As you will be aware, the Data Protection Commissioner contacted you recently in connection with Committee meeting that has been held recently to deal with the issue of cancer registration. Although the Commissioner was not asked to attend the meeting, it has been suggested to her that she should make her views on this matter known to the Committee. In particular, it was suggested that the Commissioner discuss the likely impact of the Data Protection Act 1998 on cancer registration.

  The 1998 Act places a requirement on data controllers who process personal data, ie on organisations who handle information about living, identifiable individuals, to provide the individuals who are the subject of the personal data with certain information in order to make the processing of that information fair. That information is the identity of the data controller or his representative, the purpose/s for which information about the individual are to be processed and any other information needed to make the processing fair. This is known as the "fair processing information". In the context of information that attracts confidentiality, the fair processing requirement could compel data controllers to provide individuals with information as to the disclosure of personal data about them. It is clear, therefore, that the 1998 Act is more explicit that the 1984 Act it supersedes in terms of the standard to be met in obtaining information fairly from individuals.

  My experience with dealing with cancer registries and similar bodies is that they generally do not have direct contact with the individuals about whom they hold information. As I understand it, it is usually practitioners responsible for treating individuals with cancer who disclose information about them to the registries. Therefore it will fall to the practitioner to ensure that individuals are aware of the fair processing information described above. A consent-gathering process would allow individuals to be told who the cancer registry is and what it does. In this context, the fair processing requirements of the Act could be satisfied by practitioners seeking the consent for the disclosure of information about individuals. However, as I understand it disclosures of personal data are sometimes made to registries without the consent, or even the knowledge , of the data subjects concerned. It should be noted that it is the Commissioner's understanding of the law relating to confidentiality that if an individual objects to the disclosure of confidential personal data about him this must be respected unless there is an express legal basis for making the disclosure in the absence of consent. Put simply, there may well be individuals who do not want the information that they have provided in confidence to those responsible for treating them to be disclosed to a registry. (This understanding of the law in this context would seem to be supported by guidance on confidentiality issued by the General Medical Council and other bodies.)

  Clearly, a combination of the fair processing information and the individual's apparent right to object to the disclosure of personal data about him could have implications for the operation of cancer registries. It should be noted that although the 1998 Act contains certain exemptions for those carrying out research, and it could be argued that the operation of the registries constitutes a form of research, there is no general exemption from the requirements of fairness and lawfulness.

  Although it does not fall to the Commissioner to attempt to satisfy the information needs of data controllers, there do seem to be three options for running the registries in compliance with the 1998 Act.

  Firstly, practitioners disclosing personal data to the registries could seek the consent of the individual data subjects concerned. Perhaps this consent could be sought as part of the individual's care programme. This is the manner in which much medical research, including epidemiological research, is being conducted.

  Secondly, the registries themselves should consider what their information needs are and should consider carefully whether those needs can be satisfied without being provided with personal data—ie information in patient identifiable form. As I understand it, some cancer registries study, for example, the incidence of certain forms of cancer within certain population groups living in certain locations. If that is correct, then the registries should consider whether it is possible for them to carry out their functions without being provided with patient identifiable information—eg by being provided with age band, partial postcode and Read code, for example. If necessary, it may be possible to link information relating to individuals in order to allow records relating to individuals to be differentiated from each other without being provided with information identifying them. This could perhaps be done by providing the registry with linkage information encrypted from an individual's NHS number without providing the registry with the decryption key.

  Thirdly, cancer registration could be put on a statutory basis, as is the case with notifiable diseases. This means that practitioners must or could disclose regardless of the wishes of individual data subjects. Although it is not for the Commissioner to take a view as to whether cancer registration should be put on a statutory basis, by virtue of section 35 of the 1998 Act personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment or by any rule of law. It should be noted though, that even where a disclosure is made in response to a statutory requirement this does not necessarily preclude data controllers from being as fair as is possible to patients in terms of explaning to them how the information they provide to their practitioner will be used, disclosed etc.

  Please contact me should you require clarification of any point.

27 June 2000