened.
- New rules about taking data to other countries that do not have adequate protection for personal data have been introduced.
The Data Protection Act must not be considered in isolation: GPs are also bound by GMC guidance on how personal health information may be disclosed to a third party.
Under the 1998 Data Protection Act the person whose personal information is stored (called the data subject) has the following legal rights:
- The data subject has the right of access to any personal information of which he/she is the subject.
If a patient requests in writing any of the following, the GP must comply:
- The GP must inform the patient if personal data are being processed by the GP or on the GP's behalf.
- If personal data are held, the GP must give the patient a description of the personal data, the purpose for which they have or will be processed, and whom the data will be disclosed to.
- The patient may apply to have inaccurate information corrected or erased.
- The patient may seek compensation for damage or distress relating to the unauthorised disclosure of personal information, whether accurate or inaccurate.
- The patient may complain to the Information Commissioner if he/she believes that any part of the Act has been breached by a GP.
The eight data protection principles of the 1998 Act are:
1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. The data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for any longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Patient confidentiality is a complex area, where GPs can often receive several different opinions. Some general advice was issued to GPs in 1998 [1].
When collecting personal data from patients, GPs should ensure that patients are not misled as to why the data are required, what they will be used for and to whom they may be disclosed. This information should be passed on by personal contact, via a display on the waiting room notice board, or by inclusion in the practice information booklet.
Patients must have the option to 'opt out' of having their personal data processed in any way other than the way they have specified. Explicit patient consent is required before 'sensitive personal data' are processed.
The Information Commissioner would consider that disclosure without consent could only occur in life or death situations, e.g. disclosing a patient's medical history to an Accident and Emergency Department following a serious road accident.
Care must be taken when adding information obtained from a third party: this must be fair to the data subject. The source of any third party information should be identifiable.
Records should show:
- Who is responsible for entering and updating the data
- When data were added to the system and by whom
- If data are corrected, why the correction was made.
These are the reasons that all accredited GP computer systems have an audit trail.
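The three things the text says a record must show (who entered the data, when, and why a correction was made) map directly onto an append-only audit trail. The Python below is an added illustration, not code from this page or from any accredited GP system; the field names, user names, timestamps and patient identifier are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class AuditEntry:
    """One immutable line of the audit trail."""
    when: datetime
    user: str               # who entered or changed the data
    field_name: str
    old_value: Optional[str]
    new_value: Optional[str]
    reason: Optional[str]   # mandatory when an existing value is corrected


class PatientRecord:
    """A patient record whose every change is appended to an audit trail.

    `clock` is injectable so the trail can be reproduced in tests; by default
    the current UTC time is used.
    """

    def __init__(self, patient_id: str,
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)) -> None:
        self.patient_id = patient_id
        self._clock = clock
        self._values: Dict[str, str] = {}
        self._trail: List[AuditEntry] = []

    def set_field(self, user: str, field_name: str, value: str,
                  reason: Optional[str] = None) -> AuditEntry:
        """Add or correct a field.

        Every change must be attributed to a named user, and overwriting an
        existing value (a correction) must carry a reason.
        """
        if not user:
            raise ValueError("every change must be attributed to a named user")
        old = self._values.get(field_name)
        if old is not None and old != value and not reason:
            raise ValueError(f"correcting {field_name!r} requires a reason")
        entry = AuditEntry(self._clock(), user, field_name, old, value, reason)
        self._trail.append(entry)      # append-only: entries are never edited in place
        self._values[field_name] = value
        return entry

    def current(self) -> Dict[str, str]:
        """The record as it stands now."""
        return dict(self._values)

    def history(self, field_name: str) -> List[AuditEntry]:
        """Every change to one field, oldest first."""
        return [e for e in self._trail if e.field_name == field_name]

    def trail(self) -> List[AuditEntry]:
        return list(self._trail)


def demo_record() -> PatientRecord:
    """Constructed example: an entry by a nurse, then a correction by a GP."""
    ticks = iter(range(1, 60))
    # fixed, fictitious timestamps so the trail is reproducible
    clock = lambda: datetime(2001, 10, 1, 9, 0, next(ticks), tzinfo=timezone.utc)
    rec = PatientRecord("patient-0001", clock=clock)   # fictitious identifier
    rec.set_field("nurse.jones", "smear_result", "normal")
    rec.set_field("dr.smith", "smear_result", "borderline",
                  reason="transcription error corrected against lab report")
    return rec


if __name__ == "__main__":
    for e in demo_record().trail():
        print(e.when.isoformat(), e.user, e.field_name, e.old_value, "->", e.new_value, e.reason)
```

The point of the design is that the trail is written to, never rewritten: a correction adds a new entry carrying the previous value, the new value and the reason, so the record can always be reconstructed as it stood at any earlier time and attributed to the individual login that made each change.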
- All doctors, nurses and practice staff should be made aware of the Data Protection Act 1998.
- All doctors, nurses and practice staff should be made aware that under the 1998 Act:
- unlawful disclosure of data covered by the Act can result in compensation being paid by the practice to the data subject (e.g. patients, practice staff, third parties or partners in the practice).
- data subjects have a right to view data that you hold in their manual or computer records.
- data subjects (patients) have the right to have incorrect or inaccurate data corrected.
- Ensure that each person using your computer system has an individual password. If any data are added or changed, you can then identify the person responsible.
- All staff should sign a confidentiality agreement; this could be part of their contract of employment and should refer to the 1998 Act.
- Computer passwords should be changed regularly, at least every 3 months.
- Back-up of computer data should be performed daily.
- A copy of a recent back-up should be stored off site or in a fireproof container.
- VDUs should be in a position where they are not viewed casually by the public.
- When leaving your computer for a significant time, ensure that you log out.
- Do not leave patient data on your screen when seeing another patient.
- Computer printouts with patient identifiable data must be destroyed, usually by shredding. (Tearing them up and throwing them in the bin is not adequate.)
- Old computers, back-up tapes or disks that contain stored patient data need the data securely erased before disposal. (Deleting the files or reformatting the disk is not adequate; the data must be overwritten or the media physically destroyed.)
- If you are involved in research with a third party, ensure that any letter inviting the patient to participate comes from the practice. If the third party writes directly to the patient you will have breached the Data Protection Act.
Inform the patients via a surgery notice board or your practice leaflets that:
- Doctors and nurses use the computer to record clinical data.
- Practice staff use the computer to:
- prepare prescriptions
- arrange appointments
- recall patients' personal details, e.g. cervical smear results.
- If you are involved in teaching or research, anonymised data will be used wherever possible.
The principles are explained in full on the website www.dataprotection.gov.uk (see Figure 1, below).
Figure 1: Screenshot from the Data Protection website
The Data Protection Act applies to everyone and all organisations and is not specifically aimed at healthcare. Consequently, specific clauses of the Act do cause some problems for the NHS. These issues are being addressed on a national basis.
For example, the fifth principle 'Personal data processed for any purpose or purposes shall not be kept for any longer than is necessary for that purpose or those purposes' would require GPs to delete computerised medical records of all patients once they left the practice.
This would have serious implications in the future as this may be the only record with full integrity and a complete audit trail. The Commissioner has accepted these arguments, and has provided an exemption until GP-to-GP transfer of electronic patient records is complete. The target set for electronic transfer of patient records from GP to GP is 2004.
GPs should also consider how they process information regarding staff, partners and third parties, as these data are also covered by the Act.
Figure 2 (below) lists some sources of useful information.
Figure 2: Useful information sources
Data Protection Website http://www.dataprotection.gov.uk
GPC Guidance http://web.bma.org.uk/gpc.nsf/guidancevw
BMA ethics guidance on access to health records; this deals with fees and time limits for consent http://www.bma.org.uk/public/ethics.nsf/webguidelinesvw
References
1. GPC Guidance, September 2000. The Data Protection Act 1998. (http://www.dataprotection.gov.uk)
2. GPC Guidance, September 2000. The Data Protection Act 1998. An updated code of practice for GPs, Appendix IV. (http://www.dataprotection.gov.uk)