The NHS will soon have to ask patients before sharing their medical records, this year's Healthcare Computing conference heard. Peter Mitchell reports

The days of sharing patients' medical records around the NHS's 'extended family' are over, this year's Healthcare Computing conference in Harrogate heard.

By this summer, health authorities and trusts would have to seek patients' explicit consent before using their records for any purpose other than medical treatment, warned data protection registrar Elizabeth France.

'The NHS has always worked on a flimsy basis that patients have granted implied consent,' Mrs France told the conference. 'That will not stand up any more and it has to be sharpened up.'

In future, before passing on any piece of information, NHS bodies would have to look at how they obtained it, she said. 'You must think these things through before riding roughshod over people's privacy.'

The NHS had to look carefully at the meaning of the word 'consent', she added. 'I take it to mean the patient must have the right to say no, that we must explain to patients who controls their data and exactly what we intend to do with it.

'Informed consent is the safest way forward - consent, choice, and confidentiality.'

Failure to get it would risk breaching the duty of confidence imposed by the new Data Protection Act, Ms France warned.

'We have to be bold and clear, and not shy away from telling individuals exactly what we do with their records.'

In addition, NHS staff with access to sensitive data would soon face investigations into their trustworthiness. 'You must look closely at the reliability of your staff in the light of their duties of confidentiality,' she said.

'I can and will enforce these measures once we have all got used to them.'

The new act - prompted by a 1995 European directive - has not yet become law because of its immense complexity. Twenty-two additional pieces of secondary legislation need to be drafted before it can take effect.

But two weeks ago home secretary Jack Straw announced that he hoped to bring the new regime into force 'by the end of June or as soon thereafter as we can'.

The act will not be rigorously enforced until a statutory settling-in period ends in October 2001.

But by then, the NHS must have systems in place to comply both with new security precautions and requests from patients for information.

'My office will be taking very seriously our duty to make people more assertive about what they are now allowed to see.'

NHS managers in the audience expressed worries that the advent of multi- agency electronic health records was bound to push them into more and more sharing of patient information.

In such a fast-changing climate it would be no easy matter to predict exactly what the act would require their systems to do. But Ms France offered a partial solution in the form of an agreed code of practice for interpreting the act's effect on medical data.

'Organisations in the health sector can draft such a code themselves. I would then check that data subjects themselves (patients) are happy with it.'

Such a code would not be directly enforceable, but the data protection registrar would use it as a guide on when to take legal action. NHS bodies could avoid prosecution by showing they had followed the code.

Ms France dismissed complaints that the new rules would cripple medical research. 'Constraints on research in Europe have been much stricter than ours for some time, but standards of care have not suffered.'

She revealed that her office is investigating a case in which a medical research group had obtained personal data about her own father. The group had written to him indicating that they knew his age - data which they had obtained improperly, he believes, from his HA.

Recently, the registrar stopped the Department of Health from committing a massive breach of patient confidentiality in the course of its national patient satisfaction survey.

The DoH had planned to disclose the addresses of thousands of NHS patients to the independent research firm which conducted the survey. Instead, at the registrar's insistence, the forms had to be sent out by HAs.

In another case, she advised HAs not to comply with a demand from the Ministry of Defence to disclose the names and addresses of all ex-servicemen on their GPs' lists as part of the Gulf War syndrome investigation.

The NHS Executive finally announced that it has awarded the£12m contract for the National Strategic Tracing Service to SEMA Group. NSTS will allow staff to find the unique NHS number, using the name of each patient, and vice versa.

The aim is to be able to collect records of every episode of care relating to an individual, and to automatically retrieve their demographic details. The service should start operation before the end of this year.

SEMA will be paid a fee every time a health authority or trust makes a tracing request on the service. But the Executive will pay the fees from a central fund: trusts will only have to notify the Executive of how many traces they make.