The Data Protection Act 1998 is a wide ranging piece of legislation setting out the obligations of all individuals and organisations that hold data about identifiable individuals. It provides data subjects with a degree of control over the information held about them. The act is not specifically about clinical records, but some specific provisions that relate to clinical records do exist within it and in subordinate legislation (Statutory Instruments).
The act extends to manual and computerised data files. Data controllers (in the medical context this can include individual doctors) are required to comply with the Data Protection principles and, with some exceptions, inform data subjects when their data are processed.
Putting the act into practice boils down to complying with its eight central principles, but you can be reasonably sure that you are complying with the requirements of the act as long as you:
- Are validly registered as a data controller by notifying the Information Commissioner's head office at: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF (telephone: 01625 545 745). There are also offices in Scotland, Wales, and Northern Ireland. Only doctors who personally hold patient records need to be registered)
- Ensure that the data you hold are accurate and up to date
- Hold no more information about patients than you need for their medical care and use it only for that purpose
- Store records securely and confine access to authorised personnel
- Comply with patients' legitimate requests for access.
The principal terms in the Data Protection Act are defined as follows:
Data that relate to a living individual who can be identified either from the data alone or from combining the data with other information held by or likely to be held by the data controller. It includes any recorded expression of opinion by or about the individual. Personal data may be held in electronic or manual form, or both.
Sensitive personal data
Data consisting of information about a person's racial or ethnic origin, political opinions, religious beliefs, membership of a trade union, physical or mental health or condition, sexual life, criminal record, or legal proceedings pending. Sensitive personal data may be held in electronic or manual form, or both.
The person who is the subject of the personal and sensitive data.
A person who (either alone or jointly with others) determines the purposes for which, and the manner in which, any personal data are processed or are to be processed.
Notification to the Information Commissioner sets out what data are held and the purposes for which they are held. Medical practitioners are not exempt from the notification requirements.