Digital personal information

Information Commissioner issues legal guidance on the use of confidential medical data

22/5/02. By the Public Health Genetics Unit

The Information Commissioner has issued legal guidance on the application of the Data Protection Act 1998 to the use and disclosure of health data.

In response to concern and questions from many in the medical profession and the health service, the Information Commissioner has issued legal guidance on the application of the Data Protection Act 1998 to the use and disclosure of health data. Her report aims in particular to clarify the conditions under which patient consent is required for processing health data.

Problems have arisen because, although the Data Protection Act makes provision for some situations in which it may be necessary to process an individual's health data without explicit consent (for example, for some types of epidemiological research where it would be impractical to obtain consent for the use of old health records), the first data protection principle of the Act states that data must be processed lawfully. 'Lawfully' here means in compliance with the common law on confidentiality, which binds all health professionals not to release medical data to third parties without consent.

The Information Commissioner's guidance aims to resolve this apparent difficulty. The guidance states that consent is almost always required to comply with the common law, but for many routine uses of data within the health service (for example, routine record-keeping, clinical audit, or disclosure by one health professional to another), consent need not be "explicit" for each use in the terms of the Data Protection Act, but may be "implied" by the general understanding most people have of how the health service works and how their personal data may be used within that system - provided that information about such potential uses has been given to the individual at some point, under the "fair processing" requirement set out in the Act.

In deciding whether individuals should be given the opportunity to opt out of allowing their data to be used for a particular purpose, health service professionals should decide whether the purpose is essential (for example, for the patient's care or for health service administration) or optional (for example, disclosure to a hospital chaplain); in the latter case, opting out should be allowed.

The common law obligation of confidentiality is considered as having been met, without the need to seek consent, if disclosure is made under section 60 of the Health and Social Care Act 2001, which gives the Secretary of State for Health power to authorise the processing of personal medical data without consent for specific purposes such as the diagnosis and treatment of cancer, communicable disease surveillance and a limited set of activities associated with medical research.

Wherever possible, however, anonymised data should be used. Appendix 1 of the Information Commissioner's Guidance sets out in tabular form some examples of uses and disclosures of information, and how they can be carried out lawfully.

Article courtesy of the Public Health Genetics Unit.

Wellcome Trust, Gibbs Building, 215 Euston Road, London NW1 2BE, UK T:+44 (0)20 7611 8888