LMC LIVE Archive
home LMC LIVE 2005
search contact us
new items
guidance
Q & As
info share
documents
bulletins
links

Q & A - Data Protection & Confidentiality 3
                                                         (Oct '03 - Mar '04)

Index 
DPA80 - 'Looked after children
DPA79 - Disclosure of practice identifiable data
DPA78 - Interviews with media
DPA77 - National Strategic Tracing Service
DPA76 - Cancer screening and data protection
DPA75 - Disclosure without consent for Part 8 review
DPA74 - Disclosure of data to NHS counter-fraud squad
DPA73 - Patient consent to disclose copies of records to solicitor
DPA72 - Use of data for research
DPA71 - Report about dead patient for PCT
DPA70 - Disclosure of data to PCT staff
DPA69 - Postage costs
DPA68 - Data protection and criminal activity
DPA67 - Disclosure of child's medical records to separated parents
DPA66 - Insurance reports and family and genetic history
DPA65 - Patient confidentiality and police custody
DPA64 - Confidentiality regarding a 16 year old girl
DPA63 - Information required by IVF clinic
DPA62 - Care Standards Authority access to medical reports
DPA61 - Disclosure to guardian
 

Q DPA80 - 'Looked after children' - We have been asked by social services to provide details of the immunisation status of several 'looked after children' on our medical list. Are we obliged to provide this information? Do we need consent before disclosure?
                                                                                     (10/03/04)

Answer - You should always seek consent before disclosing sensitive personal data contained in the medical records of any of your patients. Generally you may disclose data without consent only if it is not practicable to seek consent and it is overwhelmingly in the public interest, a matter of life and death for the patient or some other person, or if it is essential to protect their mental or physical health. The minimum data to serve such a legally permissible purpose data may then only be disclosed to a person with the same duty of confidentiality and a legal right to use the data for that purpose. 

The Children Act (Miscellaneous Amendments) (England) Regulations 2002, SI 2002 No. 546 introduced a number of amendments relating to the health and social care of looked after children which increased statutory obligations with respect to their healthcare.

The Local Authority Circular LAC(2002)16 Children Act (miscellaneous amendments)(England) Regulations 2002; New guidance on promoting the health of looked after Children emphasised that there should be a move away from annual 'medicals' and a new emphasis on a more holistic and continuing assessment of health needs. The health and social services must now plan to meet the physical and mental health and health promotion needs of looked after children and young people. Immunisation would fall into the category of health promotion and the immunisation history would be of importance in planning for this. 

This circular made the specific observation that many looked after young people were angry at the failure of health professionals to respect the confidentiality of their health information and at the lack of information about maintaining their future health. 

It would therefore almost certainly be in the best interests of the looked after child or young person that the information was made available. However, if possible you must seek the consent of the child or young person if he or she is 'Gillick competent', or the consent of the legal guardian otherwise. 

Footnote; Definition of 'looked after';
A young person is 'Looked After' by the Local Authority if he or she is in their care by reason of a court order or is provided with accommodation for more than 24 hours by agreement with the parent. If looked after by agreement this is referred to as being 'accommodated'.  

CED 

Return to Top

Q DPA79 - Disclosure of practice identifiable data - Our PCT plans to present identifiable practice data on access targets and referral patterns at PCT Board meetings, which are open to the press. Is this permissible?                                                                 (03/03/04)  

Answer - This is not permissible unless the PCT has the valid legal and explicit consent of each practice to share that information in the public domain. Releasing commercially sensitive data without consent is not permitted under the Data Protection Act. It probably also breaches the common law on consent and the right to privacy under the Human Rights Act. Personally and commercially sensitive data is also protected from disclosure under the Freedom of Information Act.  

If one practice objects to disclosure, it could be identified by default, and this could represent a breach of confidentiality. If a practice has objected to disclosure, this could easily be presented in such a way as to imply that it had something to hide, which could be damaging. 

It is of course critical that no patient or group of patients may be identified, either directly or by default, from the disclosure of data. 

There is currently a strong move to permit increased data sharing for the purposes of NHS administration, which has been opposed by both the GPC and RCGP.  

The Section 60 of the Health and Social Care Act 2001: consultation on proposals to revise regulations ended in January. Disclosure of sensitive data without consent in this way could well become legal in the future, but the PCT does not currently have the legal right to take this action.  

CED 

Return to Top

Q DPA78 - Interviews with media - A local TV company has asked to interview one of our doctors about a patient's complaint. The PCT's press officer say he should agree to the interview, but the doctor's defence organisation says he should not. What is your opinion?    
                                                                                     (16/02/04) 

Answer - A refusal to participate in an interview may be presented by the media in such a way that it looks as if the doctor has something to hide. However, anything that relates to your patient is a matter of medical confidentiality and, even though the complainant may be prepared to discuss the complaint openly with the media, the doctor is still bound by a legal and professional duty of confidentiality.

According to GMC guidance you should never discuss a patient's complaint with the media without first seeking valid and explicit consent from the patient and/or complainant. Even if you do not name the patient, the general details and context in which your comments are made could easily identify the patient by default.

Your responsibility is to follow the NHS complaints procedure in a timely and correct manner. You must, therefore, acknowledge the complaint promptly, carry out a thorough investigation, offer appropriate apologies to the patient and take any remedial action that is required.

The PCT should similarly follow up any complaint brought to their attention, as required by the NHS complaints procedure.

In view of the media interest, the PCT press officer may wish to grant an interview in order to represent the fact that it is a doctor's legal and professional responsibility to maintain strict confidentiality, which precludes giving media interviews related to a specific complaint. The press officer could also express appropriate regret with regard to the complaint and provide an assurance that all necessary steps are being taken to follow it up correctly under the NHS complaints procedure. This would perhaps be a reasonable compromise.

It is important that you communicate in a correct and sensitive manner directly with the complainant and that you do not allow yourself to be drawn into a media circus. This may be particularly important in the event of the complaint leading to litigation.

If there is a possibility of litigation you are always advised to follow the legal advice of your medical defence organisation.

Footnote;  
Letter to practices regarding dealing with the media

CED 

Return to Top

Q DPA77 - National Strategic Tracing Service - We have just had several letters forwarded to our practice from the hospital as they had checked on the National Strategic Tracing Service to find which practice the patients were registered with. I am concerned about the data protection issues. Who has access to this service and what details do they hold?                                                     (16/02/04)

Answer - The NHS Strategic Tracing Service(NSTS) is the first ever national database and is regarded as a vital tool for sharing information within the NHS. It is managed by the NHS Information Authority.

It includes up-to-date administrative information which includes the NHS number, name, date of birth, sex, date of death (where applicable) and, for all GP-registered patients, it includes thename and address of the registered GP. It holds no clinical information.

The service is centrally funded and covers all patients in England and Wales. The data is provided from General Practice via the Primary Care Organisations and from the Registrar of Births and Deaths, via the Office for National Statistics. It can be accessed through NHSnet or a secure NSTS telephone Trace Line. The service is free of charge.

A comprehensive security policy and stringent access and security protocols govern how the service is used and all organisations wishing to use the service must sign a Data Access Agreement before being allowed access.

The NHS Number Programme includes the NSTS and the NHS Numbers for Babies (NN4B) project, which was set up in 2002 to ensure that any vital tests and medical treatment administered in the first six weeks of life are recorded securely, even if the name and address of the child is subsequently changed.  

All patients, including new born babies, now have an NHS number for life. This makes it possible to build a life-long Electronic Health Record (HER) to collate disparate information based upon a single, unique identifier.  This will allow the creation of a comprehensive record of a person's health as set out in Information for Health .  

Reference:
NHS Number

CED 

Return to Top

Q DPA76 - Cancer screening and data protection - We have just received a copy of a "Confidentiality and Disclosure Policy" and an "Information Security Policy" for NHS cancer screening programmes from our PCT. Are we bound to follow these policies? (05/02/04) 

Answer - Sharing data within the cancer screening programmes raised a number of legal and ethical questions relating to the confidentiality and security of data shared between different agencies. It was essential to address these issues in order that the cancer screening programmes could continue effectively and within the law. As a result an application was made to PIAG to provide class support for NHS cancer screening programmes under Section 60 of the Health and Social Care Act. This was approved in March 2003. 

In order that the cancer screening programmes may enjoy the support of PIAG it is essential that the correct approved procedures are followed.  You are therefore bound to abide by these nationally agreed procedures.

Useful background information is available in a power point display NHS Cancer Screening Programmes in England produced by the North West QARC. 

Further Information:  
NHS Cancer Screening Programmes;Confidentiality and Disclosure Policy

CED

Return to Top

Q DPA75 - Disclosure without consent for Part 8 review - A child has been killed in a road traffic accident where the mother was allegedly driving under the influence of alcohol. An ex-partner of the mother is one of my patients. He was not living with the mother in the period before the accident and has no children himself. I have been told that I am obliged to provide a copy of his medical records for a Part 8 Review without his knowledge or consent. I have been told that my patient will not be identified and warned that I could be required to defend any refusal before the GMC if called upon to do so. Am I obliged to reveal this data? What is your advice?  
                                                                                     (21/01/04)

Answer - We have been advised that no part of the Children Act or Working Together to Safeguard Children requires disclosure. However, you are permitted to reveal confidential data without consent to a legitimate authority in order to prevent the death or serious physical or mental harm of a child or children, or if you believe it to be overwhelmingly in the public interest. The data should be limited to the minimum that would serve the purpose and should be disclosed only to someone who has a similar duty to maintain confidentiality.

The GMC written advice on disclosure is conflicting. On the one hand GMC guidance Confidentiality: Protecting and Providing Information states;
Disclosures in the public interest
"In cases where you have considered all the available means of obtaining consent, but you are satisfied that it is not practicable to do so, or that patients are not competent to give consent, or exceptionally, in cases where patients withhold consent, personal information may be disclosed in the public interest where the benefits to an individual or to society of the disclosure outweigh the public and the patient's interest in keeping the information confidential. "

If you decide to disclose confidential information you must be prepared to explain and justify your decision.

On the other hand the following appears in the FAQs included in that guidance;
A child in my practice has recently been taken to hospital suffering serious injuries from abuse. His father is now being prosecuted. I've been asked to provide information about the child and her family for a Part 8 Review. I'm the GP to the child's father and he won't give consent to the release of information, what should I do? (See paragraphs 36-39)

Part 8 Reviews are intended to identify why a child has been seriously harmed, to learn lessons from mistakes and to improve systems and services for children and their families. The overall purpose can reasonably be regarded as serving to protect other children from a risk of serious harm. You should therefore co-operate with requests for information, even where the child's family does not consent, or if it is not practicable to ask for their consent. Exceptionally, you may see a good reason not to disclose information; in such cases you should be prepared to explain your decision to the GMC.

This reflects the conflicting ethical and legal obligations placed upon a doctor to;

  • always act in the best interests of his or her patients and to protect the confidentiality of those patients' sensitive personal data held in the medical records
  • always act to protect vulnerable children and also to provide data that is overwhelmingly required to serve the wider public interest.

In the light of recent high profile tragic cases of child abuse, it was widely recognised that medical confidentiality sometimes interfered with the legitimate disclosure of data to protect a child or to investigate the procedures used in serious cases of harm to a child, or children, in order to learn vital lessons for the future.

It has always been permissible to breach confidentiality in exceptional cases and the GMC appear to be spelling this out a little more clearly in relation to child protection. For this reason doctors should generally cooperate with part 8 reviews. Consent to any disclosure of confidential data is always preferable, but where it is not possible or desirable to obtain consent and even where consent is refused, it may still be permissible to provide the data.

It is impossible for the GMC, or the LMC, to give precise guidance in any particular case. The justification for disclosure under current legislation and ethical guidance remains with the individual doctor, who may be required to defend that decision in a court of law or before the GMC. A doctor could of course also face the GMC or the courts in order to defend a failure to protect a vulnerable child.

In this case the child is now sadly dead and there appear to be no other children at risk. The justification for disclosure could be because it is overwhelmingly in the public interest that part 8 enquiries are held to ensure that appropriate lessons are learned for the future safety and protection of all children.

However, in this case the disclosure of your patient's medical history does not appear, judging from the information provided, to be an essential part of this part 8 review and therefore does not seem to be overwhelmingly justifiable in the public interest.

It would be reasonable to ask those holding the review to provide reasons why they believe that disclosure of this data without the consent or knowledge of your patient is in fact essential to the review process. It would be reasonable for them also to provide their reasons why you may not seek valid legal consent to disclosure.

In any case where you have sought consent and the patient has refused permission to disclose, you should seek the prior approval of your medical defence organisation before disclosure.

The assurance that the patient will not be identified would probably not permit disclosure without consent. Your patient would probably be identifiable by inference in the final report and this could be personally damaging to him.

Footnote;
Aide memoire; data disclosed without consent must conform to the 5 points of PLAN J and be:

  • Proportionate
  • Legal
  • Accountable
  • Necessary
  • Justifiable)

CED

Return to Top

Q DPA74 - Disclosure of data to NHS counter-fraud squad - I have been asked to provide data without consent about a patient who is being investigated for allegedly obtaining prescription drugs by registering with a number of practices under different assumed names. I have been told that this disclosure is permitted under the Data Protection Act. Is this true?                                   (19/01/04) 

Answer - Disclosure of confidential medical data remains a very grey area in both legal and professional terms and the work of the NHS Counter fraud squad is particularly problematic!  

Doctors may sometimes be permitted to disclose confidential personal information without the patient's consent if the greater benefit might outweigh the duty of confidence. This is of course all a matter of very fine judgement. 

Section 29 of the Data Protection Act does specifically permit data processing, which could include disclosure to a relevant authority for the purpose of the prevention or detection of crime or the apprehension or prosecution of offenders. 

However, there are also professional and ethical considerations and legal restraints in relation to the Common Law on confidentiality and the Human Rights Act. 

A common law breach of confidence would occur if the disclosure appears to be "an abuse or unconscionable to a reasonable man". Case law has established that it is permissible to breach confidentiality "in the public interest" in exceptional circumstances. 

Under Human Rights legislation any disclosure of confidential information must be justifiable as necessary to support legitimate aims and the disclosure must be proportionate to the need. In other words if the need is not sufficient, no disclosure without consent would be justifiable! 

You must always assess the appropriateness and necessity of any disclosure without consent to the counter-fraud squad and, if you believe it is justified, aim to minimise the identifiable information disclosed to the minimum that will serve the purpose. Obviously in counter fraud investigations anonymisation of data will only very rarely be an option.  

Disclosure without consent may occasionally be supported by legislation introduced under section 60 of the Health & Social Care Act 2001. However, this generally applies only to disclosures in relation to the cancer registries, public health or research approved by the Secretary of State.  

There is currently a consultation into the use of data without consent based upon Section 60 of the Health and Social Care Act. Even the proposed extended powers of disclosure would not appear to permit routine disclosure of data to the counter fraud squad without consent. 

Patients entrust doctors with very sensitive confidential data and, if you do not believe that disclosure without consent is justified in a particular situation, you may ask for additional reasons to justify any disclosure. If you are still not satisfied then you should insist on a court order which would require you to disclose the data. You should bear in mind that you may have to defend any disclosure without consent in a court of law or before the GMC!  

The NHS Code of Practice on Confidentiality provides comprehensive and authoritative details of the complex legal framework in which you are required to operate! Pages 30 -34 are particularly relevant in this context. 

The GMC in Confidentiality: Protecting and Providing Information has the following advice in relation to disclosures in the public interest.

Disclosures in the public interest
"In cases where you have considered all the available means of obtaining consent, but you are satisfied that it is not practicable to do so, or that patients are not competent to give consent, or exceptionally, in cases where patients withhold consent, personal information may be disclosed in the public interest where the benefits to an individual or to society of the disclosure outweigh the public and the patient's interest in keeping the information confidential. "

In the particular case that you quote, a patient appears to have used false identities to obtain drugs by deception is clearly;

  • breaking the law
  • obtaining medications that are not based upon safe prescribing practices, since there is no previous history available, and is therefore likely to harm himself
  • possibly, and more seriously, supplying surplus drugs to other vulnerable people who could be at serious risk.  

Many doctors would consider this as sufficient justification for disclosure of the minimum data to serve the purpose of the investigation without obtaining consent, but this has to be an individual judgement that you would personally be prepared to defend.  

Doctors would generally find it harder to justify disclosure where they did not believe either the patient or members of the public were at serious risk of harm. The NHS code of practice would in fact seem to support disclosure in the event of suspected financial fraud, because of the public interest in saving the waste of public money as a the result of fraud. However, it is the GP that would be at risk of a legal or professional challenge as a result of improper disclosure.  

CED

Return to Top

Q DPA73 - Patient consent to disclose copies of records to solicitor - When we receive a solicitor's request for copies of a patient's medical records we send off a patient authority form for completion to ensure that we have valid legal consent to disclosure. Are we entitled to state that we WILL NOT undertake copying of records until they return the completed form?                           (14/01/04)   

Answer - Under the Data Protection Act you must provide a copy to the data subject within 40 days of receiving the request in writing, the money and information sufficient to identify the patient and the location of the records. It does not specifically mention consent to disclose to a third party. However explicit consent is almost always required before you may legally disclose any sensitive personal data to a third party.  

It would therefore be reasonable to state that you can only provide the copies to the solicitor once you have been satisfied that the patient is legally competent to give consent, has been fully informed of, and fully understood, the reasons for disclosure and the ways in which the data would be used, and has given consent on an entirely voluntary basis. The solicitor would not be obliged to complete your particular form, but must satisfy you that the patient's consent permits legal disclosure of the data . 

You could state that you would provide the requested copies to the patient within 40 days, as the law requires, but that you could not provide them direct to the solicitor, unless you are satisfied that you have adequate consent before the 40 day period is over. 

CED 

Return to Top

Q DPA72 - Use of data for research - One of our regular locums also works for the PCT and has asked if he can use our practice population to take part in a public health project to improve the uptake of immunisations. He is prepared to provide us with specific advice on our practice immunisation programme and has guaranteed that all patient data will be anonymised. We are happy to take part and believe it would benefit our patients, but would it be likely to create ethical or legal problems?                                  (14/01/04)  

Answer - As long as the doctor is working for you as a regular locum he would have legitimate access to your patient database as a member of your clinical team. 

Under the Data Protection Act you have a duty inform patients how their personal data is processed by your practice, and this should include research carried out by the practice. (See DATA PROTECTION - Patient Information

Since this research would seem to be of direct benefit to your patients, there are unlikely to be problems provided you have;

  • checked that the research has received appropriate ethical approval
  • checked that the research would be in the public interest
  • informed patients that their data may be used in this way
  • allowed patients to find out more and/or register an objection to such data use
  • have no reason to believe that any patient has objected to such use
  • ensured that information is anonymised before transfer to any third party  

Further information;
Providing Data for Medical Research and
Data Protection and Research    

It would be permissible to share aggregated and anonymised data with other practices, or with the PCT, provided your practice is happy to do so, and unless patients had objected or could be identified by default. 

It is likely that in future sharing patient data in order to improve NHS services will be permitted, or even required, under legislation that is likely to be introduced as a consequence of the Health and Social Care Act.  

CED

Return to Top

Q DPA71 - Report about dead patient for PCT - As part of a review of continuing NHS health care I have been asked to review the medical records of a patient who died several years ago and to "assess these against the new criteria in order to determine whether there had been any deterioration in his health needs." I have been asked to read around 70 pages of information before completing this report. Am I obliged to do so? The PCT are not offering to pay a fee for this service.                                                                         (14/01/04) 

Answer - A doctor's contract to provide services to a patient terminates with the death of the patient. All GPs are currently struggling with an avalanche of new regulations and legislation, in addition to their main task of caring for patients. The needs of living patients must certainly take precedence over the needs of the dead, or even an NHS manager demanding this information! Since this report is not a prescribed certificate, it is not mandatory that you complete it. If you choose to do so, you are entitled to charge a fee. 

If you choose to complete it there are a number of matters that must be considered;

  • You are still bound by a common law duty of confidentiality to the patient and you must not disclose any information given by the patient on the strict understanding that it would never be released, unless there is a court order or coroner's request.  
  • The terms of the Access to Health Records Act would apply, and the consent of the next of kin would be required. Seeking consent could easily cause unnecessary distress to the family. 
  • You must not disclose data relating to any third party who was not a health professional providing care for the patient, without first obtaining their consent. 
  • If it is overwhelmingly in the public interest to do so, and consent is not possible, you may be permitted to disclose data without consent. Only the minimum data to serve the purpose may be disclosed to an appropriate authority, provided it will be treated with a similar duty of confidentiality.  Pursuing a serious criminal offence might justify this.  

This sounds like an entirely bureaucratic demand for data, unless there are circumstances that you have not mentioned, or are not aware of, that would justify disclosure, such as a suspected Shipman type investigation, in which case the PCT should inform you.  

The PPSA would now hold these notes and the PCT should ask them to organise a doctor to provide this service if the data is deemed essential for the review.  

The situation in the near future may change as additional legislation, permitted under the Health and Social Care Act, is likely to permit, or even require, GPs to provide information about patients, without consent if necessary, in order to facilitate the working of the NHS. 

The whole process of acquiring the notes from the PPSA, trawling through them in order to weed out any third party data, seeking any necessary consent, reading through mountains of background paperwork, all as a preliminary to compiling the report, does not sound a very attractive prospect, even assuming the PCT would pay a fee for the service!  

CED

Return to Top

Q DPA70 - Disclosure of data to PCT staff - We seem to be receiving more and more requests from the PCT for patient identifiable information. For example;
1  A letter asking for a copy of the mental health registers for psychosis.
2  A letter from a clinical services manager who is trying to compile a list of patients with diagnosed heart failure who may require echocardiography. The objective is to plan any necessary investigations as efficiently as possible so that GPs are able to comply fully with the NSF.
We are always unsure how to handle these requests and would welcome guidance.                                                     (12/01/04)

Answer - Unless the request for the Mental Health Register data provides adequate information as to what precise information is required and the way in which that data is to be used and contains assurances regarding confidentiality, this would appear to be a  bureaucratic demand for information. It does not appear to be a matter of life and death, or for the individual patient's benefit and treatment, or demonstrably and overwhelmingly in the public interest. You would therefore need the valid legal consent of the patient to disclose this very sensitive personal data.   

With regard to the echocardiography initiative, this would seem to be slightly different as the aim seems to be an attempt to organise an effective clinical service for the individual patients. This is similar to other clinical referrals and the "man in the street" would probably understand that this might occur and would recognise that the intention was to benefit his or her personal clinical management. Unless the patient had registered an objection, explicit patient consent would probably not be required.   

Under the Data Protection Act all practices should inform their patients of the way in which their data is processed by the practice and offer the opportunity to find out more or to register an objection if they so wish.  ( See DATA PROTECTION - Patient Information )    

The whole context of data protection, consent and confidentiality appears to be changing dramatically. The Health and Social Care Act is currently being used to introduce new legislation permitting certain uses of patient data without consent. This will be required for example as a necessary precursor to the introduction of the new patient electronic records and in order to permit further use of data by PCTs to facilitate the work of the NHS.
(See Consultation on Proposals for use of Section 60 Powers and Data Use by PCTs

It would not be useful to develop new guidance at this time in view of the significant changes in legislation and accepted practice which appear imminent . You may, however, find the Dorset and Somerset LMC guidelines useful. 

GPs must always be mindful that they still have a legal and professional obligation to act in the best interests of their patients, to preserve patient confidentiality and to seek appropriate consent at all times, unless there are clear legal and professionally acceptable reasons why this may not be necessary.  

PCT requests for identifiable patient data raises issues that are rarely legally or ethically clear-cut and individual judgement is required in each case! Any third party disclosure of sensitive personal data may be subsequently challenged and a doctor must be prepared to defend his or her action in a court of law or before the GMC if necessary. Such a legal or professional challenge is particularly likely where the data is especially sensitive, such as that relating to mental health!   

CED

Return to Top

Q DPA69 - Postage costs - We have numerous requests for copies under the Data Protection Act. Producing copies is very time consuming and therefore expensive. The cost of sending notes by recorded delivery is often around £5. Is it permissible to charge extra for this?                                                                       (08/01/04)  

Answer - This answer has been superceded by Q&A DP503 - Postage Costs.

CED 

Return to Top

Q DPA68 - Data protection and criminal activity - I am very confused by recent media reports concerning the police and the application of the Data Protection Act. I thought that it was permissible to disclose data in order to prevent or detect serious crime or to prosecute criminals.  Am I right?                                                  (05/01/04)  

Answer - Section 29 of the Data Protection Act and GMC guidance would seem to support this view. Any data disclosed for these purposes must be limited to the minimum necessary to serve the purpose and should only be disclosed to a person who shares a similar duty of confidence. If in doubt you should always seek the specific advice of your medical defence organisation before disclosure. 

If a court order has been issued then you are obliged to disclose the relevant data to the authorised person or body. 

Data may, of course, also be retained for long enough to serve its lawful purpose. The destruction of information that has current relevance is not a requirement of the Data Protection Act, as was recently claimed by the police in the Soham murder case. 

Unfortunately Data Protection Law is complex and often a matter of sophisticated knowledge and interpretation. Clear official guidance and advice was very slow to emerge when the Act was first introduced and serious misunderstandings have clearly developed in the police force over time.

The LMC is often asked for advice when the police demand information from GPs to which they have no rights under data protection law. Such requests must be resisted.  

The Data Protection sections of Guidance and Q&As on this website provide further information, but if in doubt please contact the LMC office or your own defence organisation.

CED 

Return to Top

Q DPA67 - Disclosure of child's medical records to separated parents - The parents of a young child registered with our practice have separated and the child is in the care of the mother. The father has recently requested a copy of the child's notes, but the mother had previously told us that we had to provide a copy of any information we provided to the father so that she could inform her solicitors. Can you advise please?                                                 (22/12/03)

Answer - If the parents were married at the time of the child's birth the father will have legal parental responsibility, unless this has been restricted in any way by the courts. If the parents were not married at the time of the child's birth, then the father will not automatically have parental responsibility but may have acquired it through the courts.  

You should check that the father does indeed have parental responsibility and if so then, under the Data Protection Act, he has a right to a copy of the child's medical records, in just the same way that a mother has the right to that data.  

The fact that you have disclosed medical data under the Data Protection Act, to either the mother or the father, would constitute a third party disclosure. You should not therefore reveal this information to the other partner, unless you have valid legal consent to that disclosure or it is the subject to a court order requiring you to do so. 

There may be rare occasions when disclosure to the other partner would be clearly in the child's best interests. As a doctor this must always be your most important consideration.  

In the event that the solicitor of one partner requires information relating to data provided to the other partner, then it is appropriate for him to seek this information from the other partner's solicitor, who would be aware of the legal complexities in that particular case. 

The legal proceedings relating to child custody and access are very complex and as a doctor you are not trained to make judgements that require substantial legal knowledge. The consequences of an inappropriate disclosure could prejudice the case of one or other parent unfairly and possibly result in legal action against you as the doctor.  

Sadly many children nowadays are at the centre of legal custody and access disputes and many fathers believe that they are treated unfairly by current legislation. It seems likely that many would not hesitate to take legal action against a doctor who they believed had prejudiced their chance of access to their own child.  

If an older child is legally competent to provide consent or dissent to disclosure of their own medical data, then this must also be taken into consideration.  

In situations where it is unclear what action you should take, you are always advised to seek specific legal advice from your defence organisation before disclosure.  

CED

Return to Top

Q DPA66 - Insurance reports and family and genetic history - My patient's mother has a genetically carried medical problem. My patient has received genetic counselling in the past and has been tested for the condition and found not to be a carrier. There are several references to her mother in my patient's notes.   
I have now been asked to fill in a PMA report that states that positive genetic test results need not be disclosed but that negative genetic test results should be included. Can you advise me please?  
In the family history section, should I state that the mother has a genetically inherited medical condition, or should I say that there is a family history of the condition or should I leave it out altogether?
                                                                                     (20/11/03)  

Answer - It is important to look at this question in relation to your patient, her mother and indeed to any other family members whose medical history could be revealed in the process.  

Many companies ask applicants for details of family history that may have a genetic component, such as heart disease, diabetes and cancer, and ask doctors to provide information from the applicant's medical record that shows the patient is aware of such conditions.  

This presents difficult ethical, practical and legal problems for doctors, particularly since the information in a patient's medical records may have come from the patient, the family or the GP's own knowledge of the family. 

Data about a third party should only be processed in order to provide care and treatment to the patient and should not be used for other purposes. 

Widespread fears about the possible consequences of extended use of family and genetic history by insurance companies prompted the introduction of a 5-year moratorium on the use of genetic information by insurance companies in October 2001.  

The key features of the moratorium are that insurance companies;

  • must not put pressure on applicants to undergo genetic testing
  • must not ask for genetic testing of applicants for insurance policies up to £500,000 for life insurance, or £300,000 for other forms of insurance
  • over these limits may only take into account genetic test results that the government's Genetics and Insurance Committee (GAIC) has decided are reliable and relevant for insurance purposes. 

Insurers may take into account favourable genetic test results that are volunteered by applicants, but are not required to do so unless the test has been approved for that purpose by GAIC. 

GAIC monitors compliance with this moratorium and will take up individual complaints. 

The Human Genetics Commission (HGC) in its report in May 2002 did not recommend extending the current moratorium on genetic data to family history at this stage, but it did indicate its intention to consider the matter again in the future. 

The Association of British Insurers (ABI) has also indicated its intention of reviewing their use of genetic and family history. 

For the present, applicants may volunteer details of family history and genetic test results, but insurers are not required to take normal genetic testing into account, unless the test has been approved by the GAIC. 

The BMA advises that, in order to protect family members' confidentiality, doctors may choose not to complete the family history section.  

The BMA also advises that normal genetic test results, carried out because of the family history, may help clarify details about family history provided to the insurer by the patient and may be included in the PMA report if the patient so wishes. 

Further related information;
BMA ethical guidance onMedical information and insurance and
Issues in Storing Family History Information - a geneticist's perspective   and
The Royal Society - Genetic Testing - finding out what the future holds and 
Genetics and insurance - some social policy issues and 
Government response to the report from the House of Commons Science and Technology Committee: genetics and insurance and 
Human Genetics Commission - Genetic Testing and Insurance

CED

Return to Top

Q DPA65 - Patient confidentiality and police custody - One of our patients has been taken onto police custody on suspicion of committing a serious offence and the police are demanding the medical records. Should I give them the original records or a copy?
                                                                                     (20/11/03)  

Answer - Unless your patient has given informed consent to disclosure you have a legal and professional duty of confidentiality, unless the police have a court order compelling you to provide the information or disclosure could be justified as being overwhelmingly in the public interest. 

While your patient is in custody he is no longer a threat to the public and the police could easily acquire a court order if they believed it essential to have access to his medical records. 

Revealing his entire past medical history could well be prejudicial to your patient's rights and your professional duty is to act in your patient's best interests, unless there are over-riding concerns. 

In the event that you decide that the police may have access to the contents of his medical records, a copy may not be adequate for their purposes and could involve an unacceptable delay. It would probably therefore be reasonable on this occasion to let them have the original notes, provided they are returned to you as soon as possible and returned immediately if the patient is released as they may well be required for his continuing care.   

There is further information about disclosure of personal data in relation to crime in the Q&A on prescription fraud and disclosure of confidential information  

CED 

Return to Top

Q DPA64 - Confidentiality regarding a 16 year old girl - We have recently had a 16 year old girl and 40 year old man who are living together register with our practice. We are worried that she is a runaway and are sure not sure what if anything we must do about this. Can you advise us please?                                     (05/11/03) 

Answer - The first concern is whether the young woman is living with the man voluntarily and whether she is at risk of serious harm, in which case you may be permitted to breach confidence. Similarly, if there is an overwhelming public interest or legal justification you may be permitted to breach confidence. Otherwise your two new patients have a right to complete confidentiality.  

If you believe that the couple are 'runaways' then you must consider the safety of both patients who could be at risk from an angered and vengeful family.  

It should be possible to check in a sensitive manner with the young woman, on her own, that she is living with the man willingly and that there is no cause for concern. You must reassure her that you will treat all information in complete confidence.   

Assuming that the girl is living with the man willingly, her parents may in fact know and approve. In any case at the age of 16 a young woman may choose to leave home and live with an older partner and is not obliged to seek parental permission, or indeed to let her parents know that she is leaving with this intention. At 16 she may quite legally consent to sex with her partner and you have no right to breach her confidence in this respect.  

(The exception to this is that it is illegal for a person in a position of trust, such as a teacher, a doctor or a carer, to have sex with a young person under the age of 18 who is in their care .)  

If the girl has run away and her parents do not know where she is, you could inform her that the National Missing Persons Helpline on 0500 700 700 offers a totally confidential service that would let her parents know that she was safe without divulging her whereabouts.  

If she were to be at risk at any stage in the future she will be reassured to know that you have respected her confidence and are a trustworthy source of help and advice.  

If the girl was under 16 the situation would be different. The BMA offers detailed ethical guidance on Confidentiality and people under 16.   

Further Information:  
Consultation on young runaways  

CED

Return to Top

Q DPA63 - Information required by IVF clinic - I have been asked to provide detailed information about one of my patients who is currently seeking IVF treatment with his wife. I do not believe this is part of GMS and, since it is a legal and ethical minefield, I am planning to refuse to provide the information. Can I do this?
                                                                                     (03/11/03)

Answer - The simple answer is no.    

The Human Fertilisation and Embryology Act (1990) - section 13(5) - states that;
"a woman shall not be provided with treatment services unless account has been taken of the welfare of any child who may be born as a result of the treatment (including the need of that child for a father), and of any other child who may be affected by the birth".  

This information must therefore be provided as part of the referral process to any hospital, NHS or private, in order to comply with the Act. The Terms of Service oblige you to provide this information free. 

You are, however, quite right in believing that it is a legal and ethical minefield!    

You will undoubtedly have been asked to review the case notes with particular reference to subjects such as;

  • age, medical history and family history
  • commitment to having children
  • domestic circumstances
  • ability to support a child
  • history of criminal activity or child abuse
  • special risk factors such as drug or alcohol abuse
  • estimated risk of abuse of the child
  • who will be the legal parents of the child
  • any other major concerns
  • any other reason why, in your view, this couple should not receive IVF treatment     

These are all potentially sensitive areas and your disclosure could result in a refusal to treat the couple. You should therefore provide the information based upon your objective knowledge of the patient that is recorded in the notes. You should generally avoid hearsay evidence since the patient will almost certainly challenge this, particularly if it is likely to result in an adverse outcome.   

The request for detailed information will often be accompanied by a signed consent form such as "I consent to my General Practitioner providing information he/she considers important or relevant to the interests of any child born or affected by treatment of my infertility." This may or may not be legally valid.   

Before providing the data to the hospital you would be well advised to see the patient, show him what you intend to disclose and explain that you are obliged by law to reveal to the clinic any data that would be relevant to the future welfare of a child. You must then obtain the patient's valid legal consent to third party disclosure. 

Details in your patient's notes should not be revealed to his partner without explicit consent! Even though the couple are going together for IVF treatment, there may still be confidential information that you may not reveal without consent. If you believe you must reveal such details to the clinic in the interests of the unborn child, you must explain this to the patient. The patient must be told that his partner will almost certainly have to be told the confidential information before treatment would be permitted under the law.  

You may be torn between your obligations to your patient and to the unborn child. At least the patient has a chance to discuss the issue, but the child depends entirely upon your professional judgement. Litigation on the child's behalf remains a possibility, even many years after the event! If in doubt seek prior specific legal advice from your defence organisation.  

You are not obliged to fill in any specific form, but you are obliged to provide the information. If a particular form is required to facilitate the hospital or clinic's procedures we have been advised by the GPC that you may charge a private fee, but not otherwise.  

Update 7/12/05
A patient's GP will no longer automatically be contacted prior to treatment by IVF.  The Human Fertilisation and Embryology Authority has stated that fertility clinicians should use their own professional judgment to decide if the GP needs to be contacted about a patients' suitability for parenthood. 

Clinics are obliged to assess parents under the 1990 Human Fertilisation and Embryology Act, but revised guidance says that clinics should assume they will provide treatment, unless there is evidence that any child would be at risk of serious harm. 

GPs, social services or other relevant bodies will still be contacted if clinics have concerns. 

This new guidance will be implemented from January.  

See HFEA press release for further details

Related Question:
PRA11 - IVF Referrals    

Wessex LMC Letter to The Human Fertilisation and Embryology Authority

HFEA - Code of Practice 6th edition  

CED 

Return to Top

Q DPA62 - Care Standards Authority access to medical reports - I am the medical officer for students that are resident at a local college. A recent inspection by the Care Standards Authority was carried out in my absence and I have now learned that the inspection team insisted on reviewing the medical records of students. Does the Authority have the right to access medical records without the consent of the students?                                               (22/10/03) 

Answer - Every doctor has both a professional duty and a legal obligation under the common law, the DPA and the Human Rights Act to maintain the confidentiality of sensitive medical information about his or her patients. This may be breached with the explicit and legally valid consent of the patient. In the context of college students, a young person would probably be competent to give consent.

In other circumstances, the court, a coroner and some tribunals may require the disclosure of medical records, without consent if necessary.

However, it may be possible to breach confidentiality in other exceptional circumstances where it is totally impracticable to seek consent. This is always a matter for a sophisticated judgement on the part of the data controller, based upon whether the disclosure is necessary, appropriate and proportionate. For example it may be permissible under section 60 of the Health and Social Care Act, or if it is overwhelmingly in the public interest, if it is a matter of life and death or if it is necessary to prevent serious harm to the data subject or another person. 

In these circumstances the data disclosed must be limited to the minimum that will serve the specific purpose and should be disclosed only to a person who shares a similar duty with regard to confidentiality. If possible the data should be anonymised before disclosure if that would be sufficient to serve the purpose. 

You may be permitted to breach confidentiality in order to permit a statutory function to be carried out, but you are generally not required to do so and as a doctor you could well be required to defend any such disclosure in a court of law or before the GMC! 

Even a statutory requirement to disclose is not absolute and may be challenged by the data controller if, for example, he or she believes disclosure would be harmful.

It is always advisable to determine the exact legal basis for any allegedly required disclosure of identifiable sensitive personal data and to challenge the basis for any legal obligation to breach confidentiality if you are not entirely satisfied.  

Generally you should inform the patient as soon as possible if any breach of confidentiality has occurred.

You should check who authorised this disclosure in your absence and ensure that all members of staff are aware of their duty to guard confidentiality and to seek proper authorisation before any disclosure without legally valid consent. It would be sensible to take this opportunity to review the procedures and training that are in place to protect the confidentiality of all medical records at the college.  

Further information is available in Confidentiality - The Common Law Duty of Confidence which includes a link to the recently published Confidentiality: NHS code of practice.  

CED

Return to Top

Q DPA61 - Disclosure to guardian - I have had a request from the father of an adult patient for information relating to his son's visit to the surgery and his subsequent management. The patient is severely mentally disabled and the father claims he is the legal guardian. How do I stand about giving information to the father in this case?
                                                                                 (09/10/03) 

Answer - You must obviously be sure that the person requesting the information is indeed the legal guardian and then be guided by your legal and professional duty to act in the best interests of your patient. Your knowledge of the specific situation should then point the way to the correct course of action. 

Your question, however, raises some potentially very complex legal issues and you may well require specific legal advice from your medical defence organisation regarding not only the disclosure of confidential information to the father, but also the patient's consent to his management following the visit to your surgery.  

It is important to bear in mind that nobody can give consent on behalf of an incompetent adult, although you may still treat such a patient if the treatment would be in their 'best interests'. This may include the wishes and beliefs of the patient when competent, their current wishes, their general well-being and their spiritual and religious welfare.  

The relatives, carers and friends of a patient who has never been competent will generally be best placed to advise on the patient's needs and preferences. 

See LMC guidance on Consent to investigation or treatment which includes key references.  

The following extract is taken from GMC guidance on Seeking patients' consent: the ethical considerations  

Withholding information
10. You should not withhold information necessary for decision making unless you judge that disclosure of some relevant information would cause the patient serious harm. In this context serious harm does not mean the patient would become upset, or decide to refuse treatment.

Disclosure of information to the father may help him to assess whether he believes his son's current treatment is what his son would have wished and be in his best interests.

GMC guidance sets out that a doctor may compulsorily treat a mentally incapacitated patient only within the safeguards laid down by the Mental Health Act 1983 and the guidance in the Code of Practice of the Mental Health Commission. The courts' approval is required for any non-therapeutic or controversial treatments that are not directed at their mental disorder.

CED

Return to Top

 

 

 

Site designed & built by:
Mackell Productions Ltd.

Site last updated on : 14h July 2006

All data on this site is subject to our Disclaimer

Copyright  © 2000 - 2006  Wessex LMCs