The Information Commissioner’s response to the General Medical Council’s consultation “Confidentiality: draft guidance”

The Information Commissioner has responsibility for promoting and enforcing the Data Protection Act 1998 (“DPA”), the Freedom of Information Act 2000 (“FOIA”), the Environmental Information Regulations (“EIR”) and the Privacy and Electronic Communications Regulations 2003 (“PECR”). He also deals with complaints under the Reuse of Public Sector Information Regulations 2015 (“RPSI”) and the INSPIRE Regulations 2009. He is independent from government and upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Commissioner does this by providing guidance to individuals and organisations, solving problems where he can, and taking appropriate action where the law is broken.

The Information Commissioner’s Office (ICO) welcomes the opportunity to comment on this consultation, and would be pleased to be contacted by the GMC should any further clarification be required. Only those questions relevant to the ICO’s remit have been answered.

3. Do you have any other comments on paragraphs 1-35?

Paragraph 17 states that "When you are satisfied that information should be disclosed, you should act promptly to disclose all relevant information." When information is shared it is also important to consider how that information can be shared in an appropriately secure way. This would assist doctors in complying with the seventh principle of the DPA, which requires that when processing personal data, appropriate technical and organisational measures to protect that data are in place. An acknowledgement of this might assist here.

Paragraph 19 sets out some examples of situations where it is not practicable to seek explicit consent for the disclosure of identifiable information for purposes other than direct care or local clinical audit.
From a DPA perspective, if explicit consent is not being obtained for disclosing, allowing access to, or indeed any other processing of sensitive personal data, then an alternative schedule 2 and schedule 3 condition must apply if the processing is to be in compliance with the first principle of the DPA. This may be simple to achieve for some of the examples, but more difficult for others, depending on the purpose for which the data is being processed.

10.02.2016 v1.0

The first reference to disclosures made under section 251 of the National Health Service Act 2006 is made in paragraph 27, and then in paragraphs 96 and 97. It is not until paragraph 97 that the guidance clarifies that this section only applies in England and Wales. To avoid reliance on legislation that does not apply geographically, it would seem more appropriate for this to be set out clearly at the first reference.

Paragraphs 28 to 34 set out how disclosures in the public interest can be appropriate, together with guidance on what doctors should consider in such situations. Again from a DPA perspective, as with any disclosure of sensitive personal data, disclosures in the public interest need an applicable schedule 2 and 3 condition for the purposes of the first principle of the DPA. As mentioned previously, how simple this will be to achieve will depend on the purpose of the disclosure.

Paragraph 29 highlights one area where difficulties in the interplay between the DPA and the common law of confidence can arise. It states that "Personal information may be disclosed in the public interest, without a patient's consent, and in exceptional cases where a patient has refused consent...". From a DPA point of view, if consent is sought and subsequently refused, then to disclose personal data would be unfair.
If it is anticipated that the disclosure has a legal basis to take place anyway, regardless of consent, then for the purposes of the DPA another schedule condition should be applied and consent not sought; patients should simply be clearly informed that the disclosure will take place, to whom and for what purpose. The same applies to paragraph 31.

4. Do you agree that a doctor should be able to rely on a patient’s implied consent to share information about their direct care when all of these conditions are met?

Although the DPA does not contain any references to the notion of implied consent, a doctor considering the sharing of information for the purposes of direct medical care should be able to point to an applicable schedule 2 and 3 condition other than consent. This would mean that obtaining consent for the purposes of the DPA would be unlikely to be necessary. Whether or not consent under the DPA is obtained, the first DPA principle requires that information is processed fairly, so doctors would also have to ensure that patients would reasonably expect their information to be shared in this way.

The same applies in other situations where doctors wish to rely on implied consent for the purposes of the common law of confidentiality; they should also ensure they have a DPA schedule 2 and 3 condition, and should ensure that the disclosure is one the patient would reasonably expect.

8. Do you think that there may be circumstances in which there is a public interest justification for disclosing information about an adult who has capacity without their consent, even when nobody else is at risk of serious harm?

As per the comments made above about paragraphs 28 to 34, another schedule 2 and 3 condition should be applicable for such disclosures to comply with the DPA, unless a relevant DPA exemption applies.
For example, The Data Protection (Processing of Sensitive Personal Data) Order 2000 [1] provides a schedule 3 condition for processing that is in the substantial public interest, is necessary for the purposes of the prevention or detection of any unlawful act, and must necessarily be carried out without explicit consent. Consideration should also be given to whether the disclosure would be fair. Whether both of the above are the case would depend on the particular circumstances.

11. Is the guidance on using anonymised and de-identified information helpful?

It is good to see that the guidance makes the important point in paragraph 82 that anonymised or de-identified information will often be sufficient for many purposes and must be used in preference to identifiable patient information. It is also good to see the reference and link to the ICO’s Anonymisation: managing data protection risk code of practice [2]. From a DPA perspective, if there is a reasonable likelihood of identification of living individuals then the data in question is personal data and the DPA will therefore be engaged.

15. Do you have any other comments on the ‘indirect care uses and disclosure’ section of the guidance (paragraphs 81–109)?

The difficulty with sharing information for indirect care uses is that whereas for direct care a DPA schedule 3 condition can almost always be identified (schedule 3(8) provides for processing that is necessary for medical purposes), this is not always the case for indirect care. Some of the examples given in paragraph 81 (research, for example) are likely to be covered by schedule 3(8), but others may not be, so an alternative condition for processing would have to be found.

[1] http://www.legislation.gov.uk/uksi/2000/417/pdfs/uksi_20000417_en.pdf
[2] https://ico.org.uk/for-organisations/guide-to-data-protection/anonymisation/
18. Do you have any other comments on the ‘non-care uses and disclosures’ section of the guidance (paragraphs 110–132)?

Paragraph 112 deals with requests for information from third parties such as insurers. We are pleased to see that reference is made to the requirement to “obtain or have seen written consent from the patient or a person properly authorised to act on the patient’s behalf” and the general rule of thumb that doctors “should not usually disclose the whole record.” However, based on recent ICO concerns about insurers obtaining medical records via subject access rights, and the related risks of their obtaining excessive and irrelevant information in a way that was not intended by those rights, it may be helpful to make this paragraph stronger and more explicit.

Paragraphs 113 and 124 refer to the possibility of disclosures after consent has been sought and subsequently refused. For the ICO view on this please see the comments about paragraph 29, in response to question 3 above.

19. Do you agree with the inclusion of these duties on information governance and compliance with data protection legislation?

When we previously commented on this guidance, we made the point that it is important to consider the context in which the guidance will apply. The legal regime which applies to confidential information operates in parallel with the DPA, and we are keen to ensure that the guidance acknowledges that doctors must take the requirements of the DPA into account as well as those of confidentiality, where the information processed is personal data or sensitive personal data. We considered that if the guidance did not include some acknowledgement of DPA responsibilities there was a risk that some doctors might see the guidance as the complete approach to managing personal health information and could disregard the requirements of the DPA.
Of course we do recognise that the guidance is not intended to cover the requirements of the DPA in detail, as its focus is confidentiality, but we did suggest that it is important that the guidance makes a clear and explicit reference to the fact that organisations will also have to take into account the requirements of the DPA where the information processed is personal data or sensitive personal data. We are pleased to see that this approach has, in the main, been adopted.

20. Do you agree with the guidance on improper access and disclosure?

The guidance in this section reflects the importance of ensuring that appropriate measures, both technical and organisational, are put in place to protect personal data from inappropriate disclosure and other security risks that may exist in the day-to-day management of that data. We agree that it is important to remind doctors of this point.

21. Do you agree with the inclusion of these duties for doctors who have responsibilities for managing or recruiting staff?

Data controllers have a responsibility to ensure that appropriate organisational measures are in place to protect the personal data they process. If doctors have responsibility within the data controller organisation for employment contracts or staff training, it makes sense that they ensure that the contracts include appropriate obligations for all staff to process personal data in line with the DPA and other legislation, and that they ensure staff are properly trained to do so. Specifying management responsibilities in this way could assist as one such appropriate measure.

22. Do you agree with the guidance on disclosing information after a patient has died?

For the avoidance of doubt it might assist to clarify at some point in this section that DPA obligations only apply to living individuals.

23. Do you have any other comments on the ‘managing and protecting personal information’ section of the guidance (paragraphs 133–156)?
Paragraph 138 states that “Whether or not you are a data controller, you must process patient information fairly.” This is of course true: whilst the data controller is ultimately responsible for DPA compliance, those doctors working within data controller organisations must process any personal data they deal with fairly. However, it would be more accurate to say that they must process personal data in compliance with the DPA as a whole, and in particular with all the DPA principles, not just the first one.

In paragraph 149, for the sake of accuracy, the reference to the "Office of the Information Commissioner" should be to the "Information Commissioner's Office".

26. Do you think there are any inaccuracies or important omissions from the legal annex?

On page 32 the DPA section begins by stating that “The Data Protection Act 1998 regulates the processing of personal data about living individuals in the UK.” The phrasing of the sentence could imply that the DPA applies only to personal data about living individuals in the UK, whereas it actually applies to the processing of personal data by data controllers established in the UK about living individuals, wherever those individuals are.

We are pleased to see references to fair processing both on page 33 and throughout the guidance. As the regulator for the DPA, the ICO is often asked what this practically means, and how proactive data controllers should be in providing fair processing information. It might therefore be helpful to link to our Privacy notices code of practice [3], which sets out how organisations can use a layered approach, which in this context might include giving simple, clear and accessible information directly to new patients, appropriate reminders such as posters and leaflets, together with individual (verbal or otherwise) communications where any disclosures may be particularly unexpected or intrusive.
Please also note, however, that we are currently consulting on a revised draft of the Privacy notices code [4].

On page 34 reference is made to the Freedom of Information Act 2000. It would be helpful for doctors in Scotland if reference to the Freedom of Information (Scotland) Act 2002 were also made, together with clarification that this legislation is regulated by the Scottish Information Commissioner [5].

Although not strictly within the ICO’s remit, we understand that The Children & Young People (Scotland) Act 2014 places a duty on doctors in Scotland to assist the Named Person when asked, which may include disclosure of patient information. It may be worth considering whether this legislation should also be included in the section on “Statutes that require, permit or prevent disclosure of patient information.” Similarly, we understand that the Public Health Acts across the UK may also be relevant. Finally, and for future reference, we understand that some draft legislation currently being considered by the Northern Ireland Assembly may also be relevant, including the Health and Social Care (Control of data processing) Bill and the NI Mental Health Bill.

[3] https://ico.org.uk/media/for-organisations/documents/1610/privacy_notices_cop.pdf
[4] https://ico.org.uk/about-the-ico/consultations/privacy-notices-transparency-and-control-a-code-of-practice-on-communicating-privacy-information-to-individuals/
[5] http://www.itspublicknowledge.info/home/ScottishInformationCommissioner.aspx

Endnotes

27. Do you have any comments on the endnotes?

The ICO’s technical guidance note referred to in endnote 21 is no longer available. The point is now covered on page 3 of the ICO guidance “Advice for elected and prospective councillors” [6]. Technical guidance such as that referred to in endnote 30 has in the main been incorporated into the Guide to data protection.
Security guidance is covered under principle seven [7]. The ICO guidance referred to in endnote 33 has been withdrawn and is now covered on pages 30-33 of the ICO’s Subject access code of practice [8].

Flowchart

On the back cover of the draft guidance we have included a flowchart that is intended to help doctors to structure their decision making in relation to disclosing information.

28. Do you think this is helpful?

Flowcharts are helpful to set out relevant considerations when making decisions such as whether to disclose information. We would comment, though, that whilst the flowchart understandably focuses on the common law of confidentiality, there is a risk that DPA considerations might be ignored if doctors follow the flowchart without further reference to the guidance. This risk is especially apparent in the box about implied consent, as per the comments made in our response to question 4.

[6] https://ico.org.uk/media/for-organisations/documents/1432067/advice-for-elected-and-prospective-councillors.pdf
[7] https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/
[8] https://ico.org.uk/media/for-organisations/documents/1065/subject-access-code-of-practice.pdf