Module 1 - The Data Protection Act
Introduction
Welcome to your EduCare programme on data protection in health. This module gives an introduction to the Data Protection Act 1998 and who it applies to, as well as a guide to its overarching principles and what organisations must do to comply with it. When the Act was made law, many myths abounded about what organisations could or could not do for fear of infringing it and incurring sizeable penalties. When you have completed this module, we hope that you will see that most of it is common sense and that, typically, most organisations will already have systems in place that comply.
Why was the Act introduced?
The Act was introduced in response to organisations' increasing use of computers in the second half of the twentieth century. Prior to this, most records were typed on an old fashioned typewriter or handwritten and stored in a paper filing system which made access to them so much more difficult. Computers allowed organisations of all descriptions to easily access, search and edit files on electronic databases. As technology developed, computers were then networked, so potentially everyone in an organisation could access database information, some of it potentially very sensitive. As the number of organisations using computers to store and process personal information grew, people became more aware that information could be misused or fall into the wrong hands. The Data Protection Act 1998 updated previous data protection law. It was introduced to control the way information is handled and it also gave legal rights to people who have information stored about them. Similar legislation has been passed to protect people in other European countries too because computers, combined with the internet, know no geographic boundaries.
The purpose of the Act
The primary purpose of the Act is to promote high standards in the handling of personal information and therefore protect an individual's right to privacy. The Act is enforced by the Information Commissioner whose role is to:
- promote the Act
- give advice and guidance
- keep a register of organisations that are required to notify them about their information processing activities (details of the types of organisations who must notify can be found at www.ico.gov.uk)
- help to resolve disputes involving the processing of personal data.
The Information Commissioner also enforces compliance and can prosecute those who commit criminal offences under the Act. For example, if an organisation fails to notify or renew a notification, they can be fined up to £5,000 and if their information processing is not in line with the principles of the Act, they can also be fined £5,000. However, if the Information Commissioner deems that the Act has been seriously breached, they can serve notices requiring organisations to pay up to £500,000.
Who is covered by the Act?
All of us - the Act covers any information that relates to living people and is held on computer and in some cases, on paper. This could be an individual's name, address, telephone or mobile number, date of birth and so on. It also covers any opinions about the individual or any other information from which they could be identified.
The main eight requirements of the Act
There are eight data protection principles that together constitute what the Information Commissioner (IC) regards as good information handling. These are that all personal information about individuals should be:
1. Fairly and lawfully processed (the IC describes processing as 'obtaining, disclosing, recording, holding, using, erasing or destroying personal information'. They also state that: 'The definition is very wide and will cover virtually any action which is carried out on a computer.')
2. Processed for a specified purpose (this means that information can only be used for those purposes the organisation has registered with the IC. It cannot be given away or sold unless an individual has given permission.)
3. Adequate, relevant and not excessive (when compared with the purpose stated in the register, for example, you must not collect more data than you need to fulfil the task stated in the IC's register.)
4. Accurate and, where necessary, kept up-to-date (for example updating people's names when they marry or their addresses when they move house.)
5. Not kept for longer than is necessary (information can only be held for specified periods, not indefinitely.)
6. Processed in line with the rights of the individual (people have a right to know what information is held about them by organisations and they can ask to see it. Individuals also have a right to prevent organisations from using their personal details for marketing purposes.)
7. Kept secure (meaning backed up and protected from unauthorised access.)
8. Not transferred to countries outside the European Economic Area unless the information is adequately protected.
Extra rules for organisations that hold sensitive information
Everyone must follow the previous eight requirements of the Data Protection Act, but many organisations also hold 'sensitive' information about individuals, for example, details of their healthcare, criminal records, or sexual life. There are stricter rules for these organisations which concern any information held about an individual's:
- Racial or ethnic origin
- Political opinions
- Religious or similar beliefs
- Trade union membership
- Physical or mental health condition
- Sexual life
- Offences or alleged offences committed
- Proceedings relating to those offences or alleged offences.
Can I process personal information?
Organisations who wish to process an individual's personal information should consider whether the act of processing it is 'fair and lawful'. This means that they should have a legitimate purpose for processing it.
They should also fulfil at least one of six standard conditions as follows:
1. The individual who the personal data is about has consented to the processing
2. The processing is necessary:
   - In relation to a contract which the individual has entered into; or
   - Because the individual has asked for something to be done so they can enter into a contract
3. The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract)
4. The processing is necessary to protect the individual's 'vital interests'. This condition only applies in cases of life and death, such as where a person's medical history is disclosed to a hospital A&E department treating them after a serious road accident
5. The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions
6. The processing is in accordance with the 'legitimate interests' condition.
The 'legitimate interests' condition is intended to permit such processing, provided you meet certain requirements as follows:
- you must need to process the information for the purposes of your legitimate interests or for those of a third party to whom you disclose it
- the interests must be balanced against the interests of the individual(s) concerned. The 'legitimate interests' condition will not be met if the processing is unwarranted because of its prejudicial effect on the rights and freedoms, or legitimate interests, of the individual. Your legitimate interests do not need to be in harmony with those of the individual for the condition to be met. However, where there is a serious mismatch between competing interests, the individual's legitimate interests will come first
- Finally, the processing of information under the legitimate interests condition must be fair and lawful and must comply with all the data protection principles.
Extra conditions for sensitive personal information
Organisations can only process sensitive personal information if they meet one of the six standard conditions previously mentioned, plus at least one of a much narrower set of conditions. These are intended to provide further protection to those who have sensitive information stored about them and they are:
- The individual who the sensitive personal data is about has given explicit consent to the processing.
- The processing is necessary so that you can comply with employment law.
- The processing is necessary to protect the vital interests of:
   - the individual (in a case where the individual's consent cannot be given or reasonably obtained), or
   - another person (in a case where the individual's consent has been unreasonably withheld).
- The processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents. Extra limitations apply to this condition.
- The individual has deliberately made the information public.
- The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights.
- The processing is necessary for administering justice, or for exercising statutory or governmental functions.
- The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.
- The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.
Extra conditions for sensitive personal information continued
In addition to these conditions - which are all set out in the Data Protection Act itself - regulations set out several other conditions for processing sensitive personal data. Their effect is to permit the processing of sensitive personal data for a range of other purposes - typically those that are in the substantial public interest, and which must necessarily be carried out without the explicit consent of the individual. Examples of such purposes include preventing or detecting crime and protecting the public against malpractice or maladministration. A full list of the additional conditions for processing is set out in the Data Protection (Processing of Sensitive Personal Data) Order 2000 and subsequent orders.
In Summary
In this module, we have covered the principles of the Data Protection Act 1998 and what you need to consider when holding and processing personal information. As technology gets ever more sophisticated and widespread, this Act protects our rights as individuals. Should you have any queries about any aspect of the Act, the Information Commissioner has a very informative website at www.ico.gov.uk and they run a helpline on 0303 123 1113 which is open from 9am to 5pm, Monday to Friday. In the next module, we will look at information requests and the basics of patient confidentiality.
Module 2 - Information Requests and the Basics of Confidentiality
Introduction
The nature of data protection and confidentiality in the health sector are closely entwined. Confidentiality should be a 'given' in order that the trust between patients and the people charged to care for them is preserved at all times. Patients rightly expect that information they supply about their health will be kept confidential unless there is a compelling reason not to. Without this trust, many people would not seek treatment for their medical or health conditions. Of course, confidentiality of patient information is a requirement of employment under NHS and many independent sector contracts. All staff employed by or contracted to the NHS may be disciplined following a breach of patient confidentiality which may involve a warning, restriction of practice or removal from their professional register. Furthermore, there is a requirement that all patient information should be held securely and all staff should be trained to protect it. In this module we will look at how to correctly process information whilst considering the importance of confidentiality.
Information requests - General
When someone asks to see personal information an organisation holds about them, it is called a Subject Access Request. The rules are that:
- People have a right to make a request in writing for a copy of the information you hold about them. They are also entitled to be given a description of the information, what you use it for, who you might pass it on to and any information you have about the source of the information
- People also have a right to ask that information about them is updated or corrected if it is inaccurate
- They can prevent the use of their data for sales and marketing purposes
- They have a right to ask that 'automated' decisions are not made about them, for example where a computer might add up the 'scores' to determine whether someone should have their application for credit passed
- People also have a right to make a complaint to the Information Commissioner who can investigate an organisation's records and make a ruling under the Data Protection Act.
Organisations cannot respond to a third party's request for someone else's personal information without the consent of the person in question (unless it is reasonable in all circumstances and the organisation's duty to uphold the person's confidentiality has been fully considered).
Information requests for health records
A health record is defined in the Data Protection Act 1998 as any record that:
- consists of information relating to the physical or mental health or condition of an individual, and
- has been made by or on behalf of a health professional in connection with the care of that individual.
When you receive a subject access request for a health record, you should consider the following:
- Section 7 of the Act gives individuals the statutory right, subject to some exemptions, to see information that organisations hold about them.
- Requests must be made in writing to the person or organisation holding the health records.
- The type of access you must provide and the fee you are allowed to charge may vary depending on how the records are held.
- You should have a procedure for handling requests for health information.
- The request does not have to use the term 'subject access' or 'data protection' for it to be valid.
- Staff should be trained to recognise requests and must deal with them within 40 days or sooner if possible.
- Requests should include the full name and address of the person seeking access to their health records, plus any other information that can help to identify them, e.g. their NHS number.
- If the record is open and there is an ongoing relationship between a health professional and the person making the request, you should confirm the identity with the lead practitioner.
- Confirming identity is very important if the request is for old information from closed records.
- Consider all the information held about the individual, not only medical records, bearing in mind the person may wish to restrict their request to specific information.
- You can ask the person to give you more information to help you find the information they are requesting.
- It is best practice to record all incoming requests for information and track them through to completion.
- You should acknowledge all requests and let the person know when they can expect a response.
Charges
In order to fulfil a Subject Access Request, organisations can charge a fee of between £10 and £50, depending on how the health records are held. Charging a fee is optional. However, you can charge a maximum of £10 for complying with a subject access request to health records held on a computer system only. You can charge a maximum of £50 for complying with a subject access request to health records held in a manual filing system, or a combination of electronic and manual filing systems. Subject access requests are not subject to VAT.
Instead of providing copies, you can offer the applicant the opportunity to inspect their medical records in person if the health records:
- are held manually, and
- have been added to in the 40 days since the request was first made.
You are not allowed to charge a fee for this. Individuals may also choose to view the records rather than receive copies.
Subject access requests made by a representative
Anyone with full mental capacity can authorise a representative to help them make a subject access request. When you receive one from a person's representative, you must satisfy yourself that they have the authority to make the request before disclosing information to them.
Children's health records
Parents can make subject access requests on behalf of their children who are too young to make their own request. A young person of 12 or above is considered old enough to understand what a subject access request is. They would need to provide their consent to allow their parents to make a request, but you must use your judgement to decide whether a young person aged 12 or above is sufficiently mature.
People who lack capacity
People who cannot make their own requests because of an illness or mental health problems have the same rights and protections under the Act as anyone else. Such a person is said to 'lack capacity'. Someone else may be able to make a request on their behalf; however, you must be sure that the representative of a person who lacks capacity:
- is allowed to make a subject access request on their behalf, and
- is acting in their best interests.
If an adult has lost the mental capacity to appoint a representative, you will need to be cautious when deciding whether or not you can disclose the individual's health records to anyone claiming to act on their behalf.
Information you must provide
You must provide the information requested plus:
- a description of the information
- an explanation of why you keep the information, and
- a list of people to whom you may disclose the information, and an explanation of why you may do so.
You don't necessarily have to supply all the information in an individual's health record. There may be information in an individual's health record about another person, such as a family member or partner. This information is known as third party data. An individual can make a subject access request only for their own information. If information is clearly personal data about more than one person, you must consider the interests of all the parties before deciding whether or not you may disclose the information. So you may sometimes have to withhold parts of an individual's record that relate to the third party if it would be unreasonable to the third party to disclose the information.
Disclosure of information that may harm someone's health
A medical professional may believe that providing an individual access to certain information in their health record might cause serious harm to their physical or mental health or to that of another person. If so, the Data Protection (Subject Access Modification) (Health) Order 2000 allows a data controller to withhold information. However, only a medical professional can make such a decision and it must be fully documented.
Accessing the health records of someone who has died
Only specific people have the right to apply for access to the health records of someone who has died. They are: a personal representative, executor, administrator, or someone who has a claim resulting from the death (this could be a relative or another person).
People requesting access should show:
- they have a valid reason.
- they have a legitimate relationship to the deceased person.
- that access to the records is in the public interest.
Other things that need to be taken into consideration include:
- the preferences or wishes of the deceased person prior to the death
- any distress the knowledge of this information may cause to a living person
- loss of privacy which may affect the reputation of the deceased person
- views of the surviving family
Mistakes in a medical record
If, after an individual has seen their medical record, they think something in it is incorrect, they should first discuss it with you. If the incorrect information is non-clinical, such as a wrongly recorded name or address, this should be corrected. If the information they think is incorrect is a professional's opinion, such as that of a GP, the information should not be amended but the individual's statement of correction will need to be recorded. This is because the original information is an accurate statement of the opinion on which treatment may have been based, even if the conclusions drawn in the opinion prove to be incorrect.
Best practice
Complying with the Data Protection Act is a matter of best practice that can have unexpected benefits. For example, customers and patients will feel assured that you are protecting their personal information from getting into the wrong hands; it can actually save money by ensuring that records are up-to-date so that postage and stationery are not wasted and it can also protect you against complaints and claims for damages. We will now move on to look at the basics of confidentiality.
What is confidential?
Everything that can be linked to a patient is confidential whether it is hand-written, held on a computer, on a camera or audio recorded. Even holding something in the memory is still subject to the duty of confidentiality. This includes all clinical information, photographs, videos, tapes, scans of all descriptions and who the patient's doctor is and the clinics they attend. Health professionals must in all cases seek patient consent before sharing this information with third parties.
Ethical and legal dilemmas
Occasionally, the duty to preserve confidentiality can present an ethical or legal dilemma, usually when a third party asks for information about patients or their treatment. You must consider:
- Properly informing patients about how identifiable information about them will be used
- Making any data anonymous whenever possible
- Seeking explicit consent for the use or disclosure of personal health information, unless it is very clearly implied
From time to time, when it is not practicable to obtain consent, information may be disclosed where the law requires or where there is an overriding public interest, for example, where child abuse is suspected. This is in harmony with the requirements of the Data Protection Act. In these cases, any disclosures should be kept to the minimum necessary to achieve the purpose. It should be noted in general, that where patients withhold their consent to disclose information about them, their wishes should be respected. In short, health professionals must always be prepared to justify their decisions about the use of personal health information.
Types of consent
When a patient gives consent to the disclosure of information about them, it may be explicit or implied. In either case, the consent should be informed and freely given. Explicit consent is given when a patient actively agrees, either orally or in writing, to the disclosure of information which has previously been discussed with them, and this is the ideal type of consent as it leaves no room for doubt. Agreement to disclose can also be implied by an informed patient. In order for implied consent to be valid it is important that:
- patients are made aware that the information about them will be shared
- patients are made aware with whom it will be shared
- patients are made aware of their right to refuse the disclosure
Where consent is implied, health professionals must be able to demonstrate that the assumption of consent was made in good faith and based on sound information, otherwise consent will not be deemed to have been given. Where information must be shared, for example between different areas of the health service, it would be helpful if, in addition to spoken advice about the necessity of sharing information, the patient is given further written information and this will provide extra security. It should be noted that the more sensitive the information, the more likely it is that explicit consent will be required.
Making data anonymous
Where the usual personal identifiers are removed (name, address, date of birth, NHS number etc), data can be used more freely, although in a small number of cases, even where these are removed, due to the rarity of a condition for example, data may be identifiable. It is good practice to give patients information about when their data will be made anonymous. Where identifiers have been replaced with a code so that a person could track back the data to an individual, that person should treat the data as identifiable and therefore confidential. People who receive the coded information and cannot track back because they do not have the code linked to the person's identifiable information can use the information and there is no common law requirement to seek consent.
Sharing information with other health professionals
Patients are usually considered to have given implied consent for the use of their information by health professionals for the purposes of the care they receive. Information sharing in this context is acceptable to the extent that health professionals share only what is necessary and relevant for patient care on a 'need to know' basis. Health and social care, whilst closely linked, do not always fall into the same category however, and disclosure to social services usually requires explicit consent from competent patients. Where a patient gives informed refusal to allow their information to be shared, even though it may compromise their health and/or safety, it should be taken that they have made an informed decision and it should be respected.
In summary
This completes your learning programme on an introduction to data protection and the basics of patient confidentiality. Of course, it is a much wider area and there are many other ethical and legal dilemmas to be considered - thinking about adults who lack capacity, confidential information about children and young people, what is in the public interest and the use of information for non-medical purposes etc. The British Medical Association has produced an excellent toolkit on the subject, and whilst not exhaustive, it will enable you to widen and deepen your knowledge. The toolkit is available at: http://bma.org.uk/practicalsupport-at-work/ethics/confidentiality-tool-kit We hope that you have found this taster programme informative and that you can apply what you have learned to your own circumstances. EduCare offers an extensive range of other subjects in its Business Skills series, as well as other longer programmes that may be of interest to you. Please visit www.educare.co.uk to view the full range of programmes.