The Data Protection Act 1998 (DPA) requires a clear direction on Policy for security of information within the Practice.
The policy provides direction on security against unauthorised access, unlawful processing, and loss or destruction of personal information.
The following is a Statement of Policy which will apply:
- The Practice is committed to security of patient and staff records.
- The Practice will display a poster in the waiting room, explaining the practice policy to patients.
- The Practice will make available a brochure on Access to Medical Records and Data Protection for the information of patients.
- The Practice will take steps to ensure that individual patient information is not deliberately or accidentally released or (by default) made available or accessible to a third party without the patient’s consent, unless otherwise legally compliant.
- This will include training on Confidentiality issues, DPA principles, working security procedures, and the application of Best Practice in the workplace.
- The Practice will exercise prudence in the use and testing of arrangements for the backup and recovery of data in the event of an adverse event.
- The Practice will maintain a system of “Significant Event Reporting” through a no-blame culture to capture and address incidents which threaten compliance.
- DPA issues will form part of the Practice general procedures for the Management of Risk.
Specific instructions will be documented within confidentiality and security instructions and will be promoted to all staff.
Data Protection Act - Patient Information
We need to hold personal information about you on our computer system and in paper records to help us to look after your health needs.
Please help to keep your record up to date by informing us of any changes to your circumstances.
Doctors and staff in the practice have access to your medical records to enable them to do their jobs. Your doctor is responsible for their accuracy and safe-keeping.
From time to time, it may be necessary to share information with others involved in your care. Anyone with access to your record is properly trained in confidentiality issues and is governed by both a legal and contractual duty to keep your details private.
All information about you is held securely and appropriate safeguards are in place to prevent accidental loss.
In some circumstances we may be required by law to release your details to statutory or other official bodies, for example if a court order is presented, or in the case of public health issues. In other circumstances you may be required to give written consent before information is released – such as for medical reports for insurance, solicitors etc.
To ensure your privacy, we will not disclose information over the telephone or fax unless we are sure that we are talking to you.
Information will not be disclosed to family, friends, or spouses unless we have prior written consent, and we do not leave messages with others.
You have a right to see your records if you wish. Please ask at reception if you would like further details and our patient information leaflet. An appointment will be required. In some circumstances a fee may be payable.
Access to Health Records Under the Data Protection Act 1998
The Data Protection Act 1998 gives every living person the right to apply for access to their health records or have factual errors corrected. Any request for access to health records must be made in writing on the relevant form obtained from the practice and sent to the Practice Director. Under the Data Protection Act 1998 (Fees and Miscellaneous Provisions) Regulations 2001, you will be charged to view or be provided with copies of your health records.
Applicants may be:
- A representative of the patient with their written permission
- A person having parental responsibility for a child, if it is in the child's best interests and not contrary to a competent child's wishes
- A person appointed by a court when the patient is incapable of managing his own affairs.
When a patient has died, an application for access to the medical records can only be accepted with the written permission of the patient's personal representative. That person will either be an executor of the estate or, if the patient died intestate, the administrator of the estate.
To provide copies of patient health records the costs are:
- Health records held totally on computer: up to a maximum £10 charge
- Health records held in part on computer and in part manually: up to a maximum £50 charge
- Health records held totally manually: up to a maximum £50 charge
To allow patients to view their health records (where no copy is required) the costs are:
- Health records held totally on computer: up to a maximum £10 charge, unless the records have been added to in the last 40 days.
- Health records held manually: up to a maximum £10 charge, unless the records have been added to in the last 40 days.
- Health records held in part on computer and in part manually: a maximum of £10 unless the records have been added to in the last 40 days.
Note: if a person wishes to view their health records and then wants to be provided with copies, the £10 maximum fee for viewing records would be included within the £50 maximum fee for copies of health records.
Under the Data Protection Act 1998, there is no obligation to comply with an access request unless the practice has enough information to identify the applicant and locate the information and unless the required fee has been paid. You will therefore be asked to complete an application form. When coming to the surgery to view or collect a copy of the records you will be asked to provide a form of photographic identification such as a passport.
Once the practice has all the relevant information and fee where relevant, we will comply with the request promptly, within 21 days and by no later than forty days after the request has been made. In exceptional circumstances if it is not possible to comply within the forty-day period you will be informed. A senior member of the Practice staff will be present when you view the records to assist you in understanding the information in the records.
Under the Data Protection Act 1998 there are certain circumstances in which the practice may withhold information. Access may be denied, or limited, where the information might cause serious harm to the physical or mental health or condition of the patient, or any other person. Access may also be denied where it would involve disclosing information relating to or provided by a third person who had not consented to the disclosure.
The practice complies with Data Protection and Access to Medical Records legislation. Identifiable information about you will be shared with others in the following circumstances:
- To provide further medical treatment for you e.g. from district nurses and hospital services.
- To help you get other services e.g. from the social work department. This requires your consent.
- When we have a duty to others e.g. in child protection cases.
Anonymised patient information will also be used at local and national level to help the Health Board and Government plan services e.g. for diabetic care.
If you do not wish anonymous information about you to be used in such a way, please let us know.
Reception and administration staff require access to your medical records in order to do their jobs. These members of staff are bound by the same rules of confidentiality as the medical staff.