GUIDANCE FOR THE HPSS


The ease with which personal information can be passed within the HPSS - often by
computer - is an undoubted benefit for patients and clients and for those involved in their care
and treatment. But all those concerned need to be aware that there is a legal duty to protect
the confidentiality of patient and client information.

The Charter for Patients and Clients underlines the rights which people have to privacy, and
confirms that information about them will be treated as confidential. The guidance in this
document acknowledges that staff must have strictly controlled access to patient and client
information, anonymised wherever possible.

In clarifying how and when personal information may be shared this guidance identifies the
need to make patients and clients aware of the ways in which their information might be
used. It emphasises the use wherever possible of anonymised information, and it confirms
that a duty of confidentiality applies to everyone working for or with the HPSS.

                                       PAUL SIMPSON
                                        Chief Executive




1     Introduction

      1.5    Purpose of the guidance

2     General Principles

      2.2    EU Directive on data protection
      2.8    Patient and Client Information
      2.9    The relationship with patients and clients
      2.10   When information may be passed on

3     Keeping patients and clients informed

      3.1    Providing advice on how patient and client information is used
      3.7    Patients' and clients' right of access to their own records

4     Safeguarding information required for HPSS and related purposes

      4.1    Who has a duty of confidence?
      4.2    Data Protection Act 1998
      4.3    Caldicott Report 1997
      4.4    Responsibility for passing on information
      4.6    Types of information
      4.7    Anonymised non-identifiable information
      4.9    Aggregated non-identifiable information
      4.11   If confidence is breached
      4.13   Patients and clients unable to give consent
      4.14   Children and young people
      4.16   Security measures
      4.18   Patients and clients who are offenders
      4.19   Patients and clients receiving social security benefits
      4.20   Protecting public health
      4.21   Teaching and research
      4.23   Particular restrictions on passing on information

5     Passing on information for other purposes or as a legal requirement

      5.1    Relatives, friends and carers
      5.2    Statutory requirements
      5.4    Litigation
      5.6    Release of information to protect the public
      5.8    Tackling serious crime
      5.10   Press and broadcasting

6     Implementation and Personal Data Confidentiality Group


A     Data Protection Act
B     The Caldicott Report
C     Passing on information in connection with serious crime
D     Personal Data Confidentiality Group


A     Specimen notice for patients and clients
B     Guidance on the transfer of information by HPSS staff to RUC
C     Guidance on approving use of patient-identifiable data

                                        CHAPTER 1


1.1   This guidance is based on:

      i. patients' and clients' expectation that information about them will be treated as
         confidential; and

      ii. the importance of making patients and clients fully aware that HPSS staff and
         sometimes staff of other agencies need to have strictly controlled access to such
         information, anonymised wherever possible (see paragraphs 1.3 and 4.4).

1.2   It is in everyone's interests that the HPSS functions efficiently and effectively and
      makes best use of the resources available to it. To that end personal information about
      patients and clients is not only essential for the prime task of delivering personal care
      and treatment. It is necessary for a number of other purposes:

      i. assuring and improving the quality of care and treatment (eg through clinical

      ii. monitoring and protecting public health;

      iii. coordinating HPSS care with that of other agencies (eg voluntary and
         independent services);

      iv. effective health and social care administration, in particular:

         -   managing and planning services;

         -   contracting for HPSS services, including the payment of staff, independent
             contractors and health and social service units for services and the authorisation
             of extra-contractual referrals;

         -   auditing HPSS accounts (including fraud investigation/detection and the work
             of external auditors appointed by HPSS Health Service Audit) and accounting
             for HPSS performance;
         -   risk management (eg health and safety);

         -   investigating complaints and notified or potential legal claims;

      v. teaching;

      vi. statistical analysis and medical or health and social services research to support
         (i)-(v) above.

1.3    As a consequence, patient and client information will be seen and used by a
       number of HPSS professional and administrative staff, as well as staff of other agencies
       contributing to a patient's or client's care. Most patients and clients would be unlikely to
       trust staff with detailed information about themselves and their clinical condition or
       social circumstances if they thought this might be passed on to others without proper
       controls. It is therefore a central tenet of the HPSS that "everyone working for the
       HPSS is under a legal duty to keep your records confidential". In addition the
       present guidance makes clear that personal information should be anonymised wherever

1.4    Previous guidance was issued under the same title “Protection and Use of
       Patient and Client Information” in April 1997. Although the basic principles have not
       changed, there have been a number of developments since then, eg Data Protection Act
       (1998) and the Caldicott Report, which warrant amendment to the guidance. Future
       amendments will be issued as necessary.

Purpose of the guidance

1.5    This guidance sets out:

       -   the basic principles governing the use of patient and client information
           (chapter 2);

       -   informing patients and clients why information is needed, how it is used and
           their own rights of access to it (chapter 3);

       -   safeguarding information required for HPSS and related purposes (chapter 4);

       -   the circumstances in which information may be passed on for other
           purposes or as a legal requirement (chapter 5).

1.6   It also contains appendices and annexes addressing specific issues in more

1.7   The guidance is intended to support existing professional standards.

                                         CHAPTER 2

                                  GENERAL PRINCIPLES

2.1    In general - and in all walks of life - any personal information given or received
       in confidence for one purpose may not be used for a different purpose or passed to
       anyone else without the consent of the provider of the information. This duty of
       confidence is long-established at common law, but with proper safeguards, need not be
       construed so rigidly that, when applied to the HPSS or related services, there is a risk of
       its operating to a patient's or client's disadvantage or that of the public generally.
       Indeed, as a number of inquiry reports have shown, the prompt flow of accurate
       information in sensitive areas such as mental health and child care can often be for the
       benefit and safety of all concerned.

EU Directive on Data Protection

2.2    The Directive on Data Protection, adopted by the Council of the European Union in
       October 1995, has implications for personal information generally, not only that relating
       to health and social services. Member states were required to give effect to its
       provisions by 24 October 1998, and the Data Protection Act 1998 formally took effect
       on that date, although full implementation of the act will be undertaken over a number
       of years.

2.3   One of the Directive's main purposes is to safeguard "the fundamental rights of
      individuals". As with our existing domestic law, the Directive:

      -   establishes a set of principles with which users of personal information must
          comply (eg fair and lawful "processing" of information; information to be collected
          and processed only for specific purposes; information to be accurate and up to date,
          and retained in a form which identifies the subject only for as long as is necessary
          for the purpose);

      -   gives individuals the right to gain access to information held about them; and

      -   provides for a supervisory authority to oversee and enforce the law.

      The Directive also:

      i. permits the processing of health information where this is required "for the
            purposes of preventive medicine, medical diagnosis, the provision of care or
            treatment or the management of health care services, and where those data are
            processed by a health professional subject under national law or rules established by
            national competent bodies to the obligation of professional secrecy or by another
            person also subject to an equivalent obligation of secrecy" (Article 8, paragraph 3);

      ii. requires information to be provided to those whose personal information is

      iii. applies both to computerised and manual records, and to some existing records
            as well as those made after implementation.

2.4   Under the Data Protection Act 1984, personal information held on a registered
      computer system was placed under specific safeguards. The Data Protection Act 1998,
      which now replaces the 1984 Act, extends that protection to personal information held
      in manual filing systems and to any information to which subject access is guaranteed
      by statute (see paragraph 4.2). Records held in even a loosely structured form will come
      under the Act, if they make the data subject identifiable. This places obligations on
      those who record or use information, while at the same time giving specified rights to
      people about whom information is held. The Computer Misuse Act 1990 provides
          criminal sanctions against unauthorised access ("hacking") or damage to computerised

2.5       In addition health professionals have ethical duties of confidence.

2.6       In recent times, the security of personal health information stored and
          transmitted electronically has been a major issue of concern between the NHS
          Executive in England and the clinical professions (particularly the BMA). To address
          this issue, a committee was established under Dame Fiona Caldicott to review patient
          identifiable information. The Caldicott report, published in 1997, made a series of
          recommendations concerning confidentiality. These recommendations do not in
          themselves have any direct legal or ethical status, but they have to be given appropriate
          consideration as specific means to achieve the objective of confidentiality.

2.7       Table 2.1, at the end of this chapter, is drawn out of the Data Protection
          Principles and the General Principles of the Caldicott Report. It sets out some general
          overarching principles that should inform any policies and procedures in the area of

Patient and Client information

2.8       In this guidance the term, "patient or client information", applies to all personal
          information about members of the public held in whatever form by or for HPSS bodies
          or staff. As well as obvious material such as medical records, it includes personal "non-
          health" information (eg a patient's or client's name and address or details of his or her
          financial or domestic circumstances). In most instances such information will have been
          provided by the patient or client or added by HPSS staff, but sometimes a relative or
          other person will be the source.

The relationship with patients and clients

2.9       It is neither practicable nor necessary to seek a patient's or client's (or other
          informant's) specific consent each time information needs to be passed on for a particular
          purpose. The public expects the HPSS, often in conjunction with other agencies, to respond
          effectively to its needs; it can do so only if it has the necessary information. Therefore, an
          essential feature of the relationship between patients and clients and the HPSS is the
          need for patients and clients to be fully informed of the uses to which information
          about them may be put: see chapter 3 and paragraph 4.4.

When information may be passed on

2.10   In summary, information may be passed to someone else:

       -   with the patient's or client's consent for a particular purpose; or

       -   on a "need to know" basis if the following circumstances apply:

           i. for HPSS purposes (including where services are either provided under
              contract to the HPSS or are being planned or provided with other agencies):

              a. the recipient needs the information because he or she is or may be
                 concerned with the patient's or client's care and treatment (or that of
                 another patient or client whose health may be affected by the condition of
                 the original patient, such as a blood or organ donor); or

              b. the use of the information can be justified for the sort of wider purposes
                 described at paragraph 1.2; or

           ii. the information is required by statute or court order; or

           iii. passing on the information can be justified for other reasons, usually for
              the protection of the public: see chapter 5.

The following ten basic principles (derived from the Data Protection Act (DPA) Principles and
the Caldicott Report (CR) Principles) should inform the establishment of procedures and
protocols. The origins of these principles (not always in identical form) are shown.

1. Personal data should not be collected or used unless there is some justification
   both legally and practically for doing so [DPA 1, CR 1].

2. Personal data should be used in a manner compatible with the reason(s) for which
   they were collected [DPA 2, CR 2].

3. Personal data should be adequate, relevant and not excessive in relation to the
   reason(s) for which they are collected or used [DPA 3, CR 3].

4. Personal data should be accurate and, where necessary, kept up to date [DPA 4].

5. Personal data should not be kept for longer than is necessary for the reason(s) for
   which they were collected [DPA 5].

6. Personal data should be used in a way compatible with the data subject’s legal rights
   [DPA 6].

7. Personal data should be protected by appropriate security measures [DPA 7, CR 4].

8. Personal data should not be transferred to places where they will not receive an
   adequate level of protection [DPA 8].

9. Personal data should be handled only by staff who are aware of their responsibilities
   in this area [CR 5].

10. Personal data should be handled in a way that is based on understanding of and
    compliance with the law [CR 6].

                                       CHAPTER 3


Providing advice on how patient and client information is used

3.1    All HPSS organisations and individual contractors employed by the HPSS must
       have an active policy for informing patients and clients of the kind of purposes for
       which information about them is collected and the categories of people or
       organisations to which information may need to be passed. Where other bodies are
       providing services for or in conjunction with the HPSS, those concerned must be aware
       of each other's information policies.

3.2   How best to inform patients and clients is primarily for local decision, taking account of
      views expressed by health and social services councils, local patient groups, staff, and
      agencies with which the HPSS body is in close contact. GPs, as major gatekeepers to
      the HPSS, should give special consideration to this issue. However, those concerned
      should bear in mind that:

      i. patients and clients should be told how information would be used before they are
         asked to provide it and must have the opportunity to discuss any aspects that are
         special to their treatment or circumstances;

      ii. advice must be presented in a convenient form and be available both for general
         purposes and before a particular programme of care or treatment begins.

3.3   Methods of providing advice include:

      -   leaflets enclosed with patients' and clients' appointment letters or provided when
          prescriptions are dispensed;

      -   GP practice leaflets and/or notification on initial registration with a GP;

      -   routinely providing patients and clients with necessary information as a part of care

      -   identifying someone to provide further information if patients and clients want it.

3.4   There must be arrangements for people who have restricted vision or reading skills.

3.5   Notices in waiting areas, newsletters, and other publicity materials can help to reinforce
      the general approach, but are insufficient on their own.

3.6   A specimen notice for patients and clients is at Annex A. This may be adapted to
      local circumstances, though the core messages it contains are standard across the HPSS
      and must always be identified. Patients registering with a GP should be made aware
      that certain basic personal information will be kept on a central register.

Patients' and clients' right of access to their own records

3.7    Subject to certain safeguards, patients and clients may at present see their own manual
       health records made after 30 May 1994 and earlier records if they are necessary to
       understand the later ones (Access to Health Records (Northern Ireland) Order 1993:
       see HPSS ME document, Access to Health Records (Northern Ireland) Order 1993: A
       Guide for the Health Service). The time limitation will be removed by the
       implementation of the Data Protection Act (1998). There is also a right of access to
       social work records. Patients do not have to give reasons for seeking access to their

       i. until the implementation of the Data Protection Act, although there is no general
           statutory right to see manual records made before 30 May 1994, access should be
           given whenever possible, subject to the judgment of the health or social care
           professionals responsible for the patient's or client's care and safeguards for other
           people who may have provided information about the patient or client;

       ii. there is specific guidance on access to records made at any time sought in
           connection with legal proceedings: see paragraph 5.5;

       iii. there are also rights of access under:

           a. the Data Protection Act 1998 which, with some exemptions, entitles
               individuals to a copy of information held about them (whether manual or

           b. the Access to Personal Files and Medical Reports (Northern Ireland) Order
               1991 which concerns manual records held by the Northern Ireland Housing
               Executive and Health and Social Services Boards for the purposes of these
               housing and social services functions. The Order also applies to medical reports
               sought by employers or insurance companies.

                                         CHAPTER 4


Who has a duty of confidence?

4.1    The duty of confidence derives from the personal nature of the information recorded. It
       is unaffected by questions of who owns or holds particular records. Consequently, the
       following all have responsibilities for protecting information:

       i. all HPSS bodies and those carrying out functions on behalf of the HPSS have a
          common law duty of confidence to patients and clients and a duty to support
          professional ethical standards of confidentiality;

       ii. everyone working for or with the HPSS who records, handles, stores or otherwise
          comes across information has a personal common law duty of confidence to patients
          and clients and to his or her employer. This applies equally to those, such as
          students or trainees, on temporary placements;

       iii. health professionals have, by virtue of professional regulation, an ethical duty of
          confidence which, when considering whether information should be passed on,
          includes paying special regard to the health needs of the patient and to his or her

       iv. other individuals and agencies to whom information is passed legitimately may
          use it only as authorised for specific purposes and possibly subject to particular

Data Protection Act 1998

4.2    All "personal data" (including patient and client information) relating to living
       individuals that are held on a computer system or a manual filing system or to
       which data subjects are given access under statute are subject to the Data
       Protection Act 1998. The Act is underpinned by the eight principles at Annex A.
       HPSS bodies that hold personal information must notify the Data Protection
       Commissioner of the general purposes for which they process it. It is a criminal offence
       to process data in breach of the data protection principles of the Act.

Caldicott Report 1997

4.3    The Caldicott Committee was established by the NHS in England, to review all patient-
       identifiable information which passes from NHS organisations to other NHS or non-
       NHS bodies for purposes other than direct care, medical research or where there is a
       statutory requirement for information. It reported in December 1997, putting forward
       a number of recommendations. These are not directly binding on the HPSS, as the
       Caldicott Committee did not take into account the specific circumstances of Northern
       Ireland. Nonetheless, the principles laid down by the Committee should certainly be
       applied in Northern Ireland, as should the non-specific recommendations, since these
       align very closely with best practice. The specific recommendations may require some
       modification, in light of NI circumstances or the English response, but provision
       should be made to give appropriate consideration to these recommendations. It may
       be helpful to consult the Personal Data Confidentiality Group (see paragraph 4.8) on
       the point.

Responsibility for passing on information

4.4    HPSS bodies (and others performing HPSS functions) are accountable for their
       decisions to pass on information. Such decisions should usually be taken by the
       health or social care professional responsible for a patient's or client's care and
       treatment or on the advice of a nominated senior professional within that body.
       Only the minimum identifiable information should be used: see paragraphs 4.7 and 4.9.

4.5    If a patient or client wants information withheld from someone who might otherwise
       have received it in connection with his or her care or treatment, the patient or client
       should be informed of any health or social care implications or of other relevant factors
       (eg the importance for the patient of the long-term record held by the GP). The patient's
       or client's wishes should be respected unless, as, for example, at paragraphs 5.2-9, there
       are overriding considerations to the contrary. The reason for not passing on information
       must be noted.

Types of information

4.6   There are four generic types of information which can refer to an individual:

      a) Direct identifiers. These are items from which an individual can be identified
          without further work eg name, address;

      b) Indirect identifiers. These are items which do not normally identify the
          individual without use of some kind of reference database eg UPCI, telephone

      c) Identifiable. Many items can permit precise or approximate identification of an
          individual, particularly when taken in conjunction with other information that may
          be available eg occupation, religion, postcode;

      d) Non-identifiable. Items from which no identification of an individual is
          possible. The boundary between identifiable and non-identifiable items is
          particularly fuzzy, since much depends on the other information that is available to
          someone attempting identification.

Anonymised non-identifiable information

4.7   Where anonymised information would be sufficient for a particular purpose, direct
      patient identifiers should be omitted wherever possible, and this is a major theme of the
      Caldicott Report. In that event, all reasonable steps must be taken to ensure that the
      recipient is unable to trace the patient's or client's identity. However, the fact that
      information has been anonymised does not of itself remove the duty of confidence. It
      may still be passed on only for a justifiable purpose. The removal of personal details
      may in any case be insufficient to protect a patient's or client's identity: for example, in
      some instances where the information relates to rare conditions, other characteristics or
      maybe to particular units or areas of the country. Those with control of the information
      must make a judgement, taking into account clinical and other relevant considerations,
      about the risk that the anonymised data could be “re-personalised” by reference to
      identifiable information, whether contained within the dataset itself or brought from
      outside. Where there is no reasonable likelihood of anonymised material being re-
      personalised, it should no longer be regarded as personal and identifiable "patient or
       client information". In these circumstances, provided that patients and clients in
       general are made aware that anonymised personal information may be used to
       prepare statistics to support the sort of purposes at paragraph 1.2, the anonymised
       information may be used or passed on for those purposes. The Data Protection Act does
       not apply to data so anonymised.

4.8    It is recognised that those who have to make such a judgement may well find difficulty
       in assessing the wide range of factors which will impact on it. A Personal Data
       Confidentiality Group has been established to assist staff with this issue, and its
       secretariat will be available to give advice (see Chapter 6 and Appendix D).

Aggregated non-identifiable information

4.9    Making available aggregated information about performance and activity in the
       HPSS is an important aspect of accountability and a means of fostering public
       awareness of how taxpayers’ money is spent and the range of services provided.
       Aggregated information is also vital for much research and development (see paragraph
       4.21) and for certain pharmaceutical and other health-related purposes. However,
       aggregating selective information about a small number of patients or clients may not
       always safeguard confidence adequately. Those with control of the information must
       make a judgement, taking into account clinical and other relevant considerations, as to
       the point at which aggregated material on its own cannot be regarded as personal and
       identifiable “patient or client information”. In these circumstances, provided that
       patients and clients in general are made aware that personal information may be
       used to prepare statistics to support the sort of purposes at paragraph 1.2, the
       aggregated information may be used or passed on for those purposes.

4.10   As noted under 4.8, there may be difficulty in assessing all the relevant factors.
       The Personal Data Confidentiality Group has been established to assist HPSS staff.

If confidence is breached

4.11   The unauthorised passing on of patient or client information by any member of staff or
       person in contract with the HPSS is a serious matter, always warranting consideration
       of disciplinary action and possibly risking legal action by others. In addition health
       professionals may be subject to action by their regulatory bodies. In their own
       interests and those of patients and clients, all staff must be made aware of the
       possibly severe consequences of breaching patient and client confidence. HPSS
       bodies are strongly advised to include a duty of confidence requirement in
       employment contracts or other documents setting out terms and conditions. Staff
       should be assured that this is not intended to detract from the general climate of
       openness in the HPSS and that, subject to their duty of confidence to patients and
       clients, they have both rights and responsibilities to raise concerns about health care

4.12   Patients and clients who feel that confidence has been breached may want to use the
       HPSS complaints procedures. They have a right under the HPSS Complaints
       Procedures to be told how to complain or how to make comments or suggestions. There
       is a statutory right to complain to the Data Protection Commissioner (see DPR leaflet,
       Your Complaint: What happens when you complain to the Data Protection Registrar),
       as well as rights to take action for compensation if the individual has suffered damage
       and to correct or erase inaccurate personal data, or to have their challenge to the
       accuracy of personal data recorded, if the data controller does not accept the
       correctness of the challenge.

Patients and Clients unable to give consent

4.13   As the law stands, nobody is empowered to give consent on behalf of an adult.
       However, if a patient or client is unconscious or unable due to his or her mental or
       physical condition to give informed consent or to communicate a decision, decisions to
       pass on information will in practice usually be taken by the health or social care
       professionals concerned, taking into account the patient's or client's best interests and,
       as necessary, the views of partners, relatives or carers. Such circumstances will usually
       arise when a patient or client has been unable to give informed consent to treatment or
       care. An earlier refusal to particular information being passed on, given while a patient
       or client had the capacity to decide, should, unless there are overriding considerations to
       the contrary, be regarded as decisive in circumstances similar to those envisaged by the
       patient or client.

Children and young people

4.14   Young people aged 16 or 17 are regarded as adults for purposes of consent to
       treatment and are therefore entitled to the same duty of confidence as adults. Children
       under 16 who have the capacity and understanding to take decisions about their own
       treatment are entitled also to decide whether personal information may be passed on
       and generally to have their confidence respected (eg they may be receiving treatment or
       counselling about which they do not wish their parents to know). Where a child aged
       under 16 does not have the necessary capacity or understanding, decisions to pass on
       personal information may be taken by a person with parental responsibility in
       consultation with the health or social care professionals involved.

4.15   In child protection cases the overriding principle is to secure the best interests of the
       child. Therefore, if a health or social care professional (or other member of staff) has
       of abuse or neglect it may be necessary to share this with others on a strictly controlled
       basis so that decisions relating to the child's welfare can be taken in the light of all
       relevant information.

Security measures

4.16   Ensuring the security and accuracy of patient and client information is a responsibility
       of management and staff at all levels: see Directorate of Information Systems
       document Statement of HPSS IT Security Policy. In addition:

       i. arrangements for the storage and disposal of all patient information (both
          manually recorded and computer based) must protect confidentiality;

       ii. under the Data Protection Act appropriate security measures must be in place
          to protect computerised information, manual filing systems and records to
          which the subject has access under other statutes: see Strategy and Intelligence
          Group Manual, Introduction of Data Protection in the HPSS;

       iii. care should be taken to ensure that unintentional breaches of confidence do
          not occur: for example, by not leaving files, fax machines or computer terminals
          unattended, double-checking to avoid transmitting information to the wrong person,
          not allowing sensitive conversations to be overheard, and guarding against people
          seeking information by deception (the Personal Data Confidentiality Group will
          provide guidance on appropriate measures as required);

       iv. where a non-HPSS agency or individual is contracted to carry out HPSS
          functions, the contract must draw attention to obligations on confidentiality
          and require that patient and client information is:

          a. treated and stored according to specified security standards; and

          b. used only for purposes consistent with the terms of the contract.

          Action in the event of confidence being breached (eg termination of contract)
          should be specified.

4.17   There are stipulated periods for which personal health and social services records
       should be retained before being considered for destruction. A minimum of eight years
       is the general rule for hospital and community health services, but there are exceptions:
       maternity records should be retained for at least 25 years, those relating to patients
       under 18 at least until their 25th birthday (or 26th if a record was made when they were
       17), and some mental health records for 20 years after care or treatment has ended. EC
       guidance is that patient records used in connection with clinical trials should be kept for
       at least 15 years. GP records should be retained for a minimum of ten years, and for
       longer if the record falls within one of the exceptions described above. Records relating
       to the Children Order should be held for at least 75 years (15 years from the date of
       death in the case of a child who dies before the age of 18 years).

Patients and clients who are offenders

4.18   The prison medical service, the probation service, police and other criminal justice
       agencies may be involved in the assessment and care (or continuing care following
       discharge from hospital or release from prison) of patients or clients who have
       committed offences or have otherwise been involved with those agencies. This often
       applies to mentally disordered offenders and others with similar needs, including
       people seen by HPSS or multi-agency assessment teams before or as a result of a court
       appearance. There should be agreed liaison arrangements which:

       i. enable the passage of essential information between agencies that patients and
           clients know are contributing to their care and support;

       ii. can handle sensitively the passing on of information that (as described in chapter 5)
           may be required by court order or can be justified to protect the public;

       iii. ensure that information passed on is used only for an authorised purpose;

Patients receiving social security benefits

4.19   When clients register a claim with the Social Security Agency (SSA), they agree that
       the SSA may obtain information about hospitalisation or treatment which is relevant to
       the client's benefit entitlement. Hospitals can therefore supply such information that is
       necessary on receipt of a request from the Social Security Agency.

Protecting public health

4.20   The surveillance of communicable diseases is essential to maintain high levels of
       disease prevention, to detect outbreaks and to inform and evaluate immunisation and
       other policies. This is dependent on the flow of information on a "need to know" basis
       between health professionals, microbiologists, Consultants in Communicable Disease
       Control (CCDCs), the Public Health Laboratory Service and Environmental Health
       Officers. The Public Health Act (NI) 1967, makes provision for the notification and
       prevention of certain infectious diseases.

Teaching and research

4.21   Advice to patients and clients about the use of personal information must emphasise:

       i. the importance of teaching and research to the maintenance and improvement of
           care within the HPSS, inter-agency care and public health generally;

       ii. that such information, anonymised or aggregated wherever possible, may
           sometimes be used for teaching and research (and that universities or other bodies
           carrying out approved research are required to treat it in confidence and must not
           use it for other purposes);

       iii. that their specific consent will be sought to any activity relating to teaching or
           research that would involve them personally;

       iv. that any published research findings will not identify them without their specific

4.22   Arrangements for securing ethical approval to research proposals involving patients and
       clients or access to their records will be covered in new guidance on Research Ethics
       Committees which is currently being prepared by the Department.

Particular restrictions on passing on information

4.23   HPSS bodies or those carrying out HPSS functions must not allow personal details of
       patients or clients (most obviously names and addresses or the medical condition of
       named individuals) to be passed on or sold for fundraising or commercial marketing

4.24   There are some statutory restrictions on the disclosure of information relating to
       assisted conception. Regulations have also being developed to bring Northern Ireland
       into line with statutory restrictions in England and Wales relating to disclosure of
       information on sexually transmitted diseases.

                                         CHAPTER 5

Relatives, friends and carers

5.1    The Charter for Patients and Clients states that "your relatives and friends are entitled
       to be informed [about your progress] subject of course to your own wishes". It is
       important to ensure that the wishes of the patient or client about this are established at first
       contact. With the patient's or client's consent, the significant role of carers may need to
       be recognised in the type of information provided: for example, on discharge from
       hospital and to make arrangements for continuing care.

Statutory requirements

5.2    In certain instances an HPSS body or member of staff may have a statutory
       responsibility to pass on patient or client information. If so, prior consultation with the
       patient or client is not required. However, if the health or social care professionals
       responsible for his or her care are not those required to pass on the information, the
       former should usually be consulted as to whether the facts do indeed mean that
       disclosure is necessary. If in doubt, legal advice should be sought. The patient or client
       and relevant health professional should be informed as soon as possible that information
       has been passed on, and a note made in the patient's or client's record.

5.3    The majority of statutory requirements concern forms of notification: for example, of
       births and deaths, communicable disease (see paragraph 4.20), substance misuse and
       serious accidents. There are also certain obligations to pass on information under the
       Mental Health (Northern Ireland) Order 1986.


5.4    The High Court has statutory powers to order:

       i. the disclosure of documents before and during proceedings for personal injury or
       ii. the production of information to an applicant and his or her legal, medical and
           professional advisers.

       Such orders should specify clearly what information is required and by whom. If any
       aspect is unclear, clarification and/or legal advice should be sought without delay. The
       health and social care professionals responsible for a patient's or client's care and
       treatment should be consulted about the disclosure in case of a risk to the patient's or
       client's (or someone else's) health or well-being. If there is a risk, legal advice should be
       sought on the possibility of seeking an amendment to the order. Where an order
       requires information about a patient or client who has not instigated a court action, that
       patient or client should be notified immediately in case he or she wishes to consider an

5.5    It is well-established practice that, at the patient's or client's request, information
       relevant to legal proceedings may be released, usually to the patient's or client's legal,
       medical or social work adviser. The information should also be passed to lawyers acting
       for the HPSS body concerned where the action involves the health board, Trust or a
       member of staff. Where health or social care matters arise the relevant professional (if
       he or she is not the patient's or client's medical or social work adviser) should be
       informed and, if necessary, given the opportunity to comment. If the patient or client
       agrees, information may also be released to a third party involved in proceedings.

Release of information to protect the public

5.6    It may sometimes be justifiable to pass on patient or client information without consent
       or statutory authority. Disclosures for the "discovery of iniquity" are traditionally cited.
       Most commonly these involve the prevention and detection of serious crime, but can
       extend to other dangers to the general public, such as a public health risk or risk of
       violence, where, as already noted, essential information may need to be shared with
       other agencies.

5.7    Each case must be considered on its merits, the main criterion being whether the release
       of information to protect the public should prevail over the duty of confidence to the
       patient or client. The possible consequences for the patient or client must be considered
       whatever the outcome. Decisions will sometimes be finely balanced and may concern
       matters on which HPSS staff find it difficult to make a judgement. Therefore it may be
       necessary to seek legal or other specialist advice or to await or seek a court order. It is
       important not to equate "the public interest" with what may be "of interest" to the

Tackling serious crime

5.8    Passing on information to help tackle serious crime (see examples at Appendix C) may
       be justified if the following conditions are satisfied:

       i. without disclosure, the task of preventing, detecting or prosecuting the crime would
           be seriously prejudiced, delayed or obstructed;

       ii. information is limited to what is strictly relevant to a specific investigation or other
           crimes which may have been uncovered in the course of the investigation;

       iii. there are satisfactory undertakings that the information will not be passed on or used
           for any purpose other than the present investigation or other crimes which may have
           been uncovered in the course of the investigation.

5.9    Requests for information relating to a number of patients or clients in order to identify
       one or more of them are likely to be justified only if there is a very strong public interest.

Press and broadcasting

5.10   The maintenance of good relations with the press and broadcasting organisations is
       important. HPSS bodies should ensure that someone with suitable experience and level
       of responsibility is available or contactable at all times to answer enquiries.

5.11   In law the same general rules apply to the passing of personal information to the media
       as in other circumstances. The patient's or client's consent must therefore be obtained if
       he or she is capable of taking a decision. This applies whether or not the patient or
       client is a celebrity or public figure.

5.12   Where the patient or client is unable to take a decision, the provision of basic
       information may sometimes be judged to be in his or her best interests (eg by correcting
       misleading or damaging speculation). Where possible, relatives should be consulted,
       having regard, of course, to their own feelings and possible distress. For example,
       where knowledge of the names and addresses of accident victims has become public,
       the practice in most hospitals is to confirm the presence of a patient unless the patient or
       relatives have requested no publicity. In all such circumstances, the HPSS body must
       be prepared to justify a decision to release information, which should usually be
       confined to a brief indication of progress in terms authorised by the relevant

5.13   If a patient or client or former patient or client has invited the media to report his or her
       treatment, the HPSS body may comment in public, but should confine itself to factual
       information or the correction of any misleading assertions or published comment. The
       duty of confidence to the patient or client still applies. If in doubt, legal advice should
       be sought.

                                        CHAPTER 6


6.1   The establishment and implementation of a single coherent policy on the confidentiality
      of patient and client information poses considerable problems, since it extends to every
      aspect of the work of HPSS. With the implementation of the Data Protection Act 1998,
      with its extended definition of personal data and explicit legal requirements,
      confidentiality can no longer be regarded as the special concern of one group of staff, be
      it medical (driving the Caldicott review) or IT (implementing the Data Protection Act

6.2   There are a number of major issues to be addressed, and these are highlighted in the
      following table:

                                  Justification   Subject   Data       Transfer of Data to
                                  for holding     Consent   Security   HPSS      Others

Data Protection (Appendix A)           *             *         *        *          *
(Appendix B)                           *                       *        *          *
Serious Crime (Appendix C)                                                         *
Obtaining Consent (Annex A)                          *
Information Transfer to RUC
  (Annex B)                                                                        *
Using Patient-Identifiable Data
  (Annex C)                            *                       *        *          *

6.3   A Personal Data Confidentiality Group has been established. Information and
      Research Policy Branch will provide a secretariat for the Group (for details, see
      Appendix D) and can be consulted by those wishing to obtain advice and detailed
      guidance. Where it becomes clear that some issue is causing general difficulty for the
      HPSS, the Branch will be responsible for initiating discussion by the Group, involving
      HPSS organisations both jointly and separately as appropriate, and disseminating
      agreed detailed guidance. It will be available to answer queries from HPSS staff as
      these arise, and it is hoped to develop a body of “case law” and agreed policy.

6.4   HPSS bodies should give consideration, in consultation with the Personal Data
      Confidentiality Group, to a range of issues:

      a) Appointment of data guardians. Each HPSS body should appoint a data
            guardian to take responsibility for the development and implementation of
            organisational policies, in the light of this guidance. The Caldicott Report suggests
            that a senior health professional be appointed to this role, but subsequent work in
            the NHS has moved towards the view that someone in senior management is
            equally acceptable. Given the social work dimension of the HPSS, the case for this
            alternative approach is even stronger in the NI context.

      b) Establishment of confidentiality policies. These should carry forward, within
            the context of the body, the major themes of this guidance, eg consent, disclosure,
            transfer of data, security, Data Protection Act and Caldicott Report.

      c) Appointment of data scrutineers. In order to ensure that the issues raised by
            this guidance and subsequently established policies are addressed at an appropriate
            level throughout the organisation, appropriately placed and qualified staff should be
            appointed in all parts of the organisation to take responsibility for implementation
            of organisational policies.

      d) Training. The organisation should ensure that all staff handling personal data
            are aware of the general principles governing such data (see Table 2.1). In addition,
            data guardians and scrutineers should receive the specific training necessary to
            carry out their roles.

                                         Appendix A

This Appendix is intended to give an overview of the impact of the Data Protection Act
1998. It states the basic principles, before looking at definitions, security, exemptions and
implementation. It should be used as a general reference document for any officer handling

                                DATA PROTECTION ACT 1998


A.1      The eight data protection principles set out in the Data Protection Act 1998 are as

1. Personal data shall be processed fairly and lawfully, and in particular, shall not be
processed unless-

      a) at least one of the conditions in Schedule 2 is met, and
      b) in the case of sensitive personal data, at least one of the conditions in
           Schedule 3 is met.

2. Personal data shall be obtained only for one or more specified and lawful
      purposes, and shall not be further processed in a manner incompatible with that
      purpose or these purposes

3. Personal data shall be adequate, relevant and not excessive in relation to the
      purpose or purposes for which they are processed

4. Personal data shall be accurate and where necessary, kept up to date

5. Personal data processed for any purpose or purposes shall not be kept for longer
      than is necessary for that purpose or purposes

6. Personal data shall be processed in accordance with the rights of data subjects
      under the Act

7. Appropriate technical and organisational measures shall be taken against
      unauthorised or unlawful processing of personal data and against accidental loss of or
      destruction of, or damage to personal data

8. Personal data shall not be transferred to a country or territory outside the
      European Economic Area unless that country or territory ensures an adequate level of
      protection for the rights and freedoms of data subjects in relation to the processing of
      personal data

A.2      Schedules 2 and 3 (mentioned in Principle 1) are attached as Table 1, showing the
grounds which can be used to justify processing. Health and social services data are
sensitive data, and consequently require grounds drawn from both schedules to justify
processing. In legal terms, if data subject consent, explicit or otherwise, (item 1 on each
schedule) is lacking, then performance of functions under enactment, or of government
functions (item 5 on Schedule 2, item 7 on Schedule 3) or performance of a medical
function (item 8 on Schedule 3) would suffice.


B.1      Data is information held on a computer or information held on a filing system or
information to which people have access under other legislation

B.2      Personal data are data which relate to a living individual who can be identified
-     from these data or
-     from these data and other information in the possession of the data controller or
      likely to come into the possession of the data controller

           There is a distinction between a certain identification (“This record relates to
           X”) based on information likely to come into the possession of the data
           controller and a likely identification (“I think this record probably relates to X”)
           based on information certain to come into the possession of the data controller.
           Strictly speaking, the legal definition relates to the first category. Given that the
           impact on the individual is very much the same, and there is no difference in the
           methods used to assess the likelihoods involved, HPSS staff should adhere to the
           spirit of the law and protect against both categories of identification.


C.1       It has been recognised by the Data Protection Commissioner that “personal data”
is not something that is rigidly defined. One data controller might be unable to identify
individuals from an information set, whilst the same information in the hands of
another data controller could be quite likely to lead to identification ie the information is
not personal data whilst it remains in the hands of the first controller, but becomes
personal data when transferred to the second.

C.2       A data set including name and address, or similar, is plainly personal data. A data
set including UPCI number is personal data if the data controller has access to the UPCI
system, but not otherwise, unless the other data in the set indicate a different conclusion.

C.3       Items of data other than name and address and UPCI are in themselves
anonymous, but they may permit re-personalisation of the data set to which they belong.
Taken in conjunction with other information in the data set, or information otherwise
available to the data controller, they may allow identification of individuals thereby
converting an anonymous data set into personal data.

C.4    The legislation imposes a test of likelihood on such re-personalisation. Given
sufficient additional information, individuals in any anonymous data set can be identified,
but is it likely that such a situation will happen? It is probable that no definition of the
key term “likely” can be forthcoming from the Data Protection Commissioner in advance
of decisions by the courts.

C.5    The intention of the data controller has a bearing on likelihood. An anonymised
data set held by an HPSS body is much less likely to be subjected to attempts at re-
personalisation than the same data set in the hands of an investigative journalist, hence
(all else being equal) less likely to be re-personalised.


D.1    Data Protection Principle 7 requires appropriate security measures for personal
data. Again, there is no definition of the key term, “appropriate”.

D.2    To treat all data on living individuals as personal data if identification is
theoretically possible effectively means treating all individual data as personal. This is
contrary to the plain meaning of the Act, and such over-classification tends to produce a
degradation of security for truly sensitive data.

D.3    HPSS should proceed on the assumption that an appropriate level of security is
one that takes some account of the level of probability that identification will be possible
eg if the data is currently personal data, a higher level of security is appropriate than if it
is currently anonymised data with a small risk of re-personalisation.

D.4     The level of security should also take account of the level of damage or distress
that might reasonably be expected to be caused to the data subject if disclosure were to
occur. For example, whilst the fact of a medical consultation and the outcome of that
consultation are both confidential, disclosure of the latter is likely, in general, to be more
harmful than disclosure of the former and the level of security applied to appointment
lists and to medical files should reflect that consideration.


E.1     Exemptions from the provisions of specific principles and provisions may apply.
In particular:

1.      Personal data processed for the prevention or detection of crime or the
        apprehension or prosecution of offenders are exempt from subject access and
        from the requirements of the first principle (other than the justification for holding
        data at all)

2.      Data held in connection with health and social work may be exempted
        from subject information access provisions by order of the Secretary of State.

3.      The use of data for research (including historical and statistical purposes)
        is not legally incompatible with the purposes specified at collection (whatever
        they may have been), and data held for such purposes may be held indefinitely.
        There is no automatic right of subject access to such data and the data can be
        passed to other persons for research purposes.

F.1     The Data Protection Act (1998) mostly imposes general rather than specific
requirements. A partial exception is the requirement to notify the Data Protection
Commissioner of data held. The detail required in this notification (one only per
organisation) has yet to be determined but will certainly be less than required under the
1984 Act. All organisations will need to arrange for notification to occur as current
registrations expire.

F.2     As regards the rest of the Act, it will be necessary to ensure staff are aware of
their responsibilities under the legislation and that they are able either to meet those
responsibilities themselves or to seek out expert help in order to do so. Given the wide
scope of the Act, compared to the 1984 Act, it seems unlikely that implementation
responsibility can be placed solely in the hands of staff who have substantial personal



1. Consent of data subject
2. Establishment or performance of contract to which data subject is a party
3. Compliance with legal obligation of data controller (other than contractual)
4. Protection of vital interests of data subject
5. Administration of justice, exercise of functions under enactment, exercise of
   government function, exercise of public function
6. For purposes of legitimate interests of data controller or third party, save where
   this is prejudicial to the interests of the data subject


1. Explicit consent of data subject
2. Exercising or performing rights and obligations of data controller conferred or
   imposed by law in connection with employment
3. Protection of vital interests of data subject or third party in situations where there
   are difficulties in obtaining consent
4. Performed by non-profit making political or religious body in connection with its
   own members and contacts
5. Data made public by data subject
6. In connection with legal action
7. Administration of justice, exercise of functions under enactment, exercise of
   government function.
8. Processing for medical purposes** carried out by a health professional or a
   person with an equivalent duty of confidentiality
9. Racial and ethnic monitoring
10. Specific order by Secretary of State

* This includes information on the health and on the religion of the data subject.
** This includes preventative medicine, medical diagnosis, medical research, provision
of care and treatment and the management of healthcare services.

                                        Appendix B

This Appendix sets out the terms of reference and findings of the Caldicott Committee,
linking these to Data Protection Principles. It also addresses implementation issues. The
document should be used by officers responsible for ensuring that Caldicott
recommendations are implemented.

                              THE CALDICOTT REPORT

A.     TERMS OF REFERENCE FOR CALDICOTT

To review all patient-identifiable information which passes from NHS organisations to
other NHS or non-NHS bodies for purposes other than direct care, medical research or
where there is a statutory requirement for information.

The Committee will consider each flow of patient-identifiable information and will
advise the NHS Executive:-

whether patient-identification is justified by the purpose;

whether action to minimise risks of breach of confidentiality is desirable eg reduction,
  elimination, or separate storage of information

B.       CALDICOTT GENERAL PRINCIPLES (related to Data Protection

B.1      The Caldicott committee established the following principles, shown with the
     relevant Data Protection Principle:

1. Justify the purpose(s) for holding patient-identifiable data [2]

2. Don’t use patient-identifiable information unless it is absolutely necessary [3]

3. Use the minimum necessary patient-identifiable information [3]

4. Access to patient-identifiable information should be on a strict need-to-know basis [7]

5. Everyone with access to patient-identifiable information should be aware of their
     responsibilities [All]

6. Understand and comply with the law [All]

Reference in [ ] denotes relevant Data Protection Principles

(Related to Data Protection Principles)

C.1      The Caldicott Committee put forward the following recommendations, which
have been grouped under broad headings, with the relevant Data Protection Principle
1.       Every dataflow, current or proposed, should be tested against basic principles of
         good practice. Continuing flows should be re-tested regularly [All]
10.      Where particularly sensitive information is transferred, privacy enhancing
         technologies (eg encrypting identifiers of “patient identifying information”) must
         be explored [7]
11.      Those involved in developing health information systems should ensure that best
         practice principles are incorporated during design stage. [All]
12.      Where practicable, the internal structure and administration of databases holding
         patient identifiable information should reflect the principles developed in this
         report. [All]

Persons and protocols
2. A programme of work should be established to reinforce awareness of confidentiality
     and information security requirements amongst all staff within the NHS. [7]
3. A senior person, preferably a health professional, should be nominated in each health
     organisation to act as a guardian, responsible for safeguarding the confidentiality of
     patient information. [7]
4. Clear guidance should be provided for those individuals/bodies responsible for
     approving uses of patient-identifiable information. [All]
5. Protocols should be developed to protect the exchange of patient-identifiable
     information between NHS and non-NHS bodies. [7]
6. The identity of those responsible for monitoring the sharing and transfer of information
     within agreed local protocols should be clearly communicated. [All]
7. An accreditation system which recognises those organisations following good practice
     with respect to confidentiality should be considered.
9. Strict protocols should define who is authorised to gain access to patient identity where
     the NHS number or other coded identifier is used. [7]
8. The new NHS number* should replace patient identifiable data, as soon as practically
  possible, in every data flow where there is a need to distinguish between individuals
  but where there is no immediate corresponding need to identify those individuals.
  Continued use of additional patient identifiable data items for other purposes must be
  robustly justified [3, 7]

13. The NHS number* should replace the patient’s name on Items of Service Claims
  made by General Practitioners as soon as practically possible. [7]
14. The design of new systems for the transfer of prescription data should incorporate the
  principles developed in this report. [3, 7]
15. Future negotiations on pay and conditions for General Practitioners should, where
  possible, avoid systems of payment which require patient identifying details to be
  transferred. [3, 7]
16. Consideration should be given to procedures for General Practice claims and
  payments which do not require patient-identifying information to be transferred, which
  can then be piloted. [3, 7]

Reference in [ ] denotes relevant Data Protection Principles
* UPCI in Northern Ireland

C.2    The relationship between data protection principles and Caldicott principles and
recommendations is summarised in Table 1. This shows that the majority of Caldicott
measures should be regarded as falling under:

a) personal data should be adequate, relevant and not excessive (Principle 3)
b) personal data should be subject to appropriate security measures (Principle 7)

D.1    It should be noted that the Caldicott recommendations divide between general
principles and specific projects. Some of the latter may not lie within the control of a
local HPSS unit (eg implementation of UPCI [Northern Ireland equivalent of NHS
number]), or may not be considered appropriate. In particular, it is now recognised in
England that the data guardian need not necessarily be a medical professional, and given
the personal social services dimension of the HPSS, that conclusion is particularly strong
for Northern Ireland.

D.2    The general principles are however applicable, and can be regarded for the most
part as data protection. Annex C gives an indication of how the use of patient-identifiable
data should be assessed.
Table 1 RELATIONSHIP OF DATA PROTECTION AND

Reference to          By 6 Caldicott        By 16 Caldicott               By
Data Protection       Principles            Recommendations               Caldicott
Principle No

       1                     -                     -                             -
       2                     1                     -                             1
       3                     2                     4                             6
       4                     -                     -                             -
       5                     -                     -                             -
       6                     -                     -                             -
       7                     1                     10                            11
       8                     8                          -                 -
       All                   2                     4                             6
       None                  -                     1                             1

The emphasis in the Caldicott principles and recommendations leans heavily towards
Data Principles 3 and 7 (or else recommends compliance with all Principles). These two
principles are:

     personal data should be adequate, relevant and not excessive;
     personal data should be subject to appropriate security measures

With the exception of recommendation 7 (accreditation of organisations following good
practice with regard to confidentiality), no Caldicott recommendation can be regarded as
falling outside Data Protection, and even recommendation 7 is intended as an incentive to
meet Data Protection Principle 7.
                                        Appendix C

                                (see paragraph 5.8 and Annex B)

This Appendix addresses the definition of serious crime. It should be used by those officers
becoming aware of crime in the course of their duties, or considering requests from the
RUC for information.

Passing on information to help prevent, detect or prosecute serious crime may sometimes
be justified to protect the public. There is no absolute definition of "serious" crime, but The
Police and Criminal Evidence (NI) Order 1989 identifies some "serious arrestable
offences". These include:






       offences under prevention of terrorism legislation (disclosures now covered by the
       Prevention of Terrorism Act 1989)
       making a threat which if carried out would be likely to lead to:

       ·   serious threat to the security of the state or to public order

       ·   serious interference with the administration of justice or with the investigation
           of an offence

       ·   death or serious injury

       ·   substantial financial gain or serious financial loss to any person.

In addition other offences may be regarded as serious crime depending on the
circumstances and consequences (eg grievous bodily harm, taking and driving away,
robbery and theft). This will be the case where acts are committed which are likely to lead

       ·   serious threat to the security of the state or to public order

       ·   serious interference with the administration of justice or with the investigation
           of an offence

       ·   death or serious injury

       ·   substantial financial gain or serious financial loss to any person.

In other cases, it may be as well to seek legal advice before taking a decision to release
                                          Appendix D


1. The area of data confidentiality is complex, taking account of a wide range of ethics,
   legislation and practice. There are implications for virtually all areas of HPSS work, and
   it is not possible to give precise guidance. Many of the terms used have no exact
   definition, and are unlikely to have any until case law develops. Furthermore, the data
   handled is very variable and guidance that might be appropriate in one context would
   not necessarily be so in another context.

2. Accordingly, a Personal Data Confidentiality Group has been established. Its
   function is:

              a) to disseminate information to HPSS on developments in the area of data
              b) to develop specific guidance for the HPSS, as the need arises; and
              c) to advise the HPSS on risk assessment in connection with disclosure.

3. The membership of the Group will consist of:

        DHSS                     2 members
        Boards and Trusts        6 members
        CSA                      1 member
        Primary Care             1 member

        Drawn from Statistician, Information, IT, professional and administrative staff

    The secretariat of the Group will be provided by the Information and Research Policy
    Branch, which will be available to assist with queries.
    Information and Research Policy Branch
    Annexe 2
    Castle Buildings
    BT4 3UD

Telephone: 01232- 522684
                                          Annex A


We ask you for information about yourself so that you can receive proper care and

We keep this information, together with details of your care, because it may be needed if
we see you again.

We may use some of this information for other reasons: for example, to help us protect
public health generally and to see that the HPSS runs efficiently, plans for the future, trains
its staff, pays its bills and can account for its actions. Information may also be needed to
help carry out medical or other health and social services research for the benefit of

Sometimes the law requires us to pass on information: for example, to notify a birth.
The HPSS Central Health Index contains basic personal details of all patients registered
with a practitioner. The Register contains demographic rather than clinical information.

                     You have a right of access to your health records.


You may be receiving care from other people as well as the HPSS. So that we can all
work together for your benefit we may need to share some information about you.

We only ever use or pass on information about you if people have a genuine need for
it in your and everyone's interests. Whenever we can we shall remove details which
identify you. The sharing of some types of very sensitive personal information is
strictly controlled by law.

Anyone who receives information from us is also under a legal duty to keep it
confidential.

       giving you health care, treatment and social care

       looking after the health and social welfare of the general public

       managing and planning the HPSS. For example:

          making sure that our services can meet patient and client needs in the future

          paying your doctor, nurse, dentist, or other staff, and the hospital which treats
           you for the care they provide

          auditing accounts, detecting and investigating fraud

          preparing statistics on HPSS performance and activity (where steps will be
           taken to ensure you cannot be identified)

          investigating complaints or legal claims

       helping staff to review the care they provide to make sure it is of the highest

       training and educating staff (but you can choose whether or not to be involved
        research (If anything to do with the research would involve you personally,
        you will be contacted to see if you are willing to take part. You will not be
        identified in any published results without your agreement.)

If you agree your relatives, friends and carers will be kept up to date with the
progress of your treatment.

If at any time you would like to know more about how we use your information you can
speak to the person in charge of your care or to ........
                                        Annex B

This Annex sets out the issues governing the transfer of information to the RUC. It should
be used by those officers becoming aware of crime in the course of their duties, or
considering requests from the RUC for information.


1. It must be emphasised that this guidance cannot be definitive, and is not intended
   to set down procedures. There is a need to balance the general duty of confidentiality
   to patients against the public interest in the detection and prosecution of crime. For
   more serious crimes, the public interest argument becomes more weighty, but the
   balance between the two can only be assessed in the light of the facts relating to the
   crime, the patient and other relevant circumstances. These are immensely varied and
   to set down rigid or simplistic procedures could be misleading. It is necessary for
   those involved to use their judgement in individual situations, taking account of
   general principles and, if necessary, seeking legal advice.

2. This guidance should be read in conjunction with “The Protection and Use of
   Patient and Client Information”, as reissued in June 1999, to which it is attached as an
   annex. Although the issue of transfer of information to the RUC is most likely to arise
   in the context of Ambulance Services, of Hospital Accident and Emergency Units,
   and of Social Services, it could arise in any situation within the HPSS where patient
   or client information is held.

3. Certain items of legislation (including the Prevention of Terrorism Act, Road
   Traffic Order, Police and Criminal Evidence Order (NI), Criminal Law (NI) Act) may
   impose a duty on HPSS staff to volunteer information, where they have reason to
   suppose that an offence has been committed. Whilst the RUC have no legal powers to
   require the information, there is a legal duty to supply the information in certain

4. Some specific circumstances may have been the subject of detailed consideration
   by a professional body, so that a more specific code of practice has been developed.
   Where some such code of practice, protocol arrangement or memorandum of
   understanding is in place relating to particular types of situation, that code, protocol
   or memorandum should take precedence over the guidance put forward here.

5. There is no limitation on the kind of information that may be transferred to the
   RUC, subject to the provision of paragraph 5.8 ii of “The Protection and Use of
   Patient and Client Information” that it must be strictly relevant to a specific
   investigation or to other crimes which may be uncovered in the course of the
   investigation. The issue of relevance must be judged on the facts of individual

6. It might be difficult to justify the provision of information on an individual where
   neither RUC nor HPSS staff have some reason to believe that a particular individual
   (as opposed to someone who falls in a general category) may be involved in a crime.
   Provision of information on a group of individuals defined on some sort of general
   basis (eg attendance at A&E on a particular night) would mean that information was
   being given on individuals who were not involved in a crime.

7. Where a patient or client consents to information being passed to the RUC,
   confidentiality no longer applies (an approach to a patient or client for consent should
   be agreed with the RUC first, to avoid prejudice either to the interests of the
   patient/client or to the investigations of the RUC). Information that does not relate to
   an identifiable patient or client (eg ambulance service records of conversations with
   third parties) may not be protected by confidentiality at all.
8. The attached matrix of responses (Table 1) gives some indication of the sort of
   responses which may be considered appropriate. They are phrased in a somewhat
   tentative manner, to reflect the fact that definitive guidance cannot be given. Some
   guidance on the difference between serious and non-serious offences is given in
   Appendix C of “The Protection and Use of Patient and Client Information”. The
   presumption is that HPSS staff will not normally even consider passing information
   to the RUC in connection with non-serious offences unless the individual concerned
   is very clearly and specifically identified (ie by name or unmistakeable description)
   and the RUC have made a formal request.

9. A blanket exclusion on passing information relating to non-serious offences is
   however not suggested since there may be instances where the balance of public
   interest shifts eg under the Sex Offenders Act 1997, it is an offence for a sex offender
   to fail to register with the police. Although this offence is not in itself a serious crime,
   the associated circumstances could justify a hospital in passing on relevant
   information. A more widely occurring issue is investigation of non-serious crime
   which directly involves the HPSS. For example, it would probably not be desirable
   for a patient who commits an assault on HPSS staff (a crime which is not defined as
   “serious”) to avoid police investigation on the grounds of confidentiality. Similarly,
   it could be considered inequitable if confidentiality considerations were to protect one
   group of people using HPSS property from investigation, but not other groups. As in
   all cases, those involved must exercise their judgement as the circumstances suggest,
   seeking legal advice as necessary.

10. The guidance has been discussed with the RUC, who consider it acceptable from
   their point of view.

11. Further guidance may be issued as relevant issues arise. Feedback on the
   operation of this guidance should be addressed to the Information and Research
   Policy Branch of the Information and Analysis Unit.
                                      RUC seek information on a person about whom
                                      they know:

                                          Name       Description    Fact of       Nothing
Concerning a serious offence
      HPSS staff
      know patient involved in an             Y            Y            ++            +
      suspect patient involved in             Y            Y            ++            +
      have no knowledge that patient          Y            Y             N            N
      involved in offence

Concerning a non-serious offence
      HPSS staff
      know patient involved in an            ++            +             -            --
      suspect patient involved in            ++            +             -            --
      have no knowledge that patient         ++            +             N            N
      involved in offence


Y       Almost certainly pass information to RUC
++      Very probably pass information to RUC
+       Probably pass information to RUC
-       Probably do not pass information to RUC, except by consent or on court order
--      Very probably do not pass information to RUC, except by consent or on court
N       Almost certainly do not pass information to RUC, except by consent or on court

Y, ++, and + denote situations where it may be appropriate to pass information to the
        RUC. In the specific circumstances of the situation, a contrary view may be
N, --, and - denote situations where it may be appropriate not to pass information to the
        RUC. In the specific circumstances of the situation, a contrary view may be
1. The column headings should be interpreted as follows:

 “Name” - a specific request for information on a named individual
 “Description” - a specific request for information on a specific unnamed individual,
   described in sufficient detail to permit identification
 “Fact of Existence” - a specific request for information on an unnamed and undescribed
   individual who was or may have been involved in specific circumstances.
  “Nothing” - HPSS staff become aware of a situation about which RUC have made no
   specific request. This includes all generic requests from the RUC for information.

2. The term “involved” covers victims, suspects and witnesses.

3. For guidance on serious offences, see Appendix C of “The Protection and Use of
   Patient and Client Information”.
                                        Annex C

This Annex provides some guidance for those officers charged with responsibility for
approving data access requests, or for ensuring that current data transfers comply with the
Caldicott recommendations. It should be used as a reference document.


1. The Caldicott Report on the Review of Patient-Identifiable Information recommends
  that clear guidance be provided for those individuals/bodies responsible for approving
  uses of patient-identifiable information (Recommendation 4). This guidance is
  intended to meet that requirement. It sets out general rather than detailed guidance,
  based on general principles.

2. The intent of the recommendation is that the confidentiality of information on
  individuals should be enhanced by ensuring that information which could be used to
  identify an individual should not be linked to other information on that individual
  without reason, and that where such linkage does occur, appropriate procedures are in
  place to handle the data. There are three types of information which can be used to
  identify individuals and these require somewhat different handling, as outlined below
  and in Schedule A of this Annex.

3. In all health and personal social services (HPSS) organisations, the data guardian (see
  Caldicott recommendation 3), or an authorised representative of the data guardian,
  should be responsible for granting approval for use of personal-identifiable data. All
  existing datasets (see Schedule A for definition) and all plans for the formation of new
  datasets (including data transfers) are subject to such approval before personal-
  identifiable data may be used. In order to establish the need for such approval, the data
  guardian in person or a representative authorised by the data guardian should act as a
  scrutineer for the dataset in question. The scrutineer should assess the status of the
  dataset, placing it in one of the four following categories as most appropriate (See
  Schedule A for definitions of categories):

     A. Direct Patient/Client Identifier Dataset (see 4 below)
     B. General Patient/Client Identifiable Dataset (see 7 below)
     C. Indirect Patient/Client Identifier Dataset (see 5 below)
     D. Non-Identifying Dataset (see 6 below)

Identifier and Non-Identifying Datasets

4. Direct Patient/Client Identifier Datasets. Direct patient/client identifiers (such as name)
  should not be included in any dataset unless a robust case can be made for their
  retention on operational grounds. This case should not be made on an organisation-
  wide basis - the fact that Clinical Records have a clear operational requirement for
  inclusion of name and address does not imply that Finance also have a clear
  requirement for this information. If a case cannot be made, the items in question
  should be removed as soon as practical, and the dataset then reassessed. Where there is
  a robust operational case for retention, the scrutineer should ensure, before giving
  approval for use, that procedures are in place to ensure that the dataset is accessible
  only to authorised users, with appropriate security arrangements and training to ensure
  the maintenance of confidentiality. These procedures should also address the issues of
  onward data transfer and dataset formation (see paragraphs 13 and 14). In assessing
  what is appropriate, the scrutineer should take account of relevant legislative
  requirements, existing protocols, and the sensitivity of the information concerned. For
  example, a record holding a name, a date and a clinical code should be used only with
  good reason. If the clinical condition were one such as AIDS, the reason would have to
  be very strong, and the security very tight.

  If the scrutineer is not satisfied on these points, approval for use should be withheld.
5. Indirect Patient/Client Identifier Datasets. These can be approved for use with no
  procedures in place beyond normal operating procedures, but by definition, there is an
  implication of access to some direct patient identifier dataset, and proper
  procedures should be in place to govern access to that dataset (Caldicott
  Recommendation 9). For example, a record containing a UPCI Number, a date and a
  clinical code could be used freely, but access to the UPCI system would have to be
  sufficiently secure to prevent the curious from looking up the name of the subject on
  that system.

  The scrutineer should be satisfied that a proper scrutiny of access to the relevant
  direct patient/client identifier dataset has been carried out by an appropriate
  scrutineer, before giving approval for use of the indirect patient/client identifier data.

6. Non-Identifying Datasets. These should be approved for use, with no procedures in
  place beyond normal operating procedures eg a record showing a date and a clinical
  code could be used, without restriction.

  The scrutineer should give approval for use of the data
General Patient/Client Identifiable Datasets

7. The presence of direct and indirect patient/client identifiers is easily established.
  Unfortunately, assessment of general patient/client identifiable data is much less
  clear-cut. Any information held on a dataset carries some risk that, given sufficient
  supplementary information, the dataset user will be able to identify a patient/client.
  This supplementary information might be drawn from the same dataset, another
  dataset, public knowledge or personal knowledge. Identification can occur even when
  the dataset relates to aggregated individuals.

8. On the other hand, it is plainly impractical to withhold approval for use, or to impose
  special procedures on the production, holding and transfer of all information, on the
  remote chance that some convergence of theoretical circumstances might result in an
  individual being identified. Rather, it is necessary to form an assessment of the risk
  that such an occurrence might happen, and whether such a risk is acceptable (see
  Schedule B of this Annex).

9. If, in the opinion of the scrutineer, the risk is unacceptably high, then the dataset
  should be treated for approval purposes as if it were a direct patient/client identifier
  dataset. If the risk is not unacceptably high, then the dataset should be treated for
  approval purposes as an indirect patient/client identifier dataset or a non-identifying
  dataset, as appropriate.

  The scrutineer should assign general patient-identifiable datasets to one of the other
  three categories of dataset on the basis of risk, and then assess the case for approval
  on the basis of the guidance relevant to that type of dataset

11. The scrutineer should be prepared to suggest ways to reduce the risk of identification
  to acceptable levels, thereby allowing less onerous handling procedures.
12. This is an area where HPSS organisations are not expected to develop expertise. The
  Personal Data Confidentiality Group should be consulted when difficulties arise (see
  Appendix D of “The Protection and Use of Patient and Client Information”).

Creation and transfers of datasets

13. Care is needed in approving the creation of new datasets through the matching of
  extracts from existing datasets. Two datasets which separately have acceptable levels
  of identification risk may have an unacceptable level when they are combined. This is
  particularly the case where matching is done on the basis of a unique coded identifier
  such as UPCI Number. Because such matches are precise and certain, the new dataset
  is similarly precise and certain.

14. Where datasets are formed for the purpose of transfer of information, the scrutineer
  should be satisfied that:

   a) there are sufficient grounds for transfer
   b) the recipients have in place adequate procedures and safeguards appropriate to the
     nature of the dataset. These should include

     i) a procedure to ensure that any subsequent recipients of the data through onward
         transfer also have in place adequate procedures and safeguards (including this
         safeguard). In many instances, it may be appropriate to meet this requirement
         through a simple prohibition on any onward transfer of data by the recipient.
     ii) adequate procedures and safeguards for the creation of new datasets through
         matching with the transferred dataset.

15. Unless there is evidence from past experience that a recipient organisation is failing
to implement procedures that are in themselves adequate, the scrutineer should accept the
existence of adequate procedures and safeguards in the recipient organisation, without
further inquiry into their operation. The implementation or otherwise of those procedures
is the responsibility of the recipient organisation.
                          Schedule A


Data Guardian   A senior person appointed to take responsibility for
                safeguarding confidentiality of dataflows. Normally a senior
                health or other professional, or closely supported by such a
                person (see Caldicott Recommendation 3).

Dataset         A dataset, for the purposes of this guidance, is an ordered
                structure of information relating to one or more individuals.
                If there is no ordered structure in the information held (eg a
                file of letters each containing different sorts of information),
                the same principles of confidentiality apply, but there is no
                basis for assessing the appropriate treatment for the
                information as a whole. It should be noted that:

                  a) A dataset may be held as manual or computer records.
                  b) Information derived from the aggregation of
                      information on individuals can also form a dataset.
                  c) An extract of information from a dataset will itself be a

                Examples include computer databases and sets of pro forma

Dataset Type    There are four different kinds of dataset:

                A. Direct Patient/Client Identifier Dataset. At least one
                item of information is a direct patient identifier.

                B. General Patient/Client Identifiable Dataset. At least
                one item of information is patient-identifiable data and none
                is a direct patient identifier

                C. Indirect Patient/Client Identifier Dataset. At least one
                item of information is an indirect patient identifier, and none
                are direct patient identifiers or general patient-identifiable

                D. Non-Identifying Dataset. There are no items which are
                direct patient identifiers, general patient-identifiable data or
                indirect patient identifiers
Direct patient/client identifier     This allows the dataset user to identify precisely an
                             individual without taking further action. Examples are name
                             and address
General Patient/client identifiable data This affords the opportunity for the dataset
                            user, with some level of probability of success (but not
                            necessarily absolute certainty), to identify an individual
                            through correlation with some other information, whether
                            held on the same dataset, on some other dataset or available
                            otherwise. Examples are age, sex, occupation, locality of

Indirect patient/client identifier This does not itself identify an individual, but does
                             allow the dataset user to identify precisely the individual
                             concerned through access to some other dataset. Examples
                             are National Insurance number, CHI and UPCI Number

Scrutineer                  The data guardian, or an authorised representative of the
                            data guardian, when carrying out an assessment of a dataset,
                            to determine the category to which it most appropriately
                            belongs, or granting approval for its use.

                                         Schedule B


1.   There is no simple way to determine the risk that a patient/client will prove
     identifiable from the information held in the dataset. The risk varies from situation to

     a) A public figure is more likely to be identified than a private person. Information
        on public figures is frequently more widely diffused.
     b) Unusual characteristics or groups of characteristics carry a higher risk of
        identification. A patient with Marfan’s syndrome is more at risk of identification
        than one with angina.
     c) The risk of identification increases with the level of certainty that a given
        individual must be included in the dataset. It is highly likely that an individual
        will feature on some GP list, but by no means so certain that they will appear on
        some hospital record.
     d) The easier it is to identify individuals of given characteristics, the greater
        the risk of identification. The sex of an individual is a less precise, but more
        useful, identifier than blood group.
     e) The larger the number of people falling within any group, however defined, the
        less the risk of identifying a single individual.

2.   A useful line of approach, where sufficient data exist to permit it, is the estimation of
     the number of people who will match a given set of characteristics drawn from the
     dataset eg religion: Church of Ireland, occupation: Minister of Religion, postcode:
     BT99 3ZZ. If the numbers yielded by a quantitative approach are less than 3, the risk
     of identification is certainly unacceptably high; if they approach 100, it is probably
     acceptably low. In many instances, however, the data will not be available for a
     precise approach, and the assessment will be an evaluation or even an opinion.
     Provided that it is recognised and recorded as such, this is acceptable.

3.   The highest risks that can be identified from any group of individuals, defined on the
     basis of three or four data items in combination, should determine the status of the
     dataset. Particularly powerful identifiers are date of birth (age to a lesser extent), sex,
     and locality (postcode in particular). Occupation and religion can also be powerful.

4.   The scrutineer should be prepared to suggest the use of less precise data eg age
     rather than date of birth, postal zone rather than postcode, in order to reduce the risk
     of identification to acceptable levels.

5.   The scrutineer should make the best risk assessment possible under the
     circumstances, given data available at the time. If better information later becomes
     available, it may be appropriate to revise the assessment, but it would not be
     appropriate to criticise the original assessment. A single adverse outcome of
     identification is not in itself sufficient grounds for revising the assessment, since low
     probability events do occur (several adverse outcomes should however be regarded as
     “better information”, and so as grounds for revision).
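
The quantitative approach of paragraphs 2 to 4 can be worked through in code. The following is an added example, not part of the original guidance: it counts how many people match each combination of three or four data items, rates the smallest group found, and shows the effect of substituting less precise data. The population is constructed, and the reference year, the treatment of 100 as a hard cut-off, the reading of "postal zone" as the first half of the postcode, and all function names are assumptions.

```python
from collections import Counter
from itertools import combinations

REFERENCE_YEAR = 2000  # assumption: year used to turn a date of birth into an age

def constructed_population(n=600):
    """Constructed people (not real data); everyone shares postal zone BT99."""
    return [{"dob": f"{1950 + i % 3}-{1 + i % 4:02d}-{1 + i % 25:02d}",
             "sex": "F" if i % 2 else "M",
             "occupation": "Teacher",
             "religion": "Church of Ireland",
             "postcode": f"BT99 {1 + i % 5}ZZ"} for i in range(n)]

def generalise(person):
    """Paragraph 4: age rather than date of birth, postal zone rather than postcode."""
    out = dict(person)
    out["dob"] = f"age {REFERENCE_YEAR - int(person['dob'][:4])}"
    out["postcode"] = person["postcode"].split()[0]  # assumption: zone = first half
    return out

def highest_risk(people, fields):
    """Paragraph 3: smallest group matched by any 3 or 4 items in combination."""
    worst = None
    for size in (3, 4):
        for combo in combinations(fields, size):
            groups = Counter(tuple(p[f] for f in combo) for p in people)
            values, count = min(groups.items(), key=lambda kv: (kv[1], kv[0]))
            if worst is None or count < worst[0]:
                worst = (count, combo, values)
    return worst

def rating(count):
    """Paragraph 2 thresholds; treating 100 as a hard cut-off is an assumption."""
    if count < 3:
        return "unacceptably high"
    if count >= 100:
        return "probably acceptably low"
    return "needs the scrutineer's judgement"

FIELDS = ["dob", "sex", "occupation", "religion", "postcode"]

if __name__ == "__main__":
    raw = constructed_population()
    coarse = [generalise(p) for p in raw]
    minister = dict(coarse[0], occupation="Minister of Religion")
    for label, people in (("raw", raw), ("generalised", coarse),
                          ("generalised + rare occupation", coarse + [minister])):
        count, combo, values = highest_risk(people, FIELDS)
        print(f"{label}: {count} match {dict(zip(combo, values))}: {rating(count)}")
```

The third case shows why the highest risk determines the status of the dataset: one person with an unusual occupation remains in a group of one even after dates of birth and postcodes have been made less precise.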

