Appendix 2: Legal considerations
Data Protection Act 1988 and Data Protection (Amendment) Act 2003
The Data Protection Acts (DPA) place a number of responsibilities on individuals and organisations who hold data on identifiable living individuals, and corresponding rights to data subjects (in the clinical context, patients are data subjects). The Acts and their supporting regulations form a complex legal framework designed to protect people’s privacy by preventing unauthorised or inappropriate use of their personal details.
Putting the Acts into practice boils down to complying with the eight data protection principles, which are relatively straightforward (see Box 12).
It is up to everybody working in an organisation that holds records containing personal information to comply with the spirit of the DPA – i.e., respect the subject’s privacy, keep the use of information to the minimum necessary and allow appropriate access.
Private practice
If you are in private practice, you are required to register as a data controller and to demonstrate that you have an appropriate data protection policy in place. This applies both for records held in your private place of work and for any private practice you may have within a public hospital. A designated member of staff will need to take on the further responsibility of ensuring that the practice as a whole is complying with the Acts. You can be reasonably sure that you are working within DPA requirements as long as you:
- have registered as a data controller
- hold no more information about patients than is needed for their medical care, and use it only for that purpose (though see Box 6, “Confidentiality of records”)
- institute robust security measures and confine access to authorised personnel on a need-to-know basis
- comply with patients’ legitimate requests for access.
Box 12: Data Protection Act
Data controllers must:
- Obtain and process the information fairly
- Keep it only for one or more specified and lawful purposes
- Process it only in ways compatible with the purposes for which it was initially given
- Keep it safe and secure
- Keep it accurate and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it no longer than is necessary for the specified purpose or purposes
- Give a copy of his/her personal data to any individual, on request.
Furthermore, personal information should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. (This does not apply if the patient has consented to information being sent overseas.)
Requests for access
Under the terms of the DPA, patients have a right to access their own records, for which you may charge a small fee (no more than €6.35). You must comply with the request within 40 days. Before granting access, however, it is important to check the records to ensure that they do not include identifiable information about third parties, which should be edited out of any copy you make available to the patient. This does not generally include omitting letters or opinions contributed by colleagues, such as a letter from a consultant (see Box 13).
There is no lower age limit specified by DPA legislation regarding access to one’s own records. The Data Protection Commissioner has, however, endorsed the view taken by the Irish College of General Practice that 16-year-olds should be given access on request, and children below that age should be given access if the doctor is satisfied that they are mature enough to understand the implications.
Those with parental responsibility for a child can also request access to that child’s records, but the confidentiality of mature minors should be respected, if it is likely that they might object to their records being disclosed.
Requests for access to the records of a patient who is mentally incapacitated must be decided on a case-by-case basis, bearing in mind that the interests of the patient are paramount.
You are permitted to withhold access to part or all of the record if there is a real possibility that viewing it would result in serious damage to the patient’s physical, mental or emotional wellbeing. This would be a rare circumstance and such a decision should be based on sound clinical judgment.
Your reasons for withholding the information should be clearly documented and you should indicate to the person requesting the record where omissions have been made. The patient has the right to ask the Data Protection Commissioner to investigate the matter, so it is important that your reasons for denying access are defensible.
Box 13: Opinions expressed in the record
“Where personal data consists of an expression of opinion about the data subject by another person, the data subject has a right to access that opinion except if that opinion was given in confidence. If the opinion was not given in confidence then the possible identification of the individual who gave it does not exempt it from access.”
Source: Data Protection Commissioner.
Correcting the records
Data protection law gives individuals the right to request that inaccurate or misleading information be rectified. Such a request must be made in writing and you have 40 days in which to respond – either by making the amendment as requested or by giving reasons why you are not complying with the request.
This sort of situation is rarely straightforward – you might need to investigate the matter to confirm that the information in question is indeed inaccurate or misleading, and in most cases the best course is to arrange to meet the patient and discuss the issue.
If the information proves to be inaccurate, it should be erased or corrected, with a note saying that it was deleted at the request of the patient. If you find that the information is accurate, you should explain to the patient why it is important that it be retained in the record and offer to append a note detailing the patient’s views.
You are under no obligation to erase or amend clinical information that has been fairly collected, is relevant and accurate, and is not excessive for the purpose for which it was obtained. However, this raises the issues of confidentiality and consent; patients have the right to expect healthcare professionals to respect their wishes regarding disclosure of personal information. If the patient does not want certain information to be available to the healthcare team, you should agree to restrict access to it, but explain that this could compromise the patient’s care.
Case 5
A 56-year-old man had accessed his clinical records when dealing with a claim following a road traffic accident. While viewing them, he saw references to treatment for an STD some 12 years earlier and asked that they be erased.
His GP discussed the matter with him, ascertaining that the patient was worried that this information would “get out” and affect his reputation locally. The doctor assured him that the practice had strong measures in place to protect patients’ confidentiality, but this did not put the patient’s mind at rest. When the doctor offered to categorise this information as highly sensitive so that access would be restricted to himself, the patient was satisfied with this compromise.
As the STD had been successfully treated with no recurrence, the doctor felt that keeping the healthcare team in ignorance about this aspect of the patient’s medical history was unlikely to have an adverse effect on his future care.
Freedom of Information (FOI) Act
Patients – and in some instances relatives and others – can apply, under the FOI, for access to records held by publicly funded healthcare agencies. This also applies to medical card holders’ GP records.