Key considerations when making a decision regarding whether to disclose patient records to the police:
Has a Court Order been obtained by the police or is there a witness summons compelling an individual to produce the relevant records to the Court?
The common law duty of confidentiality owed to patients should be respected where possible, but this duty is not absolute. As per paragraph 17 of the General Medical Council’s guidance ‘Confidentiality: Good practice in handling patient information’ (updated May 2018), disclosure must be made where it is required by statute or ordered by a judge or presiding officer of a court. The guidance notes that only information relevant to the request should be disclosed and that, wherever practicable, patients should be told about such disclosures, unless that would undermine the purpose. The risk of an action for breach of confidence is significantly reduced where disclosure is made in compliance with a Court Order or pursuant to a witness summons requiring production of the documents. However, as stated by Munby J in A Health Authority v X and Ors (No.1) 2001 WL 513038 at paragraph 9:
[…] Dr X’s ultimate obligation is to comply with whatever order the court may make. But prior to that point being reached his duty, like that of any other professional or other person who owes a duty of confidentiality to his patient or client, is to assert that confidentiality in answer to any claim by a third party for disclosure and to put before the court every argument that can properly be put against disclosure. All the more so when, as in the present case, he knows, because he has asked, that his patient or client is refusing to consent to disclosure.
It is therefore important to note paragraph 91 of the GMC guidance, which advises that objection should be made to the Judge or the presiding officer if attempts are made to compel disclosure of what appears to be irrelevant information. Even when an order is obtained or a summons is issued, it remains necessary to consider whether there are still concerns regarding disclosure.
Are the police referring to the Data Protection Act 2018 (DPA), General Data Protection Regulation (GDPR) or data laws more generally as a basis for disclosure of the records?
For clarity, there is no provision in the DPA or GDPR which compels healthcare professionals or organisations to disclose patient records to the police. It is important to note that in the absence of an Order or summons, the disclosure will be voluntary. Such disclosures may only be made with the patient’s consent or if there is an overriding public interest.
The regime does not apply to the personal data of a deceased patient, albeit of course the duty of confidentiality which is owed continues after death. For completeness, the opinions expressed by healthcare professionals in a deceased patient’s medical records are the personal data of the clinicians who expressed those opinions.
What do references to the DPA mean in practice?
Typically references to DPA Schedule 2 para 2 or para 5 will be included in the request (perhaps with the addition of an Article 6 GDPR basis for lawful processing). These provisions relate to disclosures made for the purposes of prevention and detection of crime or in connection with legal proceedings. They are ‘exemptions’ in so far as they exempt the body processing the data for these defined purposes from having to comply with various provisions of the GDPR which broadly relate to rights of data subjects, i.e. to be informed.
In summary, the provisions are permissive and so do not create obligations. They are only available in defined circumstances, thus it cannot be assumed that they can be relied upon in all cases of voluntary disclosure.
Have the police provided a consent form completed and signed by the individual concerned?
Consideration as to whether the consent is valid will be necessary, and whether there are any concerns in relation to the patient’s capacity. Where a consent form is signed by someone other than the capacitous adult who is the subject of the request, further consideration will be required as to whether the signatory has legal authority to provide that consent.
It may seem an obvious point; however, it is important to check that the consent obtained covers the disclosure requested. For example, the consent may be limited to treatment provided between two dates in a particular hospital or by a particular professional, whereas the request may be for ‘all health records’.
Are the police suggesting there is an overriding public interest in making the disclosure?
As above, in the absence of an Order, summons or valid consent the records may be disclosed where there is an overriding public interest. Paragraphs 63 – 70 of the GMC guidance set out the relevant considerations.
Paragraph 64 notes “if it is not practicable or appropriate to seek consent, and in exceptional cases where a patient has refused consent, disclosing personal information may be justified in the public interest if failure to do so may expose others to a risk of death or serious harm”. The guidance goes on to note that such a situation might arise if a disclosure would be likely to be necessary for the prevention, detection or prosecution of serious crime, especially crimes against the person. Paragraph 67 addresses the issue of consent in this context. The British Medical Association’s Guidance ‘Access to Health Records’ confirms that theft, minor fraud or damage to property where loss or damage is less substantial, would generally not justify the breach of confidence necessary to justify disclosure in the public interest.
Paragraph 68 of the GMC Guidance sets out a range of factors which must be considered when deciding whether to disclose patient information, such as the potential harm which may be caused to others if the information is not disclosed. There is also an obligation to consider whether assistance can be provided without breaching the patient’s privacy and if not, to consider what the minimum intrusion might be. In practice this could be an offer to provide a brief statement answering specific questions as opposed to disclosing full medical records.
What does the organisation’s Access to Health Records policy say, if anything, in relation to disclosures to the police?
Most organisations are likely to have a policy which covers the approach to be adopted in response, and there may be particular forms that the police should be asked to complete when requesting records. Following the organisation’s policy and seeking advice from the relevant personnel, for example the Caldicott Guardian, before embarking on a response is also likely to reduce the risk of an action for breach of confidence.
Where should any decision be recorded?
This may be addressed in the organisation’s policy; however, we would expect the decision to be recorded in the patient’s records and indeed forwarded to the organisation’s information governance team. An index of the copy documents sent should be retained on file. Where redacted versions are sent it would be advisable to keep copies for future reference.
Please note that the relevant considerations in relation to a request for information where the organisation or an employee of the organisation may be implicated will of course be different. In such situations relevant defence organisations should be contacted and/or legal advice should be sought as appropriate.