Data Flashcards
Audit cycle - 6 steps
- Identify the issues
- Obtain / define standards
- Collect data
- Compare performance with standards
- Implement change
- Re-audit
Six data protection principles (GDPR)
Be processed lawfully, fairly and in a transparent manner
Be processed for specified, explicit and legitimate purposes (and nil outside this)
Be adequate, relevant and limited to what is necessary in relation to the purposes
Be accurate and up to date
Not be kept for longer than is necessary
Be secure
GDPR Article 6
FOR PERSONAL DATA
Subjects must have consented to use of their data (Consent is not recommended for use in the health sector as consent cannot be considered freely given if access to health and social care depends on it: use of Common Law Duty of Confidentiality instead. )
OR processing of the data must be necessary for one of the following:
1. For contract
2. For legal obligation
3. For vital interests
4. For task in public interest or official authority
5. For legitimate interests
GDPR Article 9
FOR HEALTH DATA "special category data" (need one lawful basis from Article 6 plus one of the following):
The processing is NECESSARY FOR MEDICAL PURPOSES where the processing is undertaken by a health professional or someone else who owes an equivalent duty of confidentiality.
Information in a patient's health record is likely to be special category data (Article 9)
Common Law Duty of Confidentiality (CLDC)
Used by the health service to store and share patient information, with and without patient consent.
Consent under the CLDC falls into 2 categories:
Implied consent – the case for most healthcare services, where patients can be assumed to expect their data to be used to support their care and treatment, e.g. discussion at MDT meetings, referral to other clinicians/specialties
Explicit consent – where the patient has agreed to the use of their data for an additional specific purpose after being fully informed, e.g. research or teaching
Breaking confidentiality and sharing information under the CLDC must meet one of the following conditions:
(1) Explicit or implied consent to do so (most cases)
(2) Mandatory legal requirement / power that enables the CLDC to be set aside
(a) Safeguarding concerns (Children Act 1989)
(b) Notifiable illnesses and reporting of food poisoning.
(c) Care Quality Commission inspections
(d) Sharing to Health and Social Care Information Centre (HSCIC): Under the powers given to NHS Digital through section 259 of the Health and Social Care Act 2012
(3) An overriding public interest to share: the benefits of sharing the information are deemed to outweigh the patient's right to privacy and the possibility of damage to trust in the profession by breaking confidentiality
(4) A court order for the sharing of specific information and to whom
(5) The Confidentiality Advisory Group (CAG) has given Section 251 approval for the use of confidential information by the Health Research Authority (HRA) or Secretary of State for Health and Social Care
Legal support for the use of confidential patient information without consent is given:
(1) Under the Health Services (Control of Patient Information) Regulations 2002
(2) Within section 251 of the NHS Act 2006
- Protects the interests of patients/ the public whilst also making sure relevant information can be used when it is appropriate for reasons beyond individual care
- Usually only granted when it would be very difficult or impractical to seek the consent of every individual whose data they wish to use. The National Data Opt-out is offered to members of the public and only applies to data being shared under Section 251
Patient request for medical records
Subject Access Requests (SARs) are made under the Data Protection Act 1998
The SAR does not need to be in writing; it can be made verbally or electronically
You must provide the information within 28 days. In exceptional cases a 2-month extension can be granted; the patient must be informed of this extension before the initial 28 days expire.
It is a criminal offence to amend or delete records in response to a SAR.
Exemptions and information that can be redacted:
(1) Anything that you believe may cause serious harm to the patient
(2) Any third party information
(3) Information relating to the storage of gametes / embryos (Human Fertilisation and Embryology Act 1990 UK – Section 33A)
(4) Information relating to an individual being born as a result of IVF (Human Fertilisation and Embryology Act 1990 UK – Section 33A)
(5) Where disclosure is prohibited by law, e.g. adoption records
Legal parents have access to children's records provided this is not contrary to the child's best interests or a competent child's wishes
Children and young people with capacity have the right to request access to their own records and also to block access to their records by parents
- In England anyone over the age of 16 is legally presumed to have capacity, and for children younger than 16 capacity should be assessed on a case by case basis
- In Scotland anyone over the age of 12 is legally presumed to have capacity
'Next of kin' have no right to request record access or to consent to information sharing on the patient's behalf (unless legally in place, e.g. Advance Decision/LPA)
A patient with capacity can authorise a solicitor to request access to their records, but in this instance the patient’s written consent must be gained before release
Gender Recognition Act – Section 22
Protects information relating to a person's gender history after they have legally changed gender
NHS (Venereal Diseases) Regulations 1974 & NHS and PCT (Sexually Transmitted Diseases) Direction 2000:
Protect patient-identifiable information relating to the examination or diagnosis of STIs, including HIV
Unless to another medical practitioner for the purposes of treatment
OR to prevent the spread of disease