251 Control of patient information (E+W)
(1) The Secretary of State may by regulations make such provision for and in connection with requiring or regulating the processing of prescribed patient information for medical purposes as he considers necessary or expedient—
(a) in the interests of improving patient care, or
(b) in the public interest.
(2) Regulations under subsection (1) may, in particular, make provision—
(a) for requiring prescribed communications of any nature which contain patient information to be disclosed by health service bodies in prescribed circumstances—
(i) to the person to whom the information relates,
(ii) (where it relates to more than one person) to the person to whom it principally relates, or
(iii) to a prescribed person on behalf of any such person as is mentioned in sub-paragraph (i) or (ii),
in such manner as may be prescribed,
(b) for requiring or authorising the disclosure or other processing of prescribed patient information to or by persons of any prescribed description subject to compliance with any prescribed conditions (including conditions requiring prescribed undertakings to be obtained from such persons as to the processing of such information),
(c) for securing that, where prescribed patient information is processed by a person in accordance with the regulations, anything done by him in so processing the information must be taken to be lawfully done despite any obligation of confidence owed by him in respect of it,
(d) for creating offences punishable on summary conviction by a fine not exceeding level 5 on the standard scale or such other level as is prescribed or for creating other procedures for enforcing any provisions of the regulations.
(3) Subsections (1) and (2) are subject to subsections (4) to (7).
(4) Regulations under subsection (1) may not make provision requiring the processing of confidential patient information for any purpose if it would be reasonably practicable to achieve that purpose otherwise than pursuant to such regulations, having regard to the cost of and the technology available for achieving that purpose.
(5) Where regulations under subsection (1) make provision requiring the processing of prescribed confidential patient information, the Secretary of State—
(a) must, at any time within the period of one month beginning on each anniversary of the making of such regulations, consider whether any such provision could be included in regulations made at that time without contravening subsection (4), and
(b) if he determines that any such provision could not be so included, must make further regulations varying or revoking the regulations made under subsection (1) to such extent as he considers necessary in order for the regulations to comply with that subsection.
(6) Regulations under subsection (1) may not make provision for requiring the processing of confidential patient information solely or principally for the purpose of determining the care and treatment to be given to particular individuals.
(7) Regulations under this section may not make provision for or in connection with the processing of prescribed patient information in a manner inconsistent with any provision made by or under the Data Protection Act 1998 (c 29).
(8) Subsection (7) does not affect the operation of provisions made under subsection (2)(c).
(9) Before making any regulations under this section the Secretary of State must, to such extent as he considers appropriate in the light of the requirements of section 252, consult such bodies appearing to him to represent the interests of those likely to be affected by the regulations as he considers appropriate.
(10) In this section “patient information” means—
(a) information (however recorded) which relates to the physical or mental health or condition of an individual, to the diagnosis of his condition or to his care or treatment, and
(b) information (however recorded) which is to any extent derived, directly or indirectly, from such information,
whether or not the identity of the individual in question is ascertainable from the information.
(11) For the purposes of this section, patient information is “confidential patient information” where—
(a) the identity of the individual in question is ascertainable—
(i) from that information, or
(ii) from that information and other information which is in the possession of, or is likely to come into the possession of, the person processing that information, and
(b) that information was obtained or generated by a person who, in the circumstances, owed an obligation of confidence to that individual.
(12) In this section “medical purposes” means the purposes of any of—
(a) preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of health and social care services, and
(b) informing individuals about their physical or mental health or condition, the diagnosis of their condition or their care and treatment.
(13) In this section—
“health service body” means any body (including a government department) or person engaged in the provision of the health service that is prescribed, or of a description prescribed, for the purposes of this definition,
“processing”, in relation to information, means the use, disclosure or obtaining of the information or the doing of such other things in relation to it as may be prescribed for the purposes of this definition.