Relevant legislation
Public Records Act 1958
All NHS records are public records as defined by the Public Records Act 1958, and as such should not normally be retained for more than 30 years unless they are of archival value. Chief executives and senior managers have a duty to make arrangements for their safe-keeping.
Data Protection Act 1998
The Data Protection Act places a number of responsibilities on individuals and organisations who hold data on identifiable living individuals, and corresponding rights to data subjects, who are, in the clinical context, patients. The Act and its supporting statutory instruments form a complex legal framework designed to protect people’s privacy by preventing unauthorised or inappropriate use of their personal details.
Putting the Act into practice boils down to complying with the eight data protection principles, which are relatively straightforward (see Box 3, below).
It is up to everybody working in an organisation that holds records containing personal information to comply with the spirit of the Act – ie, respect the subject’s privacy, keep the use of information to the minimum necessary and allow appropriate access.
In smaller organisations, such as GP practices, one member of staff will need to take on the further responsibility of ensuring that the practice as a whole is complying with the Act. They can be reasonably sure that they are complying with the requirements of the Act as long as they:
- have registered as a data controller
- hold no more information about patients than is needed for their medical care, and its use is only for that purpose
- store records securely and confine access to authorised personnel
- comply with patients’ legitimate requirements for access.
Medical records (both computerised and manual) must be kept in a secure environment.
Suitable safeguards for electronic storage include passwords, careful positioning of monitors so that information cannot be read by unauthorised personnel, ensuring that sensitive personal data are not transmitted via the internet without use of encryption software and ensuring that all personnel are aware of their duty not to allow unauthorised disclosure of personal or sensitive data.
To notify the authorities that you hold personal information electronically (the equivalent of registration under the old Act), telephone 01625 545 740 and ask for a notification form, which must be completed, checked and returned to the Information Commissioner.
Box 3: Data Protection Act principles regarding personal data
- It should be processed fairly and lawfully.
- It should be obtained for one or more specified and lawful purposes.
- It should be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
- It should be accurate and, where necessary, kept up to date.
- It should not be kept for longer than is necessary for the purpose or purposes for which it was processed.
- It should be processed in accordance with the rights of data subjects under the Act.
- Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data.
- It should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.*
* This does not apply if the patient has consented to information being sent overseas …or if the information is to protect the patient’s vital interests – ie, if it is a matter of life and death.
Case 4
A 56-year-old man saw a printout of his clinical records in connection with a claim following a road traffic accident. He was surprised to see in his records a reference to the local GUM clinic and asked that this be removed. Further investigation confirmed that he had never been to a GUM clinic so the record was clearly incorrect.
The computerised record was amended with a note stating that the relevant data was deleted by his GP on the basis of it being inaccurate; the archived paper records were retrieved and the reference to the GUM clinic blocked out in black ink with a signed and dated note explaining that an incorrect entry had been deleted.
Access to Medical Reports Act 1988
This Act provided patients with rights of access to reports for insurers and employers, written by doctors who were, or had been, responsible for the patient’s care. The Act requires the organisation commissioning the report to obtain the patient’s consent and to inform them of their rights under the Act.
These are:
- To see the report before it is despatched.
- To ask for corrections to be made if there are factual inaccuracies.
- To append comments of their own if the report was not amended to their satisfaction.
- To withdraw consent to the report being submitted to the insurer or employer.
Doctors are required to keep the reports for six months and patients can also seek access to the report after its submission.
Access to Health Records Act 1990
This Act has, to a great extent, been superseded by the Data Protection Act 1998.
When first enacted, it allowed patients access to their non-computerised medical records and to ask for inaccurate or misleading information to be corrected, but it is now confined to governing rights of access to the records of patients who have died (the DPA only provides access to information about identifiable, living individuals).
Essentially, anyone with a claim arising out of the patient’s death can apply for access to the records, but this may be declined if, during life, the patient forbade such disclosure or if the patient’s doctor believes that the patient would not have consented to disclosure.
Disputed claims to access must be resolved through the courts.
Case 5
Following a road traffic accident, a patient claimed compensation for a whiplash injury. Her insurers requested a report from her GP, but the patient exercised her right under the Access to Medical Reports Act 1988 to view the report before it was despatched. Unhappy with its contents, she asked the GP to change it. He declined, saying that it was factually accurate and the details given were relevant, so it was inappropriate for him to make the requested alterations. He explained that her options were (a) to refuse to allow the report to be sent to the insurance company, (b) to allow the report to be sent but to add a statement of her own to it, or (c) to allow the report to be sent as it was.