Statutory Instruments

2002 No. 1438

NATIONAL HEALTH SERVICE, ENGLAND AND WALES

The Health Service (Control of Patient Information) Regulations 2002

Made 23rd May 2002

Coming into force 1st June 2002

Whereas a draft of the following Regulations was laid before Parliament in accordance with section 64(3) of the Health and Social Care Act 2001(1) and was approved by resolution of each House of Parliament:

Now, therefore, the Secretary of State for Health, in exercise of the powers conferred on him by sections 60(1) and 64(6), (7) and (8) of the Health and Social Care Act 2001 and all other powers enabling him in that behalf, having consulted such bodies as appear to him to represent the interests of those likely to be affected by the Regulations in accordance with section 60(7) of that Act and having sought and had regard to the views of the Patient Information Advisory Group(2) on the proposed Regulations in accordance with section 61(2) of that Act, hereby makes the following Regulations—

Citation, commencement, interpretation and extent

1.—(1) These Regulations may be cited as the Health Service (Control of Patient Information) Regulations 2002 and shall come into force on 1st June 2002.

(2) In these Regulations—

“the Act” means the Health and Social Care Act 2001,

“public authority” has the same meaning as in section 3(1) of the Freedom of Information Act 2000(3);

“public health laboratory service” means the microbiological service provided by the Public Health Laboratory Service Board under section 5(2)(c) and (4) of the National Health Service Act 1977(4);

“research ethics committee” means a local research ethics committee established or recognised by a health authority within its area or a multi-centre research ethics committee which is recognised by the Secretary of State in respect of research carried out within five or more health authority areas or any other research ethics committee recognised by the Secretary of State.

(3) Any notice given under these Regulations shall be—

(a) in writing; or

(b) transmitted by electronic means in a legible form which is capable of being used for subsequent reference.

(4) Any reference in these Regulations to a numbered regulation is a reference to the regulation which bears that number in these Regulations and any reference to a numbered paragraph in a regulation is a reference to the paragraph which bears that number in that regulation.

(5) These Regulations extend to England and Wales only.

Medical purposes related to the diagnosis or treatment of neoplasia

2.—(1) Subject to paragraphs (2) to (3) and regulation 7, confidential patient information relating to patients referred for the diagnosis or treatment of neoplasia may be processed for medical purposes approved by the Secretary of State which comprise or include—

(a) the surveillance and analysis of health and disease;

(b) the monitoring and audit of health and health related care provision and outcomes where such provision has been made;

(c) the planning and administration of the provision made for health and health related care;

(d) medical research approved by research ethics committees;

(e) the provision of information about individuals who have suffered from a particular disease or condition where—

(i) that information supports an analysis of the risk of developing that disease or condition; and

(ii) it is required for the counseling and support of a person who is concerned about the risk of developing that disease or condition.

(2) For the purposes of this regulation, “processing” includes (in addition to the use, disclosure or obtaining of information) any operations, or set of operations, which are undertaken in order to establish or maintain databases for the purposes set out in paragraph (1), including—

(a) the recording and holding of information;

(b) the retrieval, alignment and combination of information;

(c) the organisation, adaption or alteration of information;

(d) the blocking, erasure and destruction of information.

(3) The processing of confidential patient information for the purposes specified in paragraph (1) may be undertaken by bodies or persons who (either individually or as members of a class) are—

(a) approved by the Secretary of State, and

(b) authorized by the person who lawfully holds the information.

(4) Where the Secretary of State considers that it is necessary in the public interest that confidential patient information is processed for a purpose specified in paragraph (1), he may give notice to any body or person who is approved and authorized under paragraph (3) to require that body or person to process that information for that purpose and any such notice may require that the information is processed forthwith or within such period as is specified in the notice.

(5) Where confidential information is processed under this regulation, the bodies and persons approved under paragraph (3) shall make available to the Secretary of State such information as he may require to assist him in the investigation and audit of that processing and in his annual consideration of the provisions of these Regulations which is required by section 60(4) of the Act.

Communicable disease and other risks to public health

3.—(1) Subject to paragraphs (2) and (3) and regulation 7, confidential patient information may be processed with a view to—

(a) diagnosing communicable diseases and other risks to public health;

(b) recognising trends in such diseases and risks;

(c) controlling and preventing the spread of such diseases and risks;

(d) monitoring and managing—

(i) outbreaks of communicable disease;

(ii) incidents of exposure to communicable disease;

(iii) the delivery, efficacy and safety of immunisation programmes;

(iv) adverse reactions to vaccines and medicines;

(v) risks of infection acquired from food or the environment (including water supplies);

(vi) the giving of information to persons about the diagnosis of communicable disease and risks of acquiring such disease.

(2) For the purposes of this regulation, “processing” includes any operations, or set of operations set out in regulation 2(2) which are undertaken for the purposes set out in paragraph (1).

(3) The processing of confidential patient information for the purposes specified in paragraph (1) may be undertaken by—

(a) the Public Health Laboratory Service;

(b) persons employed or engaged for the purposes of the health service;

(c) other persons employed or engaged by a Government Department or other public authority in communicable disease surveillance.

(4) Where the Secretary of State considers that it is necessary to process patient information for a purpose specified in paragraph (1), he may give notice to any body or person specified in paragraph (3) to require that body or person to process that information for that purpose and any such notice may require that the information is processed forthwith or within such period as is specified in the notice.

(5) Where confidential information is processed under this regulation, the bodies and persons specified in paragraph (3) shall make available to the Secretary of State such information as he may require to assist him in the investigation and audit of that processing and in his annual consideration of the provisions of these Regulations which is required by section 60(4) of the Act.

Modifying the obligation of confidence

4.  Anything done by a person that is necessary for the purpose of processing confidential patient information in accordance with these Regulations shall be taken to be lawfully done despite any obligation of confidence owed by that person in respect of it.

General

5.  Subject to regulation 7, confidential patient information may be processed for medical purposes in the circumstances set out in the Schedule to these Regulations provided that the processing has been approved—

(a) in the case of medical research, by both the Secretary of State and a research ethics committee, and

(b) in any other case, by the Secretary of State.

Registration

6.—(1) Where an approval granted by the Secretary of State under regulation 5 permits the transfer of confidential patient information between bodies or persons who may determine the purposes for which, and the manner in which, the information may be processed, he shall record in a register the name and address of the bodies or persons to whom that information may be transferred together with the particulars specified in paragraph (2).

(2) The following particulars are specified for inclusion in each entry in the register—

(a) a description of the confidential patient information to which the approval relates;

(b) the medical purposes for which the information may be processed;

(c) the provisions in the Schedule to these Regulations under which the information may be processed; and

(d) such other particulars as the Secretary of State may consider appropriate to enter in the register.

(3) The Secretary of State shall retain the particulars of each entry in the register for so long as confidential patient information may be processed under an approval to which the entry relates and for not less than 12 months after the termination of that approval.

(4) The Secretary of State shall, in such manner and to the extent to which he considers it appropriate, publish entries in the register.

Restrictions and exclusions

7.—(1) Where a person is in possession of confidential patient information under these Regulations, he shall not process that information more than is necessary to achieve the purposes for which he is permitted to process that information under these Regulations and, in particular, he shall—

(a) so far as it is practical to do so, remove from the information any particulars which identify the person to whom it relates which are not required for the purposes for which it is, or is to be, processed;

(b) not allow any person access to that information other than a person who, by virtue of his contract of employment or otherwise, is involved in processing the information for one or more of those purposes and is aware of the purpose or purposes for which the information may be processed;

(c) ensure that appropriate technical and organisational measures are taken to prevent unauthorised processing of that information;

(d) review at intervals not exceeding 12 months the need to process confidential patient information and the extent to which it is practicable to reduce the confidential patient information which is being processed;

(e) on request by any person or body, make available information on the steps taken to comply with these Regulations.

(2) No person shall process confidential patient information under these Regulations unless he is a health professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

(3) For the purposes of paragraph (2) “health professional” has the same meaning as in section 69(1) of the Data Protection Act 1998(5).

Enforcement Procedure

8.—(1) Any person who does not comply with a requirement imposed on him under regulation 2(4) or (5), 3(4) or (5) or 7 may be subject to a civil penalty not exceeding £5000.

(2) The Secretary of State may determine whether any person has not complied with such a requirement and he may assess whether it is appropriate to impose the maximum civil penalty, a lesser penalty or no penalty having regard to the seriousness of any non-compliance, the circumstances of any person who has not complied and the need to ensure the compliance in respect of any such future requirements.

(3) Any penalty payable under this regulation shall be recoverable by the Secretary of State as a civil debt.

Signed by authority of the Secretary of State for Health

Hazel Blears

Parliamentary Under Secretary of State,

Department of Health

23rd May 2002

Regulations 5 and 6(2)(c)

THE SCHEDULE

General Provisions

Circumstances in which confidential patient information may be processed for medical purposes under regulation 5 and particulars for registration under regulation 6.

1.  The processing of confidential patient information for medical purposes with a view to making the patient in question less readily identifiable from that information.

2.  The processing of confidential patient information that relates to the present or past geographical locations of patients (including where necessary information from which patients may be identified) which is required for medical research into the locations at which disease or other medical conditions may occur.

3.  The processing of confidential patient information to enable the lawful holder of that information to identify and contact patients for the purpose of obtaining consent—

(a) to participate in medical research;

(b) to use the information for the purposes of medical research, or

(c) to allow the use of tissue or other samples for medical purposes.

4.  The processing of confidential patient information for medical purposes from more than one source with a view to—

(a) linking information from more than one of those sources;

(b) validating the quality or completeness of—

(i) confidential patient information, or

(ii) data derived from such information;

(c) avoiding the impairment of the quality of data derived from confidential patient information by incorrect linkage or the unintentional inclusion of the same information more than once.

5.  The audit, monitoring and analysing of the provision made by the health service for patient care and treatment.

6.  The granting of access to confidential patient information for one or more of the above purposes.

Explanatory Note

(This note is not part of the Regulations)

These Regulations make provision for the processing of patient information, including confidential patient information.

Regulation 1 contains definitions of the terms used in the Regulation and provides that the Regulations apply to England and Wales only.

Regulation 2 makes provision relating to the processing of patient information in connection with the construction and maintenance of databases by bodies (known as “cancer registries”) which undertake the surveillance of health and disease of patients referred for the diagnosis or treatment of neoplasia. Regulation 2(4) provides powers under which the Secretary of State may require certain persons to process information for those purposes. Regulation 2(5) makes provision for information on the operation of these Regulations to be passed to the Secretary of State.

Regulation 3 makes provision for the processing of patient information for the recognition, control and prevention of communicable disease and other risks to public health. Regulation 3(4) provides powers under which the Secretary of State may require certain persons who perform health service or other public functions to process information where, for example, there is a need to assess whether there is a significant risk to public health. Regulation 3(5) makes provision for information on the operation of these Regulations to be passed to the Secretary of State.

Regulation 4 provides that information may be processed in accordance with these Regulations notwithstanding any common law obligation of confidence.

Regulation 5 and the Schedule to these Regulations make general provision in relation to the processing of patient information. Such processing is restricted to that approved by the Secretary of State and, in the case of processing for research purposes, the relevant ethics committee.

Regulation 6 requires the Secretary of State to record and make public particulars relating to approvals which permit the transfer of confidential patient information.

Regulation 7 restricts the processing of information under the Regulations, for example by requiring the removal of particulars by which the persons to whom information relates can be identified if that is practical (regulation 7(1)(a)).

Regulation 8 provides for enforcement by civil penalty of requirements imposed under regulations 2(4) or (5), 3(4) or (5) or 7.

The Schedule to these Regulations sets out the circumstances in which confidential patient information may be processed for medical purposes under regulation 5. The provisions relate, for example, to the processing of confidential patient information in order to identify who should be invited to participate in medical research (paragraph 3) or to enable the auditing, monitoring and analysing of the provision made by the health service (paragraph 5).

A Regulatory Impact Assessment has not been prepared for these Regulations. In general the Regulations enable the flow of information and impose no obligations. Where obligations are imposed, they are imposed primarily on those performing functions for public authorities and so any burden imposed on business is considered negligible.

(2) See S.I. 2001/2836.

(4) 1977 c. 49; subsections (2)(c) and (4) of section 5 were amended by the Public Health Laboratory Service Act 1979 (c. 23), section 1.