Handling Patient Data: Current Data Protection Issues - October 2012

The delivery of high quality healthcare relies, to a considerable extent, on the ability to share patient data with relevant clinicians, social care providers and regulators. Patient confidence in healthcare provision is, however, heavily dependent on the ability of providers to hold data securely and to share this information only in accordance with appropriate information governance arrangements and the law.

Enforcement action taken against healthcare providers by the Information Commissioner's Office in recent months, which has included the imposition of fines of up to £325,000, highlights the importance for NHS bodies of ensuring that arrangements for the handling of patient data are at all times well informed, robust and appropriate.

Patient data is "sensitive personal data" for the purposes of the 1998 Data Protection Act. As such, patient data is subject to a particular set of controls to guard against inappropriate disclosure and unfair use. Because of the inherent sensitivity of patient data, otherwise simple administrative errors can have serious consequences for affected patients and tend to attract critical scrutiny from both the ICO and the press.

In the healthcare context (and with certain limited exceptions), patient data should be used only:

- with specific consent; or
- to protect a person's vital interests in circumstances where it is not possible to obtain consent; or
- where necessary for the purpose of legal proceedings or for obtaining legal advice; or
- where necessary for the purpose of exercising statutory (or similar) functions; or
- for medical purposes by or on behalf of a medical practitioner (or someone owing an equivalent duty of confidentiality).

In addition, patient data is subject to the DPA's general obligations, which include the requirement to inform individuals about any proposed use of their data which would not otherwise be obvious to them and the requirement to have in place appropriate and proportionate data security safeguards.

Data sharing

Data sharing between organisations can play a crucial role in providing an enhanced and more efficient service to patients. However, a recent case involving the Bournemouth and Poole NHS Trust illustrates the pitfalls that can arise when patient data is shared without sufficient regard to data protection principles.

The Trust was the subject of a complaint to the ICO after it passed patient information to a company that it had commissioned to carry out NHS health checks without...
