Display Single Record

FOI Request

Disclosure ID
FOI/02531
Request Date
June 28, 2018
Subject
DPA & Policies
Description
  1. Do you agree that records and notes relating to an accusation of a Patient viewing illegal material online would fall under the definition of The Data protection Act 1998, Section 2, sub-section G: the commission or alleged commission by him of any offence?
    1. Please outline your reasons as to why you agree or disagree with this.
  2. What is your policy on how notes should be recorded, handled, stored, transmitted and secured which detail or regard an allegation of the Patient having committed a crime?
    1. Who would have access to these notes?
    2. What condition(s) under Section 3 of the DPA 1998 would you cite for processing data (such as notes, etc) regarding the commission or alleged commission by the Patient of an offence?
  3. Would details of a Patient allegedly committing a crime ever be included and noted in explicit detail in a Patients medical record?
  4. Would actions between staff members and the Police regarding an investigation into the criminal allegation against a Patient ever be included in the Patients medical records? Such as a note in their medical records that a staff member has given a statement to the Police? Etc.
    1. Would you agree that a note stating that a statement has been given to the Police by a member of staff (whether noted in the Patients medical records or any other medium) falls under The Data Protection Act 1998, Section 2, sub-section H: any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
    2. Please outline your reasons as to why you agree or disagree with this.
  5. Would the details of the allegation against the Patient be given to other NHS trusts, such as when the Patient moves trust?
Response
  1. To agree/disagree would represent opinion rather than held data, as such this is not subject to the Freedom of Information Act.

    ICO guidance states: “Your request can be in the form of a question, rather than a request for specific documents, but the authority does not have to answer your question if this would mean creating new information or giving an opinion or judgment that is not already recorded.”
    https://ico.org.uk/your-data-matters/official-information/

    Please note, the Data Protection Act 1998 is no longer current legislation; as such we would not cite this legislation. The DPA 1998 was replaced by the General Data Protection Regulation and Data Protection Act 2018 in May this year.

     

    1. Please see response to A
  2. The Trust has a Health Records Life Cycle Management Policy.
    1. Staff members involved in the patient healthcare and administrative duties.
    2. “The Data Protection Act 1998 is no longer current legislation; as such we would not cite this legislation. The DPA 1998 was replaced by the General Data Protection Regulation and Data Protection Act 2018 in May this year.

      Article 23(1)(d) of GDPR establishes the legal basis for member states (e.g. the UK) to, by legislation, restrict the scope of the obligations and rights to which a data controller (e.g. our Trust) is subject to when this is necessary and proportionate for “the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”.

      The subsequent legislation in UK law is Schedule 2, Part 1(2)(1)(a and b) of the DPA 2018 which restrict the rights of the data subject (e.g. a patient) and the obligations of the data controller (e.g. our Trust) to enable data to be processed for “the prevention or detection of crime” and “the apprehension or prosecution of offenders”. This includes the sharing of information with the police and other law enforcement bodies.

  3. We would only record information that is relevant to the Trust e.g. if the alleged criminal activity involved the Trust or we may need to record Safeguarding issues or episodes of Violent behaviour. The principle is that we will only record the minimal amount of information necessary for the purpose and because each circumstance will be different this would have a bearing on what needs to be recorded.

    There are a number of different purposes and legal bases for including such details in a patient’s medical record some  examples of which are below:

    • If a patient was alleged to have committed an offence during an attendance at the Trust, then this may constitute part of a contemporaneous record of their attendance.
    • For safeguarding purposes where a child lives at the same house as an alleged or convicted offender then there may be justification for including this in the records to ensure the safety and proper care of the child.
    • For protecting staff and other patients if a patient was known to be violent during attendances.

    Or, if a patient suffered from a mental health condition which contributed to illegal behaviours, such as violence or arson.

  4. Yes. The Trust keeps records of when information has been disclosed to a third party, including the Police. Requests for copies of medical records by the Police are normally handled by the Data Access team, who would create a log of the processing of this request. Requests for statements are handled by the healthcare professional, and the subsequent actions would be recorded.
    1. Please see response to A.
    2. Please see response to A.
  5. Yes. As per question C, there a number of different purposes and legal bases for sharing such information in this way, safeguarding for example; where a child lives at the same house as an alleged or convicted offender then there may be justification for sharing this information if the child moves to the care of another NHS body; to not share this information could put the child at risk of harm.
Attachment 1
Attachment 2
Attachment 3
Attachment 4
Attachment 5
Attachment 6
Attachment 7
Attachment 8
Attachment 9