Whose data is it anyway?

by | Jan 4, 2013 | Data Protection | 1 comment

The Guardian’s website led with an odd story this morning. Not for the first time, GPs (the people whose insights are supposed to be so profound that they are effectively running NHS Commissioning) are complaining about the complexity of dealing with access to childrens’ medical records from parents who are divorced or separated. The most obvious thing to say about the article is that it runs to nearly 1000 words without mentioning the relevant legislation (Data Protection), which is a remarkable oversight. The second obvious thing to say is that the picture of GPs (and journalists) not understanding how Data Protection works is at least as great a concern as the complaint about how hard it is to deal with divorcing couples. Everyone else gets on with it without generating front page news.

The Medical Protection Society – the medical legal defence organisation – report “a steep increase in calls from GPs concerned about requests for access to children’s medical information from separated parents”. However, the reported concerns are pretty standard and the idea that doctors are running to their legal representatives deserved better scrutiny. The only legislation giving a right to medical data about living people is the Data Protection Act, and the only person given a right to a child’s medical information is the child. The right of subject access is not delegated to anyone else in the DPA, and parents are not given any specific rights over their child’s information. The article states: “Parents who were married will normally both have parental responsibility and be entitled to see their child’s medical record”, which is a significant oversimplification. Data Protection doesn’t mention Parental Responsibility. Parents have been given a specific right of access to education records under the Pupil Information Regulations, but no such provision has been made for medical information.

The Information Commissioner’s Office – in my experience – tend to use PR as the only test even though their own Guide to Data Protection is more nuanced. Keen to clear their caseloads and faced with angry parents who obviously won’t go away, I think they sometimes adopt the line of least resistance – they’ve got PR, so hand the data over and help me meet my targets. PR is rarely removed from a parent, except in very serious cases or when the child is adopted. I’ve dealt with numerous parents who were forbidden even from sending a birthday card direct to their child, and yet the court hadn’t bothered to remove PR. These parents cannot logically act on their child’s behalf, so convincing them they have an “entitlement” that they don’t have helps no one. The ICO once issued an adverse assessment on a decision my employer made to withhold records from a parent who had no contact with their child, but when we told them that we were sticking to our decision, they would not enforce their decision, effectively backing down. Check the Government’s guidance on PR and you’ll find a lot more about the parent’s responsibilities than their rights.

When a parent asks for information about their child, they are exercising their child’s rights on their child’s behalf. A disclosure to a parent that is the child’s interests is always justified, so GPs must focus on that question. The individual decision may not be easy, but the principle is. The idea that “GPs will try to keep out of it [the marital dispute]” is sensible, but a GP cannot expect to run away from tricky decisions about who gets access to data. It’s part of the job. They are not ‘caught in the crossfire’ as the headline would have it. A disclosure of information about the child’s health while in the care of a non-resident parent at the weekend or on holiday should probably be automatic. On the other hand, a disclosure of any information about the other parent – where they live, how they are, what they think – is unacceptable, and GPs or their staff must have the skills to respect the confidences of other patients. Many requests will fall somewhere in between. The article asserts that a father in a domestic violence case “may have a right to access the child’s record, but the GP may have to be mindful of the fact that he may have to withhold any information leading to the whereabouts of the mother.” A father in this situation does not have a ‘right of access’ – if a parent needs information to fulfill his duties to his child as the responsible adult, they must get that information but no more. Indeed, there is an argument that parents aren’t making conventional subject access requests for their child’s information at all – medical professionals must give them everything they need to know, but if PR is the key, then they may not need a copy of the whole record to satisfy that. Fixating on PR also ignores the fact that a relative like a grandparent or another carer – who almost certainly won’t have PR – may well be an appropriate person to provide information to in some circumstances.

The author is keen to conflate the medical records issue with the headline-grabbing case of Neon Roberts, the child whose mother and father are at odds about whether he should receive radiotherapy. While this real-life and tragic variation on Kramer Versus Kramer is clearly newsworthy, it’s almost completely irrelevant to the question of access to records. Meanwhile, a much more important issue is only hinted at. This is the child’s information, and the child’s right of subject access. While a parent who has PR and needs to make difficult decisions should not be denied information that they need to protect their child’s best interests, neither the child or its information is the property of its quarrelling parents.

The famous Gillick case  – Gillick v West Norfolk and Wisbech Area Health Authority [1985] 3 All ER 402 (HL) – establishes that a child with sufficient capacity can make their own medical decisions. A similar, more recent case – (R (Axon) v Secretary of State for Health and the Family Planning Association [2006] EWHC 37 (Admin) – underlines this same principle. If a competent child can consent to medical treatment and keep it confidential from their parents, naturally they will also be entitled to decide who gets access to their information. Babies and infants will clearly need a concerned parent to act for them, but even a snotty 12-year-old may be mature enough to be involved in a decision and decide who gets to know what.

Journalists are sometimes keen to slate Data Protection as an unnecessary and bureaucratic barrier to transparency. Often, what they’re complaining about is the misuse of Data Protection by officials, compounded by their own ignorance of what the legislation actually says. The Guardian’s article shows symptoms of this same disease – GPs cannot negotiate this territory without a functioning knowledge of the Data Protection implications, and journalists who attempt to write about these issues need the same. Otherwise, we get hand-wringing and headlines, but none of the clarity this issue requires.