The Hippocratic oath incorporated the principle of medical confidentiality into doctors' professional ethics. A modern statement can be found in the booklet `Good Medical Practice' [GMC1] issued by the General Medical Council:
Patients have a right to expect that you will not pass on any personal information which you learn in the course of your professional duties, unless they agree.
This is expanded in the GMC booklet `Confidentiality' [GMC2] which stipulates that doctors who record or who are the custodians of confidential information must ensure that it is effectively protected against improper disclosure. Still more detailed guidance can be found in books published by the BMA [Som93] and HMSO [DGMW94].
Both the government and the healthcare unions are agreed that electronic health records must be at least as well protected as paper ones; the Data Protection Act makes GPs and others responsible for the security of personal health information that they collect; and a recent EU Directive obliges the government to prohibit the processing of health data except where the data subject has given his explicit consent, and in certain other circumstances [EU95].
The basic ethical principle, as stated by both the GMC and the EU, is that the patient must consent to data sharing. Confidentiality is the privilege of the patient, so only he may waive it [DGMW94]; and the consent must be informed, voluntary and competent [Som93]. Thus, for example, patients must be made aware that information may be shared between members of a care team, such as a general practice or a hospital department.
A number of exceptions to this rule have developed over time, and include both statutory requirements and exemptions claimed on pragmatic grounds; they pertain to the notification of abortions, births, some deaths, certain diseases, adverse drug reactions, non-accidental injuries, fitness to drive and disclosure to lawyers in the course of a dispute [DGMW94]. There is controversy over research; the NHSE claims that by seeking treatment, a patient gives implied consent to the use of his records in research, while the healthcare professions do not accept this [Mac94]. However, this debate has no great effect on the security policy set out here.
Finally, there is the issue of the patient's consent to have his record kept on a computer system at all. It is unethical to discriminate against a patient who demands that his records be kept on paper instead; his fears may well be justified if he is a celebrity, or a target for assassination, or for some other reason in danger from capable motivated opponents. Some cases of this kind have been managed using pseudonyms, so that the patient's real identity is never exposed to a computer system.