Analysis: Can GPs allow their patients' data to be shared?
Lawyer Hazel Grant describes how to navigate the conflicting legal obligations on practices with regards to sharing of patient data.
The penalties for sharing data under the Data Protection Act (DPA) are severe. If GPs are held to breach the DPA the Information Commissioner can enforce, by issuing enforcement orders (similar to a court order requiring certain actions) or undertakings (under which GPs would agree to certain actions). Alternatively the Information Commissioner can issue fines of up to £500,000 for serious breaches of the DPA.
But under the DPA, there is an exemption for the provision of information required by other legislation. The provisions in the Health and Social Care Act (HSCA) that require GPs to share patient data will be relying on this exemption to say that GPs and others must provide information to the Health and Social Care Information Centre, despite their obligations under the DPA.
The exemption in the DPA is a limited one and only applies to the extent that the obligation in the DPA is inconsistent with the Health and Social Care Act (HSCA). So this will mean that GPs will first need to look at the HSCA requirements and then tailor their DPA compliance to meet the HSCA obligations. In effect, the HaSCA obligations overrule some of the DPA obligations.
Nevertheless, GPs have an obligation under the Data Protection Act (DPA) to notify patients of the new sharing arrangement and the DPA is not clear on whether opt in or opt out consent is required, and in fact there could be an argument that, under the DPA, patient consent is not required, as the GPs are required by a legal obligation to provide the information.
Although this might be a legal argument, the health secretary gave a commitment that patient preferences would be respected in this situation, therefore there is a practice of gaining opt out consent.
In the present situation, given the sensitivity of the information and the confusion, it seems unlikely that the Information Commissioner would carry out any enforcement without some clear guidance on how he sees compliance under the DPA in the light of the new HSCA obligations.
Hazel Grant is an IT lawyer, specialising in IT procurements and information law at Bristows law firm