The Data Protection Act 1998
The Pharmaceutical Journal Vol 265 No 7106p131
July 22, 2000 Articles
The Data Protection Act 1998
By Joy Wingfield, LLM, FRPharmS
A new Act extends the scope of controls over information held by pharmacists about patients
The Data Protection Act 1998 came into force on March 1, 2000, and regulates the "processing" of "personal data". "Personal data" means any information whereby a living individual can be identified. "Processing" means virtually any activity, such as obtaining, recording or holding the data, carrying out operations or sets of operations on the data, organisation, adaptation or alteration of the data, retrieval, consultation or use of the data and alignment, combination, blocking, erasure or destruction of the data. Unlike the earlier Act of 1984, which applied only to "computerised" data, the 1998 Act additionally covers paper records and filing systems and, indeed, any storage system structured so that data relating to a living individual can be retrieved.
The person to whom the data relate is called the data subject. The person who determines how and for what purposes the personal data are processed is called the data controller; anyone else who processes the data is called a data processor. The 1998 Act also imposes additional controls on sensitive personal data that include any information, including opinion, relating to the physical or mental health or condition of the data subject.
The Act is administered by the Data Protection Commissioner (formerly the Registrar) who maintains a register of registrable particulars notified by data controllers, who pay an annual fee. Processing personal data without notification is a criminal offence. Data controllers must comply with the eight data protection principles set out in the Act. These principles have the force of law. Briefly, the principles require that personal data shall be:
- 1.Obtained and processed fairly and lawfully and shall not be processed at all unless certain conditions are met (see below)
- 2.Obtained and processed for, or in ways compatible with, one or more lawful purposes
- 3.Adequate, relevant and not excessive in relation to that purpose or purposes
- 4.Accurate and kept up to date
- 5.Kept for no longer than necessary
- 6.Processed in accordance with the rights of data subjects under the Act (see below)
- 7.Protected against unauthorised or unlawful processing and against accidental loss, destruction or damage
- 8.Not transferred (with certain exceptions) outside the European Economic Area unless the recipient country operates the same controls on data protection as applies within the EEA
The Act imposes conditions which must be met even before processing of personal data can be contemplated (see Principle 1 above). Generally, personal data may not be processed at all unless either the data subject has given consent or one of a series of other conditions has been met. In the case of pharmacy patient medication records, the data are classed as sensitive personal data, for which either explicit consent must be obtained from the data subject or such consent may not be needed if the processing is "necessary for medical purposes and is undertaken by (a) a health professional [the definition includes pharmacists] or (b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional".
"Medical purposes" includes the purposes of preventive medicine, medical diagnosis, medical research, the provision of care and treatment and the management of health care services.
Thus, virtually all personal data used in pharmacy practice are "sensitive" but "explicit consent" (which implies a written explanation, a consent form and a decision freely made in appreciation of all its consequences) is not deemed necessary, for patient medication records at least, provided all personnel who may process such data are bound by the pharmacist's duty of confidentiality.
The Act sets out explicit rights of data subjects and others (see Principle 6 above). Data controllers must, on receipt of a written request accompanied by a fee:
- (a)Inform the data subject if personal data are being processed
- (b)Give data subjects a description of the data which are being processed, for what purposes and to whom they will be disclosed
- (c)Provide data subjects with that information in an intelligible form within 40 days of the request
Data subjects also have a right to prevent processing of their data for marketing purposes and can claim compensation from the data controller for failure to comply with any of the requirements of the Act or failure to rectify, block, erase or destroy any inaccurate data.
There are exemptions allowing the data controller to exclude information relating to an individual other than the data subject, to allow some latitude where provision of copy records is very difficult or impossible to achieve and to protect trade secrets.
Regulations also allow data controllers to decline to disclose data if that disclosure would be likely to cause serious harm to the physical or mental health or condition of the data subject or any other person. Information should not normally be disclosed without data subject consent unless it has been established that the data subject is incapable of managing his or her own affairs and the person requesting disclosure has been appointed by a court to manage those affairs. Parents, guardians and carers may seek disclosure of information about data subjects other than themselves (ie, patients) for whom they undertake parental or carer responsibility. If the data subject is a child who is likely to understand fully his or her rights to confidentiality, then consent should be established if at all possible.
The maximum fee for arranging access to automated health records remains at £10, the figure set in 1984, although £50 is the maximum if paper records are included. Disclosure may be permitted where it is necessary for the prevention or detection of crime or for protecting the public against dishonesty, malpractice, incompetence or mismanagement, where seeking the consent of the data subject would prejudice those purposes.
Generally speaking, the requirements of data protection legislation do not apply to any information which relates to a data subject who has died, although a personal representative of a deceased person or anyone who has a claim arising out of a patient's death can also claim access to "sensitive personal data" maintained in health records. The professional duty of confidentiality, however, does extend to information about deceased patients.
The Act does not normally cover data which have been anonymised (ie, have been detached from any details or any links whatsoever which could identify a living individual). Several legal cases have been brought to clarify the limits on the use of anonymised data when derived from patient medication records held by community pharmacists, but the final outcome has not yet been determined.
Joy Wingfield is assistant pharmacy superintendent at Boots the Chemists Ltd, Head Office, D90 East FO8, 1 Thane Road West, Nottingham NG90 1BS (e-mail firstname.lastname@example.org). She is also professor of pharmacy law and ethics at the University of Nottingham
Citation: The Pharmaceutical Journal URI: 20002263
Recommended from Pharmaceutical Press