Summary of legislative and common law provisions

Summary of data protection, confidentiality and privacy legislation relevant to NHSCFA

The General Data Protection Regulation (GDPR) and Data Protection Act 2018

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas.

The primary aims of GDPR are to give control to individuals over their personal data and to simplify the regulatory environment for international organisations by unifying the regulation within the EU.

The Data Protection Act 2018 sets out and updates the framework for data protection law in the United Kingdom (UK). It sits alongside the EU’s GDPR and tailors how it applies in the UK. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence and sets out the Information Commissioner’s functions and powers.

Human Rights Act 1998

This Act binds public authorities including Health Authorities, Trusts and Primary Care Groups to respect and protect an individual’s human rights. This will include an individual’s right to privacy (under Article 8) and a service user’s right to expect confidentiality of their information at all times.

Article 8 of the Act provides that “everyone has the right to respect for his private and family life, his home and his correspondence”. However, this article also states “there shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.

Each organisation must act in a way consistent with these requirements. It must take an individual’s rights into account when sharing personal information about them.

The Computer Misuse Act 1990

This Act makes it a criminal offence to access any part of a computer system, programs and/or data that a user is not entitled to access. NHSCFA issues each employee with an individual user ID and password which will only be known to the individual and must not be divulged to other staff. This is to protect the employee against inadvertently contravening this Act.

NHSCFA will adhere to the requirements of the Computer Misuse Act 1990, by ensuring that its staff are aware of their responsibilities regarding the misuse of computers for fraudulent activities or other personal gain. Any member of staff found to have contravened this Act will be considered to have committed a disciplinary offence and be dealt with accordingly.

Access to Health Records Act 1990

Under this Act all patients have a right to request access to all of their healthcare records. Persons wishing to access the records of a deceased individual may also do so under the Act.

Access to Medical Reports Act 1998

The Act gives patients the right to see reports written about them for employment or insurance purposes by a doctor with whom they have a normal doctor-patient relationship.

Access to a report can be withheld if the doctor thinks that disclosure is likely to cause serious harm to the physical or mental health of the individual or others, would indicate the intentions of the practitioner in respect of the individual, or would reveal the identity of another person who has supplied information.

Confidentiality: NHS Code of Practice

This gives NHS bodies guidance on the required practice for those who work within or under contract to NHS organisations concerning confidentiality and patients’ consent to the use of their personal data.

Common law duty of confidentiality

Common law is also referred to as ‘judge-made’ or case law; it is applied by reference to previous case judgements and so is also said to be based on precedent.

The general position is that, where information is given in circumstances in which a duty of confidence is expected to apply, that information cannot normally be disclosed without the information provider’s consent.

The duty of confidentiality is not an absolute right. There are circumstances where making the disclosure of confidential information is lawful:

  • where the individual to whom the information relates has consented
  • where disclosure is necessary to safeguard the individual, or others, or is in the public interest
  • where there is a legal duty to do so (such as a court order)
