Text Size:
Page Width:
NHS West Midlands
  Search

Access to Data and Information

Minimize

Disclaimer: These notes are for guidance only. We cannot be held responsible for any action taken as a direct result of information contained herewith. we would always recommend that expert legal advice is sought. Please see our introduction page for more information.

Definitions

As there are numerous interpretations of the terms ‘data’ and ‘information’, it is important to ensure that the legal definitions of the terms are clear and unambiguous. In the United Kingdom, the Data Protection Act 1998 is the defining legislation and describes them as follows:

data means information which -

  • is being processed by means of equipment operating automatically in response to instructions given for that purpose,
  • is recorded with the intention that it should be processed by means of such equipment,
  • is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, or
  • does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68 of the Act;
  • even though it doesn’t fall within one of the above categories, is recorded information held by a public authority.

personal data means data that relate to a living individual who can be identified -

  • from those data, or
  • from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

sensitive personal data means personal data consisting of information as to -

  • the racial or ethnic origin of the data subject,
  • his political opinions,
  • his religious beliefs or other beliefs of a similar nature,
  • whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
  • his physical or mental health or condition,
  • his sexual life,
  • the commission or alleged commission by him of any offence, or
  • any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Anonymised Data

The Data Protection Act does not specify a definition for anonymised data but Confidentiality; NHS Code of Practice describes this as data or information that does not identify an individual directly and which cannot reasonably be used to determine identity. Anonymisation requires removal of name, address, full post-code and any other detail or combination of details that might support identification. Properly anonymised data should not be confused with Pseudo-anonymised or coded data. In this case, the original provider may retain a means of identifying individuals. This is often achieved by applying codes or unique references so that the data will only be identifiable to those with access to the key or index, but is still identifiable and linkable to an individual.

Access to data is constrained by:

  • the type of information being sought,
  • the originally stated purposes for why that data was collected,
  • the consent of the person on who the information is being held i.e. the (data subject)
  • questions about whether a person’s rights to confidentiality can be overridden by considerations of their best interest or the public interest.

The provisions of the Data Protection Act 1998 primarily refer to personal data and sensitive data, i.e. that which is identifiable to an individual. The processing, including disclosure, of such data is covered by the eight Data Protection Principles:

  • Principle 1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless the processing is necessary and -
    (a) at least one of the conditions in Schedule 2 is met, and
    (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
  • Principle 2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • Principle 3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  • Principle 4. Personal data shall be accurate and, where necessary, kept up to date.
  • Principle 5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  • Principle 6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  • Principle 7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  • Principle 8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Schedule 2 Conditions

  • Consent of the data subject
  • Necessary for the performance of a contract with the data subject
  • Compliance with a legal obligation (other than one imposed by contract)
  • To protect vital interests of the data subject
  • For the administration of justice or the carrying out of public functions, in the public interest
  • To pursue the legitimate interests of the data controller (except where processing is prejudicial to the rights, freedoms and interests of the data subject).

Schedule 3 Conditions

  • Explicit consent of the data subject
  • To comply with employers legal duty
  • To protect vital interests of data subject or another person
  • Carried out by certain non-profit bodies
  • The information has been made public by the data subject
  • In legal proceedings
  • Exercising legal rights
  • To carry out public functions
  • For medical purposes
  • For equal opportunities monitoring
  • As specified by order

NB: This is merely a summary of the conditions for the lawful processing of personal data (or sensitive personal data), and legal advice should be sought if there is any doubt as to the requirements of the law or the lawful basis for the disclosure of information. Access by an individual (the data subject) to personal and sensitive information held on them is subject to the Data Protection Act 1998 and the which entitles the data subject to ask the data controller if personal or sensitive data is held on them.

NB: It should be noted that in the case of a deceased person the external link icon Access to Health Records Act 1990, still applies.

Everyone has the right to know if personal data on them is being held or processed whether this is in computerised or manual form and whenever the record was made. However, the data controller does not have to comply unless, if asked to do so, the applicant makes the request in writing, pays the appropriate fee and makes available enough information for the data controller to be able to identify where the personal data is held. The data controller also has to be supplied with enough information in order to satisfy himself with the identity of the applicant.


The Act allows individuals to apply for access to data about them that is held by someone else.
Those about whom information is held (the data subject), can complain to the Information Commissioner, apply for copies of the information held and apply to the court for disclosure.

Freedom of Information Act 2000

The Freedom of Information Act 2000 strengthens the rights of access to information held by public bodies and enables people to obtain information in two ways:

Publication Schemes - Every public authority must make some information available through a publication scheme. Information that is included in such a scheme must be routinely made available to the public. A publication scheme is both a public commitment to make certain information available and a guide to how that information can be obtained.

General Right of Access - People also have the right to make a request for any information (known as the ‘right to know’) held by a public authority and the authority has to comply with the Act by responding. This right came into force on the 1st January 2005.

Exemptions - The Freedom of Information Act 2000 recognises that there are grounds for withholding information and provides 23 exemptions from the ‘right to know’, some absolute where the harm to the public interest of disclosure has already been decided and some qualified, which are subject to a public interest test. In these latter instances the public authority can only withhold the information if it is felt that the public interest in doing so is greater than the public interest in disclosure. An example of an absolute exemption would be regarding the need to confirm or deny if the information is held or communicate that information to an applicant if it has been filed or placed in the custody of a Court. More in-depth guidance on exemptions on documents held by Courts can be obtained from the Information Commissioners office.

The Act also sets out procedures for dealing with requests, for example, time limits and fee that can be charged for dealing with a request and so on. The NHS Care Record Guarantee is a useful guide for patients regarding access to their clinical records.

What are the constraints on information disclosure?

If applications are being made on someone else's behalf, the data controller has the right to check that the applicant has permission to do so. Only in exceptional circumstances would it be seen as reasonable to comply with an application without the person’s permission. Guidance issued by the Information Commissioner states that it will be lawful to allow someone else to exercise a person’s rights under the Data Protection Act 1998 where (i) there is a valid Enduring Power of Attorney or (ii) the Court of Protection is involved.

Where the data controller is unable to disclose personal data without identifying information relating to another individual, he is not obliged to do so unless consent has been given by that person or there are exceptional circumstances similar to the above.

The data controller may refuse to disclose information from health records when a Health Professional thinks access is likely to cause the data subject or anyone else serious physical and mental harm.

Under Part IV of the Data Protection Act, there are certain circumstances in which a person may be prevented from having access to information about him/her or their information may be disclosed to someone else without their consent. Those circumstances include: where it is in the interests of national security; where it will help to tackle crime; and in health, education and social work. Section 35 of the Act provides specific exemptions from the non-disclosure provisions for personal data required by any enactment, rule of law or order of a court and for legal proceedings.

 
© Copyright 2011 by NHS West Midlands Privacy Statement Terms Of Use Web Developer