We are not aware that any trusts are routinely using smartcards for these purposes. The Department has considered use of smartcard technology to hold patient records, but has rejected it on grounds of patient safety and confidentiality. The use of smartcards, or equivalent tokens, has, however, been identified as having potential for authenticating patient access to patient records, and this continues to be explored as part of ongoing technical development within the national programme for information technology.
Legal penalties for individuals and organisations misusing personal health and other information are provided for under section 60 of the Data Protection Act. My right hon. Friend the Secretary of State is on record as supporting the Information Commissioner in his call for these to be increased. Individual patients may also seek redress through the courts for breach of confidentiality.
Other strong disincentives exist which protect against abuse of patient confidentiality. National health service organisations are responsible, as employers, for the actions taken on their behalf by their employees, and for disciplining their staff when they behave inappropriately. Accessing the care records service without a legitimate reason constitutes a breach of the NHS Confidentiality Code of Practice. Staff who breach patient confidentiality are subject to professional disciplinary measures. Offending doctors and nurses will be reported to their professional regulatory bodies and may face additional disciplinary action, including losing their licence to practice. In the case of general practitioners, a primary care trust may take steps to remove a GP from its list on various grounds, which would include the protection of patients in these circumstances.
The confidentiality of patient records is generally well understood by healthcare professionals. Substantial information is also being issued to frontline healthcare professionals in England about the care records service and how it will impact on their roles, and guidance on information governance. This is being done as part of a major exercise to prepare the NHS and then inform the public about the arrival of the service, its implications for their information and their health, and their options for participation.
Clinical staff working within accident and emergency units will have access to the content of sealed envelopes, and locked and sealed envelopes, to the extent that these cover data entered by that A and E unit, and may have access to sealed, but not sealed and locked, envelopes covering data entered by other departments or organisations. In this latter case, access to the content of the sealed envelope is only authorised where a patient gives express consent or, rarely, when required or permitted by law.
Patients have the right to restrict access to their clinical information, and clinicians responsible for treating them have a duty of care to explain to those who choose to do so the potential impact their decisions may have on their future care. If nonetheless a patient does not want important data to be available to A and E units, even though absence of that information may lead to future harm, they will have the right to seal the information.
All information held by a doctor about a patient is subject to the requirements of the Data Protection Act 1998, and patients’ consent to share, and ability to limit the sharing of their care record, is covered by the NHS care record guarantee. It is not possible to predict precisely how often circumstances will arise requiring authorised users of the care records database to open sealed envelopes without patients’ permission. In part this will depend upon the type of information that patients choose to seal. For example, the law requires some forms of communicable disease to be notified to the National Patient Safety Agency, so if a patient sealed information about this, the information would be extracted without the patient’s permission. Where information is sealed it will be opened without specific permission only where there is an explicit statutory requirement to disclose information, as in the above example, where a court orders the disclosure, or where the public interest outweighs the patient’s right to confidentiality, for example in cases of serious crime or where there are significant risks to other people. By their nature these will be very unusual circumstances.