The Health Service (Control of Patient Information) Regulations 2002

Citation, commencement, interpretation and extent

1.—(1) These Regulations may be cited as the Health Service (Control of Patient Information) Regulations 2002 and shall come into force on 1st June 2002.

(2) In these Regulations—

“the Act” means the Health and Social Care Act 2001,

“public authority” has the same meaning as in section 3(1) of the Freedom of Information Act 2000(1);

“public health laboratory service” means the microbiological service provided by the Public Health Laboratory Service Board under section 5(2)(c) and (4) of the National Health Service Act 1977(2);

“research ethics committee” means a local research ethics committee established or recognised by a health authority within its area or a multi-centre research ethics committee which is recognised by Secretary of State in respect of research carried out within five or more health authority areas or any other research ethics committee recognised by the Secretary of State.

(3) Any notice given under these Regulations shall be—

(a)in writing; or

(b)transmitted by electronic means in a legible form which is capable of being used for subsequent reference.

(4) Any reference in these Regulations to a numbered regulation is a reference to the regulation which bears that number in these Regulations and any reference to a numbered paragraph in a regulation is a reference to the paragraph which bears that number in that regulation.

(5) These Regulations extend to England and Wales only.

Medical purposes related to the diagnosis or treatment of neoplasia

2.—(1) Subject to paragraphs (2) to (3) and regulation 7, confidential patient information relating to patients referred for the diagnosis or treatment of neoplasia may be processed for medical purposes approved by the Secretary of State which comprise or include—

(a)the surveillance and analysis of health and disease;

(b)the monitoring and audit of health and health related care provision and outcomes where such provision has been made;

(c)the planning and administration of the provision made for health and health related care;

(d)medical research approved by research ethics committees;

(e)the provision of information about individuals who have suffered from a particular disease or condition where—

(i)that information supports an analysis of the risk of developing that disease or condition; and

(ii)it is required for the counseling and support of a person who is concerned about the risk of developing that disease or condition.

(2) For the purposes of this regulation, “processing” includes (in addition to the use, disclosure or obtaining of information) any operations, or set of operations, which are undertaken in order to establish or maintain databases for the purposes set out in paragraph (1), including—

(a)the recording and holding of information;

(b)the retrieval, alignment and combination of information;

(c)the organisation, adaption or alteration of information;

(d)the blocking, erasure and destruction of information.

(3) The processing of confidential patient information for the purposes specified in paragraph (1) may be undertaken by bodies or persons who (either individually or as members of a class) are—

(a)approved by the Secretary of State, and

(b)authorized by the person who lawfully holds the information.

(4) Where the Secretary of State considers that it is necessary in the public interest that confidential patient information is processed for a purpose specified in paragraph (1), he may give notice to any body or person who is approved and authorized under paragraph (3) to require that body or person to process that information for that purpose and any such notice may require that the information is processed forthwith or within such period as is specified in the notice.

(5) Where confidential information is processed under this regulation, the bodies and persons approved under paragraph (3) shall make available to the Secretary of State such information as he may require to assist him in the investigation and audit of that processing and in his annual consideration of the provisions of these Regulations which is required by section 60(4) of the Act.

Communicable disease and other risks to public health

3.—(1) Subject to paragraphs (2) and (3) and regulation 7, confidential patient information may be processed with a view to—

(a)diagnosing communicable diseases and other risks to public health;

(b)recognising trends in such diseases and risks;

(c)controlling and preventing the spread of such diseases and risks;

(d)monitoring and managing—

(i)outbreaks of communicable disease;

(ii)incidents of exposure to communicable disease;

(iii)the delivery, efficacy and safety of immunisation programmes;

(iv)adverse reactions to vaccines and medicines;

(v)risks of infection acquired from food or the environment (including water supplies);

(vi)the giving of information to persons about the diagnosis of communicable disease and risks of acquiring such disease.

(2) For the purposes of this regulation, “processing” includes any operations, or set of operations set out in regulation 2(2) which are undertaken for the purposes set out in paragraph (1).

(3) The processing of confidential patient information for the purposes specified in paragraph (1) may be undertaken by—

(a)the Public Health Laboratory Service;

(b)persons employed or engaged for the purposes of the health service;

(c)other persons employed or engaged by a Government Department or other public authority in communicable disease surveillance.

(4) Where the Secretary of State considers that it is necessary to process patient information for a purpose specified in paragraph (1), he may give notice to any body or person specified in paragraph (3) to require that body or person to process that information for that purpose and any such notice may require that the information is processed forthwith or within such period as is specified in the notice.

(5) Where confidential information is processed under this regulation, the bodies and persons specified in paragraph (3) shall make available to the Secretary of State such information as he may require to assist him in the investigation and audit of that processing and in his annual consideration of the provisions of these Regulations which is required by section 60(4) of the Act.

Modifying the obligation of confidence

4.  Anything done by a person that is necessary for the purpose of processing confidential patient information in accordance with these Regulations shall be taken to be lawfully done despite any obligation of confidence owed by that person in respect of it.

General

5.  Subject to regulation 7, confidential patient information may be processed for medical purposes in the circumstances set out in the Schedule to these Regulations provided that the processing has been approved—

(a)in the case of medical research, by both the Secretary of State and a research ethics committee, and

(b)in any other case, by the Secretary of State.

Registration

6.—(1) Where an approval granted by the Secretary of State under regulation 5 permits the transfer of confidential patient information between bodies or persons who may determine the purposes for which, and the manner in which, the information may be processed, he shall record in a register the name and address of the bodies or persons to whom that information may be transfered together with the particulars specified in paragraph (2).

(2) The following particulars are specified for inclusion in each entry in the register—

(a)a description of the confidential patient information to which the approval relates;

(b)the medical purposes for which the information may be processed;

(c)the provisions in the Schedule to these Regulations under which the information may be processed; and

(d)such other particulars as the Secretary of State may consider appropriate to enter in the register.

(3) The Secretary of State shall retain the particulars of each entry in the register for so long as confidential patient information may be processed under an approval to which the entry relates and for not less than 12 months after the termination of that approval.

(4) The Secretary of State shall, in such manner and to the extent to which he considers it appropriate, publish entries in the register.

Restrictions and exclusions

7.—(1) Where a person is in possession of confidential patient information under these Regulations, he shall not process that information more than is necessary to achieve the purposes for which he is permitted to process that information under these Regulations and, in particular, he shall—

(a)so far as it is practical to do so, remove from the information any particulars which identify the person to whom it relates which are not required for the purposes for which it is, or is to be, processed;

(b)not allow any person access to that information other than a person who, by virtue of his contract of employment or otherwise, is involved in processing the information for one or more of those purposes and is aware of the purpose or purposes for which the information may be processed;

(c)ensure that appropriate technical and organisational measures are taken to prevent unauthorised processing of that information;

(d)review at intervals not exceeding 12 months the need to process confidential patient information and the extent to which it is practicable to reduce the confidential patient information which is being processed;

(e)on request by any person or body, make available information on the steps taken to comply with these Regulations.

(2) No person shall process confidential patient information under these Regulations unless he is a health professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

(3) For the purposes of paragraph (2) “health professional” has the same meaning as in section 69(1) of the Data Protection Act 1998(3).

Enforcement Procedure

8.—(1) Any person who does not comply with a requirement imposed on him under regulation 2(4) or (5), 3(4) or (5) or 7 may be subject to a civil penalty of not exceeding £5000.

(2) The Secretary of State may determine whether any person has not complied with such a requirement and he may assess whether it is appropriate to impose the maximum civil penalty, a lesser penalty or no penalty having regard to the seriousness of any non-compliance, the circumstances of any person who has not complied and the need to ensure the compliance in respect of any such future requirements.

(3) Any penalty payable under this regulation shall be recoverable by the Secretary of State as a civil debt.