[Previous] [Contents] [Next]



3.1 Patient identifying information is defined as a data set which may include some or all of the following: a picture of the patient, the patient's name, address, full post code or date of birth. As we explain in section 2 the use of patient identifying information by NHSScotland is subject to:


3.2 The Data Protection Act 1998 came into force in March 2000. Its purpose is to protect the right of the individual to privacy with respect to the processing of personal data. As far as NHSScotland is concerned, a key requirement is in Schedule 1 of the Act. This requires organisations to process fairly and lawfully any information which might enable a patient to be identified.

3.3 To be fair, organisations must comply with the Fair Processing Code. Amongst other things, this Code requires patients to be informed of the identity of the 'data controller'. The term 'Data Controller' is used in the 1998 Act to describe organisations that process personal data. In the case of NHSScotland, data controllers will be the organisation that collects information from patients. It might be a general practice, a NHS Trust, a NHS Board or a Special Health Board. Responsibility for complying with the 1998 Act rests with each organisation as a whole, with chief executives bearing the ultimate responsibility for the actions of their staff. Other requirements of the Fair Processing Code are dealt with in detail in section 6 of this report.

3.4 In order to be lawful, the Information Commissioner takes the view that data controllers must comply both with statute and with the common law. This has a bearing on the need for patients to give consent before patient identifying information is shared.

3.5 The requirement to process data fairly and lawfully is not the only requirement of the 1998 Act. For example, the Act requires organisations that wish to process patient identifying information to use the minimum amount of information necessary and to retain it only for as long as is needed for the purpose for which it was originally collected. This is referred to as the Third Data Processing Principle. Draft guidance on the retention periods for health records has now been published for consultation by SEHD and can be found on www.show.scot.nhs.uk

3.6 A guide to the Data Protection Act 1998 is available from the Office of the Information Commissioner at: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Tel: 01625 545700 or on the Web at www.dataprotection.gov.uk .


3.7 This Act implements the provisions of the European Convention of Human Rights (ECHR). Article 8 of the ECHR guarantees respect for a person's private and family life. Disclosure of personal medical information would be a breach of that right unless it was 'in accordance with the law' and necessary for the protection of health. This means that patient identifying information should not be disclosed unless there is a lawful basis to do so, such as the consent of the patient, compliance with a legal requirement or the need to protect life.

3.8 An example of the need to comply with a legal requirement is the Infectious Disease (Notification) Act 1889. This Act requires that in the interests of wider public health, both relatives and practitioners who become aware that someone is suffering from a notifiable disease (such as measles or chickenpox) must notify the local Director of Public Health of that fact.


3.9 The common law in Scotland is based on precedent. As a result its impact is not always clear and it may change over time. Whilst various interpretations of the common law may be possible, there is widespread acceptance that it reinforces the need to obtain consent from patients before sharing information about them.


3.10 All healthcare professionals must maintain standards of confidentiality laid down by their professional body, such as the General Medical Council. As a rule, such standards have been developed to clarify what the law means in a healthcare setting and to set out any additional principles or ethical standards for that profession. NHSScotland must ensure that its systems and procedures enable healthcare professionals to comply with the requirements of their professional body.


3.11 CSAGS understands that the Scottish Executive aims to ensure that patients are fully involved in decisions about the use of information about them and that information provided by patients is kept confidential. A wide range of organisational rules and standards already exist to support this policy. An important example is the Caldicott Framework that was set up in March 1999 to respond to the recommendations of the Caldicott Committee in its 'Report on the Review of Patient-Identifiable Information'. The Framework requires each NHSScotland organisation to appoint a senior clinician such as the medical director as 'Caldicott Guardian'. The Guardian's responsibility is to:

3.12 In addition to these functions, Caldicott Guardians are involved in making decisions about how their organisation uses patient identifying information. For instance, it will be the Caldicott Guardian who decides whether to provide patient identifying information to a health research project. The Caldicott process is now under review and CSAGS expects that over the summer the Health Department will work with NHSScotland on a new system for ensuring that local organisations meet the broader confidentiality standards expected of them. This will include a new framework for making decisions on using data where more than one NHS organisation is involved.

3.13 All NHSScotland employees and contractors are contractually obliged to respect a patient's right to confidentiality. It is policy that all members of staff are provided with a copy of the Code of Practice on Protecting Patient Confidentiality. Failure to comply with the Code of Practice is a disciplinary offence.

3.14 There is also a series of rules for specific situations such as the use of faxes for confidential information, the retention and storage of records and IT security. CSAGS understands that NHSScotland is reviewing these documents to confirm that they take into account data protection and human rights legislation.


3.15 Patient care often involves health and social care organisations. NHSScotland undertakes joint work with a variety of agencies, on a mix of health and social care problems which face many patients. The managed sharing of patient identifying information necessarily accompanies these day-to-day activities, and any effective strategy for preserving patient confidentiality must embrace this.


3.16 Local research ethics committees in each NHS area and a multi-centre national committee are responsible for ensuring that all research meets agreed ethical standards. Research ethics committees provide an additional check that research projects respect patient confidentiality and meet requirements on consent for uses of identifiable information.

3.17 At a national level, the use of data by The General Register Office for Scotland (GROS) and Information and Statistics Division (ISD) of the Common Services Agency (CSA) is scrutinised by the Privacy Advisory Committee. This is an independent body, set up to advise on the release of any health data which are potentially identifying. The Committee consists of a professor of public health, a clinician, and three lay members. New requests for ISD or GROS to release data are examined by the Committee, using the '3R' principles. These are:

3.18 Researchers who use patient identifying data are subject to the same requirements to protect privacy and confidentiality as a health care professional. These requirements are laid down by agencies that fund research such as the Medical Research Council or the Scottish Chief Scientist Office. Infringements are likely to lead to the loss of employment.


3.19 The Data Protection Act 1998 places a legal duty on data controllers to process data fairly and lawfully, to use no more data than is necessary for the task and to retain it for only as long as it is needed.

3.20 The Human Rights Act 1998 guarantees respect for a person's private and family life. Under the terms of the Act, this right to privacy may be overridden, but only when there is a lawful reason do so.

3.21 The common law further reinforces the need to obtain patient consent before sharing information.

3.22 Professional guidelines require clinicians to ensure that patients are informed about how information about them is used and that consent requirements are met.

3.23 A substantial organisational framework for protecting the use of patient identifying information already exists in Scotland.

[Previous] [Contents] [Next]