The Information Commissioner’s response to the General Medical
Council’s consultation “Confidentiality: draft guidance”
The Information Commissioner has responsibility for promoting and
enforcing the Data Protection Act 1998 (“DPA”), the Freedom of
Information Act 2000 (“FOIA”), the Environmental Information
Regulations (“EIR”) and the Privacy and Electronic Communications
Regulations 2003 (“PECR”). He also deals with complaints under the Reuse of Public Sector Information Regulations 2015 (“RPSI”) and the
INSPIRE Regulations 2009. He is independent from government and
upholds information rights in the public interest, promoting openness by
public bodies and data privacy for individuals. The Commissioner does this
by providing guidance to individuals and organisations, solving problems
where he can, and taking appropriate action where the law is broken.
The Information Commissioner’s Office (ICO) welcomes the opportunity to
comment on this consultation, and would be pleased to be contacted by
the GMC should any further clarification be required. Only those questions
relevant to the ICO’s remit have been answered.
3. Do you have any other comments on paragraphs 1-35?
Paragraph 17 states that "When you are satisfied that information should
be disclosed, you should act promptly to disclose all relevant information."
When information is shared it is also important to consider how that
information can be shared in an appropriately secure way. This would
assist doctors in complying with the seventh principle of the DPA, which
requires that when processing personal data, appropriate technical and
organisational measures to protect that data are in place. An
acknowledgement of this might assist here.
Paragraph 19 sets out some examples of situations where it is not
practicable to seek explicit consent for the disclosure of identifiable
information for purposes other than direct care or local clinical audit.
From a DPA perspective, if explicit consent is not being obtained for
disclosing, allowing access to, or indeed any other processing of sensitive
personal data then an alternative schedule 2 and schedule 3 condition
must apply if the processing is to be in compliance with the first principle
of the DPA. This may be simple to achieve for some of the examples, but
more difficult for others depending on the purpose for which the data is
being processed.
10.02.2016 v1.0
The first reference to disclosures made under section 251 of the National
Health Service Act 2006 is made in paragraph 27, and then in
paragraphs 96 and 97. It is not until paragraph 97 that the guidance
clarifies that this section only applies in England and Wales. To avoid
reliance on legislation that does not apply geographically, it would seem
more appropriate that this is set out clearly at the first reference.
Paragraphs 28 to 34 set out how disclosures in the public interest can be
appropriate, together with guidance on what doctors should consider in such
situations. Again from a DPA perspective, as with any disclosure of
sensitive personal data, disclosures in the public interest need an
applicable schedule 2 and 3 condition for the purposes of the first
principle of the DPA. As mentioned previously, how simple this will be to
achieve will depend on the purpose for the disclosure.
Paragraph 29 highlights one area where difficulties in the interplay
between the DPA and the common law of confidence can arise. It states
that "Personal information may be disclosed in the public interest, without
a patient's consent, and in exceptional cases where a patient has refused
consent." From a DPA point of view, if consent is sought and
subsequently refused then to disclose personal data would be unfair. If it
is anticipated that the disclosure has a legal basis to take place anyway,
regardless of consent, then for the purposes of the DPA another schedule
condition should be applied and consent not sought - patients should
simply be clearly informed that the disclosure will take place, to whom
and for what purpose. The same applies to paragraph 31.
4. Do you agree that a doctor should be able to rely on a patient’s implied
consent to share information about their direct care when all of these
conditions are met?
Although the DPA does not contain any references to the notion of implied
consent, a doctor considering the sharing of information for the purposes
of direct medical care should be able to point to an applicable schedule 2
and 3 condition other than consent. This would mean that obtaining
consent for the purposes of the DPA would be unlikely to be necessary.
Whether or not consent under the DPA is obtained, the first DPA principle
requires that information is processed fairly, so doctors would have to
also ensure that patients would reasonably expect their information to be
shared in this way.
The same applies in other situations where doctors wish to rely on implied
consent for the purposes of the common law of confidentiality; they
should also ensure they have a DPA schedule 2 and 3 condition, and
should ensure that the disclosure is one the patient would reasonably
expect.
8. Do you think that there may be circumstances in which there is a
public interest justification for disclosing information about an adult
who has capacity without their consent, even when nobody else is at risk
of serious harm?
As per the comments made above about paragraphs 28 to 34, another
schedule 2 and 3 condition should be applicable for such disclosures to
comply with the DPA, unless a relevant DPA exemption applies. For
example, the DPA provides a schedule 3 condition for processing that is in
the substantial public interest, is necessary for the purposes of the
prevention or detection of any unlawful act, and must necessarily be
carried out without explicit consent in The Data Protection (Processing of
Sensitive Personal Data) Order 2000 [1]. Consideration should also be given
to whether the disclosure would be fair. Whether both of these apply would
depend on the particular circumstances.
11. Is the guidance on using anonymised and de-identified information
helpful?
It is good to see that the guidance makes the important point in
paragraph 82 that anonymised or de-identified information will often be
sufficient for many purposes and must be used in preference to
identifiable patient information. It is also good to see the reference and
link to the ICO’s Anonymisation: managing data protection risk code of
practice [2]. From a DPA perspective, if there is a reasonable likelihood of
identification of living individuals then the data in question is personal
data and the DPA will therefore be engaged.
15. Do you have any other comments on the ‘indirect care uses and
disclosure’ section of the guidance (paragraphs 81–109)?
The difficulty with sharing information for indirect care uses is that
whereas for direct care, a DPA schedule 3 condition can almost always be
identified (schedule 3 condition 8 provides for processing that is
necessary for medical purposes), this is not always the case for indirect
care. Some of the examples given in paragraph 81 (research for
example) are likely to be covered by schedule 3 condition 8, but others may
not be, so an alternative condition for processing would have to be found.

[1] http://www.legislation.gov.uk/uksi/2000/417/pdfs/uksi_20000417_en.pdf
[2] https://ico.org.uk/for-organisations/guide-to-data-protection/anonymisation/
18. Do you have any other comments on the ‘non-care uses and
disclosures’ section of the guidance (paragraphs 110–132)?
Paragraph 112 deals with requests for information from third parties such
as insurers. We are pleased to see that reference is made to the
requirement to “obtain or have seen written consent from the patient or a
person properly authorised to act on the patient’s behalf” and the general
rule of thumb that doctors “should not usually disclose the whole record.”
However, based on recent ICO concerns about insurers obtaining medical
records via subject access rights, and the related risks of their obtaining
excessive and irrelevant information in a way that was not intended by
those rights, it may be helpful to make this paragraph stronger and more
explicit.
Paragraphs 113 and 124 refer to the possibility of disclosures after
consent has been sought and subsequently refused. For the ICO view on
this please see the comments about paragraph 29, in response to
question 3 above.
19. Do you agree with the inclusion of these duties on information
governance and compliance with data protection legislation?
When we previously commented on this guidance, we made the point that
it is important to consider the context that the guidance will apply in. The
legal regime which applies to confidential information operates in parallel
with the DPA, and we are keen to ensure that the guidance acknowledges
that doctors must take the requirements of the DPA into account as well
as those of confidentiality, where the information processed is personal
data or sensitive personal data. We considered that if the guidance does
not include some acknowledgement of DPA responsibilities there is a risk
that some doctors might see the guidance as the complete approach to
managing personal health information and could disregard the
requirements of the DPA. Of course we do recognise that the guidance is
not intended to cover the requirements of the DPA in detail, as its focus is
confidentiality, but we did suggest that it is important that the guidance makes
a clear and explicit reference to the fact that organisations will also have
to take into account the requirements of the DPA where the information
processed is personal data or sensitive personal data. We are pleased to
see that this approach has, in the main, been adopted.
20. Do you agree with the guidance on improper access and disclosure?
The guidance in this section reflects the importance of ensuring that
appropriate measures, both technical and organisational, are put in place
to protect personal data from inappropriate disclosure and other security
risks that may exist in the day-to-day management of that data. We
agree that it is important to remind doctors of this point.
21. Do you agree with the inclusion of these duties for doctors who have
responsibilities for managing or recruiting staff?
Data controllers have a responsibility to ensure that appropriate
organisational measures are in place to protect the personal data they
process. If doctors have responsibility within the data controller
organisation for employment contracts, or staff training, it makes sense
that they ensure that the contracts include appropriate obligations for all
staff to process personal data in line with the DPA and other legislation,
and that they ensure staff are properly trained to do so. Specifying
management responsibilities in this way could assist as one such
appropriate measure.
22. Do you agree with the guidance on disclosing information after a
patient has died?
For the avoidance of doubt it might assist to clarify at some point in this
section that DPA obligations only apply to living individuals.
23. Do you have any other comments on the ‘managing and protecting
personal information’ section of the guidance (paragraphs 133–156)?
Paragraph 138 states that “Whether or not you are a data controller, you
must process patient information fairly.” This is of course true: whilst the
data controller is ultimately responsible for DPA compliance, those doctors
working within data controller organisations must process any personal
data they deal with fairly. However, it is more accurate to say that they must
process personal data in compliance with the DPA as a whole, and in
particular with all the DPA principles, not just the first one.
In paragraph 149, for the sake of accuracy the reference to the "Office of
the Information Commissioner" should be the "Information
Commissioner's Office".
26. Do you think there are any inaccuracies or important omissions from
the legal annex?
On page 32 the DPA section begins by stating that “The Data Protection
Act 1998 regulates the processing of personal data about living individuals
in the UK.” The phrasing of the sentence could imply that the DPA applies
only to personal data about living individuals in the UK, whereas it
actually applies to the processing of personal data by data controllers
established in the UK about living individuals, wherever those individuals
are.
We are pleased to see references to fair processing both on page 33 and
throughout the guidance. As the regulator for the DPA the ICO is often
asked what this practically means, and how proactive data controllers
should be in providing fair processing information. It might therefore be
helpful to link to our Privacy notices code of practice [3], which sets out how
organisations can use a layered approach, which in this context might
include giving simple, clear and accessible information directly to new
patients, appropriate reminders such as posters and leaflets, together
with individual (verbal or otherwise) communications where any
disclosures may be particularly unexpected or intrusive. Please also note
however that we are currently consulting on a revised draft of the Privacy
notices code [4].
On page 34 reference is made to the Freedom of Information Act 2000. It
would be helpful for doctors in Scotland if reference to the Freedom of
Information (Scotland) Act 2002 were also made, together with
clarification that this legislation is regulated by the Scottish Information
Commissioner [5].
Although not strictly within the ICO’s remit, we understand that The
Children & Young People (Scotland) Act 2014 places a duty on doctors in
Scotland to assist the Named Person when asked, which may include
disclosure of patient information. It may be worth considering whether
this legislation should also be included in the section on “Statutes that
require, permit or prevent disclosure of patient information.” Similarly we
understand that the Public Health Acts across the UK may also be
relevant. Finally and for future reference, we understand that some draft
legislation currently being considered by the Northern Ireland Assembly
may also be relevant, including the Health and Social Care (Control of
data processing) Bill and the NI Mental Health Bill.
[3] https://ico.org.uk/media/for-organisations/documents/1610/privacy_notices_cop.pdf
[4] https://ico.org.uk/about-the-ico/consultations/privacy-notices-transparency-and-control-a-code-of-practice-on-communicating-privacy-information-to-individuals/
[5] http://www.itspublicknowledge.info/home/ScottishInformationCommissioner.aspx
Endnotes
27. Do you have any comments on the endnotes?
The ICO’s technical guidance note referred to in endnote 21 is no longer
available. The point is now covered on page 3 of the ICO guidance
“Advice for elected and prospective councillors” [6].
Technical guidance such as that referred to in endnote 30 has in the main
been incorporated into the Guide to data protection. Security guidance is
covered under principle seven [7].
The ICO guidance referred to in endnote 33 has been withdrawn and is
now covered on pages 30-33 of the ICO’s Subject access code of practice [8].
Flowchart
On the back cover of the draft guidance we have included a flowchart
that is intended to help doctors to structure their decision making in
relation to disclosing information.
28. Do you think this is helpful?
Flowcharts are helpful to set out relevant considerations when making
decisions such as whether to disclose information. We would comment
though that whilst of course the flowchart understandably focuses on the
common law of confidentiality, there is a risk that DPA considerations
might be ignored if doctors follow the flowchart without further reference
to the guidance. This risk is especially apparent in the box about implied
consent, as per the comments made in our response to question 4.
[6] https://ico.org.uk/media/for-organisations/documents/1432067/advice-for-elected-and-prospective-councillors.pdf
[7] https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/
[8] https://ico.org.uk/media/for-organisations/documents/1065/subject-access-code-of-practice.pdf