Scottish Government Records Management: NHS Code of Practice (Scotland) Version 2.0

Records Management Code of Practice


ANNEX C - LEGAL AND PROFESSIONAL OBLIGATIONS

There is a range of legal and professional obligations that limit, prohibit or set conditions in respect of the management, use and disclosure of information and, similarly, a range of statutes that permit or require information to be used or disclosed. Where necessary, organisations should obtain professional legal advice on the application of these provisions. The key legal and professional obligations covering personal and other information that are described in this Annex are listed below:

Legislation

1. Anti-Terrorism, Crime and Security Act 2001

2. The Abortion (Scotland) Regulations 1991

3. The Access to Health Records Act 1990

4. The Access to Medical Reports Act 1988

5. The Census (Confidentiality) Act 1991

6. The Computer Misuse Act 1990

7. The Consumer Protection Act (CPA) 1987

8. The Control of Substances Hazardous to Health Regulations 2002

9. The Copyright, Designs and Patents Act 1988

10. The Crime and Disorder Act 1998

  • Section 115 relates to the disclosure of information

11. The Data Protection Act (DPA) 1998

  • The Data Protection (Processing of Sensitive Personal Data) Order 2000

12. The Disability Discrimination Act 1995

13. The Electronic Communications Act 2000

14. The Environmental Information (Scotland) Regulations 2004

15. The Freedom of Information (Scotland) Act 2002 (FOISA)

16. The Gender Recognition (Disclosure of Information) (Scotland) Order 2005

17. The Health and Safety at Work Act 1974

18. The Human Fertilisation and Embryology Act 1990, as Amended by the Human Fertilisation and Embryology Act 2008

19. The Human Rights Act 1998

20. The Human Tissue (Scotland) Act 2006 - Part 1 Section 19 and Part 3 (Maintenance of Records and Supply of Information Regarding the Removal and Use of Body Parts) Regulations 2006 (SSI 2006 No. 344)

21. The Local Electoral Administration and Registration Services (Scotland) Act 2006

22. The Mental Health (Care and Treatment) (Scotland) Act 2003

23. The Prescription and Limitation (Scotland) Act 1973

24. The Privacy and Electronic Communications (EC Directive) Regulations 2003

25. Public Health Legislation in Scotland

26. The Public Interest Disclosure Act 1998

27. Public Records (Scotland) Act 1937

28. The Radioactive Substances Act 1993

  • The High-activity Sealed Radioactive Sources and Orphan Sources Regulations

29. The Re-use of Public Sector Information Regulations 2005

Other Obligations

30. Administrative Law

31. The Blood Safety and Quality Regulations 2005

  • Directive 2002/98/EC of the European Parliament and of the Council of 27 January 2003
  • Commission Directive 2005/61/EC of 30 September 2005

32. The Common Law Duty of Confidentiality

33. NHS Scotland Code of Practice on Protecting Patient Confidentiality

34. Directive 2001/83/EC of the European Parliament and of the Council of 6 November 2001 on the Community Code Relating to Medicinal Products for Human Use

Relevant Standards and Guidelines

1. BS ISO 15489-1: Designing and Implementing Records Keeping Systems (DIRKS)

2. BSI PD 0016:2001: Document Scanning. Guide to scanning business documents

3. BSI BIP 0008: Evidential Weight and Legal Admissibility of Information Transferred Electronically

4. BS 4783-8:1994: Storage, Transportation and Maintenance of Media for Use in Data Processing and Information Storage

5. BS 5454:2000: Recommendations for the Storage and Exhibition of Archival Documents

6. BS ISO/IEC 17799:2005, BS ISO/IEC 27001:2005 and BS 7799-2:2005: Information Security Management

7. PD ISO/TR 15489-2:2001: Best Practice in Records Management

8. BS ISO 19005-1:2005: Document Management (PDF/A)

Professional Codes of Conduct and Guidance

35. The General Dental Council, Standards for Dental Professionals (06/05)

36. The General Medical Council: Good Medical Practice (2006)

37. Health Professionals Council: Standards for Conduct, Performance and Ethics (07/08)

38. The code: Standards of conduct, performance and ethics for nurses and midwives NMC (01/08)

39. Nursing and Midwifery Council, Record Keeping Guidance (07/09)

40. Nursing and Midwifery Council: Midwives Rules and Standards (05/04)

41. The Chartered Society of Physiotherapy: Rules of Professional Conduct (2005)

42. The Chartered Society of Physiotherapy: General Principles of Record Keeping and Access to Health Records (2000)

43. Scottish Social Services Council: Codes of Practice for Social Service Workers and Employers (2009)

Legislation

Note: this section contains links to the OPSI website. The OPSI web version of legislation is as originally enacted and does not include subsequent amendments. The links should therefore be treated with caution, and legal advice obtained when necessary.

1. Anti-Terrorism, Crime and Security Act 2001

Schedule 2 (part 3) covers disclosures on personal information in relation to suspected terrorists. See here

2. The Abortion (Scotland) Regulations 1991

The regulations set out the terms on which certificates of opinion must be issued and held by medical practitioners in order to comply with the Abortion Act 1967. The practitioner who carried out the termination must notify the Chief Medical Officer (CMO) of this fact within seven days of the termination. Under the regulations, these certificates must be retained by the practitioner who carried out the termination for a period of at least three years. Find out more here

Records management considerations:

To meet the requirements of these regulations, organisations must ensure that they have processes in place to ensure that certificates are retained in a secure area for at least three years, and that they are confidentially destroyed once they are no longer required.

3. The Access to Health Records Act 1990

Access to the health records of a deceased person is governed by the Access to Health Records Act 1990. It applies only to records created since 1 November 1991.

The Act allows access to:

a) the deceased's personal representatives (executors or administrators), to enable them to carry out their duties; and

b) anyone who has a claim resulting from the death.

However, this is not a general right of access; it is a restricted right, and access may be limited in the following circumstances:

  • if there is evidence that the deceased did not wish for any or part of their information to be disclosed; or
  • if disclosure of the information would cause serious harm to the physical or mental health of any person; or
  • if disclosure would identify a third party (i.e. not the patient nor a healthcare professional) who has not consented to that disclosure.

As with the Data Protection Act, a medical professional may be required to screen the notes before release.

Under the Act, if the record has been updated during the 40 days preceding the access request, access must be given within 21 days of the request. Where all of the information in the record was recorded more than 40 days before the application, access must be given within 40 days; however, as with the Data Protection Act 1998, organisations should endeavour to supply the information within 21 days.

FEE STRUCTURE

The following maximum fees apply:

Record type                              | Record last updated              | Maximum fee
-----------------------------------------|----------------------------------|------------------------------------------------
Viewing (no copy taken)                  | within the last 40 days          | £0
Viewing (no copy taken)                  | more than 40 days ago            | £10
Photocopies of deceased patient records  | all                              | £10 administration fee, plus the cost of making the copies at 10p per sheet, plus postage and packing; not to exceed £50 in total

Health professionals may charge a professional fee, which is not covered by legislation, for the work involved in giving access to the records of deceased patients.

TIMING: The information should be provided once the relevant information, including evidence of identity and the fee, has been received.

PHOTOCOPYING CHARGES: These will be charged at 10p per page of copy.

Records management considerations:

Organisations should have processes that address where and how the records of deceased persons are stored. Secure and environmentally safe storage is vital to ensure that records are maintained in good order and are available if required. It is essential that organisations put in place processes and procedures to enable the efficient and effective retrieval of such records within the timescales specified by the Act.

4. The Access to Medical Reports Act 1988

The aim of the Act is to allow individuals to see medical reports written about them, for employment or insurance purposes, by a doctor they normally see in a 'normal' doctor/patient capacity. This right can be exercised either before or after the report is sent. The chief medical officer of the employer/insurer is the applicant and sends the request for a report to the doctor. The request must be accompanied by the patient's written and signed consent. The patient may view the report by obtaining a photocopy, or by attending the organisation to read the report without taking a copy away. The patient has the right to view the report from the time it is written and has a window (21 days under the Act) to do so before the report is supplied, or may view it after supply for up to six months.

However, in certain circumstances the patient may be prohibited from viewing all or part of the report if:

  • in the opinion of the doctor, viewing the report may cause serious harm to the physical or mental health of the patient; or
  • access to the report would disclose third-party information where that third party has not consented to the disclosure.

The patient retains the right to withdraw consent to the report's preparation and/or supply at any time. Therefore, if the patient is unable to view any of the report due to one of the circumstances listed above, he/she can refuse to allow it to be supplied. If a patient disagrees with the content of the report, he/she has several options. He/she can:

a) refuse to allow its supply;

b) ask the doctor to correct agreed inaccuracies; or

c) have a note added addressing the point(s) of disagreement.

Records management considerations:

It is important that these reports remain accessible to the patient for at least six months after they have been supplied to the employer or insurer. After six months, organisations should consider whether retention is necessary; if they do decide to retain the report, it must be accessible should a subsequent subject access request be made. In some organisations it may be easier to hold the report as part of the health record. However, private medical reports carried out on NHS patients, usually for legal cases, should not be filed in NHS records. Find out more here

5. The Census (Confidentiality) Act 1991

The Act makes it a criminal offence to unlawfully disclose personal census information. If the Registrar General, or any person currently or previously employed by or contracted to supply services to him, discloses such information, they commit an offence. Any person who further discloses information they know to have been acquired by unlawful disclosure also commits an offence.

The defences to a charge of unlawful disclosure are that at the time of the alleged offence the person believed:

  • that he was acting with lawful authority; or
  • that the information in question was not personal census information and that he had no reasonable cause to believe otherwise.

The penalties if convicted are:

  • in the sheriff court, up to twelve months' imprisonment and/or a fine; or
  • in the high court, two years' maximum imprisonment and/or a fine.

Records management considerations:

Any staff that may use census information for their work must be instructed on the lawful way in which they may use it and the processes put in place to ensure that unlawful disclosure does not occur.

6. The Computer Misuse Act 1990

The Act is relevant to electronic records in that it creates three offences relating to unauthorised access to, and unauthorised modification of, computer programs and data.

The offences are:

  • unauthorised access to computer material;
  • unauthorised access with intent to commit or cause commission of further offences;
  • unauthorised modification of computer material.

Securing access to a program or data is defined in the Act as:

  • altering or erasing the program or data;
  • copying or moving it to any storage medium other than that in which it is held, or to a different location in the same medium;
  • using it; or
  • having it output from the computer in which it is held (whether by having it displayed or in any other manner).

Access is unauthorised if the person is not entitled to control access of the kind in question to the program or data, and does not have the consent of a person who is so entitled. The unauthorised access offence is committed if an individual intentionally secures access (or intends to), knowing at the time that the access is unauthorised; a login account or password obtained from a colleague does not make the access authorised if the person who controls the system has not consented to it. The 'further offence' applies if unauthorised access is carried out with intent to commit, or to facilitate the commission of, a further offence. The 'modification' offence applies if an individual does any act that causes an unauthorised modification of the contents of any computer, knowing that the modification is unauthorised, and with the intent to:

  • impair the operation of any computer;
  • prevent or hinder access to any program or data held in any computer; or
  • impair the operation of any such program or the reliability of any such data.

Records management considerations:

It is important that all staff members are aware of and comply with all security measures put in place to protect health records, including not sharing passwords or using another person's account, and not accessing records they have no business need to see. The organisation should have policies and procedures in place to facilitate compliance, alongside disciplinary measures for failure to comply, and should retain system audit trails so that unauthorised access or modification can be identified and evidenced.

See here (section 13 covers proceedings in Scotland)

7. The Consumer Protection Act (CPA) 1987

The Act was modified slightly for Scotland under The Consumer Protection Act 1987 (Product Liability) (Modification) (Scotland) Order 2001.

The Act allows persons who have suffered damage or injury to themselves or to their private property to make a compensation claim against the manufacturer or supplier of a product. The claimant does not need to prove that the manufacturer or supplier was negligent, merely that it was the product that caused the damage. The right of action is extinguished 10 years after the product was put into circulation.

The general limitation period in respect of personal injury actions under the Prescription and Limitation (Scotland) Act 1973 is:

  • three years from the date on which the cause of action accrued - effectively, the date the accident took place; or
  • three years from the date of knowledge that a cause of action had accrued.

When a person dies, the limitation period is:

  • three years from the date of death; or
  • three years from the date when the personal representative had knowledge that a cause of action had accrued - i.e. the date when they realised that someone was potentially liable for the death.

Records management considerations:

The NHS is affected by these provisions and may be liable as a supplier or user of a product. Therefore, it is important that accurate records are maintained for all products that may fall into this category, and retained for at least the 10-year liability period, in order that any claim can be defended.

8. The Control of Substances Hazardous to Health Regulations (COSHH) 2002

The COSHH regulations specify the eight measures that employers must follow to prevent or limit their employees' exposure to hazardous substances.

The measures are:

  • assess the risks;
  • decide what precautions are needed;
  • prevent or adequately control exposure;
  • ensure that control measures are used and maintained;
  • monitor the exposure;
  • carry out appropriate health surveillance;
  • prepare plans and procedures to deal with accidents, incidents and emergencies;
  • ensure employees are properly informed, trained and supervised.

Records management considerations:

The regulations require that organisations retain records of risk assessments, control measures, exposure monitoring and health surveillance. Some of these records must be kept for specified periods; these are detailed in the retention schedules at Annexes D and E.

9. The Copyright, Designs and Patents Act 1988

The Act protects the intellectual property of individuals and requires that permission of the owner of the intellectual property is sought before any use of it is made - this includes storage and display on the NHS net and internet or other electronic information services. Organisation web pages should not contain, or distribute, text or images to which a third party holds an intellectual property right, without the express written permission of the author. The author may have quoted other people's material and if this is the case, such a third party would also need to give permission.

Records management considerations:

Corporate web pages where information is published should be checked for infringement of the Act and/or that necessary permissions or acknowledgements have been given. If there is any doubt, check with your legal advisers.

10. The Crime and Disorder Act 1998

The Act provides for anti-social behaviour orders to be applied for by a police authority or a local authority against an individual aged 10 years and over. Section 115 permits (but does not require) any person to disclose information to a relevant authority, such as the police or a local authority, where the disclosure is necessary or expedient for the purposes of any provision of the Act.

The Anti-Social Behaviour Act 2003 amends the 1998 Act, but only Part 5 (misuse of air weapons) and Part 10 (general provisions) of the 2003 Act extend to Scotland.

Records management considerations:

Any request for disclosure under this Act must be referred to the Caldicott Guardian and possibly the organisation's legal advisors, who should decide whether such disclosure is necessary or proportionate.

See here (Chapter II of Part I and Chapter II of Part IV are specific to Scotland).

11. The Data Protection Act ( DPA) 1998

The Act regulates the processing of personal data, held manually and on computer. It applies to personal information generally, not just to health records, therefore the same principles apply to records of employees held by employers, for example in finance, personnel and occupational health departments.

Personal data is defined as data relating to a living individual that enables him/her to be identified either from that data alone or from that data in conjunction with other information in the data controller's possession. It therefore includes such items of information as an individual's name, address, age, race, religion, gender, and physical, mental or sexual health.

Sensitive Personal data is defined as personal information consisting of information as to:

a) the racial or ethnic origin of the data subject;

b) his political opinions;

c) his religious beliefs or other beliefs of a similar nature;

d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);

e) his physical or mental health or condition;

f) his sexual life;

g) the commission or alleged commission by him of any offence; or

h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

In order to lawfully process sensitive personal data one of 19 conditions must be met. These are set out in schedule 3 of the Data Protection Act and include:

  • explicit consent of the data subject;
  • legal advice and establishing or defending legal rights;
  • religion and health data for equality of treatment monitoring;
  • detection of unlawful activity;
  • records on racial equality.

Processing includes everything done with that information, i.e. holding, obtaining, recording, using, disclosure and sharing it. Using includes disposal, i.e. closure of the record, transfer to an archive or destruction of the record.

The Act contains three key strands. These deal with:

  • notification by a data controller to the Information Commissioner;
  • compliance with the eight data protection principles; and
  • observing the rights of data subjects.

Notification by a data controller

The data controller is the person who determines how and why personal information is processed. In practice, for NHS organisations the Health Board or practice is the data controller. This means that ultimate responsibility for notification will usually rest with the Chief Executive or GP. The action of notification can be delegated to the most appropriate person within the organisation, for example the Head of Information Management, or the Information Governance Lead. Notification is the process of informing the Information Commissioner of the fact that processing of personal data is being carried out within a particular organisation. Its purpose is to achieve openness and transparency - notification entries are placed in a register so that members of the public can check the type of processing being carried out by a particular organisation. The notification process involves completion of a form stating the name of the data controller and detailing the types of processing being carried out.

Notification can be done in one of three ways:

1. By completing the online form here then printing it and posting to the Information Commissioner;

2. By requesting a notification form here

3. By phoning the notification helpline on 01625 545 740

Code of Practice for Archivists and Records Managers under Section 51(4) of the Data Protection Act 1998

The National Archives of the United Kingdom, the Society of Archivists, the Records Management Society and the National Association for Information Management published a 'Code of Practice for Archivists and Records Managers under Section 51(4) of the Data Protection Act 1998' in October 2007. Chapter 3 summarises the particular responsibilities of records managers in relation to personal data.

Compliance with the eight data protection principles

The eight principles advocate fairness and openness in the processing of personal information. The principles state that:

1. personal data shall be processed fairly and lawfully and must be processed in accordance with at least one of the conditions in schedule 2 of the Act. Where the data being processed is sensitive personal information (such as data relating to the physical or mental health of an individual), it must also be processed in accordance with at least one of the conditions in schedule 3 of the Act;

2. personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with those purposes;

3. personal data shall be adequate, relevant and not excessive for its purpose(s);

4. personal data shall be accurate and where necessary kept up to date;

5. personal data shall not be kept for longer than is necessary for its purpose(s);

6. personal data shall be processed in accordance with the rights of data subjects under this Act;

7. appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;

8. personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.

Records management considerations:

Principle 1

The aim of this principle is to ensure that personal data are processed fairly and lawfully and in accordance with a relevant condition from the schedules to the Act.

To meet the fair processing requirement, individuals must be informed of the fact of processing, including what information will be collected, and how it will be held, recorded, used and shared.

The Information Commissioner has issued guidance about the meaning of fair processing which indicates that the processing of personal data for purposes other than those for which the data has been provided may be unfair.

To meet the lawful processing requirement, personal data must be processed in accordance with all relevant laws, that is, other statutes such as Article 8 of the European Convention on Human Rights or the common law, such as the duty of confidence.

Health records contain both personal and sensitive data within the terms of the Act, therefore processing can only be carried out if a condition from both schedules 2 and 3 is met.

The relevant condition to be satisfied for schedule 2 is likely to be one of the following:

  • where the processing is necessary for the exercise of any functions conferred on any person by or under any enactment;
  • where the processing is necessary for the exercise of any other functions of a public nature exercised in the public interest by any person;
  • where the processing is necessary to protect the vital interests of the patient, ie a 'life or death' situation; or
  • with the consent of the patient.

The relevant condition to be satisfied for schedule 3 is likely to be one of the following:

  • for medical purposes by a health professional or by a person who owes the same duty of confidentiality as a health professional;
  • where the processing is necessary to protect the vital interests of the patient or another person, i.e. a 'life or death' situation, where consent cannot be obtained or the data controller cannot reasonably be expected to obtain consent;
  • where the processing is necessary to protect another person, where consent of the patient has been unreasonably withheld; or
  • with the explicit consent of the patient.

Although the Act does not state that explicit consent is required for the processing of health information, compliance with the 'lawful' requirement means that the common law duty of confidence must be taken into account. This duty requires that information given in confidence may not be disclosed without the consent of the giver of that information. Therefore, where health information will be disclosed to someone outside the care team, consent to the processing is necessary - see Common Law Duty of Confidentiality.

Principle 2

This principle requires that personal data is not processed in a way that is incompatible with the purpose for which it was obtained. Organisations need to specify how they process information in their notification to the Information Commissioner. They are then required to ensure that all processing carried out is in accordance with those stated purposes. Patients should be fully informed about the reason that their information is required, ie they are not misled into providing information for purposes of which they have no knowledge. If information is obtained for a specific purpose, it must not be used for anything else unless consent is obtained for further uses of the information. For example, identifiable patient information gathered to provide healthcare cannot be used for research unless patient consent is obtained or the information is anonymised. Similarly, employee information collected to enable salary payment should not be used for purposes unrelated to this, for example marketing of products and services, unless consent is obtained. This principle reinforces the first principle in that it enables patients and the public to find out how a particular organisation states it will use their information.

Principle 3

The aim of this principle is to ensure that organisational records management policies and procedures are in place to support the gathering of relevant, adequate information that is not excessive for its purpose. Organisations should therefore ensure that the information collection procedures in place enable relevant questions to be asked and that training on information collection is made available to all relevant employees. Systems and processes should be designed to ensure only relevant information is captured and processed. The organisation should have procedures in place setting out 'need to know' access controls alongside processes that enable conformance to those controls for each member of staff.

Principle 4

To ensure good data quality, organisations should follow all the procedures and processes described in the Information Quality Assurance requirements of the Information Governance Toolkit here. The requirements describe the procedures and processes that organisations should put in place to ensure that information is accurate and kept up to date.

Principle 5

The organisation should have procedures and processes in place for records appraisal so that records are kept for no longer than necessary for the purpose for which they are processed. However, organisations should ensure that records are retained for the minimum periods specified in this Code.

The organisation should put in place arrangements for the closure and disposal (whether destruction or archiving) of records, and secure procedures to prevent unnecessary copying of information. Section 33 and schedule 8 part IV of the Act specifically provide that personal data can be retained for 30 years (or longer) for historical and research purposes. This is reinforced by the further detail given in the Data Protection (Processing of Sensitive Personal Data) Order 2000. GPs currently have an exemption under the Act from having to delete the records of patients no longer registered. This was negotiated by the Joint GPIT Committee to maintain the integrity of clinical system audit trails, which are not transferable between clinical systems.

Principle 6

See Rights of the Individual (below).

Principle 7

Records storage conditions must provide environmentally safe protection for current and archived records.

Records must be protected by effective information security management, and records management staff should be aware of and comply with the measures put in place. In guidance issued by the Information Commissioner, certified compliance with BS 7799-2:2005 (now published as ISO/IEC 27001:2005; see Relevant Standards and Guidelines above) is cited as one of the obvious ways of demonstrating conformance. Certification shows that a security management system is in place; the measures actually applied to each record store must still be appropriate to the harm that unauthorised or unlawful processing, or accidental loss, destruction or damage, would cause, and to the nature of the data, taking account of the state of technological development and the cost of implementation.

Principle 8

This principle is not infringed if the explicit informed consent of the individual is obtained for the transfer. Where personal data is transferred to a third party outside the EEA (for example a contractor or agency processing records on the organisation's behalf), the organisation must ensure that the contract includes terms obliging the recipient to protect the data to a standard equivalent to that required by the Data Protection Act 1998.

Rights of the individual

The Data Protection Act gives an individual several rights in relation to the information held about him/ her. This includes:

  • The right of individuals to seek access to their records held by the health provider.
  • Access covers the right to obtain a copy of the record in permanent form, unless the supply of a copy would involve disproportionate effort or the individual agrees that his/her access rights can be met some other way, for example by viewing the record.

Access must be given promptly and in any event within 40 days of receipt of the fee and request. If the application does not include sufficient details to identify the person making the request or to locate the information, those details should be sought promptly and the 40-day period begins when the details have been supplied.

Although the DPA states 40 days to comply, the Department of Health (England) has given a commitment that health records requests (especially those for newly compiled records) are dealt with within 21 days unless there are exceptional circumstances. This reflects the time period for compliance in the Access to Health Records Act 1990, which was largely replaced by the Data Protection Act 1998. Whilst requests received in Scotland from data subjects and solicitors in England may refer to the 21-day period, this commitment has never been adopted in Scotland.

If access has been given, there is no obligation to give access again until a reasonable period has elapsed. What is reasonable depends on the nature of the data, the purposes for which it is processed and the frequency with which it has been altered.

The right of access is exercisable by the individual:

  • making a written application to the organisation holding the records;
  • providing such further information as the organisation may require to sufficiently identify the individual; and
  • paying the relevant fee.

The maximum fee for providing the individual with a copy of a computerised record is £10. For health records held partially or entirely on paper, the maximum amount that can be charged is £50.

DEFINITION OF A HEALTH RECORD:

A "health record" is defined as being any record which consists of information relating to the physical or mental health or condition of an individual, and has been made by or on behalf of a health professional in connection with the care of that individual.

A "health record" can be held electronically, on paper or as a mix of both, including X-rays, MRI scans, videos or tape recordings. This means that whenever a subject access request is made, the information contained in such material must be supplied to the applicant within the fee structure described below:

FEE STRUCTURE:

Record Type                       |                        | Max Fee
View Only                         | < 40 days              | £0
View Only                         | > 40 days              | £10
All Electronic                    | All                    | £10
Part Electronic and other media   | Core Notes inc X-Rays  | £50
All paper                         | Core Notes inc X-Rays  | £50

If a patient wishes to view their records and subsequently makes a request for copies, the patient will be charged as per one access request, to a maximum of £50. The fees should be paid in advance. The above are the maximum fees, and cover all costs associated with labour, copying, postage or other forms of delivery.

Value Added Tax ( VAT) should not be charged on the fee charged for responding to a subject access request.

There are two main exemptions from the requirement to provide access to personal data in response to a subject access request. These are:

  • if the record contains third-party information ( i.e. not about the patient or the treating clinician) where that third party is not a healthcare professional and has not consented to their information being disclosed. If possible, the individual should be provided with access to the part of the record that does not contain the third-party identifier;
  • if access to all or part of the record will seriously harm the physical or mental well-being of the individual or any other person. If possible, the individual should be provided with access to that part of the record that does not pose the risk of serious harm.

Records management considerations:

Records management staff members have a key role in ensuring that health records can be located, retrieved and supplied in a timely manner. It is important that document management structures are set up in such a way as to enable them to carry out this role.

NHS Board record keeping policies include processes for ensuring that any changes or revisions made to patients' written notes are reflected in any subsequent records systems, whether manual or electronic. Whenever a change is considered significant, the responsible recipient record holder should be informed so that corrective action can be taken.

The Data Protection (Processing of Sensitive Personal Data) Order 2000

This Order amends the DPA 1998 and provides that sensitive personal data (for example information relating to physical or mental health) may be lawfully processed without explicit consent where there is a substantial public interest in disclosing the data for any of the following purposes:

  • for the detection and prevention of crime;
  • for the protection of members of the public against malpractice, incompetence, mismanagement etc;
  • to publicise the fact of malpractice, incompetence, mismanagement etc, for the protection of the public;
  • to provide confidential counselling and advice where explicit consent cannot be given nor reasonably obtained, or where the processing must be carried out without explicit consent so as not to prejudice that confidential counselling or advice; or
  • to undertake research that does not support measures or decisions with respect to any particular data subject unless the data subject has explicitly consented, and does not cause, nor is likely to cause, substantial damage or substantial distress to the data subject or any other person.

Sensitive personal data may also be lawfully processed where:

  • the information relates to the data subject or to specific relatives of the data subject and the processing is for the purposes of administering defined insurance business or occupational pensions schemes;
  • the processing is carried out by a person authorised under the Registration of Political Parties Act 1998 in the course of their legitimate political business, as long as the processing does not cause, nor is likely to cause, substantial damage or substantial distress to the data subject or any other person; or
  • the processing is necessary for the exercise of any functions conferred on a constable by any rule of law. Find out more here

12. The Disability Discrimination Act 1995

Providers of goods and services must not treat a person with a disability less favourably than a person to whom such a disability does not apply. One practical interpretation is that where, because of a disability, a data subject is unable to complete a written subject access request, their request should be handled in a way that enables them to enjoy their right of subject access in a similar way to those who do not have a disability preventing them from submitting a request in writing. Find out more here

13. The Electronic Communications Act 2000

The purpose of the Act is to increase confidence in electronic transactions by providing:

  • legal admissibility for digital signatures;
  • registration of cryptography services providers; and
  • repeal of and amendments to legislation that places limits on electronic communication and electronic storage of information.

The Act refers to cryptographic service providers who may employ Public Key Infrastructure ( PKI) technology. This technology can be used to limit access to information to those authorised to access it (via a private key), provide a legal basis for the use of digital signatures to verify the identity of the sender and/or to authenticate digital access credentials.

Records management considerations:

Organisations should ensure that electronic information is held and transferred in accordance with the Act and other provisions to ensure that confidential information is accessed only by those with a need to know it in order to carry out their role.

Organisations should be aware of the need to ensure the retention and protection of any cryptographic keys that have been used to protect records, as they may have evidential value over the lifetime of the record. Find out more here

14. The Environmental Information (Scotland) Regulations 2004

The Environmental Information Regulations 2004 came into force on 1 January 2005 and update and extend previous rights to environmental information.

Any request for information held by or on behalf of a public authority is initially treated as a Freedom of Information request. However, section 39 of the Freedom of Information (Scotland) Act 2002 exempts environmental information from being dealt with under freedom of information and provides for it to be dealt with under the Environmental Information (Scotland) Regulations ( EIR) 2004. This means that there may be cases where information is exempt under freedom of information but has to be released under these regulations. (Where there is a conflict between EU regulation and UK legislation, the EU law takes precedence.)

The regulations are very similar to the Freedom of Information (Scotland) Act 2002 and requests for environmental information are dealt with in a similar way to those for other information.

The key differences between EIR and the Freedom of Information Act are:

  • a wider range of organisations are covered by the EIR, including some private organisations;
  • the EIR relates to environmental information only;
  • requests for information do not have to be in writing under the EIR; they can be verbal;
  • EIRs have exceptions rather than exemptions and all of these are subject to the public interest test;
  • the 20-day time period for responding to requests can be extended to 40 days where the request is complex and voluminous and would involve a considerable amount of work;
  • provision for charging of fees is different - there is no upper or lower threshold and authorities can recover, in full, the cost of supplying the information;
  • information relating to emissions has special status and will have to be supplied in most cases.

Find out more here

A comparative guide to dealing with requests under the Freedom of Information (Scotland) Act and the Environmental Information Regulations is available on the Scottish Information Commissioner's website here

Personal information of the applicant continues to be dealt with under data protection.

Records management considerations:

As with the Freedom of Information (Scotland) Act 2002 the organisation needs a robust records management programme. The requirements of the two pieces of legislation are similar so it is advised that organisations deal with requests in a like manner. The main difference is that requests for environmental information need not be in writing.

15. The Freedom of Information (Scotland) Act 2002 ( FOISA)

The FOISA provides the right to access the information that is held by Scottish public authorities and requires a commitment from public authorities to proactively publish information.

For further information, guidance and resources on FOISA see here

The new rights of access in the FOISA signal a new recognition of, and commitment to, the public interest in openness about government. They are additional to other access rights, such as access to personal information under the Data Protection Act 1998, and access to environmental information under the EIR 2004.

The main features of the Act are:

  • a general right of access to recorded information held by public authorities, regardless of the age of the record/document;
  • a duty on every public authority to adopt and maintain a publication scheme, which sets out what information will be made available and how it can be accessed; and
  • the establishment of the Scottish Information Commissioner, whose role is to promote and to enforce FOISA.

Section 61 of the Act places a duty on Scottish Ministers to issue a Code of Practice on records management. Although compliance with the Code is not obligatory, it provides guidance to all public authorities as to the practice which it would, in the opinion of Scottish Ministers, be desirable for them to follow in connection with the discharge of their functions under the FOI(S)A. Additionally, the Code may be used by the Information Commissioner when deciding whether a public authority has properly dealt with a case (in the event of a complaint).

General right of access

The Act provides a general right of access to all information held by Scottish public authorities.

However, the Act recognises that there can be valid grounds for withholding information and provides a number of exemptions from the right to know, some of which are absolute exemptions and some of which are subject to a public interest test.

As regards exemptions subject to the public interest test, organisations must weigh up whether the public interest in maintaining the exemption in question outweighs the public interest in disclosure.

The request for information must:

  • be in writing or other permanently recorded format;
  • state the name of the applicant and an address for correspondence; and
  • describe the information requested.

The applicant can request that information be communicated by:

  • a copy in permanent form (or other form acceptable to them, for example on CD-ROM or audio tape);
  • inspection of records; or
  • a summary or digest of the information held.

Public authorities must comply with a request promptly, and in any event not later than the 20th working day following receipt of the request and/or the appropriate fee, if one is required. A public authority need not comply with vexatious requests, or with repeated requests for information already supplied, unless a reasonable period has elapsed between requests. A fee may be charged by the public authority to cover the costs of locating, retrieving and providing the information requested.

This may include:

  • staff time, up to a maximum charge of £15 per hour;
  • the cost of putting the information into the applicant's requested format, for example CD, or audio tape;
  • photocopying and printing costs; and
  • postage or other transmission costs.

Where it is estimated that the costs of responding to a request will exceed £600 (the 'upper cost limit') a request for information may be refused. The first £100 of costs may not be charged to the applicant, and thereafter a charge of 10% can be made. The maximum charge is therefore £50. Public authorities are not obliged to make a charge and in many cases may not find it practical to do so.

Publication scheme

A publication scheme must be published by each public authority and approved by the Scottish Information Commissioner.

Publication Schemes must specify:

  • the classes of information published, or intended to be published;
  • the manner in which publication is, or is intended to be made;
  • whether the information is available free of charge or whether payment is required.

Records management considerations:

The organisation should carry out a records audit to determine what records it holds, the locations of the records and whether they need to be kept - this should lead to a review of the organisation's retention schedules and provide information for its publication scheme.

As with Data Protection Act subject access requests, records management staff and procedures are crucial to compliance with this Act. There is a duty imposed on organisations to supply information in a timely fashion - currently within 20 working days. To facilitate this obligation to provide information within these time limits the organisation must ensure that all employees are aware of how an FOISA application should be progressed and of the requirement to respond to requests quickly.

Organisations should consider maintaining a log of requests with the view to making frequently requested information available through its publication scheme.

16. The Gender Recognition Act 2004

The Act gives transsexual people the legal right to live in their acquired gender. It established the Gender Recognition Panel, which has the authority to issue a Gender Recognition Certificate. Issue of a full certificate provides legal recognition of the transsexual person's acquired gender.

Under the Act, information relating to an application for a Gender Recognition Certificate is 'protected information' if it is acquired in a professional capacity. It is an offence to disclose protected information to any other person unless an exemption applies. Some of the exemptions are:

  • the person has consented;
  • the person cannot be identified from the information;
  • information is needed for prevention and investigation of crime;
  • information is needed to comply with a court order.

See here (Part 2 of schedules 2, 3 and 4 are specific to Scotland)

Further information is available from the Department of Constitutional Affairs here

Records management considerations:

Applicants to the Gender Recognition Panel are required to supply evidence from a medical practitioner in support of their application. As 'protected information' covers all information that would identify a person as being a transsexual, a new health record must be created if the application is successful, so that protected information is not disclosed.

The Gender Recognition (Disclosure of Information) (Scotland) Order 2005

It is not an offence to disclose the 'protected information' referred to under the Gender Recognition Act 2004 if:

  • the disclosure is made for the purpose of obtaining legal advice;
  • the disclosure is made by a person acting in an official capacity in relation to an organised religion to another person acting in such a capacity, e.g. to enable a minister of religion to decide whether to solemnise or permit the marriage of the subject;
  • the disclosure is made for medical purposes to a health professional, and the person making the disclosure reasonably believes that the subject has given consent to the disclosure or cannot give such consent;
  • specific disclosures are made in relation to credit reference agencies, insolvency and bankruptcy.

'Medical purposes' includes the purposes of preventative medicine, medical diagnosis and the provision of care and treatment. Find out more here

17. The Health and Safety at Work Act 1974

The Act imposes duties on employers to look after the health and safety of their employees and responsibilities on employees to comply with the measures put in place for their health and safety.

There are also six regulations concerned with health and safety at work:

  • Management of Health and Safety at Work Regulations 1999;
  • Workplace (Health Safety and Welfare) Regulations 1992;
  • Display Screen Equipment Regulations 1992;
  • Provision and Use of Work Equipment Regulations 1992;
  • Manual Handling Regulations 1992;
  • Personal Protective Equipment Regulations 1992.

The regulations require that employers carry out risk assessments and provide employees with information and training where necessary.

The Management of Health and Safety at Work Regulations 1999 sets out more explicitly what organisations must do to comply with the Health and Safety at Work Act. The Health and Safety Executive has published an approved Code of Practice for use with the regulations, available here

The Code has a special legal status - a court will take account of whether an organisation has followed the Code in prosecutions for breach of health and safety legislation, unless the organisation can prove that they complied with the law in some other way.

Records management considerations:

Organisations should retain equipment maintenance records, records of assessments and training records etc for appropriate periods, as proof that they are complying with the law and maintaining the safety of their employees. Retention of these records will also assist organisations to appropriately defend against any legal action and comply with investigations carried out by the Health and Safety Executive and/or the Healthcare Commission.

18. The Human Fertilisation and Embryology Act 1990 as amended by the Human Fertilisation and Embryology Act 2008

The Act is retrospective and applies to information obtained before and after it was passed. The Act prohibits the disclosure by current and former members and employees of the Human Fertilisation and Embryology Authority of:

  • any information contained within the Authority's register; and
  • any information obtained with the expectation that it would be held in confidence.

The Human Fertilisation and Embryology Authority (Disclosure of Donor Information) Regulations 2004 ( SI 1511) prescribe the information which the Authority will provide to persons who have attained the age of 18 and who may have been born in consequence of treatment services under the Act.

Records management considerations:

To meet the requirements of this Act, organisations must ensure they have processes in place to ensure that such information is available only to those permitted access. This is especially important as regards paper records, where information on this form of treatment is likely to be included within past medical history (particularly hospital records). Find out more here

19. The Human Rights Act 1998

The Act became part of UK law on 2 October 2000. It does not contain new rights. It incorporates the European Convention on Human Rights into UK law, allowing an individual to assert their Convention rights in UK courts and tribunals, rather than at the European Court in Strasbourg. The Act can be used only against a public body, therefore NHS and social care organisations, as public bodies, are subject to the Act. Article 8 of the Act - the right to respect for private and family life - is the most relevant to the health and social care setting.

The Right to Respect for Private and Family Life contains four rights. These are:

  • the right to respect for private life;
  • the right to respect for family life;
  • the right to respect for one's home; and
  • the right to respect for correspondence.

Article 8 is not an absolute right, in that the Act makes provision for interference with the rights (see below). It does, however, impact on subject access requests, consent, confidentiality and disclosure issues.

The right to respect for private life

The current approach is that the right to respect for private life includes an obligation on a public body to meet subject access requests. Denial of access could be interpreted as a breach of Article 8 as it prevents an individual gaining access to information held about him/her. This reflects the rights of the individual under the Data Protection Act 1998. Legislation must be read, as far as possible, in a way that is compatible with the Human Rights Act.

The right to respect for private life can also be invoked where treatment information is withheld from the individual. If an individual consents to treatment but has not been given sufficient information to make a fully informed decision that consent will not be valid. Arguably, the withholding of information is a breach of the Article 8 right.

The Article 8 right reflects the common law duty of confidentiality in that patient information should only be disclosed with that patient's consent. If information is inappropriately disclosed the individual can take legal action for breach against the public body concerned. Not only must patient information be held confidentially, it must also be held securely. Failure to do so will also breach the right to respect for private life.

The right to respect for family life

This right may also be relevant, in that relatives of the ill often wish to be involved in the decision making process, and kept informed of progress. However, this right must be balanced against the patient's right to confidentiality.

The right to respect for family life becomes even more relevant where the patient is a child or 'incompetent' adult. Failure to keep the family informed can be seen as an interference with this right, actionable under the Act. However, in a situation where the child is 'competent' and does not wish for information to be shared with his/her family, the young person's right to confidentiality is likely to outweigh the right of the family.

Explaining this may bring the professional into conflict with the family, but ultimately the right of the individual to have information held confidentially will outweigh the right of the family.

It may be possible to claim that one's rights in relation to respect for family life have been breached in an employment context. An employee under an excessive workload such that it impinges on his/her life outside of the work environment could possibly plead interference with his/her right to respect for family life.

The right to respect for correspondence

Correspondence includes written and telephone communications. It may be relevant for an individual to assert this right in relation to the monitoring of workplace e-mails, in particular if the employee has not been informed that he/she 'has no reasonable expectation of privacy' and that workplace monitoring is taking place. To lessen the risk of being sued under this heading an employer should ensure that:

  • the organisation complies with the advice from the Information Commissioner;
  • all employees are informed of the organisational policy on 'private' e-mails (which should also include the use of the telephone and the internet); and
  • consistent decisions are taken if policy breaches are discovered.

Interference with an Article 8 right

Article 8 rights are qualified rights; this means that in certain circumstances they can be set aside by the state. However, this interference must be lawful, for a legitimate social aim and necessary to achieve that aim. Furthermore, the interference must not be disproportionate to the objective to be achieved.

Legitimate social aims are:

  • national security;
  • protection of public safety;
  • protection of health or morals;
  • prevention of crime or disorder;
  • protection of the economic well-being of the country; and
  • protection of the rights and freedoms of others.

The public body will have to weigh up the public interest necessity of breaching an Article 8 right against the rights of the individual.

Records management considerations:

Current understanding is that if organisations comply with the provisions of the common law duty of confidence and the Data Protection Act 1998 they will meet the requirements of Article 8. Find out more here

20. The Human Tissue (Scotland) Act 2006 - Part 1 Section 19 and Part 3

The Act deals with three distinct uses of human tissue. It also introduces the concept of Authorisation. Part 4 defines 'nearest relative' and makes provision for witnessing of authorisations and related matters. Find out more here

The Human Tissue (Scotland) Act 2006 (Maintenance of Records and Supply of Information Regarding the Removal of Body Parts) Regulations

The Regulations require those removing and receiving body parts to maintain records and supply information to NHSBT and the relevant NHS Board. Find out more here

20.1 The Human Tissue (Scotland) Act 2006 - A guide to its implications for NHS Scotland. HDL (2006) 46. Find out more here

21. The Local Electoral Administration and Registration Services (Scotland) Act 2006

The Local Electoral Administration and Registration Services (Scotland) Act 2006 ( LEARS Act) introduced changes to the electoral system and registration service in Scotland. Under the Act the General Register Office for Scotland was given special powers to share information with other government departments, including the NHS. The Registrar General creates and maintains a register of individuals from the Register of Births and Deaths and the Adopted Children Register. See Section 57 of the Act for further information. Find out more here

22. The Mental Health (Care and Treatment) (Scotland) Act 2003

The 2003 Act replaces the 1984 Act. It establishes new arrangements for the detention, care and treatment of persons who have a mental disorder. It also refines the role and functions of the Commission and establishes the Tribunal as the principal forum for approving and reviewing compulsory measures for the detention, care and treatment of mentally disordered persons. Part 18 makes miscellaneous provisions including the drawing up of a code of practice, the making of statements indicating a patient's wishes about treatment, the withholding of correspondence and communications from certain detained patients and the cross-border transfer of patients. Find out more here

23. The Prescription and Limitation (Scotland) Act 1973

The Act sets out the law on the time limits within which actions for personal injuries, or arising from death, may be brought. The limitation period for bringing such actions is three years, based on the date on which the individual became aware of the damage.

Under the Prescription and Limitation (Scotland) Act 1973 a person who has been declared of unsound mind may sue for damages up to 3 years after being declared sound of mind. Unsoundness of mind does not mean insanity but an inability of the injured person by reason of their mental state to manage their own affairs in relation to the relevant event and injury. The provisions of the Act will not necessarily apply to all mental health records, but where an action is initiated it will affect not only the mental health records, but all the health records of that patient. For example, a patient on being declared sound of mind has 3 years in which to sue for damages in relation to a hip operation performed while he was unsound of mind even if that operation had been performed 20 years earlier.

Records management considerations:

It is important that accurate records are retained in accordance with national guidance and local policies. As with other statutory provisions, organisations must be able to locate and supply the information if requested and ensure that closed records are stored in accordance with national guidance.

24. The Privacy and Electronic Communications ( EC Directive) Regulations 2003 (no. 2426) and The Privacy and Electronic Communications ( EC Directive) (Amendment) Regulations 2004 (no. 1039)

These Regulations revoke the Telecommunications (Data Protection and Privacy) Regulations 1999 and are concerned with the processing of personal information and the protection of privacy in the electronic communications sector.

The Regulations set out:

  • circumstances under which direct marketing may be carried out;
  • duties to safeguard the security of a communications network service;
  • limitations on what may be stored or accessed; and
  • restrictions on the processing of traffic and location data.

The Regulations are enforced by the UK Information Commissioner. See links here and here

25. Public Health Legislation in Scotland

The Public Health Scotland Act 2008 was passed by the Scottish Parliament on 12th June 2008 and received Royal Assent on 16th July 2008.

This Act restates and amends the law on public health; makes provision about mortuaries and the disposal of bodies; enables the Scottish Ministers to implement their obligations under the International Health Regulations; makes provision relating to the use, sale or hire of sunbeds; amends the law on statutory nuisances; and makes provision for connected purposes.

26. The Public Interest Disclosure Act 1998

The Act allows a worker to breach his duty as regards confidentiality towards his employer for the purpose of 'whistle-blowing'. A disclosure qualifying for protection under the Act is known as a 'qualifying disclosure'.

Such a disclosure is allowed in the following circumstances:

  • where criminal activity or breach of civil law has occurred, is occurring, or is likely to occur;
  • where a miscarriage of justice has occurred, is occurring or is likely to occur;
  • where health and safety has been, is, or is likely to be compromised;
  • where the environment has been, is being or is likely to be damaged; or
  • where information indicating evidence of one of the above circumstances is being or is likely to be deliberately concealed.

It makes no difference whether the circumstance leading to the breach is within or outside of the UK, as long as either UK law or the law of the other jurisdiction prohibits it.

A qualifying disclosure must only be made:

  • in good faith to the individual's employer, or to any other person having legal responsibility for the conduct complained of;
  • for the purpose of obtaining legal advice;
  • where the worker is employed by the Crown, in good faith to a Minister of the Crown; or
  • in good faith to a person prescribed by the Secretary of State.

Under this Act, the worker must reasonably believe that any allegation he makes is substantially true.

If it is the employer who is responsible for the conduct complained of, the Act allows a worker to make a disclosure to a person not noted above, provided the following conditions are met:

  • it must be made in good faith, and not for personal gain, with a reasonable belief that the allegations complained of are true; and
  • the worker reasonably believes he will suffer a detriment if he makes the disclosure to his employer; or
  • he has previously complained of the conduct and no action has been taken; or
  • he reasonably believes that evidence of the conduct has been or will be destroyed or concealed.

Such a disclosure will be subject to a test of reasonableness, which is tested with reference to:

  • the person the disclosure was made to;
  • the seriousness of the conduct complained of;
  • whether the conduct is continuing;
  • whether any previously made complaint was acted upon; and
  • whether the worker followed any procedure laid down by the employer.

Records management considerations:

Staff should be made aware of the correct procedures to be followed if circumstances arise that require them to breach confidentiality and any policy guidance/Health Service Circular on 'Public Interest Disclosure' available on the issue.

27. The Public Records (Scotland) Act 1937


28. The Radioactive Substances Act 1993


The High-activity Sealed Radioactive Sources and Orphan Sources Regulations

The Act applies to organisations that keep, use or dispose of radioactive material or waste. It is supplemented by the High-activity Sealed Radioactive Sources and Orphan Sources Regulations ( HASS), which apply additional requirements to organisations that use or dispose of sealed radioactive sources, for example those used for radiography and radiotherapy. Organisations that keep or use radioactive material or sources must obtain a certificate of registration from the Environment Agency, whilst those that dispose of radioactive waste or sources must obtain a certificate of authorisation.

Records management considerations:

Records relating to radioactive substances and radioactive waste must be retained as specified by the Environment Agency. The Agency may also require that records be retained for a specified period after the activity has ceased. Once this period has expired, records should be filed with an appropriate repository, i.e. a Place of Deposit.

29. The Re-use of Public Sector Information Regulations 2005

The Regulations link with the Freedom of Information (Scotland) Act 2002, in that freedom of information is about access to information and these regulations are about how the information can be re-used. However, there is no automatic right to re-use merely because an access request has been granted. Information that is exempt under FOISA or other legislation is also exempt under the Regulations.

Health Service bodies are required to:

  • publish the terms and conditions of standard licences for re-use;
  • compile an information asset register detailing the information available for re-use;
  • publish details of any exclusive re-use licences granted and review those licences every three years;
  • notify the applicant of the reasons for refusal of a re-use application;
  • provide contact details where complaints can be addressed;
  • deal with all applicants in a non-discriminatory manner, for example applying the same charges for the same type of use; and
  • respond to requests within 20 working days.

Records management considerations:

Employees responsible for re-use issues should work closely with those responsible for FOI for several reasons. These include:

  • an information audit is required for both pieces of legislation to determine the records held and the locations of those records;
  • information available for re-use and the terms and conditions of re-use can be included within the organisation's publication scheme (see Freedom of Information (Scotland) Act 2002); and
  • if a request is made for access and re-use, the processes need to be coordinated so that the access issue is dealt with before permission to re-use is granted.

Other obligations

30. Administrative Law

Administrative law governs the actions of public authorities. According to well-established rules, a public authority must possess the power to carry out what it intends to do. It is also necessary that the power is exercised for the purpose for which it was created or is 'reasonably incidental' to the defined purpose. If not, its action is 'ultra vires' i.e. beyond its lawful powers. It is important that all NHS bodies are aware of the extent and limitations of their powers and act 'intra vires'. The approach often adopted by Government to address situations where a disclosure of information is prevented by lack of function (the 'ultra vires' rule), is to create, through legislation, new statutory gateways that provide public sector bodies with the appropriate information disclosure function. However, unless such legislation explicitly requires that confidential patient information be disclosed, or provides for common law confidentiality obligations to be set aside, then these obligations must be satisfied prior to information disclosure and use taking place, for example by obtaining explicit patient consent.

Records management considerations:

Staff should be trained in the legal framework covering the disclosure of confidential patient information. They should also be provided with procedures for obtaining explicit consent and guidance on where to seek advice if they are unsure whether they should disclose such information.

31. Blood Safety and Quality Legislation

The Blood Safety and Quality Regulations 2005 (amended by the Blood Safety and Quality (Amendment) (No. 2) Regulations 2005)

The regulations implement the provisions of Directive 2002/98/ EC (below) so that the retention periods for data relating to human blood and blood components outlined in the Directive are now part of UK law.

The retention periods are as follows:

  • blood establishments must retain certain information regarding donors, establishment activity and testing of donated blood for a minimum of 15 years (regulation 7); and
  • blood establishments and hospital blood banks must retain data needed for full traceability for at least 30 years from the point of receipt of the blood or blood component (regulations 8 and 9).

The regulations also set out requirements for maintaining the confidentiality and security of data (regulation 14) and provide that identifiable information held by blood establishments and blood banks must not be disclosed to third parties unless it is for one of the following reasons:

  • to comply with a court order;
  • to assist an inspector appointed by the Secretary of State in accordance with these regulations; or
  • to enable tracing of a donation from donor to recipient or from recipient to donor.


Records management considerations:

Organisations must ensure that they are able to provide full traceability of whole blood and blood components. There should be a record keeping system that:

  • allows for identification of each single blood donation and each single blood unit and components thereof; and
  • enables full traceability to the donor as well as to the transfusion and the recipient. That is, the method of recording must unmistakably identify each unique donation and type of blood component, the location at which the donation was received and to whom that donation was given.

Directive 2002/98/ EC of the European Parliament and of the Council of 27 January 2003

The directive sets standards of quality and safety for the collection and testing of human blood and blood components, whatever their intended purpose, and for their processing, storage and distribution when intended for transfusion.

Commission Directive 2005/61/ EC of 30 September 2005

The annexes of this directive set out the data that should be retained for 30 years in order to comply with the traceability requirements of Directive 2002/98/ EC.

Data to be retained by blood establishments:

  • blood establishment identification;
  • blood donor identification;
  • blood unit identification;
  • individual blood component identification;
  • date of collection (year/month/day); and
  • facilities to which blood units or blood components are distributed, or subsequent disposal.

Data to be retained by hospital blood banks:

  • blood component supplier identification;
  • issued blood component identification;
  • transfused recipient identification;
  • for blood units not transfused, confirmation of subsequent disposal;
  • date of transfusion or disposal (year/month/day); and
  • lot number of the component, if relevant.
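The record-keeping system described under the records management considerations above must identify every donation and component and trace it in both directions, from donor to recipient and from recipient to donor, with the data items listed in the annexes of Directive 2005/61/ EC kept for 30 years. The following Python sketch is an added illustration and is not code from the annex or from any NHS system: it models the two sets of retained data items as records, refuses blood bank entries that would break the chain (an unknown component, or a non-transfused component with no confirmed disposal), answers both trace directions, lists components whose fate has not yet been recorded, and computes a retain-until date. The identifiers, dates and the `build_sample_register` data are constructed; because the regulations start the 30-year clock at receipt, and receipt lies between collection and transfusion or disposal, the retention date is computed from the latest date held so that the system never retains for less than the required period.

```python
"""Bidirectional blood traceability register (added illustration, not from the annex)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

TRACEABILITY_RETENTION_YEARS = 30  # regulations 8 and 9; Directive 2005/61/EC annexes


@dataclass(frozen=True)
class EstablishmentRecord:
    """Data items a blood establishment must retain."""
    establishment_id: str
    donor_id: str
    unit_id: str
    component_id: str
    collected_on: date
    distributed_to: str           # receiving facility, or a note of disposal


@dataclass(frozen=True)
class BloodBankRecord:
    """Data items a hospital blood bank must retain."""
    supplier_id: str
    component_id: str
    recipient_id: Optional[str]   # None when the component was not transfused
    disposal_confirmed: bool      # must be True when recipient_id is None
    event_date: date              # date of transfusion or of disposal
    lot_number: Optional[str] = None


def _add_years(d: date, years: int) -> date:
    """Add whole years; 29 February falls back to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


class TraceabilityRegister:
    def __init__(self) -> None:
        self._collected: dict[str, EstablishmentRecord] = {}   # component id -> collection
        self._bank: dict[str, BloodBankRecord] = {}            # component id -> fate

    def record_collection(self, rec: EstablishmentRecord) -> None:
        # Each component identifier must be unique, or tracing becomes ambiguous.
        if rec.component_id in self._collected:
            raise ValueError(f"duplicate component identifier {rec.component_id}")
        self._collected[rec.component_id] = rec

    def record_bank_event(self, rec: BloodBankRecord) -> None:
        # Refuse entries that would leave a gap in the donor-to-recipient chain.
        if rec.component_id not in self._collected:
            raise ValueError(f"unknown component {rec.component_id}: no link to a donor")
        if rec.recipient_id is None and not rec.disposal_confirmed:
            raise ValueError("a non-transfused component needs confirmation of disposal")
        if rec.recipient_id is not None and rec.disposal_confirmed:
            raise ValueError("a component cannot be both transfused and disposed of")
        self._bank[rec.component_id] = rec

    def trace_forward(self, donor_id: str) -> list[tuple[str, str]]:
        """Donor -> every component from that donor and what became of it."""
        out = []
        for cid, col in sorted(self._collected.items()):
            if col.donor_id != donor_id:
                continue
            bank = self._bank.get(cid)
            if bank is None:
                fate = "not yet recorded by a blood bank"
            elif bank.recipient_id is not None:
                fate = f"transfused:{bank.recipient_id}"
            else:
                fate = "disposed"
            out.append((cid, fate))
        return out

    def trace_back(self, recipient_id: str) -> list[str]:
        """Recipient -> every donor whose component was transfused to them."""
        donors = {self._collected[cid].donor_id
                  for cid, b in self._bank.items() if b.recipient_id == recipient_id}
        return sorted(donors)

    def retain_until(self, component_id: str) -> date:
        """Earliest date on which the component's records may be reviewed for disposal."""
        dates = [self._collected[component_id].collected_on]
        if component_id in self._bank:
            dates.append(self._bank[component_id].event_date)
        return _add_years(max(dates), TRACEABILITY_RETENTION_YEARS)

    def incomplete_chains(self) -> list[str]:
        """Components collected but with no transfusion or disposal recorded."""
        return sorted(set(self._collected) - set(self._bank))


def build_sample_register() -> TraceabilityRegister:
    """Constructed sample data (not real donors, units or facilities)."""
    reg = TraceabilityRegister()
    reg.record_collection(EstablishmentRecord("EST-01", "D-001", "U-1001", "C-1001-RBC", date(2024, 3, 1), "HBB-A"))
    reg.record_collection(EstablishmentRecord("EST-01", "D-001", "U-1001", "C-1001-PLT", date(2024, 3, 1), "HBB-A"))
    reg.record_collection(EstablishmentRecord("EST-01", "D-002", "U-1002", "C-1002-RBC", date(2024, 3, 2), "HBB-A"))
    reg.record_collection(EstablishmentRecord("EST-01", "D-003", "U-1003", "C-1003-RBC", date(2024, 3, 3), "HBB-B"))
    reg.record_bank_event(BloodBankRecord("EST-01", "C-1001-RBC", "R-77", False, date(2024, 3, 10)))
    reg.record_bank_event(BloodBankRecord("EST-01", "C-1001-PLT", None, True, date(2024, 3, 6)))
    reg.record_bank_event(BloodBankRecord("EST-01", "C-1002-RBC", "R-77", False, date(2024, 3, 12), lot_number="L-9"))
    return reg


if __name__ == "__main__":
    r = build_sample_register()
    print(r.trace_back("R-77"), r.trace_forward("D-001"), r.incomplete_chains())
```

The two lookups are the whole point of the regulation: a look-back from a recipient who later tests positive for an infection must reach every donor, and a recall from a donor must reach every recipient, so both maps are kept on the same unique component identifier rather than reconstructed from free text.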

32. The Common Law Duty of Confidentiality

Common law is not written out in one document like an Act of Parliament. It is a form of law based on central principles and the decisions of judges in previous court cases. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

Therefore, under the common law, a healthcare provider wishing to disclose a patient's personal information to anyone outside the team providing care should first seek the consent of that patient.

Where this is not possible, an organisation may be able to rely on disclosure being in the overriding public interest. However, claiming a disclosure is in the public interest should not be done lightly. Solid justification is required before individual rights are set aside and specialist or legal advice should be sought before the information is disclosed. Any decision to disclose should be fully documented. It will ultimately be up to a court to decide whether the public interest justification is sufficient.

Disclosures required by court order should be referred to the organisation's legal advisors as promptly as possible, so that any necessary representations may be made to the court, for example to limit the information requested.

If a disclosure is made which is not permitted under common law the patient may be able to bring a legal action not only against the organisation but also against the individual responsible for the breach.

Records management considerations:

All persons involved in the records management function should be aware of their responsibility for maintaining confidentiality of records. Employees should only have access to those parts of the record required to carry out their role. Requests for records access by other staff members should be logged and periodically audited. Particular care should be taken during the transportation of health records outside of the organisational site, for example security envelopes and approved carriers should be used where necessary.

33. NHS Scotland Code of Practice on Protecting Patient Confidentiality

The Code offers detailed guidance on:

  • protecting confidential information;
  • informing patients about uses of their personal information;
  • offering patients appropriate choices about the uses of their personal information; and
  • the circumstances in which confidential information may be used or disclosed.

The Code can be accessed from the Information Governance e-Library website in 'The Basics' section.

Disclosure after a patient's death:

Although there are no legal obligations of confidentiality that apply to the deceased, the ethical obligation to respect a patient's confidentiality extends beyond death. The duty of confidentiality needs to be balanced with other considerations, such as:

  • to assist a Procurator Fiscal or other similar officer in connection with an inquest or fatal accident inquiry;
  • as part of national confidential enquiries; or
  • on death certificates;
  • where a person has a right of access under the Access to Health Records Act 1990; and
  • those close to the deceased.

Deceased patient records are fully accessible after a period of one hundred years from the beginning of the calendar year following the date of last entry under the Freedom of Information (Scotland) Act 2002.

34. Directive 2001/83/ EC of the European Parliament and of the Council of 6 November 2001 on the Community Code Relating to Medicinal Products for Human Use

The directive lays down rules governing the production, distribution and use of medicinal products. It is relevant here as it sets retention periods for information gathered in the course of clinical trials.

The trial investigator has a duty to retain patient identification codes for at least 15 years following the trial.

The health organisation at which the trial was carried out must retain the health records of the patients involved for the maximum period possible, i.e. 30 years.

The sponsor of the clinical trial must retain all other documentation pertinent to the trial as long as the product is authorised.

The sponsor or successor must retain the final report of products that are no longer authorised for five years.

Relevant standards and guidelines

35. BSISO 15489-1 (Designing and Implementing Records Keeping Systems - DIRKS)

Includes an eight-step approach to effective records management for organisations to follow.

36. BSIPD 0016: 2001 Document scanning. Guide to scanning business documents

This guide provides an insight into the processes of document scanning, explains the main features and benefits of different types of scanners and provides guidance on evaluating scanners against user requirements.

37. BSIBIP 0008

BSIBIP 0008-1:2008

The current British Standard document relating to 'Evidential Weight and Legal Admissibility of Information Stored Electronically'.

BSIBIP 0008-2:2008

The current British Standard document relating to 'Evidential Weight and Legal Admissibility of Information Transferred Electronically'.

BSIBIP 0008-3:2008

The current British Standard document relating to 'Evidential Weight and Legal Admissibility of Linking Electronic Identity to Documents'.

38. BS 4783-8:1994

Storage, transportation and maintenance of media for use in data processing and information storage. Recommendations for 4 mm and 8 mm helical scan tape cartridges.

39. BS 5454:2000 Recommendations for the Storage and Exhibition of Archival Documents.

40. BSISO/ IEC 17799:2005, BSISO/ IEC 27001:2005 and BS7799-2:2005

This Standard provides a code of practice and a set of requirements for the management of information security.

The Standard is published in two parts. Part one has been adopted as ISO 17799:2000 and provides a code of practice for information security management. Part two provides a specification for information security management systems.

41. PDISO/ TR 15489-2:2001

This is the international records management standard and is about best practice in records management.

42. BSISO 19005-1:2005 - Document Management

This Standard provides for organisations to archive documents electronically for long-term preservation.

Professional Codes of Conduct and Guidance

All the NHS professions have their own codes of conduct setting out the standards of ethical behaviour owed by members of each profession. These standards typically include:

  • respecting patients' decisions about their care and treatment;
  • obtaining consent for treatment or for disclosure of patient personal information;
  • protecting patient personal information by maintaining confidentiality; and
  • ensuring continuity of care through good record-keeping practice.

Information on professional codes of practice can be obtained from the following organisations:

43. The General Dental Council: Standards for Dental Professionals (06/05) The GDC guidance explains the standards the GDC expects of dental professionals.

44. The General Medical Council: Good Medical Practice (2006) Good Medical Practice sets out the principles and values on which good practice is founded.

45. Health Professionals Council: Standards for Conduct, Performance and Ethics (07/08) Explains the standards of conduct, performance and ethics that registrants and prospective registrants must keep to.

46. The Code: Standards of conduct, performance and ethics for nurses and midwives, NMC (01/08) Informs nurses and midwives of the standard of professional conduct required of them in the exercise of their professional accountability and practice.

Nursing and Midwifery Council: Standards for Medicine Management (02/08) Includes records management guidance on transcribing medication from one "direction to supply or administer" to another form of "direction to supply or administer" and storage of medication and associated records.

47. Nursing and Midwifery Council: Record Keeping Guidance (07/09) NMC guidance on records and record-keeping practices for nurses and midwives.

48. Nursing and Midwifery Council: Midwives' Rules and Standards (05/04) The Nursing and Midwifery Order 2001 requires the NMC to set rules and standards for midwifery, including record keeping.

49. The Chartered Society of Physiotherapy: Rules of Professional Conduct (2005)

50. The Chartered Society of Physiotherapy: General Principles of Record Keeping and Access to Health Records (2000)

51. Scottish Social Services Council: Codes of Practice for Social Service Workers and Employers (2009)
