The General Data Protection Regulation protects the use of information that identifies individuals. There are 8 principles, which the practice adheres to:
- Personal data shall be processed fairly and lawfully
- Personal data shall be obtained for one or more specified and lawful purposes
- Personal data should be adequate, relevant and not excessive
- Personal data shall be accurate and where necessary kept up to date
- Personal data processed for any purpose shall not be kept for longer than is necessary
- Personal data shall be processed in accordance with the rights of data subjects
- Appropriate measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction of, or damage to personal data
- Personal data shall not be transferred outside the European Economic Area unless there is an adequate level of data protection
The Act dictates that information should be disclosed only on a need-to-know basis. Printouts and paper records must be treated carefully and disposed of in a secure manner.
Rights of Individuals
People have the following rights:
- To see information recorded about them and to make amendments should they not agree with the content. Any amendments should be made with the agreement of the clinician who completed the record.
- The Access to Health Records Act 1980 will remain to provide access rights to relatives, or those who may have a claim to deceased patients' records
- The right to prevent processing for the purposes of direct marketing
Consent is a patient’s agreement for a process to be undertaken, whether this be the sharing of information or the provision of care. For the consent to be valid, the patient must:
- Be competent to take that particular decision
- Have received sufficient information to take it
- Not be acting under duress
Consent can be written, verbal or implied.
Children over the age of 16 are classed as adults and as such can be presumed to have the capacity to decide. Where a competent child refuses treatment, a person with parental responsibility or a court may authorise investigation or treatment, which is in the child’s best interest. Legal advice should be sought in such cases.
The principles of Caldicott are:
- Formal justification of purpose
- Information only processed when necessary
- Only the minimum information necessary
- Need to know access controls
- All staff must understand their responsibilities
- Comply with and understand the law
Disclosure of Information
This should only be made with the understanding and agreement of the patient.
The practice can disclose information to other agencies:
- Social Services
- Benefits Agency
- Pension Agency
The Police can also be given the information when required.
Disclosure Of Information To Patients And Their Relatives
Every effort should be made to disclose information to patients in a private area.
If the patient is in agreement, health issues can be discussed with relatives.
Relatives do not have an automatic right to information. In the event of an emergency or accident the relatives have the right to receive information to prevent unnecessary distress. Decisions of this nature should be made by the authorised health professional.
Outside Agencies Working Within The Practice
PCT Staff – these colleagues will already have signed a confidentiality agreement and as such can have access to patients’ records, but only on a need-to-know basis.
Should you have any issues, concerns or worries regarding your personal data, please feel free to speak to the Practice Manager, who will be happy to go through this with you.
Freedom of Information
The ICO has published a new Model Publication Scheme that all public authorities are required to adopt.
Model Publication Scheme - further information