Analysis: Can GPs allow their patients' data to be shared?

Lawyer Hazel Grant describes how to navigate the conflicting legal obligations on practices with regards to sharing of patient data.

The penalties for sharing data under the Data Protection Act (DPA) are severe. If GPs are held to have breached the DPA, the Information Commissioner can take enforcement action by issuing enforcement orders (similar to a court order requiring certain actions) or undertakings (under which GPs would agree to certain actions). Alternatively, the Information Commissioner can issue fines of up to £500,000 for serious breaches of the DPA.

But under the DPA, there is an exemption for the provision of information required by other legislation. The provisions in the Health and Social Care Act (HSCA) that require GPs to share patient data will be relying on this exemption to say that GPs and others must provide information to the Health and Social Care Information Centre, despite their obligations under the DPA. 

The exemption in the DPA is a limited one and only applies to the extent that the obligation in the DPA is inconsistent with the HSCA. This means that GPs will first need to look at the HSCA requirements and then tailor their DPA compliance to meet the HSCA obligations. In effect, the HSCA obligations overrule some of the DPA obligations.

Nevertheless, GPs have an obligation under the DPA to notify patients of the new sharing arrangement. The DPA is not clear on whether opt-in or opt-out consent is required; in fact, there could be an argument that, under the DPA, patient consent is not required, as GPs are required by a legal obligation to provide the information.

Although this might be a legal argument, the health secretary gave a commitment that patient preferences would be respected in this situation; there is therefore a practice of gaining opt-out consent.

In the present situation, given the sensitivity of the information and the confusion, it seems unlikely that the Information Commissioner would carry out any enforcement without some clear guidance on how he sees compliance under the DPA in the light of the new HSCA obligations. 

Hazel Grant is an IT lawyer, specialising in IT procurements and information law at Bristows law firm

Readers' comments (6)

  • Can't we just put a stop to this by saying a collective no?
    Come on BMA stop being so slack!

  • Clear as mud then.

  • Drachula

    So, who has access to this info? Who knows about your dark secrets? Is anyone going to tell their GP anything? Will I have to have 2 sets of notes for everyone? The benign set and the real, useful one? Will the police be demanding access to find out who are the drunks? Will insurers and employers be able to find out all about us? Big Brother really is watching.

  • Many conflicting opinions. Having spent three hours reading the guidance (pages and pages of links) I am not able to reassure patients that their confidential data will not be shared outside the NHS, nor where it will go even within the NHS. As a practice we think the only responsible action is to opt all patients out and have an opt in system when ALL patients have an informed choice.
    Each of the doctors, nurses, practice manager, admin and reception staff have opted out. Applying the 'friends and family test' how can we then not opt all our patients out until they choose to opt in?

  • What is this information going to be used for?
    A lot of records may not be totally up to date - ? The validity of information.
    More funds spent in a fruitless manner methinks

  • Sharing clinical data is fine, but that must not require my NHS number, my date of birth or my postcode, that amounts to raping a patient's private life.

    There is a very big difference between sharing clinical data and sharing personal data .. whatever happens, I have no faith in the NHS and if they told me my own name, I would need to go and check that out, they simply cannot be trusted!
