The Data Protection Act 1998 (DPA) [1] became law on 24 October 1998. It is based around eight ‘Principles of Data Protection’ (Table 1) and its provisions apply to manually processed data such as health records. For living individuals, it replaces the Access to Health Records Act 1990 [2]. However, the majority of the Access to Medical Reports Act 1988 [3] remains in force. It is not the purpose of this article to examine in detail the far-reaching implications of the DPA for health professionals in general, as these have been dealt with in documents such as those from the medical defence societies and from the Office of the Data Protection Commissioner [4], or for occupational health departments (there have been two popular explanations of this which are readily available [5,6]), but rather to look at two particular implications for occupational physicians.

There are several transitional arrangements relating to various categories of data; for manual filing systems (such as the majority of occupational health record systems), the DPA applies fully from 23 October 2001. As with any legislation whose application may vary widely with individual cases, many of the provisions of the DPA, whose broad principles reach deep into the heart of the keeping of medical records, will need to be clarified by case law.

Occupational health records frequently contain different types of material, as well as records relating to the care of an individual (for example, reports to and from management, work attendance data, etc.—all these data are essential to the effective management of an individual case). This is all ‘sensitive personal data’ held in a ‘relevant filing system’ and, hence, all subject to the provisions of the DPA. This means that individuals to whom the records relate will have to give explicit consent to their processing.
It is unclear from the DPA whether this consent will have to be written; however, the draft Code of Practice [4] states that compliance with the ethical guidelines of the Faculty of Occupational Medicine [7] will suffice in most cases. Individuals will also have the right of access to the material, unless certain limited exemptions within the DPA apply. This raises the interesting question of whether an organization’s management might have the right of veto over the release of management reports addressed to an occupational health professional, relating to an individual. To constitute a ‘health record’ for the purposes of the DPA, a record must have been made by or on behalf of a health professional. It would therefore be difficult to consider a letter or report made by an employer who is neither a health professional nor acting on behalf of a health professional to constitute a ‘health record’, even though the letter or report could be filed within an individual’s occupational health file. Thus,