Policy for taking and Sharing Images of Patients in the United Kingdom

October 6, 2017


Here we discuss the United Kingdom governance relating to the use of mobile phones for clinical photography. There are obscene amounts written on patient data protection. We have attempted to navigate the various sources to provide some clarification!

Information Governance (IG) Handbooks

Each NHS Trust has its own Information Governance Handbook. It aims to give employees a way to deal with the various rules set out in a plethora of places. The "Key Information Governance Policies" are:

  • Data Protection Policy. This policy sets out the roles and responsibilities for compliance with the Data Protection Act 1998.
  • Freedom of Information Policy. This policy sets out the roles and responsibilities for compliance with the Freedom of Information Act and Environmental Information Regulations.
  • Confidentiality Policy. This policy lays down the principles for all who work within NHS England and have access to personal or confidential business information. All staff must be aware of their responsibilities for safeguarding confidentiality and preserving information security to comply with common law obligations of confidentiality and the NHS Confidentiality Code of Practice.
  • Information Security Policy. This policy is to protect, to a consistently high standard, all information assets. The policy defines security measures applied through technology and encompasses the expected behaviour of those who manage information within the organisation. It covers the Information Security NHS Code of Practice and the international information security standard (ISO/IEC 27002: 2005).
  • Document & Records Management Policy. This policy is to promote the effective management and use of information, recognising its value and importance as a resource for the delivery of corporate and service objectives. This covers the NHS Care Record Guarantee for England, the Social Care Record Guarantee for England, the Records Management NHS Code of Practice.
  • Information Sharing Policy. The policy will ensure that all information held or processed by NHS England is made available subject to the appropriate protection of confidentiality and in line with the terms and conditions under which the data has been shared with NHS England. This policy sets out what is required to ensure that fair and equal access to information can be provided and is supported by a range of procedures.

Relevant policies and other guidelines are discussed in the sections below. You should always refer to your Trust's Information Governance Handbook.


GMC: Making and using visual and audio recordings of patients

The General Medical Council (GMC) has a published guide relating to the "Making and using visual and audio recordings of patients".

The key takeaways:

  • Serious or persistent failure to follow the guidance will put your registration at risk.
  • Respect patient wishes.
  • Make recordings only where you have appropriate consent or other valid authority for doing so.
  • Disclose or use recordings from which patients may be identifiable only with consent or other valid authority for doing so.
  • Make appropriate security arrangements for storing recordings.
  • Be familiar with, and follow, the law and local guidance and procedures that apply where you work.

A few excerpts are particularly relevant.

You must get the patient’s consent to make a recording that forms part of the investigation or treatment of a condition, or contributes to the patient’s care, except in the circumstances described in paragraph 10. You should explain to the patient why a recording would assist their care, what form the recording will take, and that it will be stored securely.

Paragraph 13

Recordings made as part of the patient’s care form part of the medical record, and should be treated in the same way as written material in terms of security and decisions about disclosures.

Paragraph 15


Download the guide from the GMC website.


Data Protection Act 1998

The Information Commissioner's Office (ICO) has published a series of guides, codes and advice on how to comply with the Data Protection Act 1998 (DPA). Below we review some of the relevant ones.

ICO: The Guide to Data Protection

The guide was created for those who have day-to-day responsibility for data protection.

The eight principles are (summarised):

  1. Personal data shall be processed fairly and lawfully.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.


Download the guide from the ICO website.

ICO: Data sharing code of practice

This is a statutory code that explains how the Data Protection Act 1998 (DPA) applies to the sharing of personal data.

The key takeaways:

  • Only share what is necessary.
  • Information must be shared securely.
  • Ensure you are giving information to the right person.
  • Record your data sharing decision and your reasoning and include:
    • What information was shared and for what purpose.
    • Who it was shared with.
    • When it was shared.
    • Your justification for sharing.
    • Whether the information was shared with or without consent.

It is worth noting that this code is designed for the sharing of any personal information. Where it talks about sharing information without consent, other codes, guidelines and laws suggest otherwise in a medical setting.


Download the guide from the ICO website.

ICO: Privacy in Mobile Apps

This guidance has been produced to help app developers comply with the Data Protection Act 1998 and ensure users' privacy.

The key takeaways:

  • Personal information captured from the phone (e.g. a device identifier and photo metadata) can still be considered "personal data".
  • It's vital to know where and how data will flow when your app is used, and who is in control of the data throughout the life cycle of the app.
  • If a mobile app is the "Data Controller", it must register with the ICO.
  • You should only collect and process the minimum data necessary for the tasks that you want your app to perform.
  • When providing notices or information in your mobile app, use plain English and use language appropriate to your audience.

It is worth noting that PicSafe removes metadata from photos. It should also be noted that the user controls where the data is sent and is thus the "data controller". According to the registration self-assessment, PicSafe is "under no requirement to register". Use of PicSafe, however, allows users to comply as a data controller.


Download the guide from the ICO website.


Safe Data, Safe Care: Data Security Review

In July 2016 the NHS published a report reviewing how data is safely and securely managed in the NHS.

Key findings:

  • Data security policies and procedures were in place at many sites, but the day-to-day practice did not necessarily reflect them.
  • Data security systems and protocols were not always designed around the needs of frontline staff. This leads to staff developing potentially insecure workarounds in order to deliver good, timely care to patients – this issue was especially evident in emergency medicine settings.

Key recommendations:

  • All staff should be provided with the right information, tools, training and support to allow them to do their jobs effectively while still being able to meet their responsibilities for handling and sharing data safely.
  • IT systems and all data security protocols should be designed around the needs of patient care and frontline staff to remove the need for workarounds, which in turn introduce risks into the system.


Download the guide from the ICO website.


Other related documents

There are almost too many reports and guidelines to comprehend! Beyond what we discussed above, all other documents relating to patient privacy and mobile clinical photography mostly repeat the same points.

Here is a list of links to relevant legislation:

And finally, here is a link to a discussion around The Common Law Duty of Confidentiality.