What the law in the UK and Europe says
The first UK Data Protection Act was established in 1984 to deal with protection of data held on computers. This was replaced by the much more comprehensive 1998 Act which actually came into force in 2000. This Act harmonised UK practice with the rest of Europe.
The major differences for those working with health data are:
- The Act now covers certain types of manual records (including all health records) as well as electronic records. There were transitional arrangements concerning manual records which expired in 2007.
- The definition of ‘processing’ is wider than that in the 1984 Act, and includes the concepts of obtaining, storing and disclosing data. Most actions involving data, including storage, will be included within this definition;
- Although both the 1984 and 1998 Act include eight Data Protection Principles, the nature of the principles differs between the two Acts;
- The Access to Health Records Act 1990 permitted access to manual health records made after the Act came into force (1 November 1991). The Data Protection Act 1998 permits access to all manual health records whenever made, subject to specified exceptions;
- changes to the requirements for notification of processing to the Data Protection Commissioner (formerly the Data Protection Registrar).
Source: Guidance on the 1998 Act from the UK Department of Health
The law now states that anyone processing personal data including personal health data must comply with the eight enforceable data protection principles. They say that data must be:
- Fairly and lawfully processed;
- Processed for limited purposes;
- Adequate, relevant and not excessive;
- Not kept longer than necessary;
- Processed in accordance with the data subject’s rights;
- Not transferred to countries without adequate protection.
Source, the UK Information Commissioner
Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply. With processing, the definition is far wider than before.
All processing of data to which the Act applies must comply with the eight principles. The first principle is particularly important as it emphasises that processing must be fair and lawful in the context of the common law and other UK legislation. Generally for those dealing with personal health information, it will be complied with if all the following conditions are met:
- The common law of confidentiality and any other applicable statutory restrictions on the use of information are complied with;
- The data subject was not misled or deceived into giving the data;
- The data subject is given basic information about who will process the data and or what purpose;
All health care professionals must operate within the legal data protection framework of their jurisdiction, and their professional codes of conduct in respect of record keeping and privacy. Perceived benefits for patients is never a legal defence following a breach.
Data Protection Act (1998) Chapter 29, The Stationery Office, London
Gillies AC (2006) The Clinicians Guide for Surviving IT, Radcliffe Publishing, Abingdon