This site is intended for health professionals only

At the heart of general practice since 1960

pul jul aug2020 cover 80x101px
Read the latest issue online

Independents' Day

GPs face prosecution unless they inform patients their data could be used outside the NHS

Exclusive GP practices must take ‘reasonable steps’ to inform patients that identifiable data will be extracted from their records from this autumn and used by the NHS and private companies, or face action under the Data Protection Act.

The EMIS National Users Group (NUG) and the Information Commissioner’s Office (ICO) both say that practices are the ones responsible for informing patients of how their data will be used, and give them the opportunity to opt out, or potentially face prosecution.

But GP leaders said that responsibility should not fall solely on GPs, and that a national awareness campaign was needed about the radical change in the way patient data was to be used.

The development comes as 82 ‘early implementer’ practices begin piloting a new system of data extraction from records in the NHS run by the Health and Social Care Information Centre (HSCIC) using the General Practice Extraction Service.

This involves patient-identifiable data being extracted from records and linked with other data from hospitals and social care and then cascaded through the NHS, or potentially bought by researchers or private companies for use outside the NHS. Currently the ‘early implementer’ practices are informing patients about the changes to the way their data is handled, with extractions due to begin soon.

Earlier this year, health secretary Jeremy Hunt said patients who objected to having data from their GP records being extracted through the General Practice Extraction Service (GPES), which is due to begin operating this autumn, would be given a veto.

But it has emerged that GP practices will have to inform patients about how their data could be used and whether they wish to opt out.

An ICO spokesperson told Pulse that they would look for reasonable assurance that patients are aware of these changes. However he could not provide details on what would constitute ‘reasonable assurance’ or what practical steps GPs should take to prevent prosecution.

He said: ‘We’d expect GPs to take reasonable steps to inform patients of the changes. If they fail to do so they leave themselves open to possible action for failure to comply with the Data Protection Act.’

He added the sanctions faced by GPs could include a fine if the ICO could demonstrated the breach had caused substantial damage and distress, having to undertake informed agreements of compliance, or a legal ‘stop now’ order laying out the measures needed to be compliant.

Advice from EMIS NUG, and seen by Pulse, said: ‘If patient data is extracted from the practice clinical data base without the patient being made aware then the practice could be prosecuted by the patient.

‘It is thus vital that the practice takes steps to try and inform its practice population about the extraction so that individual patients have the opportunity to opt out of their personal data extraction.’

The NUG suggest that practices inform patients through posters, leaflets, notices on websites, discussing the issue with the practice participation group and ensuring all staff know about the changes to they can inform patients about them and put in the correct read codes if patients object.

They also suggest practices ensure they have received a ‘deed of undertaking’, between their practice and EMIS before any identifiable data is extracted from its system.

Dr Grant Ingrams, former chair of the GPC’s IT subcommittee and a GP in Coventry said practices were caught between two conflicting rights.

He said: ‘It’s a bit of a dog’s dinner. Practices have a lawful obligation under the Health and Social Care Act to send the data to the HSCIC. But an obligation under the Data Protection Act to protect patient’s data. It’s leaving practices confounded between two rights. If practices aren’t sued by one, they’ll be sued by another.

‘My opinion is that the responsibility lies with the HSCIC or NHS England. GPs should have the information available and be able to explain the process, but that’s it.’

Dr Paul Roblin, chief executive of Buckinghamshire, Berkshire and Oxfordshire LMCs added that it was unfair the onus to inform patients falls solely on practices.

He said: ‘It doesn’t seem fair. If NHS England are extracting the data, they should be responsible for informing patients, especially if it’s an elaborate data extracting system. Or they should say that putting up a poster is enough.’

Readers' comments (28)

  • Why don't HSCIC get their data directly from GCHQ?

    Unsuitable or offensive? Report this comment

  • This comment has been moderated

  • once again George Orwell and Big Brother come to light, is nothing sacred anymore

    Unsuitable or offensive? Report this comment

  • At the same time as their patients are having their data extracted from our computers, GPs are simultaneously being prevented from accessing hospital activity data about these same patients under the Section 251 changes - which also prevent CCGs from checking hospital invoices properly. So when doctors want to keep data private they are forced to release it: and when they want to access it to look after their patients and ensure that NHS money is spent correctly and wisely they are told they aren't allowed to do it.
    This is anything but joined-up healthcare.

    Unsuitable or offensive? Report this comment

  • Have patients consented to their data being used at all by the NHS? Take a look at the wording on the GMS1 it appears not have been updated since the 1990'S and the previous Contract prior to 2004 and the 1998 Data Proection Act. Its wording is still about registering with an individual GP not a GP Practice.

    There is nothing to inform patient about how their data will be used by either the GP Practice or the wider NHS or getting consent for their data to be processed.

    Banks etc gain consent for data to be used by third parties as a requirement of the DPA and for the actual processing of data by organisation. Its begs the question why is the ICO letting the NHS off the hook?

    Where is the patient's consent to the processing of any of their data at all by either the wider NHS or the GP Practice?

    Unsuitable or offensive? Report this comment

  • I am losing hope - general practice is becoming a nightmare. it is becoming less and less about the patient and more about defending oneself against Big Brother.

    Unsuitable or offensive? Report this comment

  • Just refuse every GPES request bar QOF and possibly (which looks like it will be compulsory).

    Unsuitable or offensive? Report this comment

  • Why can't we just opt all our patients out of this process ?

    Unsuitable or offensive? Report this comment

  • This is a classic case of how the NHS ties itself in knots, whilst Amazon, ITunes and Expedia show how easy it is to automate permissions and make it a condition of accessing the service. How many people read them? Almost nobody.

    The NHS by contrast has a plethora of times the same individual needs to give permission for ostensibly similar purposes, and often by letter / by post, or in person.

    Primary care - at registration - would be the ideal place, but registration could be done once, and done self-service when people sign up for online access to their GP. Job done. But no, the NHS will employ an army of people to police permission so the crazy situation described above with inadequate access to hospital data will continue. The DH and Jeremy Hunt are making a pigs ear of all of this.

    Unsuitable or offensive? Report this comment

  • Surely this is an issue for the NHS.
    Why are GP practices having to deal with this?

    Unsuitable or offensive? Report this comment

  • Just to clarify although hospital activity data is covered by Sec 251 patients can still object and refuse consent to allow their data to be used for these purposes. Sec 251 does not override patient consent.

    Unsuitable or offensive? Report this comment

View results 10 results per page20 results per page50 results per page

Have your say