Data protection and freedom of information
http://www.100md.com
《英国医生杂志》
The protection and use of confidential information about patients has had welcome priority in the government's thinking in recent years1-3 and becomes more important with the planned introduction of the new NHS care records service.4 The legal framework for the processing and use of personal information is set out in the Data Protection Act 1998, which makes provision for the protection of privacy and confidentiality of people's personal information.5 At the other end of the privacy spectrum, openness and accountability in the NHS have been given a boost with the implementation in January 2005 of the Freedom of Information Act 2000.6 Many members of the public and healthcare professionals are unclear about the details—perhaps even the existence—of both laws and what they mean in practice.
The Freedom of Information Acts (Scotland's was passed in 2002) give people a general right of access to information held by or on behalf of public bodies, which include NHS trusts, primary care trusts, strategic and special health authorities, and others—general practitioners, dentists, opticians, and pharmacists—providing services under parts II or 28C of the NHS Act 1977. The act creates an obligation on these bodies to have a publication scheme showing what information they publish and how it can be obtained. They have to reply to a request under the act for specific information, saying whether that information is held and making it available—subject to some exemptions.
Individuals seeking information about different aspects of their healthcare will draw on the provisions of both acts depending on the nature of the request. For example, a patient's request to see his or her own health record is not covered by the Freedom of Information Act. Section 40 specifically exempts personal information of the person making the request within the meaning of the Data Protection Act 1998. Even if the request is received as a request under the Freedom of Information Act, public bodies are obliged to treat it as one made under the provisions of the Data Protection Act, which gives people the right of access to their own electronic and paper based health records, subject in most instances to a prescribed fee. Patients do not have an automatic right to see everything—data controllers (the holders of the record) should not reveal confidential information about a third party without that person's consent; and they do not have to reveal information that they judge would be harmful to the patient.
But in addition to personal information, patients and members of the public have a legitimate right to know more about the activities of arranging and providing NHS services. They can now make a request under the Freedom of Information Act about how decisions were made, for instance on service allocation, overall prescribing patterns, or major capital expenditure. The act is fully retrospective, so people can request information about events at any time in the past.
Not all such information will be open to scrutiny. We do not know as yet whether the many exemptions in the Freedom of Information Act will serve as reasonable grounds for restricting access to information or be used as excuses for avoiding the openness the act is intended to achieve.
In addition to personal data of the individual making the request, specific exemptions (subject to a judgment about public interest) include among others the likelihood of creating an actionable breach of confidence around information provided by a third party (section 41) and revealing of trade secrets, or prejudicing commercial interests of any person or body (section 43). A request under the Freedom of Information Act can also be refused if the cost of meeting it would exceed the sums laid down in regulations or would cause unjustifiable workload.7
The acts are symbolic of the need in modern societies to protect the privacy and confidentiality of individuals and at the same time ensure appropriate accountability of publicly funded services. At their best the acts should promote improved communication and management of records. The more that is published and the more easily and frequently patients have routine access to information about their health care, the less likely they are to need recourse to the law to get the information they seek.
Examples exist across the NHS of hospitals and practices routinely making information available to patients. These include general practices that invite patients to look at their own records or clinicians who routinely copy letters to patients, according to the policy of the Department of Health.8 Where healthcare professionals have developed such schemes, they and their patients have been rewarded with improved consultations, better understanding of treatment options, and the chance to correct mistakes in records.9
In time the national programme for information technology will open "Healthspace," in which patients will be able to look at their records at their own convenience (www.healthspace.nhs.uk). This will be a major advance for patients and will go some way to creating more meaningful partnerships between patients and clinicians.
Many clinicians and health managers are unused to providing information about their performance, which is now open to scrutiny. Some may grudgingly seek to comply only with the letter of the law, and in doing so they may miss the wider potential of the acts to contribute to a patient centred NHS.
Legislation on its own cannot bring about a major change in culture. But it can act as a catalyst for improved performance in many ways. At its best, freedom of information should be a marker for openness and accountability in public services. It complements provisions for data protection for improving people's access to information about themselves, alongside the protection of their confidentiality and privacy. Both acts should help maintain progress to an NHS built on a "three-way partnership of respect, honesty and openness—between the NHS and the public, professionals and patients, and professionals and professionals."9
Barbara Meredith
Epsom, Surrey KT17 4HQ (blmeredith@tiscali.co.uk)
Competing interests: BM chaired the working group on Copying Letters to Patients, which reported to the Department of Health in 2002. She is a member of the Patient Information Advisory Group, and of the Ethics Advisory Group of the Care Records Development Board. She is also part time project manager in the Patient Involvement Unit of the National Institute for Clinical Excellence. The views in this editorial are her personal views and not those of any organisation with which she is associated.
References
Protecting and using patient information. A manual for Caldicott guardians. Department of Health, London NHS Executive, Leeds, 1999. http://www.dh.gov.uk/assetRoot/04/06/81/36/04068136.pdf (accessed 27 Feb 05).
Building the Information Core. Protecting and Using Confidential Patient Information. A Strategy for the NHS. Department of Health Information Policy Unit, London, 2001 http://www.publications.doh.gov.uk/ipu/confiden/strategyv7.pdf (accessed 27 Feb 05).
Confidentiality NHS Code of Practice, Department of Health, London, 2003. http://www.dh.gov.uk/assetRoot/04/06/92/54/04069254.pdf (accessed 27 Feb 05).
NHS Care Records Service. http://www.npfit.nhs.uk/programmes/nhscrs/
Data Protection Act 1998. www.hmso.gov.uk/acts/acts1998/19980029.htm (accessed 23 Feb 2005).
Freedom of Information Act 2000. www.hmso.gov.uk/acts/acts2000/20000036.htm (accessed 23 Feb 2005).
Statutory Instrument 2004 No. 3244. The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004. www.legislation.hmso.gov.uk/si/si2004/20043244.htm (accessed 23 Feb 2005).
Copying Letters to Patients. Good Practice guidelines. Department of Health, London, 2003. http://www.dh.gov.uk/assetRoot/04/08/60/54/04086054.pdf
Learning from Bristol: the report of the public inquiry into children's heart surgery at the Bristol Royal Infirmary 1984-1995. London: Stationery Office, 2001. (CM 5207) www.bristol-inquiry.org.uk/final_report/index.htm (accessed 23 Feb 2005).
The Freedom of Information Acts (Scotland's was passed in 2002) give people a general right of access to information held by or on behalf of public bodies, which include NHS trusts, primary care trusts, strategic and special health authorities, and others—general practitioners, dentists, opticians, and pharmacists—providing services under parts II or 28C of the NHS Act 1977. The act creates an obligation on these bodies to have a publication scheme showing what information they publish and how it can be obtained. They have to reply to a request under the act for specific information, saying whether that information is held and making it available—subject to some exemptions.
Individuals seeking information about different aspects of their healthcare will draw on the provisions of both acts depending on the nature of the request. For example, a patient's request to see his or her own health record is not covered by the Freedom of Information Act. Section 40 specifically exempts personal information of the person making the request within the meaning of the Data Protection Act 1998. Even if the request is received as a request under the Freedom of Information Act, public bodies are obliged to treat it as one made under the provisions of the Data Protection Act, which gives people the right of access to their own electronic and paper based health records, subject in most instances to a prescribed fee. Patients do not have an automatic right to see everything—data controllers (the holders of the record) should not reveal confidential information about a third party without that person's consent; and they do not have to reveal information that they judge would be harmful to the patient.
But in addition to personal information, patients and members of the public have a legitimate right to know more about the activities of arranging and providing NHS services. They can now make a request under the Freedom of Information Act about how decisions were made, for instance on service allocation, overall prescribing patterns, or major capital expenditure. The act is fully retrospective, so people can request information about events at any time in the past.
Not all such information will be open to scrutiny. We do not know as yet whether the many exemptions in the Freedom of Information Act will serve as reasonable grounds for restricting access to information or be used as excuses for avoiding the openness the act is intended to achieve.
In addition to personal data of the individual making the request, specific exemptions (subject to a judgment about public interest) include among others the likelihood of creating an actionable breach of confidence around information provided by a third party (section 41) and revealing of trade secrets, or prejudicing commercial interests of any person or body (section 43). A request under the Freedom of Information Act can also be refused if the cost of meeting it would exceed the sums laid down in regulations or would cause unjustifiable workload.7
The acts are symbolic of the need in modern societies to protect the privacy and confidentiality of individuals and at the same time ensure appropriate accountability of publicly funded services. At their best the acts should promote improved communication and management of records. The more that is published and the more easily and frequently patients have routine access to information about their health care, the less likely they are to need recourse to the law to get the information they seek.
Examples exist across the NHS of hospitals and practices routinely making information available to patients. These include general practices that invite patients to look at their own records or clinicians who routinely copy letters to patients, according to the policy of the Department of Health.8 Where healthcare professionals have developed such schemes, they and their patients have been rewarded with improved consultations, better understanding of treatment options, and the chance to correct mistakes in records.9
In time the national programme for information technology will open "Healthspace," in which patients will be able to look at their records at their own convenience (www.healthspace.nhs.uk). This will be a major advance for patients and will go some way to creating more meaningful partnerships between patients and clinicians.
Many clinicians and health managers are unused to providing information about their performance, which is now open to scrutiny. Some may grudgingly seek to comply only with the letter of the law, and in doing so they may miss the wider potential of the acts to contribute to a patient centred NHS.
Legislation on its own cannot bring about a major change in culture. But it can act as a catalyst for improved performance in many ways. At its best, freedom of information should be a marker for openness and accountability in public services. It complements provisions for data protection for improving people's access to information about themselves, alongside the protection of their confidentiality and privacy. Both acts should help maintain progress to an NHS built on a "three-way partnership of respect, honesty and openness—between the NHS and the public, professionals and patients, and professionals and professionals."9
Barbara Meredith
Epsom, Surrey KT17 4HQ (blmeredith@tiscali.co.uk)
Competing interests: BM chaired the working group on Copying Letters to Patients, which reported to the Department of Health in 2002. She is a member of the Patient Information Advisory Group, and of the Ethics Advisory Group of the Care Records Development Board. She is also part time project manager in the Patient Involvement Unit of the National Institute for Clinical Excellence. The views in this editorial are her personal views and not those of any organisation with which she is associated.
References
Protecting and using patient information. A manual for Caldicott guardians. Department of Health, London NHS Executive, Leeds, 1999. http://www.dh.gov.uk/assetRoot/04/06/81/36/04068136.pdf (accessed 27 Feb 05).
Building the Information Core. Protecting and Using Confidential Patient Information. A Strategy for the NHS. Department of Health Information Policy Unit, London, 2001 http://www.publications.doh.gov.uk/ipu/confiden/strategyv7.pdf (accessed 27 Feb 05).
Confidentiality NHS Code of Practice, Department of Health, London, 2003. http://www.dh.gov.uk/assetRoot/04/06/92/54/04069254.pdf (accessed 27 Feb 05).
NHS Care Records Service. http://www.npfit.nhs.uk/programmes/nhscrs/
Data Protection Act 1998. www.hmso.gov.uk/acts/acts1998/19980029.htm (accessed 23 Feb 2005).
Freedom of Information Act 2000. www.hmso.gov.uk/acts/acts2000/20000036.htm (accessed 23 Feb 2005).
Statutory Instrument 2004 No. 3244. The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004. www.legislation.hmso.gov.uk/si/si2004/20043244.htm (accessed 23 Feb 2005).
Copying Letters to Patients. Good Practice guidelines. Department of Health, London, 2003. http://www.dh.gov.uk/assetRoot/04/08/60/54/04086054.pdf
Learning from Bristol: the report of the public inquiry into children's heart surgery at the Bristol Royal Infirmary 1984-1995. London: Stationery Office, 2001. (CM 5207) www.bristol-inquiry.org.uk/final_report/index.htm (accessed 23 Feb 2005).