Dr Natalie Blakely and specialist lawyer Mandy Lucian answer key questions about the ethical and legal issues involved in storing patient data
Protecting your patients’ details isn’t just crucial for your business but also for your reputation. If you record, handle and store medical information, then you are obliged under the Data Protection Act 1998 to protect that information. The Act states you should only collect the information you need, keep it secure, ensure it is up to date, hold only as much as you need for as long as you need it, and allow the patient to see it on request. With data protection breaches for unauthorised disclosure and for lost and stolen paperwork higher in healthcare than in other sectors, collecting good quality data and storing it securely demonstrates good practice and could help to protect you against litigation.
Appropriate technical and organisational measures should be taken against accidental loss. Therefore it is advisable to store confidential data in a safe, secure environment or electronically where appropriate security protections are in place. The Data Protection Act advises that you should have security that is appropriate to the nature of the information in question and the harm that might result from its improper use, or from its accidental loss or destruction.[2] Since photographs pertaining to medical treatment may be particularly sensitive, there will be a greater requirement for security. Guidance given by the Information Commissioner’s Office states that physical and technological security is likely to be essential, as well as management and organisational security measures.[3] Physical security includes considering the quality of doors and locks, and whether premises are protected by alarms, security lighting or CCTV. It also includes how you control access to premises, supervise visitors, dispose of paper waste, and keep portable equipment secure. Technological security involves use of secure servers, firewalls and encryption.
The movement and location of records should be controlled so that a record can be easily retrieved at any time, any outstanding issues can be dealt with, and there is an auditable trail of record transactions.
Ideally, all records should be reviewed before they are destroyed, and it is sensible to keep any patient records where there has been an adverse incident or complaint. Disposal should be carried out in a way that protects patient confidentiality, for example by shredding paper records. Computer-held records may be difficult to delete entirely from a hard drive, and it is advisable to seek appropriate advice from a specialist IT company. The Information Commissioner’s Office advises that data retention and review schedules should be in place for each category of personal data to help practitioners comply with this principle. After a set period of time the data should be reviewed, and destroyed when it no longer needs to be retained.[10] When paper records are no longer required, their placement in a designated secondary storage area may be a more economical and efficient form of storage. There are several accredited documentary storage facilities which are able to securely store NHS, medical and pharmaceutical records.
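The two points above, that record movements should leave an auditable trail and that records reaching the end of their retention period should be reviewed rather than silently destroyed (keeping any with an open adverse incident or complaint), can be illustrated with a small in-memory register. This is an added example, not code from the article or its authors; the class name, the hash-chained audit log and the sample record ids, dates and retention period are all constructed for illustration.

```python
# Added example (not from the original article): a minimal record-movement
# register with an append-only, hash-chained audit trail and a retention
# review that flags expired records for destruction unless a hold applies
# (adverse incident or complaint). All record ids, dates and the retention
# period below are constructed sample values.
import hashlib
import json
from datetime import date, timedelta

GENESIS = "0" * 64  # previous-hash value for the first audit entry


class RecordRegister:
    def __init__(self):
        self.locations = {}  # record_id -> current location
        self.audit = []      # append-only list of chained audit entries
        self.meta = {}       # record_id -> {"closed": date, "hold": bool}

    def _append(self, event):
        # Each entry commits to the previous entry's hash, so editing or
        # deleting an earlier entry breaks the chain at verification time.
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        body = json.dumps({**event, "prev": prev}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.audit.append({**event, "prev": prev, "hash": digest})

    def register(self, record_id, location, closed_on, hold=False):
        self.locations[record_id] = location
        self.meta[record_id] = {"closed": closed_on, "hold": hold}
        self._append({"record": record_id, "action": "register",
                      "to": location, "by": "system"})

    def move(self, record_id, to, by):
        # Record who moved the record, from where and to where.
        frm = self.locations[record_id]
        self.locations[record_id] = to
        self._append({"record": record_id, "action": "move",
                      "from": frm, "to": to, "by": by})

    def locate(self, record_id):
        return self.locations[record_id]

    def verify_chain(self):
        # Recompute every hash and check each entry links to its predecessor.
        prev = GENESIS
        for entry in self.audit:
            if entry["prev"] != prev:
                return False
            check = {k: v for k, v in entry.items() if k != "hash"}
            body = json.dumps(check, sort_keys=True)
            if hashlib.sha256(body.encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def retention_review(self, today, retention_years):
        # Returns (due_for_destruction, kept_on_hold). Expiry is approximated
        # as 365 days per year; a real schedule would use the policy's exact rule.
        due, kept = [], []
        for rid, m in self.meta.items():
            expiry = m["closed"] + timedelta(days=365 * retention_years)
            if today >= expiry:
                (kept if m["hold"] else due).append(rid)
        return due, kept


def demo():
    reg = RecordRegister()
    reg.register("R1", "clinic-archive", date(2010, 3, 1))
    reg.register("R2", "clinic-archive", date(2009, 6, 15), hold=True)
    reg.register("R3", "clinic-archive", date(2016, 1, 10))
    reg.move("R1", "offsite-storage", by="reception")
    return reg


if __name__ == "__main__":
    r = demo()
    print(r.locate("R1"), r.verify_chain())
    print(r.retention_review(date(2019, 1, 1), retention_years=8))
```

The review returns two lists so that a practitioner decides what to destroy after seeing which expired records are on hold; the chain check is what makes the audit trail evidence rather than just a list.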
Legally, although the patient owns the information contained within the medical records, the healthcare provider owns the paperwork that contains this information. The records should therefore be retained by the treating clinician, though patients have a legal right to access their medical records under the Data Protection Act 1998.[11] This means that any individual is able to obtain a copy of their own medical records upon request, subject to paying reasonable copying charges up to a cost of £50.[12]
Under current law, the Information Commissioner’s Office can issue a maximum penalty of up to £500,000 for the most serious breaches of the Data Protection Act.[13] Moreover, the Information Commissioner can decide at their own discretion whether to apply fines, based on the severity of the consequences of such breaches. Fines have been imposed in the past for incidents such as transfer of personal data using unencrypted memory sticks and loss of electronic devices containing personal data.[14] The draft proposal for the new EU data protection Regulation introduces a requirement for supervisory authorities to impose prescribed fines of up to €1 million (£0.9 million) or 2% of a company’s annual global turnover in the event of a violation of the Regulation (Article 79), regardless of the harm caused. More serious breaches are likely to involve deliberate misuse of data leading to substantial damage or substantial distress.[15]
Other key changes in the new EU directive include: