This page contains a Flash digital edition of a book.
CASE STUDY DISCLOSURE OF PATIENT INFORMATION An abandoned car Background


The police arrive at a GP surgery and ask to speak to the practice manager – Ms R. They inform her that an aban- doned car has been found in a local woods. They have obtained the registered keeper’s name and an address but have been unable to trace that individual. A search of the vehicle has also found a diary in the car, which seems to


indicate that someone has a doctor’s appointment at 2pm today. They tell Ms R that officers are visiting all local hospitals and surgeries asking for the names of all patients with 2pm appointments. The officers say that they require this infor- mation under the powers conferred to them by Section 29 of the Data Protection Act 1998.


Scenario 1


The practice manager and senior partner take the officers into one of the consulting rooms for a quiet chat. One of the officers explains that they believe some harm may have come to the owner of the vehicle and it is important that they contact the individual if possible.


Scenario 2


The practice manager and senior partner take the officers into one of the consulting rooms for a quiet chat. The lead officer says it’s a “routine” investigation into a possibly stolen car and they need to speak to the owner.


Manager


Practice


F


IRST to consider is that the request in the initial scenario is very broad in nature and it would be entirely inap-


propriate for the practice to simply disclose the names of all patients with 2pm appoint- ments that day. The police themselves may be wary about providing specific informa- tion, which could identify an individual at this stage, but the practice manager in this case really does require more information to proceed with here. As well as breaching the duty of confi-


dentiality owed to the patients concerned, disclosure of these names could amount to a breach of the Data Protection Act 1998. There is an exemption in the Act under Section 29 – Crime and Taxation – which allows a ‘data controller’ to give out personal information for these purposes, but there are limits on what can be released (see page 9 in this issue). The Information Commis- sioner’s Office advises that if you do decide to release personal information to the police, you should consider what is the minimum necessary for them to be able to do their job. Importantly, Section 29 does not confer


any particular police powers in this respect, but allows the ‘data controller’ to consider release of personal information for the stated purposes and only if not releasing it would be likely to prejudice any attempt by police to prevent crime or catch a suspect. The second consideration in any such


request is: “Am I sure that the person making 14


the request is who they say they are?” Confirmation of identity is essential before proceeding any further. In relation to this particular request, the manager could then ask what specific concerns the police have about the circumstances in which the car has been discovered. In the case of Scenario 1, it would be


more helpful if the police could ask a direct question about whether the registered keeper is a patient at the practice, if they had an appointment at 2pm today, and if they turned up for it. This would allow Ms R to respond by disclosing only the minimum amount of information necessary to answer the police request while at the same time acting in the best interests of the patient. In the case of Scenario 2 – the stolen car –


the situation is less clear. While the police request would appear to comply with Section 29 DPA requirements, allowing appropriate disclosure for the purposes of investigating a crime, the corresponding GMC guidance for doctors on confidentiality and consent is less helpful, and boils down to whether the alleged offence constitutes a ‘serious crime’ or not. The GMC do not state what constitutes a ‘serious crime’, and the practice would have to consider the relevant facts and circumstances available before coming to a decision. In order to do this, sufficient information from the police will be required if they are seeking compliance. In these circumstances it would also be


prudent and possibly extremely helpful, to attempt to seek the patient’s consent before agreeing to provide the police with the infor- mation. If this is not possible or the patient refuses, then the practice would have to make a judgement call based on the ‘public interest’ criteria – having first of course, discussed the matter with an MDDUS adviser, who will be able to help in consider- ing the various factors relevant to the request before coming to a decision. Also, remember, that in a decision not to disclose the information requested, the police can apply for and obtain a lawful warrant or court order requiring disclosure.


KEY POINTS • Give careful consideration to any police requests for patient information – even confirmation that someone is a patient.


• Consider all relevant GMC guidance on disclosure in the public interest, weighing it up against the patient’s right to confi- dentiality.


• Obtain consent for disclosure if possible, practical and/or reasonable.


• If disclosing, provide only the minimum information necessary to fulfil the purpose.


• Ask for confirmation of identity of any officer making a disclosure request.


• Call MDDUS for advice in specific cases.


Alan Frame is risk adviser with MDDUS Training and Consultancy


AUTUMN 2011ISSUE 5


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16