THE PROTECTION AND USE OF PATIENT AND CLIENT INFORMATION
GUIDANCE FOR THE HPSS
The ease with which personal information can be passed within the HPSS - often by
computer - is an undoubted benefit for patients and clients and for those involved in their care
and treatment. But all those concerned need to be aware that there is a legal duty to protect
the confidentiality of patient and client information.
The Charter for Patients and Clients underlines the rights which people have to privacy, and
confirms that information about them will be treated as confidential. The guidance in this
document acknowledges that staff must have strictly controlled access to patient and client
information, anonymised wherever possible.
In clarifying how and when personal information may be shared this guidance identifies the
need to make patients and clients aware of the ways in which their information might be
used. It emphasises the use wherever possible of anonymised information, and it confirms
that a duty of confidentiality applies to everyone working for or with the HPSS.
1 Introduction
1.5 Purpose of the guidance
2 General Principles
2.2 EU Directive on data protection
2.8 Patient and Client Information
2.9 The relationship with patients and clients
2.10 When information may be passed on
3 Keeping patients and clients informed
3.1 Providing advice on how patient and client information is used
3.7 Patients' and clients' right of access to their own records
4 Safeguarding information required for HPSS and related purposes
4.1 Who has a duty of confidence?
4.2 Data Protection Act 1998
4.3 Caldicott Report 1997
4.4 Responsibility for passing on information
4.6 Types of information
4.7 Anonymised non-identifiable information
4.9 Aggregated non-identifiable information
4.11 If confidence is breached
4.13 Patients and clients unable to give consent
4.14 Children and young people
4.16 Security measures
4.18 Patients and clients who are offenders
4.19 Patients and clients receiving social security benefits
4.20 Protecting public health
4.21 Teaching and research
4.23 Particular restrictions on passing on information
5 Passing on information for other purposes or as a legal requirement
5.1 Relatives, friends and carers
5.2 Statutory requirements
5.6 Release of information to protect the public
5.8 Tackling serious crime
5.10 Press and broadcasting
6 Implementation and Personal Data Confidentiality Group
A Data Protection Act
B The Caldicott Report
C Passing on information in connection with serious crime
D Personal Data Confidentiality Group
A Specimen notice for patients and clients
B Guidance on the transfer of information by HPSS staff to RUC
C Guidance on approving use of patient-identifiable data
1.1 This guidance is based on:
i. patients' and clients' expectation that information about them will be treated as
ii. the importance of making patients and clients fully aware that HPSS staff and
sometimes staff of other agencies need to have strictly controlled access to such
information, anonymised wherever possible (see paragraphs 1.3 and 4.4).
1.2 It is in everyone's interests that the HPSS functions efficiently and effectively and
makes best use of the resources available to it. To that end personal information about
patients and clients is not only essential for the prime task of delivering personal care
and treatment. It is necessary for a number of other purposes:
i. assuring and improving the quality of care and treatment (eg through clinical
ii. monitoring and protecting public health;
iii. coordinating HPSS care with that of other agencies (eg voluntary and
iv. effective health and social care administration, in particular:
- managing and planning services;
- contracting for HPSS services, including the payment of staff, independent
contractors and health and social service units for services and the authorisation
of extra-contractual referrals;
- auditing HPSS accounts (including fraud investigation/detection and the work
of external auditors appointed by HPSS Health Service Audit) and accounting
for HPSS performance;
- risk management (eg health and safety);
- investigating complaints and notified or potential legal claims;
vi. statistical analysis and medical or health and social services research to support
1.3 As a consequence, patient and client information will be seen and used by a
number of HPSS professional and administrative staff, as well as staff of other agencies
contributing to a patient's or client's care. Most patients and clients would be unlikely to
trust staff with detailed information about themselves and their clinical condition or
social circumstances if they thought this might be passed on to others without proper
controls. It is therefore a central tenet of the HPSS that “everyone working for the
HPSS is under a legal duty to keep your records confidential”. In addition the
present guidance makes clear that personal information should be anonymised wherever
1.4 Previous guidance was issued under the same title “Protection and Use of
Patient and Client Information” in April 1997. Although the basic principles have not
changed, there have been a number of developments since then eg Data Protection Act
(1998) and the Caldicott Report which warrant amendment to the guidance. Future
amendments will be issued as necessary.
Purpose of the guidance
1.5 This guidance sets out:
the basic principles governing the use of patient and client information
informing patients and clients why information is needed, how it is used and
their own rights of access to it (chapter 3);
safeguarding information required for HPSS and related purposes (chapter 4);
the circumstances in which information may be passed on for other
purposes or as a legal requirement (chapter 5).
1.6 It also contains appendices and annexes addressing specific issues in more
1.7 The guidance is intended to support existing professional standards.
2.1 In general - and in all walks of life - any personal information given or received
in confidence for one purpose may not be used for a different purpose or passed to
anyone else without the consent of the provider of the information. This duty of
confidence is long-established at common law, but with proper safeguards, need not be
construed so rigidly that, when applied to the HPSS or related services, there is a risk of
its operating to a patient's or client's disadvantage or that of the public generally.
Indeed, as a number of inquiry reports have shown, the prompt flow of accurate
information in sensitive areas such as mental health and child care can often be for the
benefit and safety of all concerned.
EU Directive on Data Protection
2.2 The Directive on Data Protection, adopted by the Council of the European Union in
October 1995, has implications for personal information generally, not only that relating
to health and social services. Member states were required to give effect to its
provisions by 24 October 1998, and the Data Protection Act 1998 formally took effect
on that date, although full implementation of the act will be undertaken over a number
2.2 One of the Directive's main purposes is to safeguard "the fundamental rights of
individuals". As with our existing domestic law, the Directive:
establishes a set of principles with which users of personal information must
comply (eg fair and lawful "processing" of information; information to be collected
and processed only for specific purposes; information to be accurate and up to date,
and retained in a form which identifies the subject only for as long as is necessary
for the purpose);
gives individuals the right to gain access to information held about them; and
provides for a supervisory authority to oversee and enforce the law.
The Directive also:
i. permits the processing of health information where this is required "for the
purposes of preventive medicine, medical diagnosis, the provision of care or
treatment or the management of health care services, and where those data are
processed by a health professional subject under national law or rules established by
national competent bodies to the obligation of professional secrecy or by another
person also subject to an equivalent obligation of secrecy" (Article 8, paragraph 3);
ii. requires information to be provided to those whose personal information is
iii. applies both to computerised and manual records, and to some existing records
as well as those made after implementation.
2.4 Under the Data Protection Act 1984, personal information held on a registered
computer system was placed under specific safeguards. The Data Protection Act 1998,
which now replaces the 1984 Act, extends that protection to personal information held
in manual filing systems and to any information to which subject access is guaranteed
by statute (see paragraph 4.2). Records held in even a loosely structured form will come
under the Act, if they make the data subject identifiable. This places obligations on
those who record or use information, while at the same time giving specified rights to
people about whom information is held. The Computer Misuse Act 1990 provides
criminal sanctions against unauthorised access ("hacking") or damage to computerised
2.5 In addition health professionals have ethical duties of confidence.
2.6 In recent times, the security of personal health information stored and
transmitted electronically has been a major issue of concern between the NHS
Executive in England and the clinical professions (particularly the BMA). To address
this issue, a committee was established under Dame Fiona Caldicott to review patient
identifiable information. The Caldicott Report, published in 1997, made a series of
recommendations concerning confidentiality. These recommendations do not in
themselves have any direct legal or ethical status, but they have to be given appropriate
consideration as specific means to achieve the objective of confidentiality.
2.7 Table 2.1, at the end of this chapter, is drawn out of the Data Protection
Principles and the General Principles of the Caldicott Report. It sets out some general
overarching principles that should inform any policies and procedures in the area of
Patient and Client information
2.8 In this guidance the term, "patient or client information", applies to all personal
information about members of the public held in whatever form by or for HPSS bodies
or staff. As well as obvious material such as medical records, it includes personal "non-
health" information (eg a patient's or client's name and address or details of his or her
financial or domestic circumstances). In most instances such information will have been
provided by the patient or client or added by HPSS staff, but sometimes a relative or
other person will be the source.
The relationship with patients and clients
2.9 It is neither practicable nor necessary to seek a patient's or client's (or other
informant's) specific consent each time information needs to be passed on for a particular
purpose. The public expects the HPSS, often in conjunction with other agencies, to respond
effectively to its needs; it can do so only if it has the necessary information. Therefore, an
essential feature of the relationship between patients and clients and the HPSS is the
need for patients and clients to be fully informed of the uses to which information
about them may be put: see chapter 3 and paragraph 4.4.
When information may be passed on
2.10 In summary, information may be passed to someone else:
with the patient's or client's consent for a particular purpose; or
on a "need to know" basis if the following circumstances apply:
i. for HPSS purposes (including where services are either provided under
contract to the HPSS or are being planned or provided with other agencies):
a. the recipient needs the information because he or she is or may be
concerned with the patient's or client's care and treatment (or that of
another patient or client whose health may be affected by the condition of
the original patient, such as a blood or organ donor); or
b. the use of the information can be justified for the sort of wider purposes
described at paragraph 1.2; or
ii. the information is required by statute or court order; or
iii. passing on the information can be justified for other reasons, usually for
the protection of the public: see chapter 5.
TABLE 2.1 TEN PERSONAL DATA PRINCIPLES
The following ten basic principles (derived from the Data Protection Act (DPA) Principles and
the Caldicott Report (CR) Principles) should inform the establishment of procedures and
protocols. The origins of these principles (not always in identical form) are shown.
1. Personal data should not be collected or used unless there is some justification
both legally and practically for doing so [DPA 1, CR 1].
2. Personal data should be used in a manner compatible with the reason(s) for which
they were collected [DPA 2, CR 2].
3. Personal data should be adequate, relevant and not excessive in relation to the
reason(s) for which they are collected or used [DPA 3, CR 3].
4. Personal data should be accurate and where necessary, kept up to date [DPA 4].
5. Personal data should not be kept for longer than is necessary for the reason(s) for
which they were collected [DPA 5].
6. Personal data should be used in a way compatible with the data subject’s legal rights
7. Personal data should be protected by appropriate security measures [DPA 7, CR 4].
8. Personal data should not be transferred to places where they will not receive an
adequate level of protection [DPA 8].
9. Personal data should be handled only by staff who are aware of their responsibilities
in this area [CR 5].
10. Personal data should be handled in a way that is based on understanding of and
compliance with the law [CR 6].
KEEPING PATIENTS AND CLIENTS INFORMED
Providing advice on how patient and client information is used
3.1 All HPSS organisations and individual contractors employed by the HPSS must
have an active policy for informing patients and clients of the kind of purposes for
which information about them is collected and the categories of people or
organisations to which information may need to be passed. Where other bodies are
providing services for or in conjunction with the HPSS, those concerned must be aware
of each others' information policies.
3.2 How best to inform patients and clients is primarily for local decision, taking account of
views expressed by health and social services councils, local patient groups, staff, and
agencies with which the HPSS body is in close contact. GPs, as major gatekeepers to
the HPSS, should give special consideration to this issue. However, those concerned
should bear in mind that:
i. patients and clients should be told how information would be used before they are
asked to provide it and must have the opportunity to discuss any aspects that are
special to their treatment or circumstances;
ii. advice must be presented in a convenient form and be available both for general
purposes and before a particular programme of care or treatment begins.
3.3 Methods of providing advice include:
leaflets enclosed with patients' and clients' appointment letters or provided when
prescriptions are dispensed;
GP practice leaflets and/or notification on initial registration with a GP;
routinely providing patients and clients with necessary information as a part of care
identifying someone to provide further information if patients and clients want it.
3.4 There must be arrangements for people who have restricted vision or reading skills.
3.5 Notices in waiting areas, newsletters, and other publicity materials can help to reinforce
the general approach, but are insufficient on their own.
3.6 A specimen notice for patients and clients is at Annex A. This may be adapted to
local circumstances, though the core messages it contains are standard across the HPSS
and must always be identified. Patients registering with a GP should be made aware
that certain basic personal information will be kept on a central register.
Patients' and clients' right of access to their own records
3.7 Subject to certain safeguards, patients and clients may at present see their own manual
health records made after 30 May 1994 and earlier records if they are necessary to
understand the later ones (Access to Health Records (Northern Ireland) Order 1993:
see HPSS ME document, Access to Health Records (Northern Ireland) Order 1993: A
Guide for the Health Service). The time limitation will be removed by the
implementation of the Data Protection Act (1998). There is also a right of access to
social work records. Patients do not have to give reasons for seeking access to their
i. until the implementation of the Data Protection Act, although there is no general
statutory right to see manual records made before 30 May 1994, access should be
given whenever possible, subject to the judgment of the health or social care
professionals responsible for the patient's or client's care and safeguards for other
people who may have provided information about the patient or client;
ii. there is specific guidance on access to records made at any time sought in
connection with legal proceedings: see paragraph 5.5;
iii. there are also rights of access under:
a. the Data Protection Act 1998 which, with some exemptions, entitles
individuals to a copy of information held about them (whether manual or
b. the Access to Personal Files and Medical Reports (Northern Ireland) Order
1991 which concerns manual records held by the Northern Ireland Housing
Executive and Health and Social Services Boards for the purposes of these
housing and social services functions. The Order also applies to medical reports
sought by employers or insurance companies.
SAFEGUARDING INFORMATION REQUIRED FOR HPSS AND RELATED
Who has a duty of confidence?
4.1 The duty of confidence derives from the personal nature of the information recorded. It
is unaffected by questions of who owns or holds particular records. Consequently, the
following all have responsibilities for protecting information:
i. all HPSS bodies and those carrying out functions on behalf of the HPSS have a
common law duty of confidence to patients and clients and a duty to support
professional ethical standards of confidentiality;
ii. everyone working for or with the HPSS who records, handles, stores or otherwise
comes across information has a personal common law duty of confidence to patients
and clients and to his or her employer. This applies equally to those, such as
students or trainees, on temporary placements;
iii. health professionals have, by virtue of professional regulation, an ethical duty of
confidence which, when considering whether information should be passed on,
includes paying special regard to the health needs of the patient and to his or her
iv. other individuals and agencies to whom information is passed legitimately may
use it only as authorised for specific purposes and possibly subject to particular
Data Protection Act 1998
4.2 All "personal data" (including patient and client information) relating to living
individuals that are held on a computer system or a manual filing system or to
which data subjects are given access under statute are subject to the Data
Protection Act 1998. The Act is underpinned by the eight principles at Annex A.
HPSS bodies that hold personal information must notify the Data Protection
Commissioner of the general purposes for which they process it. It is a criminal offence
to process data in breach of the data protection principles of the Act.
Caldicott Report 1997
4.3 The Caldicott Committee was established by the NHS in England, to review all patient-
identifiable information which passes from NHS organisations to other NHS or non-
NHS bodies for purposes other than direct care, medical research or where there is a
statutory requirement for information. It reported in December 1997, putting forward
a number of recommendations. These are not directly binding on the HPSS, as the
Caldicott Committee did not take into account the specific circumstances of Northern
Ireland. Nonetheless, the principles laid down by the Committee should certainly be
applied in Northern Ireland, as should the non-specific recommendations, since these
align very closely with best practice. The specific recommendations may require some
modification, in light of NI circumstances or the English response, but provision
should be made to give appropriate consideration to these recommendations. It may
be helpful to consult the Personal Data Confidentiality Group (see paragraph 4.8) on
Responsibility for passing on information
4.4 HPSS bodies (and others performing HPSS functions) are accountable for their
decisions to pass on information. Such decisions should usually be taken by the
health or social care professional responsible for a patient's or client's care and
treatment or on the advice of a nominated senior professional within that body.
Only the minimum identifiable information should be used: see paragraphs 4.7 and 4.9.
4.5 If a patient or client wants information withheld from someone who might otherwise
have received it in connection with his or her care or treatment, the patient or client
should be informed of any health or social care implications or of other relevant factors
(eg the importance for the patient of the long-term record held by the GP). The patient's
or client's wishes should be respected unless, as, for example, at paragraphs 5.2-9, there
are overriding considerations to the contrary. The reason for not passing on information
must be noted.
Types of information
4.6 There are four generic types of information which can refer to an individual:
a) Direct identifiers. These are items from which an individual can be identified
without further work eg name, address;
b) Indirect identifiers. These are items which do not normally identify the
individual without use of some kind of reference database eg UPCI, telephone
c) Identifiable. Many items can permit precise or approximate identification of an
individual, particularly when taken in conjunction with other information that may
be available eg occupation, religion, postcode;
d) Non-identifiable. Items from which no identification of an individual is
possible. The boundary between identifiable and non-identifiable items is
particularly fuzzy, since much depends on the other information that is available to
someone attempting identification.
Anonymised non-identifiable information
4.7 Where anonymised information would be sufficient for a particular purpose, direct
patient identifiers should be omitted wherever possible, and this is a major theme of the
Caldicott Report. In that event, all reasonable steps must be taken to ensure that the
recipient is unable to trace the patient's or client's identity. However, the fact that
information has been anonymised does not of itself remove the duty of confidence. It
may still be passed on only for a justifiable purpose. The removal of personal details
may in any case be insufficient to protect a patient's or client's identity: for example, in
some instances where the information relates to rare conditions, other characteristics or
maybe to particular units or areas of the country. Those with control of the information
must make a judgement, taking into account clinical and other relevant considerations,
about the risk that the anonymised data could be “re-personalised” by reference to
identifiable information, whether contained within the dataset itself or brought from
outside. Where there is no reasonable likelihood of anonymised material being re-
personalised, it should no longer be regarded as personal and identifiable "patient or
client information". In these circumstances, provided that patients and clients in
general are made aware that anonymised personal information may be used to
prepare statistics to support the sort of purposes at paragraph 1.2, the anonymised
information may be used or passed on for those purposes. The Data Protection Act does
not apply to data so anonymised.
4.8 It is recognised that those who have to make such a judgement may well find difficulty
in assessing the wide range of factors which will impact on it. A Personal Data
Confidentiality Group has been established to assist staff with this issue, and its
secretariat will be available to give advice (see Chapter 6 and Appendix D).
Aggregated non-identifiable information
4.9 Making available aggregated information about performance and activity in the
HPSS is an important aspect of accountability and a means of fostering public
awareness of how taxpayers’ money is spent and the range of services provided.
Aggregated information is also vital for much research and development (see paragraph
4.21) and for certain pharmaceutical and other health-related purposes. However,
aggregating selective information about a small number of patients or clients may not
always safeguard confidence adequately. Those with control of the information must
make a judgement, taking into account clinical and other relevant considerations, as to
the point at which aggregated material on its own cannot be regarded as personal and
identifiable “patient or client information”. In these circumstances, provided that
patients and clients in general are made aware that personal information may be
used to prepare statistics to support the sort of purposes at paragraph 1.2, the
aggregated information may be used or passed on for those purposes.
4.10 As noted under 4.8, there may be difficulty in assessing all the relevant factors.
The Personal Data Confidentiality Group has been established to assist HPSS staff.
If confidence is breached
4.11 The unauthorised passing on of patient or client information by any member of staff or
person in contract with the HPSS is a serious matter, always warranting consideration
of disciplinary action and possibly risking legal action by others. In addition health
professionals may be subject to action by their regulatory bodies. In their own
interests and those of patients and clients, all staff must be made aware of the
possibly severe consequences of breaching patient and client confidence. HPSS
bodies are strongly advised to include a duty of confidence requirement in
employment contracts or other documents setting out terms and conditions. Staff
should be assured that this is not intended to detract from the general climate of
openness in the HPSS and that, subject to their duty of confidence to patients and
clients, they have both rights and responsibilities to raise concerns about health care
4.12 Patients and clients who feel that confidence has been breached may want to use the
HPSS complaints procedures. They have a right under the HPSS Complaints
Procedures to be told how to complain or how to make comments or suggestions. There
is a statutory right to complain to the Data Protection Commissioner (see DPR leaflet,
Your Complaint: What happens when you complain to the Data Protection Registrar),
as well as rights to take action for compensation if the individual has suffered damage
and to correct or erase inaccurate personal data, or to have their challenge to the
accuracy of personal data recorded, if the data controller does not accept the
correctness of the challenge.
Patients and Clients unable to give consent
4.13 As the law stands, nobody is empowered to give consent on behalf of an adult.
However, if a patient or client is unconscious or unable due to his or her mental or
physical condition to give informed consent or to communicate a decision, decisions to
pass on information will in practice usually be taken by the health or social care
professionals concerned, taking into account the patient's or client's best interests and,
as necessary, the views of partners, relatives or carers. Such circumstances will usually
arise when a patient or client has been unable to give informed consent to treatment or
care. An earlier refusal to particular information being passed on, given while a patient
or client had the capacity to decide, should, unless there are overriding considerations to
the contrary, be regarded as decisive in circumstances similar to those envisaged by the
patient or client.
Children and young people
4.14 Young people aged 16 or 17 are regarded as adults for purposes of consent to
treatment and are therefore entitled to the same duty of confidence as adults. Children
under 16 who have the capacity and understanding to take decisions about their own
treatment are entitled also to decide whether personal information may be passed on
and generally to have their confidence respected (eg they may be receiving treatment or
counselling about which they do not wish their parents to know). Where a child aged
under 16 does not have the necessary capacity or understanding, decisions to pass on
personal information may be taken by a person with parental responsibility in
consultation with the health or social care professionals involved.
4.15 In child protection cases the overriding principle is to secure the best interests of the
child. Therefore, if a health or social care professional (or other member of staff) has
of abuse or neglect it may be necessary to share this with others on a strictly controlled
basis so that decisions relating to the child's welfare can be taken in the light of all
4.16 Ensuring the security and accuracy of patient and client information is a responsibility
of management and staff at all levels: see Directorate of Information Systems
document Statement of HPSS IT Security Policy. In addition:
i. arrangements for the storage and disposal of all patient information (both
manually recorded and computer based) must protect confidentiality;
ii. under the Data Protection Act appropriate security measures must be in place
to protect computerised information, manual filing systems and records to
which the subject has access under other statutes: see Strategy and Intelligence
Group Manual, Introduction of Data Protection in the HPSS.
iii. care should be taken to ensure that unintentional breaches of confidence do
not occur: for example, by not leaving files, fax machines or computer terminals
unattended, double-checking to avoid transmitting information to the wrong person,
not allowing sensitive conversations to be overheard, and guarding against people
seeking information by deception (the Personal Data Confidentiality Group will
provide guidance on appropriate measures as required);
iv. where a non HPSS agency or individual is contracted to carry out HPSS
functions, the contract must draw attention to obligations on confidentiality
and require that patient and client information is:
a. treated and stored according to specified security standards; and
b. used only for purposes consistent with the terms of the contract.
Action in the event of confidence being breached (eg termination of contract)
should be specified.
4.17 There are stipulated periods for which personal health and social services records
should be retained before being considered for destruction. A minimum of eight years
is the general rule for hospital and community health services, but there are exceptions:
maternity records should be retained for at least 25 years, those relating to patients
under 18 at least until their 25th birthday (or 26th if a record was made when they were
17), and some mental health records for 20 years after care or treatment has ended. EC
guidance is that patient records used in connection with clinical trials should be kept for
at least 15 years. GP records should be retained for a minimum of ten years, and for
longer if the record falls within one of the exceptions described above. Records relating
to the Children Order should be held for at least 75 years (15 years from the date of
death in the case of a child who dies before the age of 18 years).
Patients and clients who are offenders
4.18 The prison medical service, the probation service, police and other criminal justice
agencies may be involved in the assessment and care (or continuing care following
discharge from hospital or release from prison) of patients or clients who have
committed offences or have otherwise been involved with those agencies. This often
applies to mentally disordered offenders and others with similar needs, including
people seen by HPSS or multi-agency assessment teams before or as a result of a court
appearance. There should be agreed liaison arrangements which:
i. enable the passage of essential information between agencies that patients and
clients know are contributing to their care and support;
ii. can handle sensitively the passing on of information that (as described in chapter 5)
may be required by court order or can be justified to protect the public;
iii. ensure that information passed on is used only for an authorised purpose;
Patients receiving social security benefits
4.19 When clients register a claim with the Social Security Agency (SSA), they agree that
the SSA may obtain information about hospitalisation or treatment which is relevant to
the client's benefit entitlement. Hospitals can therefore supply such information that is
necessary on receipt of a request from the Social Security Agency.
Protecting public health
4.20 The surveillance of communicable diseases is essential to maintain high levels of
disease prevention, to detect outbreaks and to inform and evaluate immunisation and
other policies. This is dependent on the flow of information on a "need to know" basis
between health professionals, microbiologists, Consultants in Communicable Disease
Control (CCDCs), the Public Health Laboratory Service and Environmental Health
Officers. The Public Health Act (NI) 1967 makes provision for the notification and
prevention of certain infectious diseases.
Teaching and research
4.21 Advice to patients and clients about the use of personal information must emphasise:
i. the importance of teaching and research to the maintenance and improvement of
care within the HPSS, inter-agency care and public health generally;
ii. that such information, anonymised or aggregated wherever possible, may
sometimes be used for teaching and research (and that universities or other bodies
carrying out approved research are required to treat it in confidence and must not
use it for other purposes);
iii. that their specific consent will be sought to any activity relating to teaching or
research that would involve them personally;
iv. that any published research findings will not identify them without their specific
4.22 Arrangements for securing ethical approval to research proposals involving patients and
clients or access to their records will be covered in new guidance on Research Ethics
Committees which is currently being prepared by the Department.
Particular restrictions on passing on information
4.23 HPSS bodies or those carrying out HPSS functions must not allow personal details of
patients or clients (most obviously names and addresses or the medical condition of
named individuals) to be passed on or sold for fundraising or commercial marketing
4.24 There are some statutory restrictions on the disclosure of information relating to
assisted conception. Regulations have also been developed to bring Northern Ireland
into line with statutory restrictions in England and Wales relating to disclosure of
information on sexually transmitted diseases.
PASSING ON INFORMATION FOR OTHER PURPOSES OR AS A LEGAL
Relatives, friends and carers
5.1 The Charter for Patients and Clients states that "your relatives and friends are entitled
to be informed [about your progress] subject of course to your own wishes". It is
important to ensure that the wishes of the patient or client about this are established at first
contact. With the patient's or client's consent, the significant role of carers may need to
be recognised in the type of information provided: for example, on discharge from
hospital and to make arrangements for continuing care.
5.2 In certain instances an HPSS body or member of staff may have a statutory
responsibility to pass on patient or client information. If so, prior consultation with the
patient or client is not required. However, if the health or social care professionals
responsible for his or her care are not those required to pass on the information, the
former should usually be consulted as to whether the facts do indeed mean that
disclosure is necessary. If in doubt, legal advice should be sought. The patient or client
and relevant health professional should be informed as soon as possible that information
has been passed on, and a note made in the patient's or client's record.
5.3 The majority of statutory requirements concern forms of notification: for example, of
births and deaths, communicable disease (see paragraph 4.20), substance misuse and
serious accidents. There are also certain obligations to pass on information under the
Mental Health (Northern Ireland) Order 1986.
5.4 The High Court has statutory powers to order:
i. the disclosure of documents before and during proceedings for personal injury or
ii. the production of information to an applicant and his or her legal, medical and
Such orders should specify clearly what information is required and by whom. If any
aspect is unclear, clarification and/or legal advice should be sought without delay. The
health and social care professionals responsible for a patient's or client's care and
treatment should be consulted about the disclosure in case of a risk to the patient's or
client's (or someone else's) health or well-being. If there is a risk, legal advice should be
sought on the possibility of seeking an amendment to the order. Where an order
requires information about a patient or client who has not instigated a court action, that
patient or client should be notified immediately in case he or she wishes to consider an
5.5 It is well-established practice that, at the patient's or client's request, information
relevant to legal proceedings may be released, usually to the patient's or client's legal,
medical or social work adviser. The information should also be passed to lawyers acting
for the HPSS body concerned where the action involves the health board, Trust or a
member of staff. Where health or social care matters arise the relevant professional (if
he or she is not the patient's or client's medical or social work adviser) should be
informed and, if necessary, given the opportunity to comment. If the patient or client
agrees, information may also be released to a third party involved in proceedings.
Release of information to protect the public
5.6 It may sometimes be justifiable to pass on patient or client information without consent
or statutory authority. Disclosures for the "discovery of iniquity" are traditionally cited.
Most commonly these involve the prevention and detection of serious crime, but can
extend to other dangers to the general public, such as a public health risk or risk of
violence, where, as already noted, essential information may need to be shared with
5.7 Each case must be considered on its merits, the main criterion being whether the release
of information to protect the public should prevail over the duty of confidence to the
patient or client. The possible consequences for the patient or client must be considered
whatever the outcome. Decisions will sometimes be finely balanced and may concern
matters on which HPSS staff find it difficult to make a judgement. Therefore it may be
necessary to seek legal or other specialist advice or to await or seek a court order. It is
important not to equate "the public interest" with what may be "of interest" to the
Tackling serious crime
5.8 Passing on information to help tackle serious crime (see examples at Appendix C) may
be justified if the following conditions are satisfied:
i. without disclosure, the task of preventing, detecting or prosecuting the crime would
be seriously prejudiced, delayed or obstructed;
ii. information is limited to what is strictly relevant to a specific investigation or other
crimes which may have been uncovered in the course of the investigation;
iii. there are satisfactory undertakings that the information will not be passed on or used
for any purpose other than the present investigation or other crimes which may have
been uncovered in the course of the investigation.
5.9 Requests for information relating to a number of patients or clients in order to identify
one or more of them are likely to be justified only if there is a very strong public interest.
Press and broadcasting
5.10 The maintenance of good relations with the press and broadcasting organisations is
important. HPSS bodies should ensure that someone with suitable experience and level
of responsibility is available or contactable at all times to answer enquiries.
5.11 In law the same general rules apply to the passing of personal information to the media
as in other circumstances. The patient's or client's consent must therefore be obtained if
he or she is capable of taking a decision. This applies whether or not the patient or
client is a celebrity or public figure.
5.12 Where the patient or client is unable to take a decision, the provision of basic
information may sometimes be judged to be in his or her best interests (eg by correcting
misleading or damaging speculation). Where possible, relatives should be consulted,
having regard, of course, to their own feelings and possible distress. For example,
where knowledge of the names and addresses of accident victims has become public,
the practice in most hospitals is to confirm the presence of a patient unless the patient or
relatives have requested no publicity. In all such circumstances, the HPSS body must
be prepared to justify a decision to release information, which should usually be
confined to a brief indication of progress in terms authorised by the relevant
5.13 If a patient or client or former patient or client has invited the media to report his or her
treatment, the HPSS body may comment in public, but should confine itself to factual
information or the correction of any misleading assertions or published comment. The
duty of confidence to the patient or client still applies. If in doubt, legal advice should
IMPLEMENTATION AND THE PERSONAL DATA CONFIDENTIALITY GROUP
6.1 The establishment and implementation of a single coherent policy on the confidentiality
of patient and client information poses considerable problems, since it extends to every
aspect of the work of HPSS. With the implementation of the Data Protection Act 1998,
with its extended definition of personal data and explicit legal requirements,
confidentiality can no longer be regarded as the special concern of one group of staff, be
it medical (driving the Caldicott review) or IT (implementing the Data Protection Act
6.2 There are a number of major issues to be addressed, and these are highlighted in the
Justification    Subject    Data        Transfer of
for holding      Consent    Security    Data to
(Appendix A) * * * * *
(Appendix B) * * * *
(Appendix C) *
(Annex A) *
Information Transfer to RUC (Annex B) *
Data (Annex C) * * * *
6.3 A Personal Data Confidentiality Group has been established. Information and
Research Policy Branch will provide a secretariat for the Group (for details, see
Appendix D) and can be consulted by those wishing to obtain advice and detailed
guidance. Where it becomes clear that some issue is causing general difficulty for the
HPSS, the Branch will be responsible for initiating discussion by the Group, involving
HPSS organisations both jointly and separately as appropriate, and disseminating
agreed detailed guidance. It will be available to answer queries from HPSS staff as
these arise, and it is hoped to develop a body of “case law” and agreed policy.
6.4 HPSS bodies should give consideration, in consultation with the Personal Data
Confidentiality Group, to a range of issues:
a) Appointment of data guardians. Each HPSS body should appoint a data
guardian to take responsibility for the development and implementation of
organisational policies, in the light of this guidance. The Caldicott Report suggests
that a senior health professional be appointed to this role, but subsequent work in
the NHS has moved towards the view that someone in senior management is
equally acceptable. Given the social work dimension of the HPSS, the case for this
alternative approach is even stronger in the NI context.
b) Establishment of confidentiality policies. These should carry forward within
the context of the body, the major themes of this guidance eg consent, disclosure,
transfer of data, security, Data Protection Act and Caldicott Report
c) Appointment of data scrutineers. In order to ensure that the issues raised by
this guidance and subsequently established policies are addressed at an appropriate
level throughout the organisation, appropriately placed and qualified staff should be
appointed in all parts of the organisation to take responsibility for implementation
of organisational policies.
d) Training. The organisation should ensure that all staff handling personal data
are aware of the general principles governing such data (see Table 2.1). In addition,
data guardians and scrutineers should receive the specific training necessary to
carry out their roles.
This Appendix is intended to give an overview of the impact of the Data Protection Act
1998. It states the basic principles, before looking at definitions, security, exemptions and
implementation. It should be used as a general reference document for any officer handling
DATA PROTECTION ACT 1998
A. THE EIGHT PRINCIPLES
A.1 The eight data protection principles set out in the Data Protection Act 1998 are as
1. Personal data shall be processed fairly and lawfully, and in particular, shall not be
a) at least one of the conditions in Schedule 2 is met, and
b) in the case of sensitive personal data, at least one of the conditions in
Schedule 3 is met.
2. Personal data shall be obtained only for one or more specified and lawful
purposes, and shall not be further processed in a manner incompatible with that
purpose or these purposes
3. Personal data shall be adequate, relevant and not excessive in relation to the
purpose or purposes for which they are processed
4. Personal data shall be accurate and where necessary, kept up to date
5. Personal data processed for any purpose or purposes shall not be kept for longer
than is necessary for that purpose or purposes
6. Personal data shall be processed in accordance with the rights of data subjects
under the Act
7. Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental loss of or
destruction of, or damage to personal data
8. Personal data shall not be transferred to a country or territory outside the
European Economic Area unless that country or territory ensures an adequate level of
protection for the rights and freedoms of data subjects in relation to the processing of
A.2 Schedules 2 and 3 (mentioned in Principle 1) are attached as Table 1, showing the
grounds which can be used to justify processing. Health and social services data are
sensitive data, and consequently require grounds drawn from both schedules to justify
processing. In legal terms, if data subject consent, explicit or otherwise, (item 1 on each
schedule) is lacking, then performance of functions under enactment, or of government
functions (item 5 on Schedule 2, item 7 on Schedule 3) or performance of a medical
function (item 8 on Schedule 3) would suffice.
B.1 Data is information held on a computer or information held on a filing system or
information to which people have access under other legislation
B.2 Personal data are data which relate to a living individual who can be identified
- from these data or
- from these data and other information in the possession of the data controller or
likely to come into the possession of the data controller
There is a distinction between a certain identification (“This record relates to
X”) based on information likely to come into the possession of the data
controller and a likely identification (“I think this record probably relates to X”)
based on information certain to come into the possession of the data controller.
Strictly speaking, the legal definition relates to the first category. Given that the
impact on the individual is very much the same, and there is no difference in the
methods used to assess the likelihoods involved, HPSS staff should adhere to the
spirit of the law and protect against both categories of identification.
C. APPLICATION OF DEFINITIONS
C.1 It has been recognised by the Data Protection Commissioner that “personal data”
is not something that is rigidly defined. One data controller might be unable to identify
individuals from an information set, whilst the same information in the hands of
another data controller could be quite likely to lead to identification ie the information is
not personal data whilst it remains in the hands of the first controller, but becomes
personal data when transferred to the second.
C.2 A data set including name and address, or similar, is plainly personal data. A data
set including UPCI number is personal data if the data controller has access to the UPCI
system, but not otherwise, unless the other data in the set indicate a different conclusion.
C.3 Items of data other than name and address and UPCI are in themselves
anonymous, but they may permit re-personalisation of the data set to which they belong.
Taken in conjunction with other information in the data set, or information otherwise
available to the data controller, they may allow identification of individuals thereby
converting an anonymous data set into personal data.
C.4 The legislation imposes a test of likelihood on such re-personalisation. Given
sufficient additional information, individuals in any anonymous data set can be identified,
but is it likely that such a situation will happen? It is probable that no definition of the
key term “likely” can be forthcoming from the Data Protection Commissioner in advance
of decisions by the courts.
C.5 The intention of the data controller has a bearing on likelihood. An anonymised
data set held by an HPSS body is much less likely to be subjected to attempts at re-
personalisation than the same data set in the hands of an investigative journalist, hence
(all else being equal) less likely to be re-personalised.
D.1 Data Protection Principle 7 requires appropriate security measures for personal
data. Again, there is no definition of the key term, “appropriate”.
D.2 To treat all data on living individuals as personal data if identification is
theoretically possible effectively means treating all individual data as personal. This is
contrary to the plain meaning of the Act, and such over-classification tends to produce a
degradation of security for truly sensitive data.
D.3 HPSS should proceed on the assumption that an appropriate level of security is
one that takes some account of the level of probability that identification will be possible
eg if the data is currently personal data, a higher level of security is appropriate than if it
is currently anonymised data with a small risk of re-personalisation.
D.4 The level of security should also take account of the level of damage or distress
that might reasonably be expected to be caused to the data subject if disclosure were to
occur. For example, whilst the fact of a medical consultation and the outcome of that
consultation are both confidential, disclosure of the latter is likely, in general, to be more
harmful than disclosure of the former and the level of security applied to appointment
lists and to medical files should reflect that consideration.
E.1 Exemptions from the provisions of specific principles and provisions may apply.
1. Personal data processed for the prevention or detection of crime or the
apprehension or prosecution of offenders are exempt from subject access and
from the requirements of the first principle (other than the justification for holding
data at all)
2. Data held in connection with health and social work may be exempted
from subject information access provisions by order of the Secretary of State.
3. The use of data for research (including historical and statistical purposes)
is not legally incompatible with the purposes specified at collection (whatever
they may have been), and data held for such purposes may be held indefinitely.
There is no automatic right of subject access to such data and the data can be
passed to other persons for research purposes.
F.1 The Data Protection Act (1998) mostly imposes general rather than specific
requirements. A partial exception is the requirement to notify the Data Protection
Commissioner of data held. The detail required in this notification (one only per
organisation) has yet to be determined but will certainly be less than required under the
1984 Act. All organisations will need to arrange for notification to occur as current
F.2 As regards the rest of the Act, it will be necessary to ensure staff are aware of
their responsibilities under the legislation and that they are able either to meet those
responsibilities themselves or to seek out expert help in order to do so. Given the wide
scope of the Act, compared to the 1984 Act, it seems unlikely that implementation
responsibility can be placed solely in the hands of staff who have substantial personal
TABLE 1 SCHEDULES 2 AND 3 OF THE DATA PROTECTION ACT 1998
SUMMARY OF SCHEDULE 2 (CONDITIONS FOR PROCESSING OF ANY
1. Consent of data subject
2. Establishment or performance of contract to which data subject is a party
3. Compliance with legal obligation of data controller (other than contractual)
4. Protection of vital interests of data subject
5. Administration of justice, exercise of functions under enactment, exercise of
government function, exercise of public function
6. For purposes of legitimate interests of data controller or third party, save where
this is prejudicial to the interests of the data subject
SUMMARY OF SCHEDULE 3 (CONDITIONS FOR PROCESSING OF
SENSITIVE PERSONAL DATA *)
1. Explicit consent of data subject
2. Exercising or performing rights and obligations of data controller conferred or
imposed by law in connection with employment
3. Protection of vital interests of data subject or third party in situations where there
are difficulties in obtaining consent
4. Performed by non-profit making political or religious body in connection with its
own members and contacts
5. Data made public by data subject
6. In connection with legal action
7. Administration of justice, exercise of functions under enactment, exercise of
8. Processing for medical purposes** carried out by a health professional or a
person with an equivalent duty of confidentiality
9. Racial and ethnic monitoring
10. Specific order by Secretary of State
* This includes information on the health and on the religion of the data subject.
** This includes preventative medicine, medical diagnosis, medical research, provision
of care and treatment and the management of healthcare services.
This Appendix sets out the terms of reference and findings of the Caldicott Committee,
linking these to Data Protection Principles. It also addresses implementation issues. The
document should be used by officers responsible for ensuring that Caldicott
recommendations are implemented.
THE CALDICOTT REPORT
A. TERMS OF REFERENCE FOR CALDICOTT
To review all patient-identifiable information which passes from NHS organisations to
other NHS or non-NHS bodies for purposes other than direct care, medical research or
where there is a statutory requirement for information.
The Committee will consider each flow of patient-identifiable information and will
advise the NHS Executive:-
whether patient-identification is justified by the purpose;
whether action to minimise risks of breach of confidentiality is desirable eg reduction,
elimination, or separate storage of information
B. CALDICOTT GENERAL PRINCIPLES (related to Data Protection
B.1 The Caldicott committee established the following principles, shown with the
relevant Data Protection Principle:
1. Justify the purpose(s) for holding patient-identifiable data 
2. Don’t use patient-identifiable information unless it is absolutely necessary 
3. Use the minimum necessary patient-identifiable information 
4. Access to patient-identifiable information should be on a strict need-to-know basis 
5. Everyone with access to patient-identifiable information should be aware of their
6. Understand and comply with the law [All]
Reference in [ ] denotes relevant Data Protection Principles
C. SUMMARY OF RECOMMENDATIONS IN CALDICOTT REPORT
(Related to Data Protection Principles)
C.1 The Caldicott Committee put forward the following recommendations, which
have been grouped under broad headings, with the relevant Data Protection Principle
1. Every dataflow, current or proposed, should be tested against basic principles of
good practice. Continuing flows should be re-tested regularly [All]
10. Where particularly sensitive information is transferred, privacy enhancing
technologies (eg encrypting identifiers of “patient identifying information”) must
be explored 
11. Those involved in developing health information systems should ensure that best
practice principles are incorporated during design stage. [All]
12. Where practicable, the internal structure and administration of databases holding
patient identifiable information should reflect the principles developed in this
Persons and protocols
2. A programme of work should be established to reinforce awareness of confidentiality
and information security requirements amongst all staff within the NHS. 
3. A senior person, preferably a health professional, should be nominated in each health
organisation to act as a guardian, responsible for safeguarding the confidentiality of
patient information. 
4. Clear guidance should be provided for those individuals/bodies responsible for
approving uses of patient-identifiable information. [All]
5. Protocols should be developed to protect the exchange of patient-identifiable
information between NHS and non-NHS bodies. 
6. The identity of those responsible for monitoring the sharing and transfer of information
within agreed local protocols should be clearly communicated. [All]
7. An accreditation system which recognises those organisations following good practice
with respect to confidentiality should be considered.
9. Strict protocols should define who is authorised to gain access to patient identity where
the NHS number or other coded identifier is used. 
8. The new NHS number* should replace patient identifiable data, as soon as practically
possible, in every data flow where there is a need to distinguish between individuals
but where there is no immediate corresponding need to identify those individuals.
Continued use of additional patient identifiable data items for other purposes must be
robustly justified [3, 7]
13. The NHS number* should replace the patient’s name on Items of Service Claims
made by General Practitioners as soon as practically possible. 
14. The design of new systems for the transfer of prescription data should incorporate the
principles developed in this report. [3, 7]
15. Future negotiations on pay and conditions for General Practitioners should, where
possible, avoid systems of payment which require patient identifying details to be
transferred. [3, 7]
16. Consideration should be given to procedures for General Practice claims and
payments which do not require patient-identifying information to be transferred, which
can then be piloted. [3, 7]
Reference in [ ] denotes relevant Data Protection Principles
* UPCI in Northern Ireland
C.2 The relationship between data protection principles and Caldicott principles and
recommendations is summarised in Table 1. This shows that the majority of Caldicott
measures should be regarded as falling under:
a) personal data should be adequate, relevant and not excessive (Principle 3)
b) personal data should be subject to appropriate security measures (Principle 7)
D.1 It should be noted that the Caldicott recommendations divide between general
principles and specific projects. Some of the latter may not lie within the control of a
local HPSS unit (eg implementation of UPCI [Northern Ireland equivalent of NHS
number]), or may not be considered appropriate. In particular, it is now recognised in
England that the data guardian need not necessarily be a medical professional, and given
the personal social services dimension of the HPSS, that conclusion is particularly strong
for Northern Ireland.
D.2 The general principles are however applicable, and can be regarded for the most
part as data protection. Annex C gives an indication of how the use of patient-identifiable
data should be assessed.
Table 1 RELATIONSHIP OF DATA PROTECTION AND
Reference to       By 6 Caldicott    By 16 Caldicott    By
Data Protection    Principles        Recommendations    Caldicott
1                  -                 -                  -
2                  1                 -                  1
3                  2                 4                  6
4                  -                 -                  -
5                  -                 -                  -
6                  -                 -                  -
7                  1                 10                 11
8                  8                 -                  -
All                2                 4                  6
None               -                 1                  1
The emphasis in the Caldicott principles and recommendations leans heavily towards
Data Principles 3 and 7 (or else recommends compliance with all Principles). These two
personal data should be adequate, relevant and not excessive;
personal data should be subject to appropriate security measures
With the exception of recommendation 7 (accreditation of organisations following good
practice with regard to confidentiality), no Caldicott recommendation can be regarded as
falling outside Data Protection, and even recommendation 7 is intended as an incentive to
meet Data Protection Principle 7.
PASSING ON INFORMATION IN CONNECTION WITH SERIOUS CRIME
(see paragraph 5.8 and Annex B)
This Appendix addresses the definition of serious crime. It should be used by those officers
becoming aware of crime in the course of their duties, or considering requests from the
RUC for information.
Passing on information to help prevent, detect or prosecute serious crime may sometimes
be justified to protect the public. There is no absolute definition of "serious" crime, but The
Police and Criminal Evidence (NI) Order 1989 identifies some "serious arrestable
offences". These include:
offences under prevention of terrorism legislation (disclosures now covered by the
Prevention of Terrorism Act 1989)
making a threat which if carried out would be likely to lead to:
· serious threat to the security of the state or to public order
· serious interference with the administration of justice or with the investigation
of an offence
· death or serious injury
· substantial financial gain or serious financial loss to any person.
In addition other offences may be regarded as serious crime depending on the
circumstances and consequences (eg grievous bodily harm, taking and driving away,
robbery and theft). This will be the case where acts are committed which are likely to lead
· serious threat to the security of the state or to public order
· serious interference with the administration of justice or with the investigation
of an offence
· death or serious injury
· substantial financial gain or serious financial loss to any person.
In other cases, it may be as well to seek legal advice before taking a decision to release
PERSONAL DATA CONFIDENTIALITY GROUP
1. The area of data confidentiality is complex, taking account of a wide range of ethics,
legislation and practice. There are implications for virtually all areas of HPSS work, and
it is not possible to give precise guidance. Many of the terms used have no exact
definition, and are unlikely to have any until case law develops. Furthermore, the data
handled is very variable and guidance that might be appropriate in one context would
not necessarily be so in another context.
2. Accordingly, a Personal Data Confidentiality Group has been established. Its
a) to disseminate information to HPSS on developments in the area of data
b) to develop specific guidance for the HPSS, as the need arises; and
c) to advise the HPSS on risk assessment in connection with disclosure.
3. The membership of the Group will consist of:
DHSS 2 members
Boards and Trusts 6 members
CSA 1 member
Primary Care 1 member
Drawn from Statistician, Information, IT, professional and administrative staff
The secretariat of the Group will be provided by the Information and Research Policy
Branch, which will be available to assist with queries.
Information and Research Policy Branch
Telephone: 01232-522684
SPECIMEN NOTICE FOR PATIENTS AND CLIENTS
We ask you for information about yourself so that you can receive proper care and
We keep this information, together with details of your care, because it may be needed if
we see you again.
We may use some of this information for other reasons: for example, to help us protect
public health generally and to see that the HPSS runs efficiently, plans for the future, trains
its staff, pays its bills and can account for its actions. Information may also be needed to
help carry out medical or other health and social services research for the benefit of
Sometimes the law requires us to pass on information: for example, to notify a birth.
The HPSS Central Health Index contains basic personal details of all patients registered
with a practitioner. The Register contains demographic rather than clinical information.
You have a right of access to your health records.
EVERYONE WORKING FOR THE HPSS HAS A LEGAL DUTY TO KEEP
INFORMATION ABOUT YOU CONFIDENTIAL.
You may be receiving care from other people as well as the HPSS. So that we can all
work together for your benefit we may need to share some information about you.
We only ever use or pass on information about you if people have a genuine need for
it in your and everyone's interests. Whenever we can we shall remove details which
identify you. The sharing of some types of very sensitive personal information is
strictly controlled by law.
Anyone who receives information from us is also under a legal duty to keep it
THE MAIN REASONS FOR WHICH YOUR INFORMATION MAY BE NEEDED
giving you health care, treatment and social care
looking after the health and social welfare of the general public
managing and planning the HPSS. For example:
making sure that our services can meet patient and client needs in the future
paying your doctor, nurse, dentist, or other staff, and the hospital which treats
you for the care they provide
auditing accounts, detecting and investigating fraud
preparing statistics on HPSS performance and activity (where steps will be
taken to ensure you cannot be identified)
investigating complaints or legal claims
helping staff to review the care they provide to make sure it is of the highest
training and educating staff (but you can choose whether or not to be involved
research (If anything to do with the research would involve you personally,
you will be contacted to see if you are willing to take part. You will not be
identified in any published results without your agreement.)
If you agree your relatives, friends and carers will be kept up to date with the
progress of your treatment.
If at any time you would like to know more about how we use your information you can
speak to the person in charge of your care or to ........
This Annex sets out the issues governing the transfer of information to the RUC. It should
be used by those officers becoming aware of crime in the course of their duties, or
considering requests from the RUC for information.
GUIDANCE ON THE TRANSFER OF INFORMATION BY HPSS STAFF TO
1. It must be emphasised that this guidance cannot be definitive, and is not intended
to set down procedures. There is a need to balance the general duty of confidentiality
to patients against the public interest in the detection and prosecution of crime. For
more serious crimes, the public interest argument becomes more weighty, but the
balance between the two can only be assessed in the light of the facts relating to the
crime, the patient and other relevant circumstances. These are immensely varied and
to set down rigid or simplistic procedures could be misleading. It is necessary for
those involved to use their judgement in individual situations, taking account of
general principles and, if necessary, seeking legal advice.
2. This guidance should be read in conjunction with “The Protection and Use of
Patient and Client Information”, as reissued in June 1999, to which it is attached as an
annex. Although the issue of transfer of information to the RUC is most likely to arise
in the context of Ambulance Services, of Hospital Accident and Emergency Units,
and of Social Services, it could arise in any situation within the HPSS where patient
or client information is held.
3. Certain items of legislation (including the Prevention of Terrorism Act, Road
Traffic Order, Police and Criminal Evidence Order (NI), Criminal Law (NI) Act) may
impose a duty on HPSS staff to volunteer information, where they have reason to
suppose that an offence has been committed. Whilst the RUC have no legal powers to
require the information, there is a legal duty to supply the information in certain
4. Some specific circumstances may have been the subject of detailed consideration
by a professional body, so that a more specific code of practice has been developed.
Where some such code of practice, protocol arrangement or memorandum of
understanding is in place relating to particular types of situation, that code, protocol
or memorandum should take precedence over the guidance put forward here.
5. There is no limitation on the kind of information that may be transferred to the
RUC, subject to the provision of paragraph 5.8 ii of “The Protection and Use of
Patient and Client Information” that it must be strictly relevant to a specific
investigation or to other crimes which may be uncovered in the course of the
investigation. The issue of relevance must be judged on the facts of individual
6. It might be difficult to justify the provision of information on an individual where
neither RUC nor HPSS staff have some reason to believe that a particular individual
(as opposed to someone who falls in a general category) may be involved in a crime.
Provision of information on a group of individuals defined on some sort of general
basis (eg attendance at A&E on a particular night) would mean that information was
being given on individuals who were not involved in a crime.
7. Where a patient or client consents to information being passed to the RUC,
confidentiality no longer applies (an approach to a patient or client for consent should
be agreed with the RUC first, to avoid prejudice either to the interests of the
patient/client or to the investigations of the RUC). Information that does not relate to
an identifiable patient or client (eg ambulance service records of conversations with
third parties) may not be protected by confidentiality at all.
8. The attached matrix of responses (Table 1) gives some indication of the sort of
responses which may be considered appropriate. They are phrased in a somewhat
tentative manner, to reflect the fact that definitive guidance cannot be given. Some
guidance on the difference between serious and non-serious offences is given in
Appendix C of “The Protection and Use of Patient and Client Information”. The
presumption is that HPSS staff will not normally even consider passing information
to the RUC in connection with non-serious offences unless the individual concerned
is very clearly and specifically identified (ie by name or unmistakeable description)
and the RUC have made a formal request.
9. A blanket exclusion on passing information relating to non-serious offences is
however not suggested, since there may be instances where the balance of public
interest shifts. For example, under the Sex Offenders Act 1997, it is an offence for a sex offender
to fail to register with the police. Although this offence is not in itself a serious crime,
the associated circumstances could justify a hospital in passing on relevant
information. A more widely occurring issue is investigation of non-serious crime
which directly involves the HPSS. For example, it would probably not be desirable
for a patient who commits an assault on HPSS staff (a crime which is not defined as
“serious”) to avoid police investigation on the grounds of confidentiality. Similarly,
it could be considered inequitable if confidentiality considerations were to protect one
group of people using HPSS property from investigation, but not other groups. As in
all cases, those involved must exercise their judgement as the circumstances suggest,
seeking legal advice as necessary.
10. The guidance has been discussed with the RUC, who consider it acceptable from
their point of view.
11. Further guidance may be issued as relevant issues arise. Feedback on the
operation of this guidance should be addressed to the Information and Research
Policy Branch of the Information and Analysis Unit.
TABLE 1 ACTION TO BE CONSIDERED IN RESPECT OF TRANSFER OF
INFORMATION FROM HPSS TO RUC
RUC seek information on a person about whom
                                                    Name  Description  Fact of Existence  Nothing
Concerning a serious offence
know patient involved in an                         Y     Y            ++                 +
suspect patient involved in                         Y     Y            ++                 +
have no knowledge that patient involved in offence  Y     Y            N                  N
Concerning a non-serious offence
know patient involved in an                         ++    +            -                  --
suspect patient involved in                         ++    +            -                  --
have no knowledge that patient involved in offence  ++    +            N                  N
Y Almost certainly pass information to RUC
++ Very probably pass information to RUC
+ Probably pass information to RUC
- Probably do not pass information to RUC, except by consent or on court order
-- Very probably do not pass information to RUC, except by consent or on court
N Almost certainly do not pass information to RUC, except by consent or on court
Y, ++, and + denote situations where it may be appropriate to pass information to the
RUC. In the specific circumstances of the situation, a contrary view may be
N, --, and - denote situations where it may be appropriate not to pass information to the
RUC. In the specific circumstances of the situation, a contrary view may be
1. The column headings should be interpreted as follows:
“Name” - a specific request for information on a named individual
“Description” - a specific request for information on a specific unnamed individual,
described in sufficient detail to permit identification
“Fact of Existence” - a specific request for information on an unnamed and undescribed
individual who was or may have been involved in specific circumstances.
“Nothing” - HPSS staff become aware of a situation about which RUC have made no
specific request. This includes all generic requests from the RUC for information.
2. The term “involved” covers victims, suspects and witnesses.
3. For guidance on serious offences, see Appendix C of “The Protection and Use of
Patient and Client Information”.
This Annex provides some guidance for those officers charged with responsibility for
approving data access requests, or for ensuring that current data transfers comply with the
Caldicott recommendations. It should be used as a reference document.
GUIDANCE ON APPROVING USE OF PATIENT-IDENTIFIABLE DATA
1. The Caldicott Report on the Review of Patient-Identifiable Information recommends
that clear guidance be provided for those individuals/bodies responsible for approving
uses of patient-identifiable information (Recommendation 4). This guidance is
intended to meet that requirement. It sets out general rather than detailed guidance,
based on general principles.
2. The intent of the recommendation is that the confidentiality of information on
individuals should be enhanced by ensuring that information which could be used to
identify an individual should not be linked to other information on that individual
without reason, and that where such linkage does occur, appropriate procedures are in
place to handle the data. There are three types of information which can be used to
identify individuals and these require somewhat different handling, as outlined below
and in Schedule A of this Annex.
3. In all health and personal social services (HPSS) organisations, the data guardian (see
Caldicott recommendation 3), or an authorised representative of the data guardian,
should be responsible for granting approval for use of personal-identifiable data. All
existing datasets (see Schedule A for definition) and all plans for the formation of new
datasets (including data transfers) are subject to such approval before personal-
identifiable data may be used. In order to establish the need for such approval, the data
guardian in person or a representative authorised by the data guardian should act as a
scrutineer for the dataset in question. The scrutineer should assess the status of the
dataset, placing it in one of the four following categories as most appropriate (See
Schedule A for definitions of categories):
A. Direct Patient/Client Identifier Dataset (see 4 below)
B. General Patient/Client Identifiable Dataset (see 7 below)
C. Indirect Patient/Client Identifier Dataset (see 5 below)
D. Non-Identifying Dataset (see 6 below)
Identifier and Non-Identifying Datasets
4. Direct Patient/Client Identifier Datasets. Direct patient/client identifiers (such as name)
should not be included in any dataset unless a robust case can be made for their
retention on operational grounds. This case should not be made on an organisation-
wide basis - the fact that Clinical Records have a clear operational requirement for
inclusion of name and address does not imply that Finance also have a clear
requirement for this information. If a case cannot be made, the items in question
should be removed as soon as practical, and the dataset then reassessed. Where there is
a robust operational case for retention, the scrutineer should ensure, before giving
approval for use, that procedures are in place to ensure that the dataset is accessible
only to authorised users, with appropriate security arrangements and training to ensure
the maintenance of confidentiality. These procedures should also address the issues of
onward data transfer and dataset formation (see paragraphs 13 and 14). In assessing
what is appropriate, the scrutineer should take account of relevant legislative
requirements, existing protocols, and the sensitivity of the information concerned. For
example, a record holding a name, a date and a clinical code should be used only with
good reason. If the clinical condition were one such as AIDS, the reason would have to
be very strong, and the security very tight.
If the scrutineer is not satisfied on these points, approval for use should be withheld.
5. Indirect Patient/Client Identifier Datasets. These can be approved for use with no
procedures in place beyond normal operating procedures, but by definition, there is an
implication of access to some direct patient identifier dataset, and proper
procedures should be in place to govern access to that dataset (Caldicott
Recommendation 9). For example, a record containing a UPCI Number, a date and a
clinical code could be used freely, but access to the UPCI system would have to be
sufficiently secure to prevent the curious from looking up the name of the subject on
The scrutineer should be satisfied that a proper scrutiny of access to the relevant
direct patient/client identifier dataset has been carried out by an appropriate
scrutineer, before giving approval for use of the indirect patient/client identifier data.
6. Non-Identifying Datasets. These should be approved for use, with no procedures in
place beyond normal operating procedures, eg a record showing a date and a clinical
code could be used without restriction.
The scrutineer should give approval for use of the data
General Patient/Client Identifiable Datasets
7. The presence of direct and indirect patient/client identifiers is easily established.
Unfortunately, assessment of general patient/client identifiable data is much less
clear-cut. Any information held on a dataset carries some risk that, given sufficient
supplementary information, the dataset user will be able to identify a patient/client.
This supplementary information might be drawn from the same dataset, another
dataset, public knowledge or personal knowledge. Identification can occur even when
the dataset relates to aggregated individuals.
8. On the other hand, it is plainly impractical to withhold approval for use, or to impose
special procedures on the production, holding and transfer of all information, on the
remote chance that some convergence of theoretical circumstances might result in an
individual being identified. Rather, it is necessary to form an assessment of the risk
that such an occurrence might happen, and whether such a risk is acceptable (see
Schedule B of this Annex).
9. If, in the opinion of the scrutineer, the risk is unacceptably high, then the dataset
should be treated for approval purposes as if it were a direct patient/client identifier
dataset. If the risk is not unacceptably high, then the dataset should be treated for
approval purposes as an indirect patient/client identifier dataset or a non-identifying
dataset, as appropriate.
The scrutineer should assign general patient-identifiable datasets to one of the other
three categories of dataset on the basis of risk, and then assess the case for approval
on the basis of the guidance relevant to that type of dataset
11. The scrutineer should be prepared to suggest ways to reduce the risk of identification
to acceptable levels, thereby allowing less onerous handling procedures.
12. This is an area where HPSS organisations are not expected to develop expertise. The
Personal Data Confidentiality Group should be consulted when difficulties arise (see
Appendix D of “The Protection and Use of Patient and Client Information”).
Creation and transfers of datasets
13. Care is needed in approving the creation of new datasets through the matching of
extracts from existing datasets. Two datasets which separately have acceptable levels
of identification risk may have an unacceptable level when they are combined. This is
particularly the case where matching is done on the basis of a unique coded identifier
such as UPCI Number. Because such matches are precise and certain, the new dataset
is similarly precise and certain.
14. Where datasets are formed for the purpose of transfer of information, the scrutineer
should be satisfied that:
a) there are sufficient grounds for transfer
b) the recipients have in place adequate procedures and safeguards appropriate to the
nature of the dataset. These should include
i) a procedure to ensure that any subsequent recipients of the data through onward
transfer also have in place adequate procedures and safeguards (including this
safeguard). In many instances, it may be appropriate to meet this requirement
through a simple prohibition on any onward transfer of data by the recipient.
ii) adequate procedures and safeguards for the creation of new datasets through
matching with the transferred dataset.
15. Unless there is evidence from past experience that a recipient organisation is failing
to implement procedures that are in themselves adequate, the scrutineer should accept the
existence of adequate procedures and safeguards in the recipient organisation, without
further inquiry into their operation. The implementation or otherwise of those procedures
is the responsibility of the recipient organisation.
Data Guardian
  A senior person appointed to take responsibility for
  safeguarding confidentiality of dataflows. Normally a senior
  health or other professional, or closely supported by such a
  person (see Caldicott Recommendation 3).
Dataset
  A dataset, for the purposes of this guidance, is an ordered
  structure of information relating to one or more individuals.
  If there is no ordered structure in the information held (eg a
  file of letters each containing different sorts of information),
  the same principles of confidentiality apply, but there is no
  basis for assessing the appropriate treatment for the
  information as a whole. It should be noted that:
  a) A dataset may be held as manual or computer records.
  b) Information derived from the aggregation of
  information on individuals can also form a dataset.
  c) An extract of information from a dataset will itself be a
  Examples include computer databases and sets of pro forma
Dataset Type
  There are four different kinds of dataset:
  A. Direct Patient/Client Identifier Dataset. At least one
  item of information is a direct patient identifier.
  B. General Patient/Client Identifiable Dataset. At least
  one item of information is patient-identifiable data and none
  is a direct patient identifier
  C. Indirect Patient/Client Identifier Dataset. At least one
  item of information is an indirect patient identifier, and none
  are direct patient identifiers or general patient-identifiable
  D. Non-Identifying Dataset. There are no items which are
  direct patient identifiers, general patient-identifiable data or
  indirect patient identifiers
Direct patient/client identifier
  This allows the dataset user to identify precisely an
  individual without taking further action. Examples are name
General Patient/client identifiable data
  This affords the opportunity for the dataset
  user, with some level of probability of success (but not
  necessarily absolute certainty), to identify an individual
  through correlation with some other information, whether
  held on the same dataset, on some other dataset or available
  otherwise. Examples are age, sex, occupation, locality of
Indirect patient/client identifier
  This does not itself identify an individual, but does
  allow the dataset user to identify precisely the individual
  concerned through access to some other dataset. Examples
  are National Insurance number, CHI and UPCI Number
Scrutineer
  The data guardian, or an authorised representative of the
  data guardian, when carrying out an assessment of a dataset,
  to determine the category to which it most appropriately
  belongs, or granting approval for its use.
1. There is no simple way to determine the risk that a patient/client will prove
identifiable from the information held in the dataset. The risk varies from situation to
a) A public figure is more likely to be identified than a private person. Information
on public figures is frequently more widely diffused.
b) Unusual characteristics or groups of characteristics carry a higher risk of
identification. A patient with Marfan’s syndrome is more at risk of identification
than one with angina.
c) The risk of identification increases with the level of certainty that a given
individual must be included in the dataset. It is highly likely that an individual
will feature on some GP list, but by no means so certain that they will appear on
some hospital record.
d) The easier it is to identify individuals of given characteristics, the greater
the risk of identification. The sex of an individual is a less precise, but more
useful, identifier than blood group.
e) The larger the number of people falling within any group, however defined, the
less the risk of identifying a single individual.
2. A useful line of approach, where sufficient data exist to permit it, is the estimation of
the number of people who will match a given set of characteristics drawn from the
dataset, eg religion: Church of Ireland, occupation: Minister of Religion, postcode:
BT99 3ZZ. If the numbers yielded by a quantitative approach are less than 3, the risk
of identification is certainly unacceptably high; if they approach 100, it is probably
acceptably low. In many instances, however, the data will not be available for a
precise approach, and the assessment will be an evaluation or even an opinion.
Provided that it is recognised and recorded as such, this is acceptable.
3. The highest risks that can be identified from any group of individuals, defined on the
basis of three or four data items in combination, should determine the status of the
dataset. Particularly powerful identifiers are date of birth (age to a lesser extent), sex,
and locality (postcode in particular). Occupation and religion can also be powerful.
4. The scrutineer should be prepared to suggest the use of less precise data eg age
rather than date of birth, postal zone rather than postcode, in order to reduce the risk
of identification to acceptable levels.
5. The scrutineer should make the best risk assessment possible under the
circumstances, given data available at the time. If better information later becomes
available, it may be appropriate to revise the assessment, but it would not be
appropriate to criticise the original assessment. A single adverse outcome of
identification is not in itself sufficient grounds for revising the assessment, since low
probability events do occur (several adverse outcomes should however be regarded as
“better information”, and so as grounds for revision).
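The quantitative approach of paragraphs 2 to 4 can be sketched as follows. This is an added example, not part of the guidance. It counts the smallest group of records sharing the same values on any three or four items, before and after replacing date of birth with age and postcode with postal zone. The records, the field names, the hard cut-off at 100 and the reading of "postal zone" as the first half of the postcode are all assumptions made for illustration.

```python
from collections import Counter
from datetime import date
from itertools import combinations, product

UNACCEPTABLE_BELOW = 3   # Schedule B para 2: fewer than 3 matching people
PROBABLY_OK_FROM = 100   # "approach 100"; a hard cut-off at 100 is an assumption
RAW_FIELDS = ("date_of_birth", "sex", "postcode", "occupation")
COARSE_FIELDS = ("age", "sex", "postal_zone", "occupation")


def worst_group(records, fields, sizes=(3, 4)):
    """Smallest group sharing the same values on any combination of three or
    four fields (para 3). Returns (count, fields, values) for that group."""
    worst = None
    for size in sizes:
        for combo in combinations(fields, size):
            groups = Counter(tuple(r[f] for f in combo) for r in records)
            values, count = min(groups.items(), key=lambda kv: kv[1])
            if worst is None or count < worst[0]:
                worst = (count, combo, values)
    return worst


def rate(count):
    """Map a group size onto the bands given in para 2."""
    if count < UNACCEPTABLE_BELOW:
        return "unacceptably high"
    if count >= PROBABLY_OK_FROM:
        return "probably acceptably low"
    return "judgement required"


def generalise(record, as_of):
    """Para 4: age rather than date of birth, postal zone rather than postcode."""
    dob = record["date_of_birth"]
    had_birthday = (as_of.month, as_of.day) >= (dob.month, dob.day)
    return {
        "age": as_of.year - dob.year - (0 if had_birthday else 1),
        "sex": record["sex"],
        # Assumption: "postal zone" is the part of the postcode before the space.
        "postal_zone": record["postcode"].split()[0],
        "occupation": record["occupation"],
    }


def build_sample():
    """Constructed data: 2 zones x 2 sexes x 2 occupations x 2 birth years,
    five people in each cell, every one with a distinct birthday and postcode."""
    cells = product(("BT98", "BT99"), "FM", ("Nurse", "Teacher"), (1950, 1960))
    return [
        {"date_of_birth": date(year, 1 + j, 10 + j), "sex": sex,
         "postcode": f"{zone} {j + 1}AA", "occupation": occupation}
        for zone, sex, occupation, year in cells
        for j in range(5)
    ]


# Constructed outlier: an unusual occupation, as in para 1(b) and the para 2 example.
OUTLIER = {"date_of_birth": date(1950, 3, 12), "sex": "M",
           "postcode": "BT99 3ZZ", "occupation": "Minister of Religion"}
AS_OF = date(1999, 6, 30)


if __name__ == "__main__":
    raw = build_sample()
    coarse = [generalise(r, AS_OF) for r in raw]
    with_outlier = coarse + [generalise(OUTLIER, AS_OF)]
    for label, records, fields in (("raw", raw, RAW_FIELDS),
                                   ("generalised", coarse, COARSE_FIELDS),
                                   ("generalised + outlier", with_outlier, COARSE_FIELDS)):
        count, combo, values = worst_group(records, fields)
        print(f"{label}: smallest group {count} on {combo} = {values} -> {rate(count)}")
```

On the constructed data, generalising lifts the smallest group from 1 to 5, which still calls for judgement, and a single record with a rare occupation brings it back to 1. The reported combination shows which item would need coarsening or removal.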