Thursday 24 January 2008

Criminal Conduct

I've spent the last few months working with criminals.

No, not the patients. Us, the staff. My colleagues, and me.

We receive referrals from our neighbouring acute hospital Trust. They've an endless stream of delirium, dementia, depression (and placement issues and capacity assessments) to sort out, frequently with disturbed patients battering their staff. We accept the appropriate referrals, we go to their hospital, we can't park, we return home. But sometimes, just sometimes, we get to see their patients. We speak with the ward staff, read the notes, meet the patient then document our contact contemporaneously in their medical records in keeping with the GMC's direction, "Good Medical Practice" document, Good Clinical Care, "In providing care you must . . . make records at the same time as the events you are recording or as soon as possible afterwards."

I heard today from a Caldicott Guardian (the chap responsible for protecting patient information) from another Trust that the Data Protection Act makes this unlawful. We can't read or see or use their notes at all. Clinical details of their Trust's patients (including referral details) are protected by the Data Protection Act. It's unlawful to rummage around in them.

Whoops.

8 comments:

Dr Andrew Brown said...

It's hard to believe, but if true it would be yet another example of the law of unintended consequences.

The car park thing is a bugger. Fortunately I've found a spot where I can park (without charge) for up to three hours, just ten minutes' brisk walk away from the enormous hospital where I sometimes have to do Mental Health exams.

julie said...

I'm not sure he has that right, other wise where does that put the single assessment process and the common assessment framework for children? What about when all of our details are stored on the national spine / NPfit thing?

I reckon that is about interpretation rather than of the rules themselves. I'd talk to your own Caldicott Guardian person

delcatto said...

"The legitimate use, disclosure or sharing of personal data does not constitute a breach of confidentiality. Sharing between organisations can take place with appropriate safeguards".

From the DoH website for Caldicott Guardians.

I think your local guardian (Does he/she have a shiny sheriffs badge?) is misinterpreting the document.

The Shrink said...

Apparently we need "honorary contracts" to make it legal . . . but this is a bit of legislation I'm wholly clueless about.

As such I'm beliving the guidance we've been given since 3 Caldicott Guardians have all said this to me now. What the statue or code on it's implementation says is a mystery to me, I'd be keen if anyone does know the "official" line on this!

Surreptitious Evil said...
This comment has been removed by the author.
Surreptitious Evil said...

The Data Protection Act says some interesting things. Clinical records are indeed protected by the DPA - in fact, they are Schedule 3 - "Sensitive" information. However, the question is what form does the protection take.

Your use of the records is clearly legal under Principle 1 of the Act: Schedule 3, Paragraph 8 clearly applies to you as "health professionals" (paras 1 and 3 may also apply). So the issue is what other principles may have been broken.

Looking at it from the view of the trust as data controller, rather than the doctor patient relationship - in fact, let us forget this is a hospital - you also have Schedule 1, Para 12. Here, it comes down to whether or not you are a "data processor":

in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;

If you are a data processor rather than a temporary employee of the other trust, then in order to comply with Principle 7, a contract is probably required.

Also, certain trusts may have not put in their notification to the Information Commissioner that they would share patient information as necessary outwith the organisation for the purpose of providing specialist clinical care not available within their trust and then gone on and done that. In which case they, not you, would be committing a s21 offence (failure to notify changes to registration particulars.)

The problem with the DPA is that as well as binding you to the Principles of the Act - it also binds you to do what you say you are going to do. So if you say, for a non-medical example, "No Data Transfers outside the EEA" and outsource your expenses processing to an internet company whose service is hosting in the USA, you are in breach - regardless of whether or not this is a reasonable thing to do and is in fact covered under Principle 1.

In terms of you being criminals, you are not committing a s55 offence - the other trust has consented; you are not committing a s47 offence - there is no IC enforcement notice you are breaching.

Surreptitious Evil said...

Sorry, the actual paragraph:

12 Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—

(a) the processing is carried out under a contract—

(i) which is made or evidenced in writing, and

(ii) under which the data processor is to act only on instructions from the data controller, and

(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

The Shrink said...

Ah ha!

Surreptitious Evil, many thanks for such detail!

Indeed, when seeing someone outside our hospital Trust, because we're a Foundation Trust so are a separate organisation rather than part of the one big happy NHS family, we're not employed by the acute hospital Trust. As such when we go and visit their patients, we're seeing patients for a different organisation who doesn't employ us and (at present) doesn't have any contracts with us, yet we're accessing and ammending their (electronic and written) data.

It seems clear from your citations that as we're an external agency (so not employees of the other hospital's data controller) we should have a contract.

And it's good to know it's the Trust and not us being wayward!