health records

Health records can be classified as sensitive personal data under the Data Protection Act, and therefore special precautions should be taken over how they are stored and handled (processed). Health records could include a variety of pieces of information, ranging from illnesses suffered as a child and allergies, to a data subject having a hereditary condition or being HIV positive. The latter could, understandably, cause damage and/or distress to the data subject if it were leaked in some way, e.g. if medical notes were held on a USB key which was then lost and found by someone who might act on the information.

In cases where there is evidence that damage has been caused, the organisation responsible for the security of the data (the Data Controller) could find itself liable to pay compensation. There is also the possibility that the Information Commissioner could become involved to investigate the organisation's technical and organisational measures for data security.

Public bodies that handle these records should consider whether:

  • the data is kept securely to protect it from damage and unauthorised access;
  • the staff that handle the records have had adequate training;
  • the records are accurate and kept up to date; and
  • the data that is recorded is relevant – any comments (including statements of opinion) written in the record may also constitute personal data and might therefore need to be released in response to subject access requests, so care should be taken.

There are also issues surrounding the use of health records for clinical research, drug trials and other similar studies, as these are usually carried out by external organisations on behalf of health sector organisations. Despite the use of anonymisation, the information can still be classed as (sensitive) personal data if there is a key in existence which enables the identification of individuals. It is very important to take into account the following factors:

  • Is there a data processing agreement in place, stating that the data processor (the external organisation) has appropriate safeguards in place to protect the data?
  • Are the data subjects aware of how, and for what purposes, their data is being processed?
  • Is the data only being kept for as long as necessary?