We need your support to keep TheyWorkForYou running and make sure people across the UK can continue to hold their elected representatives to account.

Donate to our crowdfunder

NHS Trusts (Data Protection)

– in Westminster Hall at 3:30 pm on 27th April 2004.

Alert me about debates like this

Photo of Mike Gapes Mike Gapes Labour/Co-operative, Ilford South 3:30 pm, 27th April 2004

The Data Protection Act 1998 has been topical over recent months with regard to the sad murders at Soham and the way in which some public authorities, particularly police authorities, seemed to misinterpret it. My purpose today is not to enter a wide debate on the Act, but to focus on it in relation to the role of representatives and Members of Parliament taking up cases on behalf of their constituents. I do so knowing that the issue has been considered in the House before.

A Library standard note on the issue—SN/HA/1936—was published on 4 December 2002. Its first sentence states:

"A number of MPs have reported difficulties in carrying out their constituency duties stemming from the Data Protection Act 1998. The legal issues involved also apply to other elected representatives such as councillors, MEPs, MSPs etc."

The note was produced to try to explain the position in December 2002, before the coming into effect on 17 December 2002 of the Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002. I contend, on the basis of my recent experience, that there are still difficulties, despite the advice given by the Lord Chancellor's Department and despite that order, which came into effect one and a half years ago.

The matter was drawn to my attention as a result of correspondence from my local NHS trust, but, on the basis of e-mails that I received, including from officials in other NHS trusts, after I raised the matter during business questions just before Easter, I suspect that it is a wider issue. Certainly the reaction that I provoked when I raised it in the House suggested that similar issues have been raised with other hon. Members.

Data protection in the NHS does not relate simply to NHS trusts. I will not break the embargo, but I think that I can at least refer to the publication tomorrow of a code of practice by the Healthcare Commission, which is starting a process of public consultation on how it will deal with data protection issues. These matters do, therefore, have wide concurrence at the moment.

I have been a Member of the House for more than 12 years, in which time I have received many representations from my constituents on health-related issues, as do all MPs. The vast majority have been by telephone initially. Many are simply telephone calls from elderly and distraught people or from relatives of such people. Sometimes there are letters, but more often than not there are telephone calls or visits to my advice surgery.

In view of my 12 years' experience, I was surprised in early March to receive a letter from the chief executive of Barking, Havering and Redbridge Hospitals NHS trust—the trust that serves my constituency and covers King George's hospital, Ilford, which is in my constituency. The letter stated:

"As you are aware, we have recently been reviewing the whole of the complaints procedure in order to ensure that we are both responsive to, and learn from, our patients' experience.

As part of this review we have developed a new complaints policy, part of which covers our responsibilities under the Data Protection Act. The Act requires that we seek the permission of the patient, wherever possible, to disclose information of a clinical or personal nature to a third party.

Although I appreciate that by writing or talking to their MP, patients and their relatives are implicitly providing consent, it is important that we as a Trust also have that permission in writing.

I have therefore enclosed a supply of consent forms and would be grateful if you could ask your constituent to complete the form and send it to us with your letter."

That letter, with the consent form, was from the chief executive, Mark Rees, to me and, I presume, to other Members of Parliament in the area, and was dated 9 March. The form is a standard form for consent to access to information and, where necessary, for health care records to be disclosed to relevant personnel.

I thought that the letter raised fundamental questions about the role of elected Members of Parliament. I telephoned the trust immediately on receipt of the letter. I was not able to speak to the chief executive at that time, but spoke to senior officials within the trust, and was informed that there had been discussions among compliance officers in north-east London about how to deal with such matters. I asked if there was any documentation or guidance, and was told that there was none of which the person to whom I spoke was aware. I thought that, in those circumstances, I would write to the chief executive and see where that got me, because I felt that wider issues were raised. I wrote to Mark Rees on 18 March 2004 and pointed out that I had read his letter with considerable concern. I wrote:

"I, of course, accept that in the case of a 'third party' neighbour or friend making representations to Members of Parliament issues of confidentiality and Data Protection can arise. However, in the vast majority of cases, representations are made to me directly by constituents or by a close relative on their behalf.

A considerable number of cases are brought to my attention by individuals or their relatives or friends, who telephone my Office. Your letter to me appears to accept that an elected Member of Parliament is not in the same category as another member of the public to whom provisions of Data Protection procedures might be applied.

Indeed, you state that 'patients and relatives are implicitly providing consent'. You are also aware that a very large number of my constituents do not have English as their first language and find it difficult to give written consent or to write letters in English.

Your letter also appears to be in conflict with the advice to Government Departments issued by the Lord Chancellor's Department which is based on The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002: (SI 2002 No. 2905).

The advice states 'If the elected representative says that he or she is asking for information on behalf of someone else, Departments should normally be able to take the elected representative's word for it. The elected representative may often provide a letter or other form of written 'mandate' from the individual. But there is no requirement for the individual to put the request to the elected representative in writing, and getting a written mandate may not always be possible. For example, in urgent cases the individual's approach to the elected representative may have been made by telephone. If Departments are in particular doubt, they may wish to check the position with the individual.'"

I continued:

"It is not acceptable to me, as a Member of Parliament, to be faced with a bureaucratic obstacle course when I take up cases on behalf of my constituents. I therefore expect that you will modify your policy without delay and clarify to all members of your organisation the correct procedure for responding to representations and letters from myself as a Member of Parliament."

I also gave notice that I intended to raise the matter in the House.

I received a reply to that letter on 26 March, which sought to clarify the trust's position. Mark Rees said:

"I am writing further to your letter and our recent telephone conversation . . . I appreciate your views in this matter and as indicated in my original letter, accept that by talking with or writing directly to you as their MP, constituents are giving their consent.

The area of concern that the Trust has is that if a relative or friend raises issues about individual patient care without that person's knowledge or consent, then the Trust would be in breach of the Data Protection Act.

I can understand that you have a view that the Trust is being overly bureaucratic and therefore we shall take up the responsibility of checking, as necessary, with the patient involved."

I still thought that that response did not entirely meet my concerns, so I sent the correspondence to the Secretary of State for Health in a letter dated 30 March. I shall not quote the letter in full because it repeats many of the things that I said in the earlier correspondence. However, I shall quote one paragraph, in which I made the point that the way in which those matters were being considered undermined my position as an elected Member of Parliament and

"could place a bureaucratic obstacle course in the way of making timely and effective representations to NHS Trusts."

I continued:

"I would therefore be grateful if you could intervene to require the withdrawal of this policy and issue advice to NHS Trusts on the role of Members of Parliament in representing their constituents."

The day after sending that letter to the Secretary of State for Health, I received a further letter from Mark Rees in which he further clarified the trust's position. He wrote:

"The issue you raised with me in relation to the Data Protection Act (Processing of Sensitive Data) (Elected Representatives) Order 2002: (SI 2002 No. 2905) required some clarification with regard to obtaining consent to divulge information to a third party.

In my original letter, I acknowledged that if a complaint is raised with an MP directly by the patient involved, then clearly consent has been obtained.

The area of concern that the Trust has is that if a relative or friend raises issues about individual patient care, without that person's knowledge, or consent, then the Trust would be in breach of the Data Protection Act.

Although I want to avoid excessive bureaucracy at all costs, it is considered best practice for the Trust to obtain the consent of the patient involved wherever possible. Therefore, the Trust undertakes to write to the patient directly. However, I appreciate that you have been supplied with some consent forms, which need only to be used if you are in a position to provide one to the relative or friend, who can then obtain the patient's consent and forward the form to the Trust.

I apologise if this was not made clear in my earlier letter."

It seems, therefore, that there are consent forms but that it is not an absolute requirement to use them. I was still not entirely convinced, so I raised the matter at a meeting with the NHS trust in my constituency on Friday 2 April.

I also raised the matter during business questions in April, just before the House rose for the Easter recess, and will refer to that exchange because I was struck by the reply I received from the Leader of the House. He said:

"The Department of Health and the health service are in a slightly different position, as information held by hospitals about the health of individuals is likely to be held in confidence and disclosure to a third party is governed by the common law of confidence. However, the crucial point for my hon. Friend is that the Department of Health has issued guidance for NHS organisations, including trusts, that they should accept an MP's word, when an MP clearly states that he or she has the patient's consent."—[Hansard, 1 April 2004; Vol. 419, c. 1783.]

I had not seen that NHS guidance; I was working on the information that the Lord Chancellor's Department had given. I therefore asked the House of Commons Library if it could tell me where the NHS guidance was, and whether it was available. The Library was helpful and, eventually, after a few telephone calls, obtained a document called "Confidentiality: NHS Code of Practice", which was published in November 2003. It looked through it—it is a long document. The letter from the Library says that the only reference to Members of Parliament that could be found was in

"annex C, Model B3, Example 13, which is about 'non statutory investigations e.g. Members of Parliament."

This says:

"If an investigation is appropriately authorised, disclosure will meet tests of necessity and appropriateness. The minimum necessary information should be disclosed. There is a balance to be drawn between ensuring that a patient has understood and properly consented to a disclosure of information and needlessly obstructing an investigation. Careful consideration of any written authorisation and prompt action are key, e.g. where an MP states, in writing, that s/he has a patient's consent for disclosure this may be accepted without further resort to the patient."

That is very clear. I find it extremely to difficult to ask where that balance is; and if it is published in the annexe as a footnote to a document, it is not particularly helpful to managers in the NHS trust or to Members of Parliament when they deal with these matters.

My intention in securing this debate was to ask the Minister to clarify the Department of Health's position and the position with regard to data protection and Members of Parliament, and to say in what circumstances information should be given in response to letters or telephone calls from Members of Parliament when those hon. Members do not have written consent. It is not my intention to bother the possibly distressed elderly relatives of people in hospital with serious illnesses who cannot themselves respond to such requests.

Members of Parliament are not third parties; they are representatives of their constituents. We are our constituents' advocates; we are here to represent them and, without going into further detail, I hope that the Data Protection Act 1998, having been misused by police authorities in some circumstances, is not to be used by NHS trusts as an impediment to getting the truth about issues or to hon. Members making effective representations in a timely manner on behalf of our constituents. It is sad that Select Committees have less ability to get information than judicial inquiries and that the Freedom of Information Act 2000 may be a more effective way to get information than representations from Members of Parliament.

I hope that the Department of Health will come up with a clear, explicit, public and understandable explanation so that NHS managers and compliance officers and the trusts' chief executives are put clearly in the picture about the circumstances in which they can release information, and when they will have to think about obtaining written consent from the individual on whose behalf a Member of Parliament or another representative is taking up the matter.

Photo of Stephen Ladyman Stephen Ladyman Parliamentary Under-Secretary, Department of Health 3:49 pm, 27th April 2004

I begin by congratulating my hon. Friend Mike Gapes on raising an issue that is of concern not only to him, but to many hon. Members who have had similar experiences.

The Data Protection Act 1998 is a lengthy and complex piece of legislation that brought into force an equally long and complex European directive. It has, somewhat unfairly, been blamed for preventing information from being shared when it is in the interests of individuals and communities that it should be shared. As my hon. Friend said, there have been several well-publicised cases in which it was suggested that incidents might not have occurred if the rules on disclosure of information were less strict. However, it would be fairer to say that incidents might not have occurred if the rules on disclosure of information were better understood. It is often not the Act, but people's misperceptions of it that prevent the sensible sharing of information. The complexity of the Data Protection Act 1998 arguably contributes to this poor understanding, but it is only one element of the legal framework that governs disclosure of information.

The Department of Health is not responsible for the Act, so it is not my job to defend it or explain its application outside health and social care. However, providing those who work in the NHS with clear guidance is the responsibility of Health Ministers, as my hon. Friend suggested. I therefore hope that it will help if I outline both what the Act requires of NHS trusts, and the separate but associated requirements imposed by common-law obligations of confidentiality. I will then consider the guidance that has been provided to NHS trusts and try directly to address my hon. Friend's key concerns.

The Act applies to personal data about living people that are held on computer files or in certain structured manual files. NHS trusts that process personal data must comply with the eight data protection principles set out in schedule 1 to the Act. The term "processing" encompasses obtaining, holding, use and disclosure; in other words, everything that might be done with data. The first and second data protection principles are of particular relevance in the context of disclosure. The first principle requires personal data to be processed fairly and lawfully. The second principle requires that personal data are obtained only for specified and lawful purposes and are not further processed in a manner that is incompatible with those purposes. The other principles require data to be adequate, relevant and not excessive; to be accurate; to be kept no longer than necessary; to be processed in accordance with individuals' rights; to be kept secure; and not to be transferred to countries outside the European economic area without adequate protection.

As part of complying with the key first principle, NHS trusts must inform patients when their data are collected and meet at least one condition in each of two schedules to the Act. The first schedule applies to all personal data, the second only to sensitive data such as health data. The conditions serve to ensure that personal data are not used inappropriately but do not prevent them from being disclosed for legitimate purposes. I repeat, the conditions do not prevent data from being disclosed for legitimate purposes. That is an important point.

The two highest-profile cases in which the Act has come in for criticism are the failure by British Gas to notify social services when cutting off the gas supply for two pensioners, and the failure of the police to retain data about prior contacts with Ian Huntley. In the first of those cases, the Information Commissioner stated that

"in any circumstances, for example age or infirmity, where there are grounds for believing that cutting a particular household off would pose significant risk then the Data Protection Act would not prevent an energy supplier from notifying the relevant body."

In the Huntley case, the Information Commissioner stated:

"It is for the police to decide what information should be kept, and for how long, for their job of preventing or detecting crime."

My hon. Friend is concerned that NHS trusts have on occasion impeded investigations conducted by MPs on behalf of their constituents. NHS staff may have referred in error to the Act. However, the Government amended it through an order, which came into force on 17 December 2002, that removed restrictions on the disclosure of sensitive data to MPs who are dealing with constituents' cases. That means that the Act is not in itself the barrier to sharing information with MPs that some seem to think it is.

However, there are other obligations in law that restrict disclosure of data. Furthermore, due to the first data protection principle requiring that all processing of data be lawful, the Act serves to reinforce those other obligations. Those who process data will be in breach of the Act if they are not met. For NHS trusts in particular that creates a complicated and confusing picture. The most important obligations that they face in law, other than the Act, stem from the requirements imposed by confidentiality under the common law. Information held in confidence, which health data almost always are, cannot generally be disclosed without the consent of the individual concerned; in this case, the patient. The common law obligation is not absolute, but the exceptions are limited to circumstances in which there is a statutory requirement to disclose, an order from a court or, a public interest justification, such as significant risk to others, that outweighs the confidentiality obligation. An investigation conducted by an MP might, rarely, justify disclosure in the public interest, but in most cases there would need to be a clear indication that the patient concerned had consented to disclosure of information. There are several other legal barriers to the disclosure of health information. For example, there are strong prohibitions against the disclosure of information about sexually transmitted diseases.

As I said when I started, it is clearly our responsibility to ensure that NHS staff and organisations are provided with clear guidance on those complex matters. Comprehensive guidance was issued to the national health service in November 2003 in the document referred to by my hon. Friend. It is called, "Confidentiality: NHS Code of Practice". It covers all the legal aspects of disclosing confidential patient information in what we believe to be a straightforward and helpful way, but clearly my hon. Friend disagrees. The Information Commissioner, the General Medical Council, the British Medical Association and the Medical Research Council have all endorsed the guidance.

Photo of Mike Gapes Mike Gapes Labour/Co-operative, Ilford South

I am not criticising my hon. Friend for issuing general guidance, but does he not accept that it would be helpful if there were greater clarity in the advice on what to do when representations are made by Members of Parliament?

Photo of Stephen Ladyman Stephen Ladyman Parliamentary Under-Secretary, Department of Health

I accept that. I am just about to give that clear guidance.

The performance of NHS trusts in the area is being scrutinised this year, for the first time, as part of the work undertaken by the new Healthcare Commission to develop star ratings relating to NHS trust and performance. Although the provision of guidance and increased managerial attention to such matters are useful steps, as I am certain my hon. Friend will agree, it is difficult to ensure that all NHS staff receive appropriate training. The existence of guidance that can be quoted and referred to is a useful tool for MPs. For the record, I want to strengthen the position by providing as clear a statement as I can for Members and for health service staff.

The position is as follows. The Secretary of State for Health expects all NHS employees to co-operate with any reasonable request for information made by a Member of Parliament. Where that request is for information about an identified or identifiable individual, NHS bodies must comply with the Data Protection Act 1998, but, following the order made in December 2002, that should not act as a barrier to any legitimate inquiry. Where information about an identified or identifiable individual is held under a legal obligation of confidentiality, NHS bodies must comply with the NHS confidentiality code of practice. That will normally require the consent of the individual concerned. However, where a Member of Parliament acts on behalf of a constituent who has, whether in writing, by telephone or in person—perhaps by attending a constituency surgery—sought that Member of Parliament's assistance, the Member of Parliament has obtained a form of consent.

It is, of course, important that all concerned exercise careful judgment. Members should ensure as best they can that their constituents realise that any inquiry may result in a number of people having access to information that they would not normally have. They must assure themselves that they have the consent of the individual concerned, or of a parent or someone authorised to act on the individual's behalf. NHS staff should disclose only information pertinent to the inquiry—rather than all of a patient's past record—and they should inform the patient concerned about the disclosure. The bottom line, however, is that, providing that a sensible and responsible approach is adopted by all concerned, there should be no insurmountable barrier to sharing information with MPs.

Sometimes, of course, the NHS body can deal with the MP's inquiry without disclosing confidential health information. For example, if the matter relates to the scheduling of an operation, it may be necessary to disclose only dates and information on waiting times when responding. Under those circumstances, MPs should not press for information that they do not need. When confidential information needs to be shared, the NHS body should accept that if the MP has been asked to inquire into the matter by the individual, or by a person authorised to act on their behalf, that is sufficient consent. The MP must, however, not take lightly his or her duties to make appropriate inquiries only where the constituent genuinely wants those inquiries made.

If my hon. Friend or other hon. Members wish to do so, after it is published in the Official Report, they may bring the statement that I have just made to the attention of local health bodies if they believe that they do not properly understand the position or if a dispute arises. I will also bring the comments to the attention of my right hon. Friend the Leader of the House, as I know that these issues are often raised with him, and I shall ask the Minister of State, Department of Health, my hon. Friend Ms Winterton, who normally deals with these matters, to take into account the issues raised by my hon. Friend.