The Data Protection Act 1998 makes it clear that a section 10 request should only be overridden where the purpose served by processing the data is sufficiently important to warrant doing so even where it is accepted that substantial harm or distress is being caused. We do not expect there to be many, if any, circumstances where this would arise in the case of an individual who is competent to make decisions. We are, however, taking legal advice, and consulting with the Department for Children, Families and Schools, about the position in respect of those that lack competence, where all decisions should be taken in the individual's best interests.
Data from the secondary uses service will only be disclosed to the police where it is in the overriding public interest, for example to prevent, or support detection of, extremely serious crimes, where there is statutory authority, or where the courts have made an order requiring disclosure.
The data controller for information held within the secondary users service is the Department. Other organisations lawfully permitted access to data held within the secondary users service will be data controllers in common for the subset of data that they can access.
With regard to detailed care records provided as part of the national health service care records service, the Department is data controller in common with the NHS organisations providing health care to patients. Although key data controller responsibilities such as overall network and technical system security are managed through the Department's contracts, most data controller responsibilities will be discharged by local organisations. However, there may be occasions, for example due to an organisation ceasing to exist or function, where the Department is the sole data controller for the data concerned.