Confidentiality and data protection - legal briefing
This legal briefing summarises the law on confidential information and the principles under which such information may be disclosed under the Data Protection Act 1998.
Position under common law
Traditionally, the English common law has protected an individual's right to expect that personal information about him or her will be kept confidential. Information will be protected if it has "the necessary quality of confidence about it" and has been imparted in circumstances importing an obligation of confidence. For example, information given to a doctor, social worker or lawyer would normally be considered to have this quality of confidence, but a conversation with a friend would not. A duty of confidentiality may also arise as a result of a contract where one party agrees to keep confidential information provided by the other party.
A court can prevent the disclosure of confidential information by injunction and, where appropriate, award damages if unlawful disclosure has been made.
There are two main exceptions to the duty of confidence. Firstly, public interest can override the duty. For example, a psychiatrist could pass on information about a patient to the police if it was felt that the patient was a danger to third parties. Secondly, disclosure of confidential information may be permitted or required by statute or court order.
Doctor and patient
In general, information disclosed by a patient to his or her doctor or therapist is regarded as confidential. However, in the NHS the information may be passed to someone else:
- with the patient's consent for a particular purpose; or
- on a "need to know" basis as follows:
(a) for NHS purposes where the recipient needs the information because he or she is or may be concerned with the patient's care or treatment or the use of the information can be justified for wider purposes such as improving quality of treatment, promoting effective healthcare administration or research; or
(b) where the information is required by statute or court order; or
(c) where passing on the information can be justified for reasons of public interest.
This means that where a patient needs the care of more than one healthcare professional, information given to a psychiatrist or psychotherapist, for example, may be shared with other members of a multidisciplinary team which could include a social worker, nurse, psychologist or occupational therapist.
Where information is shared, there is an implied understanding that the information will not be used except where it is strictly needed to help the professional provide the service. Each member of the team, and any person who provides administrative or secretarial support, has an obligation to treat the information as confidential. The obligation of confidence owed by a professional covers not only information provided by the patient, but also information relating to the patient which the professional obtains from others. There is nothing in the above which authorises disclosure of confidential information to relatives, carers or friends (unless it can be justified on public policy grounds, for example for that person's protection).
A third party is liable to be restrained from disclosing or using information which he or she knows, or ought to know, is confidential. For example, if an employer obtains information from a doctor about an individual, the employer is required to treat that information as confidential.
The Data Protection Act 1998
The Data Protection Act 1998 (the "Act") regulates the processing and disclosure of information and provides individuals with rights of access to such information. The Act repeals the Data Protection Act 1984 and is now fully in force except for some transitional provisions (see later). There are a number of important definitions and principles which are set out below.
(a) Basic definitions
The most important definitions are those in respect of "data", "personal data", "sensitive personal data", "processing", "data subject", "data controller" and "data processor".
Data means information which is being processed by computer or word processor, or is recorded with the intention that it should be processed by such equipment, or is recorded as part of a relevant filing system or with the intention that it should form part of such a filing system, or otherwise forms part of an accessible record such as a health record, an educational record or an accessible public record. Data can be in automated or manual form.
A 'relevant filing system' means that information about an individual which is kept in a 'hard copy', e.g. a paper file, is as easy to locate as it would be on a computer. This means that information about a person which is kept in a general file, or even in a named file which contains no new information about him or her, may not be covered by the Act.
- Personal data
Personal data means information which relates to a living individual who can be identified from that information, or other information held by the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. The definition does not cover information relating to someone who has died. Access to health records relating to deceased individuals is still covered by the Access to Health Records Act 1990.
- Sensitive personal data
Sensitive personal data includes information relating to ethnic or racial origin, religious or political beliefs, physical or mental health, sexual matters and criminal offences.
Processing has an extensive definition. It means obtaining, recording or holding information or any handling of the information, including organising, altering, retrieving, using, disclosing or destroying the information.
- Data subject
Data subject means the individual to whom the information refers. A data subject must be a living individual. Organisations such as companies and other corporate and unincorporated bodies of persons cannot, therefore, be data subjects.
- Data controller
Data controller means the person who determines the purposes for which and the manner in which any information is to be processed (broadly speaking, the person who holds the data). It is the duty of the data controller to comply with the Data Protection Principles. The definition of data controller comprises individuals, companies and other organisations including corporate and unincorporated entities. More than one person can be a data controller.
- Data processor
Data processor means any person (other than an employee of the data controller) who processes personal information on behalf of the data controller.
(b) Scope of the Act
The Act replaces the Access to Health Records Act 1990 (except for records relating to people who have died) and allows patients to have access to their medical records subject to certain limited exceptions. However, the Act is extensive and covers all types of data whether held on computer database or in manual form.
It is important to note that the Act does not allow information to be disclosed which at common law could not lawfully be disclosed because it is confidential, unless there is a common law or statutory exception available. The Act only regulates the disclosure of information which can already be lawfully disclosed.
Note also that, even where disclosure without consent may be justifiable (see below), the Act generally only allows it if it is necessary. If the objective can be achieved in some other way it may not be permissible to breach confidentiality.
(c) The Data Protection Principles
There are eight principles governing the proper handling of data under the Act. They are as follows:
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
- at least one of the conditions in Schedule 2 is met, and
- in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met; or
- processing is permitted in the public interest (see below).
The conditions in Schedule 2 are that:
- the data subject has given his consent to the processing;
- the processing is necessary for performing or entering into a contract with the data subject;
- the processing is necessary for the data controller to comply with a legal obligation;
- the processing is necessary in order to protect the vital interests of the data subject (i.e. where the processing is necessary for matters of life and death);
- the processing is necessary for the administration of justice or the exercise of functions of a public nature in the public interest; or
- the processing is necessary for the pursuit of legitimate interests by the data controller or the person to whom the information is being disclosed, unless such processing is unwarranted because of prejudice to the rights, freedoms or legitimate interests of the data subject.
Sensitive personal data may only be processed if at least one of the stricter conditions in Schedule 3 is satisfied, in addition to at least one of the conditions in Schedule 2 (unless it is necessary in the public interest; see below).
The conditions in Schedule 3 include the following (among others):
- the data subject has given his or her explicit consent to the processing (implied consent is not sufficient);
- the processing is necessary for the purposes of exercising or performing any right or obligation relating to employment;
- the processing is necessary to protect the "vital interests" of the data subject or another person (see above);
- the processing is carried out, with appropriate safeguards, by certain non-profit making organisations;
- the information has already been made public by the data subject;
- the processing is necessary for legal proceedings or the administration of justice; or
- the processing is necessary for medical purposes (including diagnosis, research and treatment) and is undertaken by a healthcare professional or a person who owes an equivalent duty of confidentiality.
Processing without consent in the public interest
Data may also be processed without consent if it is 'in the substantial public interest' and is necessary to prevent or help detect an unlawful act, or to provide protection against other forms of improper behaviour, if seeking the person's consent would interfere with these purposes. So, for example, if someone is suspected of criminal behaviour there is no need to seek permission before passing his or her confidential information to the police, provided such disclosure is necessary for the investigation.
'The substantial public interest' means that the potential benefit from the disclosure must outweigh the harm done to the individual by breaching his or her confidentiality; disclosure without consent following a minor piece of misbehaviour may not be reasonable.
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. The concept of incompatibility is viewed strictly by the Information Commissioner.
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
It is therefore not acceptable to hold information on the basis that it might possibly be useful at some time in the future without a view of how it will be used.
Personal data shall be accurate and, where necessary, kept up to date. Information is inaccurate if it is incorrect or misleading as to any matter of fact.
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes. Data controllers must therefore review the information they hold on a regular basis and delete any information no longer required.
Personal data shall be processed in accordance with the rights of data subjects under the Act. This means that a data controller must comply with the provisions of the Act relating to access to information, the prevention of processing which causes distress and the correction of inaccurate data. These are explained below.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Data controllers must ensure that adequate safeguards are taken to protect information and keep it confidential.
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Right of access to data
The Act provides that, upon making a request in writing and payment of a fee (currently no more than £10 for computer records and £50 for paper records), an individual is entitled to be told by the data controller whether they or someone else on their behalf is processing that individual's personal data and, if so, to be given a description of the information, the purposes for which it is being processed and the people to whom it is or may be disclosed. The individual is also entitled to be given a copy of the information in an intelligible and permanent form unless this would involve "disproportionate effort". The data controller must comply with a request for access as soon as possible and, in any event, within 40 days of the request.
The data controller must consider whether the information in question contains information relating to an identifiable third party (who is not a health professional). If it does, then where the data controller cannot comply with the request without disclosing information relating to such other party, he is not obliged to comply unless the other individual has consented to the disclosure. However, he can do so if it is reasonable in all the circumstances to comply without the consent of the other individual.
Where the application is made on behalf of a child or an incapacitated adult, the data controller may also withhold any information which was provided on the understanding that it would not be disclosed to that person. Where information can be disclosed, the courts have held that there is a discretion to disclose information to carers in order to allow them to exercise their rights as carers, even if the consent of the person being cared for cannot be obtained. A balance needs to be struck between the individual's right to confidentiality and the rights of the carer to be able to exercise his or her responsibilities.
(c) Accessing health and social work records
Special rules apply to health and social work records. Access to health records may be refused on medical advice by the data controller where disclosure would be "likely to cause serious harm to the physical or mental health or condition of the data subject or another person". However, the data controller can only do this after consulting the "appropriate health professional" (meaning the person most recently responsible for the patient's clinical care in connection with the subject matter of the request). There is a similar provision in relation to social work records. In this case, however, the decision rests with the social work authority alone, with no obligation to consult any other professional.
Challenging decisions about your information
If an individual has concerns about information relating to him or her, the individual can, generally, complain to the organisation concerned, refer the matter to the Information Commissioner (see below) or, in certain circumstances, apply to the Court.
(a) Processing causing distress
If an individual believes that a data controller is processing personal data in a way that causes, or is likely to cause, substantial unwarranted damage or distress, the Act provides that the individual can send a notice to the data controller requiring him or her to stop the processing.
When the data controller receives such a notice he or she must, within 21 days, reply to the individual stating either that he or she has complied with the request or explaining what he or she intends to do. If the individual is not happy with the decision of the data controller, he or she can appeal to the Information Commissioner. Ultimately, it is for the Court to decide what is 'substantial unwarranted damage or distress'. It should also be noted that an individual cannot complain if he or she has given a valid consent to the processing, or in certain other circumstances such as where the processing is to comply with a legal obligation.
An individual may also require a data controller to stop processing personal data for the purpose of direct marketing and a data controller must comply with such a request. In addition, an individual may require a data controller to ensure that no decision, which significantly affects that individual, is based solely on the processing by computer of personal data.
(b) Dealing with inaccurate facts
An individual may feel aggrieved about errors, omissions or other inaccuracies which may be contained in personal data. If the complaint is about inaccurate facts as opposed to disputed opinions, the individual may apply to the Court for an order requiring the data controller to rectify, block, erase or destroy the inaccurate data, together with any other personal data which contain an expression of opinion which the Court finds is based on the inaccurate data. Data are only inaccurate if they are incorrect or misleading as to any matter of fact.
The Court may also make such an order if the data subject has suffered damage due to any breach of the Act and there is a substantial risk of further breaches occurring.
In either of these cases the Court may order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.
(c) Dealing with disputed opinions
It is far more difficult to alter statements of opinion such as medical diagnoses, unless these have clearly been formed from obviously incorrect facts. In these circumstances, the practical solution may be for the data subject to submit to the data controller his or her own statement of facts, with or without a second opinion. This can then be added to the file. If the data controller refuses to record such statement, the data subject may apply to the Court, which can order that the data be supplemented by an approved statement of the true facts or make any other order as it sees fit.
(d) Right to compensation
An individual who suffers damage or distress, as the result of any contravention of the requirements of the Act by a data controller, is entitled to compensation where the data controller is unable to prove that he or she has taken reasonable care to comply with the relevant requirement. Damage includes financial loss or physical injury. Compensation for distress alone can only be claimed where the contravention relates to the processing of personal data for special purposes such as journalistic, artistic or literary purposes. However, if the individual can prove that damage has been suffered, the Court may award compensation for any distress suffered as well.
(e) Exemptions and transitional provisions
There are a number of exemptions from the various provisions of the Act. The most important of these relate to national security, the prevention of crime, the collection of tax, research, disclosures required by law and certain statutory provisions relating to health, education and social work (see above).
For a transitional period until 23 October 2007 certain manual data are also exempt from some of the data processing requirements. The exemption applies to (a) manual data processed (i.e. used or recorded) before 24 October 1998 and (b) manual data processed at any time if not recorded as part of a relevant filing system (as defined above).
Data to which this exemption applies are exempt from the First Principle (except for the fair processing requirements of the Act, such as giving the identity of the data controller and explaining the purposes for which the information is being used). Such data are also exempt from the Second, Third, Fourth and Fifth Principles and certain of the rights to rectification and erasure of inaccurate data. (These provisions are not easy to understand, so if relevant you should seek advice upon them.)
(f) The Information Commissioner
The Information Commissioner is an independent officer who reports directly to Parliament. The Commissioner's duties are to promote good practice and observance of the Act, encourage the development of Codes of Practice, maintain a register of data controllers who are required to notify their processing, prepare an annual report for Parliament and prosecute persons for offences committed under the Act.
The Act establishes a system of notification whereby a data controller is required to inform the Commissioner of certain details about the processing of personal data carried out by that data controller. Those details are used by the Commissioner to make an entry describing the processing in a register which is available to the public for inspection. This system provides a mechanism for data controllers to publicise details of their activities and helps data subjects to understand how personal data is being processed.
Further information on the Data Protection Act may be obtained from the Information Commissioner's Office (0303 123 1113).
Other relevant legislation
Health and Social Care Act 2001
Section 60 of this Act gives the Secretary of State for Health the power to make regulations to authorise or require health service bodies to disclose patient information, including data which is patient-identifiable, which is needed to support essential NHS activity, in the interests of improving patient care or in the wider public interest. Proposed regulations have been drafted to authorise or require disclosure in order to monitor diseases, including communicable diseases, for occupational health purposes and for medical research.
Terrorism and fraud
Legislation dealing with terrorism and financial services is beyond the scope of this briefing note. However, sweeping powers have been given to the authorities to inspect documents and intercept emails in order to combat terrorism and fraud.
Article 8 of the European Convention on Human Rights
The European Convention was brought into UK law by the Human Rights Act 1998. Article 8 states:
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
This means that an individual's wish to protect his or her privacy must be balanced against the needs of the relevant public authority to obtain or use specified information.
This legal briefing relates only to the law of England and Wales in force at the time of writing. It is a brief outline of the law and is not a substitute for detailed advice.
For more detailed advice on any of the issues discussed in this briefing you should take advice from a solicitor specialising in this area of the law. Details of where to seek specialist advice can be obtained from the Law Society (0870 606 2555) or from Community Legal Advice (0845 345 4345). Alternatively, you could contact your local Law Centre or Citizens Advice Bureau, who may be able to help.
Mind legal unit
Published January 2005