The web pages on information governance are being updated in accordance with changes to data protection legislation in the UK.

Further information about these changes is available from the Information Commissioner’s Office (ICO): The ICO is the UK's independent data protection regulator.

UK and national legislation: A-L | M-Z | By subject

A - L

Access to Health Records Northern Ireland Order (1993)

Access to Medical Reports Act (1998) allows individuals to see any medical report written on them for medical or employment purposes.

Adults with Incapacity (Scotland) Act 2000 Mental Capacity Act (2005), applicable to England and Wales and the Draft Mental Capacity Bill (2015) in Northern Ireland, apply to adults who cannot make some or all decisions for themselves.

Of special significance to SLTs are the following points:

  • Ensure information is provided in accessible formats
  • All means possible must be given to support effective expression

Speech and language therapists must clearly document supportive communication techniques that support the individual’s ability to demonstrate capacity.

Children’s Act (1989) defines:

  • ‘Parents’ and parental responsibility and therefore access rights to documents.
  • Children’s rights to have their wishes and feeling considered regarding the provision of services.

Children’s Act (1989) part 2 defines:

  • Who is a ‘parent’
  • Who has parental responsibility
  • Who has access rights to documents

Children and Family Act (2014) introduced EHC plans. These have replaced statements of special educational needs and document the plan of support for children, young people and their families from 0 – 25 years.

Common Law Duty of Confidence arises when one person discloses information to another, e.g. patient to clinician, where it is reasonable to expect the information will be held in confidence. The duty of confidence stands true whether for a child, young person or adult. There are only three lawful routes to disclosing confidential information:

  • Individual's/legal guardian’s consent
  • Disclosure is in public interest, e.g. safeguarding
  • Legal duty to do so, e.g. court order

Computer Misuse Act (1990) covers issues around computer security and advises a 12-month summary conviction or fine for misuse.

Data Protection Act (1998) applies to the United Kingdom of Great Britain and Northern Ireland. The Act controls how:

  • Organisations use personal information
  • Organisations process personal information
  • Individual’s can access the information held on them by an organisation.

Terms defined within the Act:

  • Personal information includes an individual’s name, address, age, race, religion, gender and any information relating to their physical, mental or sexual health.
  • Processing includes holding, obtaining, recording, using, sharing, disclosing and disposing of the data.
  • Requests for personal information under the Data Protection Act may be made by:
    • Service users
    • Solicitors representing service users
    • Staff
    • Police (via a Section 29 form or court order)

There is a 40-day response time to information requests; a charge may be incurred.

Data Protection (Processing of Sensitive Personal Data) Order (2000) amends the Data Protection Act (1998).

It states that sensitive personal data may be processed without consent, to:

  • Detect and prevent crime.
  • Protect against malpractice, incompetence and mismanagement.
  • Provide confidential counselling and advice where explicit consent cannot be given.
  • For research where the data does not, in any way, identify the individual.

Data Protection (Subject Access Modification) Order 2000 limits access to an individual's health records if:

  • The information released may cause serious harm to the physical or mental health of the patient or any other person.
  • Access would disclose information relating to, or provided by, a third party who has not consented to the disclosure.
  • The third party gives their consent to disclosure.
  • It is reasonable to disclose without the third party's consent.

Draft Mental Capacity Bill (2015)

Freedom of Information Act (2000) applies to England, Wales and Northern Ireland. Information held by Scottish public authorities is covered by the Freedom of Information Act Scotland (2002).

The Acts cover:

  • The right to be informed whether a public body holds certain information.
  • The right to obtain a copy of that information.
  • The duty of organisations to be proactive in publishing information about themselves.

Information includes:

  • Printed documents
  • Computer files
  • Letters
  • Emails
  • Photographs
  • Audio recordings
  • Video recordings.

Requests must be in writing and include the applicant’s name, address and reason for applying. Requests for personal information come under the Data Protection Act. Requests may be refused if they would take too much time/cost, are vexatious or have been made previously by the same individual. The Information Commissioner's Office has comprehensive advice on managing freedom of information requests.

Health and Social Care Act (2012) gives information standards a legal status and requires:

  • Adult health and social care organisations to use a consistent identifier (NHS number).
  • A legal duty for adult and social care organisations to share information where this will facilitate the care of the individual.

Human Right Act (1998) Article 8 protects the individual’s right to privacy, including how your personal information is held and protected. By complying with the common law duty of confidence and the Data Protection Act (1998), organisations should meet the requirements of Article 8.