

The Data Protection Act of 1998 directs organisations in the United Kingdom to collect, process and pass on personal information in accordance with strict rules. This is required in order to protect the privacy rights of individuals.

The Act came into effect on 1 March 2000; it revises the Data Protection Act of 1984 and also implements the European Directive on Data Protection. The Act gives patients the right of access to their personal health information. Patient information processing in the United Kingdom must comply with the eight principles of the Data Protection Act.


These principles state, in relation to healthcare, that data should be:
  • fairly and lawfully processed;
  • processed for limited purposes, which include preventive medicine, medical diagnosis, medical research, provision of care and treatment, and the management of healthcare services;
  • adequate, relevant and not excessive, especially when obtaining, recording, holding, altering, retrieving, destroying or disclosing data;
  • accurate;
  • not kept longer than necessary;
  • processed in accordance with the data subject's rights; individuals are therefore entitled to prevent processing
    • for direct marketing purposes;
    • which will, or is likely to, cause the data subject or another person unwarranted and substantial harm or distress;
  • secure; any data subject who suffers damage due to unauthorised disclosure is therefore entitled to compensation;
  • not transferred to countries without adequate protection.

The Act applies fully to all patient records, whether they are held on computer or in paper files, and whether they consist of handwritten case notes or x-rays. The Information Commissioner, a UK independent supervisory authority, enforces and oversees the Data Protection Act 1998. The Commissioner has also released guidance for healthcare organisations on how the Act affects the use and disclosure of patient data. Below are some examples of the use and disclosure of patient data:

  • Care & Treatment
    • Routine record keeping, consultation of records etc, in the course of the provision of care and treatment;
    • Processing of records in the event of a medical emergency;
    • Disclosures made by one health professional or organisation to another, e.g. where a GP refers a patient to a specialist;
    • Clinical audit e.g. the monitoring of a patient care pathway against existing standards and benchmarks.
  • Administration
    • Processing for administrative purposes, e.g. disclosure by a GP made in order to receive payment for treatment provided;
    • Administrative audit, which may include studies designed to improve the efficiency of the NHS as an organisation, e.g. to support decisions about the allocation of resources.
  • Research & Teaching
    • Statutory disclosures to disease registries and for epidemiological research;
    • Non-statutory disclosures to disease registries and for epidemiological research;
    • Clinical trials;
    • Hospital-based teaching;
    • University-based teaching.
  • Use and disclosures for non-health purposes
    • Disclosures for Crime and Disorder Act 1998 purposes;
    • Disclosures to the police;
    • Disclosures to hospital chaplains;
    • Disclosures to the media.

All NHS and Primary Care Trusts have a 'Caldicott Guardian'. This is the person who oversees the systems that keep information safe and secure. Caldicott was implemented to protect 'all patient identifiable information which passes from National Health Service (NHS) organisations in England to other NHS or non NHS bodies for purposes other than direct care, medical research or where there is a statutory requirement for the information.' Thus, in relation to the Data Protection Act 1998, the Caldicott Guardian would have to ensure the following:

  • The use or transfer of patient information must be justified;
  • Patient information must not be used unless it is absolutely necessary;
  • Only the minimum necessary patient information should be used;
  • Access to patient information must be on a strict 'need to know' basis;
  • All staff must be aware of their responsibilities;
  • All staff must understand and comply with the law.




Last Updated: 9 August 2006.

Copyright © 2018 Biohealthmatics.com. All Rights Reserved.