
Legal aspects of protecting patient data

16 December 2009

Head of Medical Services (Edinburgh)
Medical Protection Society

Having been a partner in a GP practice in Scotland for more than 10 years, Rob is now Head of Medical Services (Edinburgh) at the MPS. He has particular interests in dispute management and clinician risk management in primary care.

As the General Medical Council (GMC) makes clear, confidentiality is central to the trust between doctors and patients, but appropriate information-sharing plays an essential role in the efficient provision of care, both for the individual patient and for the wider community of patients.

Knowing how best to protect and share confidential data is a complex area, which creates a number of dilemmas for practice managers.

Legal background
Before the 1980s, there was little in the way of statutory regulation regarding the public’s right to have their information protected and accessed. Information documented in records was often seen as the property of the record holder, and doctors would often only disclose information to patients if they thought it was good for them. Things have changed considerably since then, as a result of the following legislation:

Data Protection Act 1984
This Act, for the first time, set out an individual’s rights in relation to computerised data: to access personal data, to ask for explanations of unintelligible terms, and to seek rectification or erasure of erroneous information.

Access to Medical Reports Act 1988
This Act gave individuals the right to review reports prepared by medical practitioners at the request of a third party for employment and insurance purposes. It also obliges doctors to retain copies of the reports for at least six months.

Access to Health Records Act 1990
For the first time, patients were given the legal right of access, albeit with some caveats, to information that was held about them relating to their physical or mental health. Again, there was provision for the correction of inaccuracies. Access could be excluded if the medical practitioner believed it would seriously injure the individual’s health, or that of a third party.

Data Protection Act 1998
This Act, which came into force on 1 March 2000, represented a significant move forward in the way information about individuals was processed and how such information would be disclosed. The Act gave living persons the right of access to their health records in both computerised and manual forms. The previous date restrictions that applied under the Access to Health Records Act 1990 were swept away.

The Act does not apply to data that have been anonymised or to data relating to deceased patients. As will be discussed later, the right of access to records of deceased patients is still gained through provisions of the Access to Health Records Act 1990. The right of access to medical reports remains through the Access to Medical Reports Act 1988.

Data protection principles
The Data Protection Act 1998 has a number of overarching principles that are worth considering. These apply to data relating to a living individual who can be identified either directly or indirectly from the data held within a relevant filing system.
There has been some debate about what a relevant filing system is, but in essence this is a system that allows ready access to the information and is likely to cover the sorts of files held in medical practices about patients. In summary, the principles are that data held must be:

  • Fairly and lawfully processed.
  • Processed for limited purposes.
  • Adequate, relevant and not excessive.
  • Accurate and up-to-date.
  • Not kept for longer than necessary.
  • Processed in line with individuals’ rights.
  • Held securely.
  • Not transferred to countries outside the EU without adequate protection.

What does the Act say about patients having access to their records?
Access must be given promptly, and in any case within 40 days of receipt of the request and payment of the fee.

Circumstances when data ought not to be disclosed
Information relating to identifiable third parties cannot be disclosed, unless those individuals have given their express consent. Access should not be given if it is likely to cause serious harm to the data subject or another person.

Just because it is legal does not mean to say it is ethical
Practices will be very aware that not only are they subject to the Data Protection Act, but they must also be mindful of the GMC’s guidelines on confidentiality, which set out the standard expected of doctors who work in practices. This has recently been revised.(1)

The GMC says that when disclosing information about a patient you must:

  • Use anonymised or coded information, if practicable, and if it will serve the purpose. Be satisfied that the patient:
    • Has ready access to information explaining that their personal information might be disclosed for the sake of their own care, or for local clinical audit, and that they can object to this disclosure.
    • Has not objected.
  • Get the patient’s express consent if identifiable information is to be disclosed for purposes other than their care or local clinical audit, unless the disclosure is required by law, or can be justified in the public interest.
  • Keep disclosure to the minimum necessary.
  • Keep up-to-date and observe all relevant legal requirements, including the common law and data-protection legislation.

Many practices find it helpful to set out their policy on sharing information within the healthcare team and with others providing care, detailing patients’ right to object, in a practice leaflet and on their website.

Some tricky situations
The following case studies illustrate some of the common areas of difficulty that practices encounter in relation to confidentiality.

Scenario One
Two policemen come into the practice and ask to speak to the practice manager. They request to see the practice’s appointment book, as a patient’s car was damaged in the surgery car park by someone reversing into it. The policemen are keen to track down who may have been parking in the surgery car park that day. Is it appropriate to release this information in the public interest?

Practitioners have an obligation to balance their duty of confidentiality to patients with the public interest in disclosing information, which may protect individuals or society from the risk of serious harm. The GMC gives detailed advice on the issue of disclosure in the public interest. In essence, before disclosing personal information, doctors must weigh the harm that may arise from non-disclosure against the harm caused by breaching confidence.

Ultimately, each decision must be made on its own merits, but it is likely that the balance would only tip in the direction of disclosing the sort of information police may be seeking in relation to much more serious crimes, such as murder or child abuse. Where a decision is made to disclose information in the public interest without seeking a patient’s consent, clear records must be made of the reasons for disclosing the information, including what steps have been taken, either to inform the patient about the disclosure or the reasons for not doing so.
In this situation it would not generally be considered justified to breach the confidence of a number of patients.

Scenario Two
At a practice meeting, one of the GPs comments that he has concerns about one of his patients who is not following his advice, and he wonders what to do. The patient is an HGV driver who had recently attended the practice with a history of loss of consciousness, possible convulsions associated with tongue-biting, and incontinence of urine. The GP had referred the patient for investigations and advised him not to drive. He was concerned as he had spotted the patient driving a lorry that morning. What would your advice to the practice be?

The GMC website contains guidance on reporting concerns about patients to the Driver and Vehicle Licensing Agency (DVLA). Ultimately, it is for the DVLA, or in Northern Ireland the Driver and Vehicle Agency (DVA), to decide whether a person is medically fit to drive.

In this case, the GP believes that the patient may not be fit to drive. The GP has arranged for appropriate treatment and investigation, and has given the patient clear advice not to drive. If a patient continues to drive when they may not be fit to do so, the GMC advises that the doctor should make every reasonable effort to persuade them to stop.

The GMC also states that as long as the patient agrees, you may discuss your concerns with their relatives, family or carers. If, however, the doctor is unable to persuade the patient to stop driving or, as in this case, has discovered that they are continuing to drive against clear advice, then the doctor ought to contact the DVLA or DVA immediately, disclosing any relevant medical information in confidence to the medical adviser.

Before doing so, the doctor ought to try to inform the patient of the decision to disclose personal information and should also inform the patient in writing, once they have done so. This would be an example of where the public interest outweighs the duty of confidentiality to the patient.

Scenario Three
One of the practice’s patients tells you he is the father of a three-year-old girl, who is also a patient at the practice. He says that he and the child’s mother, who were never married, have now separated. He says he has assumed parental responsibility and is anxious at the way his ex-partner is caring for his daughter. He asks to see her medical records. Can he?

Clearly, a three-year-old will not be in a position to give meaningful consent to disclosure. In such a situation, the following people have the right to request access to a child’s records:

  • All mothers.
  • All fathers who are, or who have been, married to the mothers of their children.
  • All fathers who have signed and registered a parental responsibilities and parental rights agreement.
  • All guardians.
  • Anyone who has been given parental responsibilities by a court.
  • For children whose births were registered from 15 April 2002 in Northern Ireland, from 1 December 2003 in England and Wales, and from 4 May 2006 in Scotland, parental responsibility rests with both parents, provided they are named on the birth certificate, regardless of whether they are married or not.

Unmarried fathers can acquire parental rights by applying to the appropriate court or register. Mechanisms are slightly different in England, Scotland, Wales and Northern Ireland. In this case, you should ask to see proof that he has in fact been awarded parental responsibility. The consent of the child’s mother is then not necessary. You must satisfy yourself that the release of the information would not be harmful to the child.

Maintaining trust with patients requires practices to manage the information they hold about them in a safe and lawful way. Practice managers need to be aware of the legal framework and the guidelines that exist. When unusual or complicated issues arise, it is often wise for managers to discuss these issues with their medical defence organisation.

1. General Medical Council. Confidentiality. [This guidance came into effect on 12 October 2009.] Available from: