Any request for personal information from an outside agency, not only the police, should be made in writing with the statutory basis for the request made clear. It is then up to the data controller to take the time to assess the validity of the request according to the particular circumstances and the appropriateness of the statute quoted. The fact that the police have a special form for the purpose shows that they are fully aware of how they should make information requests, and it should be insisted upon.

Leif



>>> "Smith Mervyn, IM&T Security Officer" <[log in to unmask]> 10/18 11:32 am >>>
Has any contributor to this discussion group got a policy / procedure for
dealing with requests for personal data by the police which they would be
prepared to share with me and others?  I have already put quite a lot of
time and effort into researching the issues, but I always find it easier to
have something to start with!

As you can see, I work in the NHS and the situation is potentially more
difficult than say with those of you working in academic institutions,
because of the confidential nature of health information.  I have appended
the 1996 from the Department of Health 'The Protection and Use of Patient
Information' which does seem to tie our hands somewhat! 

I would also be interested in knowing whether any of you are insisting on
the police using the ACPO form when making inquiries, the one which refers
to exemption from the non-disclosure provisions under S.29(3) of the Data
Protection Act 1998, and before that to S.28(3) of the DPA 1984.

Mervyn Smith
IM&T Security Officer
Dept. of Information
Wensley Court
Rotherham District General Hospital
Moorgate Road
ROTHERHAM  S60 2UD
Tel:  01709 820000 Ext. 6272
Fax: 01709 304303
Email: [log in to unmask] 


The Protection And Use of Patient Information
Guidance from the Department of Health 

Status of the guidance
2. The guidance is based on two fundamental considerations:
	i. patients' expectation, set out in the Patient's Charter, that
information about them will be treated as confidential;
	ii. the importance of making patients fully aware that NHS staff and
sometimes staff of other agencies need to have strictly controlled access to
such information, anonymised wherever possible, in order to deliver, plan
and manage services effectively.
3. Patient information is currently protected by the common law duty of
confidence and, in the case of computerised information, by the Data
Protection Act 1984. There are some other specific statutory provisions (for
example, relating to information about sexually transmitted diseases), as
well as professional ethical , duties of confidence.
Guidance
1.3. As a consequence, patient information will be seen and used by a number
of NHS professional and administrative staff, as well as staff of other
agencies contributing to a patient's care. Most patients would be unlikely
to trust staff with detailed information about themselves and their clinical
condition if they thought this might be passed on to others without proper
controls. It is therefore a central tenet of the NHS that, in the words of
the Patient's Charter and you (1995), "everyone working for the NHS is under
a legal duty to keep your records confidential". 
BASIC PRINCIPLES
2.1. In general - and in all walks of life - any personal information given
or received in confidence for one purpose may not be used for a different
purpose or passed to anyone else without the consent of the provider of the
information. This duty of confidence is long- established at common law ...
2.2. Personal information held on a computer system is safeguarded by the
Data Protection Act  ...
2.3. In addition health professionals have ethical duties of confidence.
Patient information
2.4. In this guidance the term, "patient information", applies to all
personal information about members of the public held in whatever form by or
for NHS bodies or staff.  As well as obvious material such as medical
records, it includes personal "non-health" information (e.g. a patient's
name and address or details of his or her financial or domestic
circumstances) ...(my emphasis)
The relationship with patients
2.5. It is neither practicable nor necessary to seek a patient's (or other
informant's) specific consent each time information needs to be passed on
for a particular purpose. The public expects the NHS, often in conjunction
with other agencies, to respond effectively to its needs; it can do so only
if it has the necessary information. Therefore, an essential feature of the
relationship between patients and the NHS is the need for patients to be
fully informed of the uses to which information about them may be put: see
section 3 and paragraph 4.4.
When information may be passed on
2.6. In summary, information may be passed to someone else:
*	with the patient's consent for a particular purpose; or 
*	on a "need to know" basis if the following circumstances apply:
				for NHS purposes  ... or
				the information is required by statute or
court order; or
				passing on the information can be justified
for other reasons, usually for the protection of the public: see section 5. 

SAFEGUARDING INFORMATION REQUIRED FOR NHS AND RELATED PURPOSES
Who has a duty of confidence?
4.1. The duty of confidence derives from the personal nature of the
information recorded. It is unaffected by questions of who owns or holds
particular records. Consequently, the following all have responsibilities
for protecting information:
	all NHS bodies and those carrying out functions on behalf of the NHS
have a common law duty of confidence to patients and a duty to support
professional ethical standards of confidentiality;
	everyone working for or with the NHS who records, handles, stores or
otherwise comes across information has a personal common law duty of
confidence to patients and to his or her employer. This applies equally to
those, such as students or trainees, on temporary placements; 
	health professionals have, by virtue of professional regulation, an
ethical duty of confidence which, when considering whether information
should be passed on, includes paying special regard to the health needs of
the patient and to his or her wishes; 
	other individuals and agencies to whom information is passed
legitimately may use it only as authorised for specific purposes and
possibly subject to particular conditions. 

PASSING ON INFORMATION FOR OTHER PURPOSES OR AS A LEGAL REQUIREMENT 
Release of information to protect the public
5.6. It may sometimes be justifiable to pass on patient information without
consent or statutory authority. Disclosures for the "discovery of iniquity"
are traditionally cited. Most commonly these involve the prevention of
serious crime, but can extend to other dangers to the general public, such
as a public health risk or risk of violence, where, as already noted,
essential information may need to be shared with other agencies. 
5.7. Each case must be considered on its merits, the main criterion being
whether the release of information to protect the public should prevail over
the duty of confidence to the patient. The possible therapeutic consequences
for the patient must be considered whatever the outcome. Decisions will
sometimes be finely balanced and may concern matters on which NHS staff find
it difficult to make a judgement. Therefore it may be necessary to seek
legal or other specialist advice or to await or seek a court order. It is
important not to equate "the public interest" with what may be "of interest"
to the public. 
Tackling serious crime 
5.8. Passing on information to help tackle serious crime (see examples at
Annex D) may be justified if the following conditions are satisfied: 
without disclosure, the task of preventing, detecting or prosecuting the
crime would be seriously prejudiced or delayed;   information is limited to
what is strictly relevant to a specific investigation;   there are
satisfactory undertakings that the information will not be passed on or used
for any purpose other than the present investigation. 
5.9. Requests for information relating to a number of patients in order to
identify one or more is likely to be justified only if there is a very
strong public interest. 
Annex D PASSING ON INFORMATION IN CONNECTION WITH SERIOUS CRIME 
 Passing on information to help prevent, detect or prosecute serious crime
may sometimes be justified to protect the public. There is no absolute
definition of "serious" crime, but section 116 of the Police and Criminal
Evidence Act 1984 identifies some "serious arrestable offences". These
include: Treason, murder, manslaughter, rape, kidnapping, certain sexual
offences, causing an explosion ,certain firearms offences, taking of
hostages, hijacking, causing death by reckless driving, offences under
prevention of terrorism legislation (disclosures now covered by the
Prevention of Terrorism Act 1989) 
making a threat which if carried out would be likely to lead to: serious
threat to the security of the state or to public order, serious interference
with the administration of justice or with the investigation of an offence,
death or serious injury, substantial financial gain or serious financial
loss to any person. In other cases, it may be as well to seek legal advice
before taking a decision to release information.





%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%