that one of the major routes to patient empowerment is the immediate access
and copies of any documentation/test results relating to health care. One
of the biggest advances to this end was the introduction of the Access
to Health Records Act 1990. This Act has now been superseded by the Data
Protection Act 1998, which came into force on 1st. March 2000, and also
replaces the former 1984 Data Protection Act. However, the Access to Health
Records Act 1990 still applies for access to records relating to the deceased
The Data Protection
Act 1998 applies to paper records as well as those held on computer. It
is supervised by the Data Protection Commissioner, who is currently Elizabeth
France. The Commissioner has the powers to consider individual complaints
about the alleged infringement of rights and powers to ensure compliance.
There are eight
enforceable principles of Data Protection as found at htp://www.dataprotection.gov.uk/principl.htm.
They say that the data must be:
covers both facts and opinions about the individual.It also includes information
regarding the intentions of the data controller towards the individual,
although in some limited circumstances exemptions will apply. With processing
the definition is far wider than before. For example, it incorporates the
concepts of "obtaining", "holding" and "disclosing"." The full explanation
of the principles can be found on the above website.
fairly and lawfully
processed for limited
and not excessive
not kept for longer
processed in accordance
with the data subject's rights.
to countries without adequate protection
8 and 14 of the Act.are the relevant sections for health records.SIN's
: Right of Access to Personal Data
to be no rights for third parties to make applications for access
on behalf of others eg. any individual who is without the mental capacity
to make an application in his or her own right -whether adult or child.Compliance
advice from The Office of the Data Protection Commissioner re: charges
for granting subject access, is rather difficult to understand.
It would appear
that there will be a standard charge of £10 for processing the automated
records ( computer generated records). A £50 maximum fee for accessing
and being supplied with copies in permanent form of manual or a combination
of manual and automated records.
No charge to
be made for a visual inspection of manual medical records provided that
at least some of these were updated within a period of 40 days prior to
the date of the application being made.
Supplementary to Section Seven
If any information
supplied under Section Seven (1) (c) (i) is supplied in an unintelligble
terms, then the data must be accompanied by an explanation of these
Blocking, Erasure & Destruction
of the Act makes provision for inaccuracies to be rectified or removed
the DPA a patient is entitled to inspect their medical records. At the
moment the maximum charge for copies of records appears to be £50
although it is not clear. The Data Controller must supply the information
in 'permanent form'. This normally means a print -out or photocopy, but
could also include copies of microfiches, x-rays or audio/video cassettes
. The data Controller should normally give access within 40 days. Any unintelligble
terms, such as computer codes, must be explained. The patient does not
need to say why they want it. The Data Controller cannot
refuse access because you might use the data to criticise the controller,
complain or take legal action. This seems to be an important step forward
in patients' gaining control over their own medical records.
DPA covers all personal data kept in manual or computerised form. Such
data covers both facts and opinions held about an individual.
Data Controller has a statutory obligation that whatever data is held on
an individual must be accurate. The individual ( patient) can request
for correction, providing the data is incorrect or misleading about a matter
of fact, or contains an opinion based on data which is
inaccurate or misleading. In such cases the Controller is obliged by Law
to correct, erase, destroy or block the use of such information.
Opinions cannot be challenged unless they are based on wrong facts
Thirteen (1) An individual who suffers damage by reason of any
contravention by a data controller of any of the requirements of the Act
is entitled to compensation from the data controller for that damage.
DPA does not appear to allow patients themselves to add a Section 6(b)
type notice. In our experience such Section 6(b) type notices were held
in little regard by doctors or hospitals. Therefore, if the Trust or Heath
Authorities are now obliged by Law to correct inaccurate records, this
would seem to be an improvement. However, if they refuse to comply then
the patient can seek advice from the Data Protection Information Commissioner,
who can force the Trust or HA to correct the records. But the Information
Commissioner has discretionary powers and may not act in favour of the
patient, who would then have to resort to Court action.