|
Our policy at Experian, when dealing with requests from the police etc.,
was to require a formal request, on police headed notepaper, including a
S28(3) declaration and giving name , rank, serial number and signature. If
they were not prepared to provide this audit trail we would not provide the
information. Hope this helps.
Alasdair Warwood
--------
> From: Leif Wilks <[log in to unmask]>
> To: [log in to unmask]; [log in to unmask]
> Subject: Re: Requests for Personal Data by the Police - Policy
andProcedures
> Date: 18 October 2000 13:15
>
> Any request for personal information from an outside agency, not only the
police, should be made in writing with the statutory basis for the request
made clear. It is then up to the data controller to take the time to assess
the validity of the request according to the particular circumstances and
the appropriateness of the statute quoted. The fact that the police have a
special form for the purpose shows that they are fully aware of how they
should make information requests, and it should be insisted upon.
>
> Leif
>
>
>
> >>> "Smith Mervyn, IM&T Security Officer"
<[log in to unmask]> 10/18 11:32 am >>>
> Has any contributor to this discussion group got a policy / procedure for
> dealing with requests for personal data by the police which they would be
> prepared to share with me and others? I have already put quite a lot of
> time and effort into researching the issues, but I always find it easier
to
> have something to start with!
>
> As you can see, I work in the NHS and the situation is potentially more
> difficult than say with those of you working in academic institutions,
> because of the confidential nature of health information. I have
appended
> the 1996 from the Department of Health 'The Protection and Use of Patient
> Information' which does seem to tie our hands somewhat!
>
> I would also be interested in knowing whether any of you are insisting on
> the police using the ACPO form when making inquiries, the one which
refers
> to exemption from the non-disclosure provisions under S.29(3) of the Data
> Protection Act 1998, and before that to S.28(3) of the DPA 1984.
>
> Mervyn Smith
> IM&T Security Officer
> Dept. of Information
> Wensley Court
> Rotherham District General Hospital
> Moorgate Road
> ROTHERHAM S60 2UD
> Tel: 01709 820000 Ext. 6272
> Fax: 01709 304303
> Email: [log in to unmask]
>
>
> The Protection And Use of Patient Information
> Guidance from the Department of Health
>
> Status of the guidance
> 2. The guidance is based on two fundamental considerations:
> i. patients' expectation, set out in the Patient's Charter, that
> information about them will be treated as confidential;
> ii. the importance of making patients fully aware that NHS staff and
> sometimes staff of other agencies need to have strictly controlled access
to
> such information, anonymised wherever possible, in order to deliver, plan
> and manage services effectively.
> 3. Patient information is currently protected by the common law duty of
> confidence and, in the case of computerised information, by the Data
> Protection Act 1984. There are some other specific statutory provisions
(for
> example, relating to information about sexually transmitted diseases), as
> well as professional ethical , duties of confidence.
> Guidance
> 1.3. As a consequence, patient information will be seen and used by a
number
> of NHS professional and administrative staff, as well as staff of other
> agencies contributing to a patient's care. Most patients would be
unlikely
> to trust staff with detailed information about themselves and their
clinical
> condition if they thought this might be passed on to others without
proper
> controls. It is therefore a central tenet of the NHS that, in the words
of
> the Patient's Charter and you (1995), "everyone working for the NHS is
under
> a legal duty to keep your records confidential".
> BASIC PRINCIPLES
> 2.1. In general - and in all walks of life - any personal information
given
> or received in confidence for one purpose may not be used for a different
> purpose or passed to anyone else without the consent of the provider of
the
> information. This duty of confidence is long- established at common law
..
> 2.2. Personal information held on a computer system is safeguarded by the
> Data Protection Act ...
> 2.3. In addition health professionals have ethical duties of confidence.
> Patient information
> 2.4. In this guidance the term, "patient information", applies to all
> personal information about members of the public held in whatever form by
or
> for NHS bodies or staff. As well as obvious material such as medical
> records, it includes personal "non-health" information (e.g. a patient's
> name and address or details of his or her financial or domestic
> circumstances) ...(my emphasis)
> The relationship with patients
> 2.5. It is neither practicable nor necessary to seek a patient's (or
other
> informant's) specific consent each time information needs to be passed on
> for a particular purpose. The public expects the NHS, often in
conjunction
> with other agencies, to respond effectively to its needs; it can do so
only
> if it has the necessary information. Therefore, an essential feature of
the
> relationship between patients and the NHS is the need for patients to be
> fully informed of the uses to which information about them may be put:
see
> section 3 and paragraph 4.4.
> When information may be passed on
> 2.6. In summary, information may be passed to someone else:
> * with the patient's consent for a particular purpose; or
> * on a "need to know" basis if the following circumstances apply:
> for NHS purposes ... or
> the information is required by statute or
> court order; or
> passing on the information can be justified
> for other reasons, usually for the protection of the public: see section
5.
>
> SAFEGUARDING INFORMATION REQUIRED FOR NHS AND RELATED PURPOSES
> Who has a duty of confidence?
> 4.1. The duty of confidence derives from the personal nature of the
> information recorded. It is unaffected by questions of who owns or holds
> particular records. Consequently, the following all have responsibilities
> for protecting information:
> all NHS bodies and those carrying out functions on behalf of the NHS
> have a common law duty of confidence to patients and a duty to support
> professional ethical standards of confidentiality;
> everyone working for or with the NHS who records, handles, stores or
> otherwise comes across information has a personal common law duty of
> confidence to patients and to his or her employer. This applies equally
to
> those, such as students or trainees, on temporary placements;
> health professionals have, by virtue of professional regulation, an
> ethical duty of confidence which, when considering whether information
> should be passed on, includes paying special regard to the health needs
of
> the patient and to his or her wishes;
> other individuals and agencies to whom information is passed
> legitimately may use it only as authorised for specific purposes and
> possibly subject to particular conditions.
>
> PASSING ON INFORMATION FOR OTHER PURPOSES OR AS A LEGAL REQUIREMENT
> Release of information to protect the public
> 5.6. It may sometimes be justifiable to pass on patient information
without
> consent or statutory authority. Disclosures for the "discovery of
iniquity"
> are traditionally cited. Most commonly these involve the prevention of
> serious crime, but can extend to other dangers to the general public,
such
> as a public health risk or risk of violence, where, as already noted,
> essential information may need to be shared with other agencies.
> 5.7. Each case must be considered on its merits, the main criterion being
> whether the release of information to protect the public should prevail
over
> the duty of confidence to the patient. The possible therapeutic
consequences
> for the patient must be considered whatever the outcome. Decisions will
> sometimes be finely balanced and may concern matters on which NHS staff
find
> it difficult to make a judgement. Therefore it may be necessary to seek
> legal or other specialist advice or to await or seek a court order. It is
> important not to equate "the public interest" with what may be "of
interest"
> to the public.
> Tackling serious crime
> 5.8. Passing on information to help tackle serious crime (see examples at
> Annex D) may be justified if the following conditions are satisfied:
> without disclosure, the task of preventing, detecting or prosecuting the
> crime would be seriously prejudiced or delayed; information is limited
to
> what is strictly relevant to a specific investigation; there are
> satisfactory undertakings that the information will not be passed on or
used
> for any purpose other than the present investigation.
> 5.9. Requests for information relating to a number of patients in order
to
> identify one or more is likely to be justified only if there is a very
> strong public interest.
> Annex D PASSING ON INFORMATION IN CONNECTION WITH SERIOUS CRIME
> Passing on information to help prevent, detect or prosecute serious
crime
> may sometimes be justified to protect the public. There is no absolute
> definition of "serious" crime, but section 116 of the Police and Criminal
> Evidence Act 1984 identifies some "serious arrestable offences". These
> include: Treason, murder, manslaughter, rape, kidnapping, certain sexual
> offences, causing an explosion ,certain firearms offences, taking of
> hostages, hijacking, causing death by reckless driving, offences under
> prevention of terrorism legislation (disclosures now covered by the
> Prevention of Terrorism Act 1989)
> making a threat which if carried out would be likely to lead to: serious
> threat to the security of the state or to public order, serious
interference
> with the administration of justice or with the investigation of an
offence,
> death or serious injury, substantial financial gain or serious financial
> loss to any person. In other cases, it may be as well to seek legal
advice
> before taking a decision to release information.
>
>
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
