The new Data Protection Act has brought together a variety of legislation and guidance on dealing with patient information. While many aspects of the act are reassuringly familiar, it has made a number of important, and sometimes subtle, changes.
Significantly, the previous data protection act only regulated the use of computer records, whereas the new act also applies to manual records. NHS organisations will need to extend their procedures to cover these.
In future, all patient requests for access to their health records must be made under the Data Protection Act, with the Access to Health Records Act now applying only to records of patients who are deceased.
As previously, any competent adult can apply for access to his or her records, though access can be refused if it is likely to cause serious harm to the patient's physical or mental health or that of any other person. Applications can also be made by a person with parental responsibility for a child or a person appointed by the court to manage the affairs of an incapable adult. In these cases, access can also be refused if the record's information was originally given in the expectation that it would not be disclosed to the applicant - for example, teenage pregnancy or child abuse cases.
However, there are some notable changes. From 24 October 2001, patients will be able to apply for records containing any information about them - whether or not they were created by a health professional. This may cover, for example, internal investigation reports and complaints correspondence, although legal privilege will still apply where appropriate. Hospital managers need to be aware that such documents, created now, will be accessible by patients from October next year, without them having to resort to litigation.
From the same date, health bodies will only be allowed to charge a£10 administration fee with no photocopying charges , though up until next October they may charge up to£50 for administration and copying, including x-rays.
It may now be more difficult to resist applications for access to children's records. Under the Access to Health Records Act, access could be refused if it was not in the child's best interests. But the test is now the same as for adults - that is, whether disclosure is likely to cause serious harm.
The act emphasises that non-health professionals must not give access to records, unless they have first consulted the appropriate health professional to find whether any grounds for refusing disclosure apply.
Under the new act, patients must be told how information about them may be used. This is similar to existing guidance, which requires that patients are informed in general terms about possible uses (for example, for teaching or research).
The new act will also affect decisions about when information can lawfully be disclosed to other agencies, such as the police and social services. A patient who suffers damage due to unauthorised disclosure may be entitled to compensation.
Information which concerns the physical or mental health of an identifiable patient can only be disclosed with the patient's explicit consent - preferably in writing. However, explicit consent will not be required in certain circumstances.
These include situations where disclosing the information is necessary to protect a person's vital interests (for example, where non-disclosure may result in serious harm), or for medical purposes, including a patient's care and treatment. In practice, this is likely to be substantially the same as the present basis for disclosure without consent - for 'NHS purposes' as set out in guidance.
Disclosure without consent will also be permitted in the 'substantial public interest', including the prevention or detection of any unlawful act.
This may, however, be narrowed by guidance, which generally permits disclosure without consent only where the crime is serious.
The act also requires that patients must be informed of the identity of the 'data controller', the body (or bodies) holding their records.
Compliance with the act is overseen by the data protection commissioner, who can serve an enforcement notice on a body believed to be contravening the act.
Where NHS bodies already comply with existing rules on patient confidentiality, the changes introduced by the act should not fundamentally affect the way patient records are dealt with.
Managers should now ensure that their procedures are updated to reflect the new provisions - particularly the extension to manual records - and that staff are appropriately trained.