Confidentiality is an essential part of the relationship between any healthcare provider and its patients. We consider the obligations set out in the Data Protection Act and their implications for healthcare providers. Without the security to speak freely and the knowledge that personal details are respected and protected, the patient may not disclose important information. Without such information, a full and accurate understanding of the patient’s symptoms or reasons for seeking help may not be obtained. A risk of harm to the wider community may also materialise in the event infections are left untreated.

Information sharing is, therefore, at the heart of being able to provide proper advice and treatment, to both the individual patient and society as a whole.


The Data Protection Act 1998 (“the Act”) aims to safeguard personal data by protecting the right of the individual to privacy whilst at the same time allowing organisations to legitimately use personal data. Personal data concerns only living individuals and includes data where, although the person is not named, he or she can still be identified.

If the information concerns physical or mental health it is considered to be sensitive personal data and requires additional care over and above the general conditions outlined below. (Political opinions and religious beliefs are other typical examples of sensitive personal data.)

Eight common-sense principles for handling data are set out within the Act. In summary, personal data should be:

  1. Fairly and lawfully processed
  2. Processed for limited purposes (so that it is clear why personal data is being collected and what the intention is of collecting such data)
  3. Sufficient and relevant (not excessive)
  4. Accurate
  5. Not stored for longer than necessary
  6. Processed in accordance with the rights of the individual (such as the right for the individual to access the information, object to its processing and claim compensation for damages caused by a breach of the Act)
  7. Secure
  8. Transferred only to countries with adequate security

When obtaining, recording, storing, using or disclosing information (or, as the Act states, “processing” personal data), consent must be obtained. In a healthcare setting, if consent is not obtained, the processing of information must be to protect the patient, such as in an emergency, where details of medical history may need to be disclosed. Alternatively, there must be a legitimate interest such that it is fair and lawful to use the information.

If the data is of a sensitive nature (because it includes information about physical or mental health), there are, as noted above, additional requirements to ensure a higher level of care. The consent must be explicit, or the processing must be necessary for medical purposes, such as sharing the information with another health professional who has the same duty of confidentiality. Alternatively, its use may be necessary to protect another person. For example, if a clinician were to suffer a needlestick injury, access to the relevant patient’s medical records, without explicit consent, may become paramount.


A workable and carefully managed data protection policy, which is periodically reviewed, should be in place to avoid any breach of the Act. The security measures under that policy should also reflect the sensitive nature of the information held – the greater the consequences of disclosure, the greater the measures should be. If security is compromised then an effective response should be swiftly put in place.

Access to personal information must be controlled and staff made aware of their obligations. Steps should also be taken to ensure recovery or destruction if data is lost. Staff must be aware of the importance of notifying a breach to the appropriate person in the organisation so that the extent of any damage may be limited.

As well as physical security measures (such as locked storage and clear desks), the security of electronic storage should be up to date and safe. Ideally, data should be encrypted and/or tracked when sent or, alternatively, remote access should be set up so that the data need not be sent at all.


A patient may claim compensation if damage or distress is suffered due to loss of information. In addition, the Information Commissioner’s Office (ICO) can seek an undertaking from the head of the organisation that certain measures are adopted to avoid a future occurrence. In the event of a serious or persistent breach, the ICO can issue an enforcement notice requiring the organisation to take, or to refrain from taking, certain steps; non-compliance with such a notice carries criminal penalties.

The ICO may also perform an audit and/or impose a financial penalty up to £500,000 if a serious breach of the Act is deliberate or if the risk of a breach was known and likely to cause substantial damage or distress.

Finally, unlawful obtaining and disclosing of personal data is a criminal offence which may result in prosecution.


In order to maintain trust in a healthcare provider, a difficult balance must be achieved between the need to collect and use personal information, with the aim of benefiting the patient, and the need to protect that individual’s right to privacy.

Healthcare providers have a duty to their patients to protect personal data. The more intimate the information, the stronger the justification for disclosure has to be. To maintain the confidence of patients, all healthcare providers should, where possible, inform the patient of the need to disclose the information if required, seek explicit consent and disclose the minimum amount of information necessary.

Any inadvertent breach of the Act should be avoided, both to prevent unnecessary harm or distress to the patient involved and to avoid embarrassment and damage to the organisation’s reputation. Developing a culture of awareness and accountability among staff when it comes to security issues is essential for any organisation operating in a healthcare environment.