Hostname: page-component-7c8c6479df-nwzlb Total loading time: 0 Render date: 2024-03-27T00:43:12.636Z Has data issue: false hasContentIssue false

The Freedom of Information Act 2000: should psychiatrists be worried?

Published online by Cambridge University Press:  02 January 2018

Rights & Permissions [Opens in a new window]

Abstract

Type
Editorial
Copyright
Copyright © The Royal College of Psychiatrists 2005 

‘For knowledge’, wrote Francis Bacon in 1597, ‘is power’. Mere information may not always qualify as knowledge, but 400 years later it is still the control of information that is often the mark of power. For the playwright Shaw, perhaps it was that control which characterised professions as ‘conspiracies against the laity’ (The Doctor's Dilemma, first published 1906). For later-20th-century activists, the recognition of information control as a means of political power inspired the long campaign for legislation to force the State to open its files to the electorate. The advent on 1 January 2005 of the Freedom of Information Act 2000 was the triumphant climax to that campaign.

But the triumph has been muted. To some, the Act seems so emasculated by exemptions that it has little to do with freedom or information. For others, it is another nudge of the political pendulum towards the individual as consumer, before whose altar society now abases itself in the interests of human rights and at the expense of individual professional freedom. Faced with such conflicting views, those working in the professions and the public sector may be forgiven for wondering what the Act actually does. This editorial attempts to explain.

Legal background to the Act

The Freedom of Information Act is only the latest addition to an increasingly complex legal framework of information rights and obligations – a framework that includes the common law of confidentiality, the Data Protection Act 1998, and Articles 8 and 10 of the European Convention on Human Rights 1950.

Confidentiality

Confidentiality is a concept that needs little explanation for psychiatrists and other healthcare professionals, not least because it is underpinned and rigorously applied by their codes of professional ethics (e.g. Reference Draper and RogersDraper & Rogers, 2005). However, it should be noted that it is not an absolute concept – it may be overridden, for example, by law or public interest (see below in reference to exemptions under the Freedom of Information Act).

Data protection

Similarly, the Data Protection Act will be familiar as the statutory regime for regulating ‘personal data’, i.e. information relating to living individuals. For psychiatrists, one of the most obvious examples of such data is information held in patient records.

In summary, the Data Protection Act controls the ‘processing’ (a term that encompasses almost every activity – disclosure, photocopying, erasure, archiving, etc.) of personal data, requiring all such usage to be fair, lawful (i.e. in line with the common law and any other relevant statutory provisions) and in accordance with the Data Protection Act's numerous conditions and exemptions. The most obvious, appropriate and desirable condition will be consent – for example a patient's consent; but it is by no means the only one. The requirements of public interest, such as the need for urgent investigation by a regulator, may sometimes qualify to displace the need for consent; while other situations may be covered by broad exemptions such as research or journalism (Reference AdsheadAdshead, 2005; Reference Draper and RogersDraper & Rogers, 2005; Reference TyrerTyrer, 2005).

It is important to remember that many of the Data Protection Act's restrictions on the processing of personal data may be avoided – particularly by researchers and authors – by anonymising the data. This was foreshadowed by the Caldicott Report recommendations (NHS Executive, 1997) and was endorsed by the Court of Appeal in a case about the selling of prescription data to pharmaceutical companies ( R v. Department of Health, ex parte Source Informatics Ltd, 2000): if the data do not identify a living individual, they cannot be regulated by the Data Protection Act.

Human rights

Increasingly prominent in legal analysis are Articles 8 and 10 of the European Convention on Human Rights 1950. The Convention is now enshrined in English law by the Human Rights Act 1998 as the international index of human rights against which our national laws must be measured. Article 8 formulates an individual's general right of privacy in respect of home and correspondence, subject to a wide range of exceptions permissible in a democratic society, such as public health and national security. In contrast, and sometimes in conflict, Article 10 sets out the general right to freedom of expression and exchange of ideas and information. Again, the principle is defined primarily by specific permissible exceptions – for example the laws of libel, copyright and national security.

What is the purpose of the Freedom of Information Act 2000?

Within this framework of information rights and obligations, the Freedom of Information Act was introduced on 1 January 2005 (although partly implemented before that) as a system for members of the public to obtain access to certain information held by public authorities in England, Wales and Northern Ireland (Scotland has its own version of the Act). It should be noted straight away that access is not granted to personal data such as patient records. These continue to be governed by the Data Protection Act (see above), and so to that extent the Freedom of Information Act has little direct impact on the way that psychiatrists handle patient records. Like the Data Protection Act, the Freedom of Information Act is monitored and enforced by the Information Commissioner.

The Act has two functions: first, to require every ‘public authority’ to adopt and maintain a ‘publication scheme’ setting out the categories of information it will routinely make available; and second, to provide ‘any person’ (which appears to include legal ‘persons’ such as companies) from anywhere in the world with the right to obtain specified information from public authorities (or at least confirmation of whether they have it), within a specified time (usually 20 working days).

Who has to disclose information?

These new obligations are imposed only on ‘public authorities’, as defined in a long list. This list includes not only National Health Service (NHS) bodies but also individual practitioners to the extent that they provide NHS primary care services –medical, dental, ophthalmic or pharmaceutical. It does not cover private services or, for example, the medical Royal Colleges; but such bodies must be aware of the fact that the information they provide to public authorities will fall within the Act.

Every request?

As with common law and European Convention principles of confidentiality (see Article 8 above), the freedom of access is not absolute – the Act is characterised as much by the exceptions as the rule. Apart from general provisions enabling requests for information to be refused for being ‘vexatious’ or likely to involve compliance costs exceeding the prescribed limit (Box 1), information may be withheld under one of over 20 specific exemptions, classified as either ‘absolute’ or ‘qualified’ – the latter being dependent on whether or not disclosure would prejudice the public interest.

Box 1 The limit for compliance costs

Information may be withheld if its provision is likely to involve compliance costs exceeding the prescribed limit, which is currently £450 for most NHS bodies and £600 for government departments

(Department for Constitutional Affairs, 2004)

Absolute and qualified exemptions

If an absolute exemption applies, the public authority need neither disclose the information nor confirm/ deny its existence. Information whose disclosure would prejudice, or otherwise not be in, the public interest may be protected by a qualified exemption.

Examples from each category are shown in Boxes 2 and 3. It is odd that information provided in confidence should be categorised as an absolute exemption (Box 2), because under common and European law confidentiality itself is not an absolute concept but is always qualified by a public interest exception. A classic case is that of W. v. Edgell(1990), in which a doctor was exonerated for passing on to the police information about his potentially violent patient – a disclosure that, on the face of it, was a clear breach of confidence to his patient but was adjudged in that case to be justified in the public interest.

Box 2 Examples of absolute exemptions

  1. Court records filed with or created by a court, or served on or by the public authority for the purpose of proceedings

  2. Personal data – this remains governed by the separate regime of the Data Protection Act

  3. Information provided in confidence, where disclosure would amount to a breach of confidence - in a therapeutic context, such information would usually also fall within the personal data exemption

  4. Where disclosure is prohibited by other legislation (e.g. under the Official Secrets Acts 1911–1989), or would be incompatible with European Commission obligations, or would amount to a contempt of court (e.g. in a case involving children)

Box 3 Examples of qualified exemptions

  1. Information held for the purposes of criminal investigations or proceedings

  2. Information whose disclosure would be likely to prejudice criminal investigations or other legal proceedings, or investigations into illegality or regulatory breach

  3. Information whose disclosure would, or would be likely to, endanger the physical or mental health or safety of an individual. Within psychiatry, such situations may be familiar, but the information will often fall within the absolute personal data and/or confidentiality exemptions above

  4. Information protected by legal professional privilege, i.e. comprising legal advice, or in connection with legal proceedings – this would usually cover, for example, reports prepared by practitioners for legal proceedings in an expert capacity

Codes of practice

Under the Act, there is an Access Code describing good practice for handling requests for information; and a Records Management Code containing practical guidance for the management of records. In addition, the Information Commissioner has issued wide-ranging guidance (Information Commissioner, 2005).

Enforcement and penalties

Dissatisfied applicants can complain to the Information Commissioner; thence to the Information Tribunal; and thence, on a point of law only, to the High Court. The Commissioner may issue notices, including an enforcement notice. Non-compliance may be regarded by the Court as a contempt of Court, for which the penalties are a fine or imprisonment.

What does this mean for psychiatrists in the NHS?

At one level, the Freedom of Information Act will have little immediate impact on practitioners. The psychiatrist's stock-in-trade is patient information – personal, confidential, and therefore largely exempt from the Act's disclosure regime. The primary impact of the legislation will be on information about the functions, processes, resources and decisions of public authorities. Hospital and primary care trusts, for example, are already receiving numerous requests from the media and the public for board minutes, serious untoward incident (SUI) reports, data about expenditure, details of headcount, and so on. For practitioners employed by such trusts, these requests will either be irrelevant or can be passed on to the employer, on whom the disclosure obligation rests. Even psychiatrists who fall within the Act by virtue of providing primary medical services will be affected only in relation to the provision of those services: the personal data exemption will still excuse them from disclosing purely patient information.

However, celebrations as to the Act's overall irrelevance to the field of psychiatry should not be unrestrained. For all practitioners, the subtle but demanding obligations of the Data Protection Act will continue to apply. According to the Information Commissioner, any request under the Freedom of Information Act that concerns the applicant's personal data must be treated automatically as a Data Protection Act ‘subject access request’, and if the data requested relate to someone other than the applicant, the Data Protection Act's strict requirements as to lawfulness and fairness will continue to apply regardless of the Freedom of Information Act (Information Commissioner, 2005). One consequence may be that if the public believe that the Freedom of Information Act provides them with access to such data, an increased number of requests under the Act may increase the amount of patient data being disclosed under the Data Protection Act. Conversely, if NHS apprehension about the Freedom of Information Act prompts the creators and recorders of information (e.g. at trust board meetings) to anonymise more information, their efforts may push that anonymised data out of the Data Protection Act frying-pan and into the Freedom of Information Act fire – resulting in more, not less, information about individual (albeit unnamed) patients finding its way into the public domain.

This only serves to underline the importance of ensuring that the anonymisation of data is effective. It is a particularly important issue for practitioners who provide reports to third parties such as social services departments, which may, as public authorities, be the subject of disclosure requests under the Freedom of Information or the Data Protection Act.

Conclusions

The control of information remains a mark of power, be it the power of government or that of the professions. The Freedom of Information Act states its purpose to be:

‘to make provision for the disclosure of information held by public authorities or by persons providing services for them…’

For organisations such as NHS trusts, the Act has an obvious impact on the information they generate and retain. For individual practitioners who deal in confidential and personal information, its effect is more subtle, but cannot be ignored.

References

Adshead, G. (2005) History is bunk. Invited commentary on Re-evaluating confidentiality. Advances in Psychiatric Treatment, 11, 123–122.Google Scholar
Department for Constitutional Affairs (2004) The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004. London: Stationery Office. http://www.actnow.org.uk/SI3244.pdf Google Scholar
Department for Constitutional Affairs (2005) Guidance on the Application of the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004. London: Stationery Office. http://www.dca.gov.uk/foi/feesguide.htm Google Scholar
Draper, H. & Rogers, W. (2005) Re-evaluating confidentiality: using patient information in teaching and publications. Advances in Psychiatric Treatment, 11, 115121.Google Scholar
Information Commissioner (2005) Freedom of Information Act Awareness Guidance No. 1. Wilmslow: Information Commissioner's Office. http://www.informationcommissioner.gov.uk/cms/DocumentUploads/AG%201%20personal%20info.pdf Google Scholar
NHS Executive (1997) Report on the Review of Patient-Identifiable Information (Caldicott Report). London: Department of Health.Google Scholar
Shaw, G. B. [1906] (1987) The Doctor's Dilemma. London: Penguin Books.Google Scholar
Tyrer, P. (2005) The ethics of confidentiality in research. Invited commentary on Re-evaluating confidentiality. Advances in Psychiatric Treatment, 11, 122123.Google Scholar
R. v. Department of Health, ex parte Source Informatics Ltd [2000] LLR 76.Google Scholar
W. v. Edgell [1990] 1 All ER 835.Google Scholar
Submit a response

eLetters

No eLetters have been published for this article.