I wish to clarify certain matters mentioned in your report of my recent speech to the Healthcare Computing conference in Harrogate (news focus, page 6, 8 April).
The Data Protection Act 1998, hopefully to be implemented later this year, does not place any additional duty of confidentiality on those processing personal health information.
The act does require that personal data be processed lawfully, and in determining lawfulness I will consider common law as well as statutory obligations. The common law duty of medical confidentiality has been established over a long period, and the healthcare community should already be aware that they have certain legal and professional obligations in respect of confidential information about patients, particularly concerning the disclosure of that information.
Concerning the Department of Health's national patient survey, it was not the case that the DoH had planned to disclose information about individuals. As I understand it, it was health authorities which were asked to make the disclosure.
My view of conducting such surveys is that the organisation that holds the information should contact patients initially to seek their participation in the survey and to request any necessary consent. This seems to be a practical way of putting researchers and others in touch with patients without information about those patients being non-consensually disclosed.
The NHS is a complex series of entities, and I intend to use the provision of the Data Protection Act 1998 to ensure that patients using the NHS are given proper information about how information about them will be processed and to ensure that patients' confidences are respected by those responsible for caring for them.
Data Protection Registrar