This site is intended for health professionals only

At the heart of general practice since 1960

pul jul aug2020 cover 80x101px
Read the latest issue online

Independents' Day

Neil Bhatia

Neil Bhatia

GP, IG/FOI/Records Access Lead, Caldicott Guardian, DPO

  • Three more GP practices close due to coronavirus fears

    Neil Bhatia's comment 13 Feb 2020 4:10pm


  • GPs to share video consultations with hospitals under Babylon partnership

    Neil Bhatia's comment 23 Jan 2020 11:46am

    I can't think of anything more utterly useless. An absolute gimmick.

    All I want is a clinic letter, preferably within 7 days of the appointment, and ideally electronically. I have no interest whatsoever in viewing the secondary care consultation, and I am absolutely sure that my consultant colleagues have absolutely no interest in viewing mine. A decent, informative, referral letter from me is what they want.

  • GP practice threatened with breach notice for failing to cooperate with PCN

    Neil Bhatia's comment 17 Jan 2020 10:33am

    "Dr Shashikanth said his assigned PCN wants to write to patients promoting services"

    That is marketing.

    That requires the explicit consent of patients. I doubt they have all already agreed to receive such promotional material from an organisation out with their GP surgery.

    PECR do not cover marketing by post, but if you are sending post to named individuals you must comply with the Data Protection Act and the GDPR.

  • Judge finds in favour of GP practice that refused to post medical records

    Neil Bhatia's comment 21 Oct 2019 1:01pm

    Just to clarify, information already known to the patient still has to be disclosed under a SAR

  • Judge finds in favour of GP practice that refused to post medical records

    Neil Bhatia's comment 21 Oct 2019 11:40am

    Personally, I think we can safely infer that disclosing the record in this way, where reasonable (i.e. the patient can collect it), fully upholds the data subject’s right of access and meets the requirements that disallow an order under CPR 31.17 (and probably CPR 31.16).

    Were you to make the record available for collection and not provide an alternative route if the patient was housebound/in prison/in a nursing home, then that could be deemed a contravention of Article 15.

    If you refuse to send the SAR to a third party and that results in either no disclosure (pt in prison) or an unsafe disclosure (patient has lost capacity) then that could be deemed a contravention of Article 15. Such situations are uncommon though.

    When it comes to civil actions, which the vast majority of SARs that we receive relate to, then the disclosure of records within civil claims is still governed by the Civil Procedure Rules (CPR). Disclosure in civil cases was clarified by the case of Dunn v Durham [2012] EWCA Civ 1654, which confirmed that the CPR was the correct regime under which to disclose and redact *documents*.

    There is case law about SARs, CPR, and DPA 1998 though, much of which would be applicable to DPA 2018:

    Seeking remedy, where the patient refuses to collect the record and could perfectly do so, would have to go down the DPA s167 route. That is complex and expensive (as the judge says) and the court would view dimly on the costs involved when the alternative is simply for the patient to collect their own record. And no solicitor is going to risk high court costs for such a trivial matter – assuming the practice had not *refused* the SAR.

    The ICO has stated that practices are, of course, entitled not to disclose to a third party where they have concerns, but that there must no be a “blanket” policy of never disclosing to a third party (because sometimes we have to). It is important that a SAR policy reflects this, that all SARs are assessed individually, including the ability of the patient (or their spouse/partner etc) to be able to collect the SAR - as they do with all other forms, certificates, letters, results.....


  • Thousands of terminally ill patients risk being denied benefits, says RCGP

    Neil Bhatia's comment 21 Jun 2019 3:54pm

    But I do a DS1500 anyway. It doesn't affect the benefits that they are entitled to, or ultimately receive, simply how quickly their application is processed.

    "You will not face any negative consequences from the factual information you supply, for example if your patient lives longer than 6 months."

    "Determining life expectancy in these circumstances is not an exact science. The form asks for factual information and does not require you to give a prognosis."


  • CCG bans patients from leaving hospital-managed GP practice amid exodus

    Neil Bhatia's comment 17 Jan 2019 2:33pm

    sorry, that prevents PATIENTS *registering* at another local practice!

  • CCG bans patients from leaving hospital-managed GP practice amid exodus

    Neil Bhatia's comment 17 Jan 2019 2:32pm

    They can't possibly do that.
    The CCG could facilitate a "ban" in all but name by permitting all local practices to close their lists. That effectively prevents practices *registering* at another local practice.

  • CCGs should pay for data protection officers, suggests partnership review

    Neil Bhatia's comment 15 Jan 2019 4:24pm

    Funding a DPO won't help with costs (time/money). The DPO role is advisory only, it remains the obligation of the data controller - the practice - to do the donkey work for SARs, DPIAs, privacy notices, assessing new data sharing etc etc.
    Fund the work that the IG lead for the practice has to do is another matter, but throwing money at the practice won't help the fact that GPs are spending an increasing amount of time away from direct patient care dealing with SARs etc - no amount of money will help if they can't get locums to cover.

  • BMA: Subject access requests to GPs increased by more than a third since GDPR

    Neil Bhatia's comment 14 Dec 2018 11:10am

    We do the same. Patient *always* collects the SAR.

    We can't (usually) charge - all we can do is limit the cost to us, and put up private fees elsewhere to compensate.

  • GMC denies breaching data legislation to share personal GP information

    Neil Bhatia's comment 17 Oct 2018 12:46pm

    I do hope that anyone who receives such an email will complain to the ICO

  • GP calls off recruitment attempts after introducing e-consultations

    Neil Bhatia's comment 17 Oct 2018 9:25am

    What's the difference between askMyGP and other e-consultation platforms (such as E-Consult)?

  • First city adopts new system for sharing GP patient records across services

    Neil Bhatia's comment 16 Oct 2018 12:12pm

    No, the GP practice remains the data controller I believe - data is viewed in real-time (streamed), not extracted and uploaded to a central data repository, so does not leave the GP records database as such. Practices can turn this on and off at will via EMIS web

  • GPs asked to promote Government's NHS App to patients via text

    Neil Bhatia's comment 06 Sep 2018 3:28pm

    Promoting the NHS App via text is direct marketing...

  • GP practices in one area offered £35m extra a year to work 'at scale'

    Neil Bhatia's comment 20 Jul 2018 10:40am

    Good luck recruiting 120 GPs to the area...

  • Doctors want 'sanctions' for patients who post recordings of consultations online

    Neil Bhatia's comment 29 Jun 2018 12:20pm

    We all have data privacy rights.
    Patients AND doctors.

  • Preparing for new data regulations – GP practice check list

    Neil Bhatia's comment 02 May 2018 9:09am

    @Fed up
    No - this would be a request under a different Act
    See Paul Cundy's other article

  • ‘New data regulations will build patient confidence’

    Neil Bhatia's comment 03 Apr 2018 7:49pm

    To correct some factual inaccuracies:

    "Patients will also have the power to request their information is moved or deleted"

    The right to data portability (I think that is what you are referring to) does not apply to GP records - it only applies "where the processing is based on the individual’s consent or for the performance of a contract". For GP records, we do not rely upon consent, and we do nto have a contract with the patient.

    The right to erasure does not apply if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority - Article 6(1)(e); which is the legal basis that we are relying upon for our GP records. Patients have the right to rectification, but not to their records being "deleted".

  • Thank you and goodbye

    Neil Bhatia's comment 28 Mar 2018 3:07pm

    Thank you for everything Nigel, best of luck for the future.

  • Government must protect GPs against new data protection legislation, say LMCs

    Neil Bhatia's comment 13 Mar 2018 6:01pm

    No, the practice is the data controller.

    The server is in Leeds (for example) and the system supplier hosts the surgery database - in doing so, is a data processor.

    The system supplier cannot do anything with the patient records without the data controller's permission/instruction.