J Med Ethics 29:34-35 doi:10.1136/jme.29.1.34
  • Symposium on consent and confidentiality

The requirements of the Data Protection Act 1998 for the processing of medical data

P Boyd

Correspondence to: Mr P Boyd, Assistant Information Commissioner, Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, UK
  • Accepted 23 September 2002


The Data Protection Act 1998 presents a number of significant challenges to data controllers in the health sector. To assist data controllers in understanding their obligations under the act, the Information Commissioner has published guidance, The Use and Disclosure of Health Data, which is reproduced here. The guidance deals, among other things, with the steps that must be taken to obtain patient data fairly, the implied requirements of the act to use anonymised or pseudonymised data where possible, an exemption applicable principally to records-based research, the right of patients to object to the processing of their data, and the interface of the act and the common law duty of confidence.