Data protection: constituency casework
The Information Commissioner's Office has published guidance for Members of Parliament on what they must do to comply with data protection law when handling casework.
House of Commons Library briefing on access to patient health records, electronic patient records, NHS data security, and the use of confidential information by the NHS.
Patient health records: Access, sharing and confidentiality (596 KB, PDF)
Individuals have a right to access their own health records and, in limited circumstances, to access information about other people. Since 25 May 2018 this has been governed by the Data Protection Act 2018. Record holders cannot charge patients for accessing records, except where requests are “manifestly unfounded or excessive”. In these cases, the data controller can charge a fee to cover administrative costs or refuse to act on the request. There are also certain circumstances in which full access to a patient’s health record may be denied, such as where the release is likely to cause serious harm to the physical or mental health of the individual or another person.
Children aged 12 or over are generally expected to have capacity to give or withhold consent to the release of information. However, the guidance says every reasonable effort must be made to persuade the child to involve parents or guardians. A deceased patient’s health records are still protected under the Access to Health Records Act 1990, and someone will only be entitled to access a deceased person’s records if they are either a personal representative of the patient or have a claim resulting from the death.
Policies on confidential patient data seek to strike a balance between the protection of patient information and the use and sharing of information to improve care, such as for research purposes. Patients have the right to privacy and confidentiality and to expect the NHS to keep their confidential information safe and secure. Patients also have the right to request that their confidential information is not used beyond their own treatment. The Health and Care Act 2022 includes measures relating to the collection and sharing of health and care data.
There are exceptional circumstances in which a health or social care professional may be obliged to share confidential patient information, either in line with the “public interest” or when they are required by law to disclose medical information, regardless of a patient’s consent.
For the most part, the law on confidentiality applies in the same way to patients detained under the Mental Health Act 1983 as to any other type of patient. However, under the Act, there are some situations, such as to manage serious risks, where information can be shared without the patient’s consent. Also, if a patient lacks mental capacity to give or withhold their consent, medical information may need to be shared with relatives, friends and carers to enable health professionals to determine their best interests.
Since 2014 the NHS has committed to making patient records largely paperless with the introduction of various online records. The initial target for this transition was 2020 but this was pushed back to 2023. In February 2022, the then Secretary of State for Health and Social Care, Sajid Javid, set a target for 90 per cent of NHS trusts to use Electronic Patient Records (EPRs) by the end of 2023, with the remaining 10 per cent needing to be in an ‘implementation phase’. The NHS has created various electronic records. These include:
The National Data Guardian (NDG) for health and care undertook a review of NHS data security in 2016, which set out a number of recommendations to improve cyber security. In the wake of the 2017 WannaCry cyber attack, which affected 80 of the 236 NHS Trusts in England and is estimated to have cost the NHS £92 million, the Government accepted the Review’s recommendations. In 2018, the Government launched the Data Security and Protection Toolkit to implement the data security standards.
In June 2022 the Government published a strategy, Data saves lives, setting out the Secretary of State’s vision for how patient data should be used “to bring benefits to all parts of health and social care” and to “demonstrate that the health and care system is a trustworthy data custodian”. The strategy also makes reference to patient involvement in AI in health and care.
The NHS App was launched on 31 December 2018, and at 31 December 2021 it had over 22 million users. The Government committed to continue to develop the NHS App so that 75% of the adult population will be registered to use it and the NHS website by March 2024. Additionally, individuals can access a digital version of their Covid-19 vaccination status in two ways, either by using the NHS App or the NHS COVID Pass service.
This briefing relates to the NHS in England unless otherwise stated.