Exclusive GP practices must take ‘reasonable steps’ to inform patients that identifiable data will be extracted from their records from this autumn and used by the NHS and private companies, or face action under the Data Protection Act.
The EMIS National Users Group (NUG) and the Information Commissioner’s Office (ICO) both say that practices are the ones responsible for informing patients of how their data will be used, and give them the opportunity to opt out, or potentially face prosecution.
But GP leaders said that responsibility should not fall solely on GPs, and that a national awareness campaign was needed about the radical change in the way patient data was to be used.
The development comes as 82 ‘early implementer’ practices begin piloting a new system of data extraction from records in the NHS run by the Health and Social Care Information Centre (HSCIC) using the General Practice Extraction Service.
This involves patient-identifiable data being extracted from records and linked with other data from hospitals and social care and then cascaded through the NHS, or potentially bought by researchers or private companies for use outside the NHS. Currently the ‘early implementer’ practices are informing patients about the changes to the way their data is handled, with extractions due to begin soon.
Earlier this year, health secretary Jeremy Hunt said patients who objected to having data from their GP records being extracted through the General Practice Extraction Service (GPES), which is due to begin operating this autumn, would be given a veto.
But it has emerged that GP practices will have to inform patients about how their data could be used and whether they wish to opt out.
An ICO spokesperson told Pulse that they would look for reasonable assurance that patients are aware of these changes. However he could not provide details on what would constitute ‘reasonable assurance’ or what practical steps GPs should take to prevent prosecution.
He said: ‘We’d expect GPs to take reasonable steps to inform patients of the changes. If they fail to do so they leave themselves open to possible action for failure to comply with the Data Protection Act.’
He added the sanctions faced by GPs could include a fine if the ICO could demonstrated the breach had caused substantial damage and distress, having to undertake informed agreements of compliance, or a legal ‘stop now’ order laying out the measures needed to be compliant.
Advice from EMIS NUG, and seen by Pulse, said: ‘If patient data is extracted from the practice clinical data base without the patient being made aware then the practice could be prosecuted by the patient.
‘It is thus vital that the practice takes steps to try and inform its practice population about the care.data extraction so that individual patients have the opportunity to opt out of their personal data extraction.’
The NUG suggest that practices inform patients through posters, leaflets, notices on websites, discussing the issue with the practice participation group and ensuring all staff know about the changes to they can inform patients about them and put in the correct read codes if patients object.
They also suggest practices ensure they have received a ‘deed of undertaking’, between their practice and EMIS before any identifiable data is extracted from its system.
Dr Grant Ingrams, former chair of the GPC’s IT subcommittee and a GP in Coventry said practices were caught between two conflicting rights.
He said: ‘It’s a bit of a dog’s dinner. Practices have a lawful obligation under the Health and Social Care Act to send the data to the HSCIC. But an obligation under the Data Protection Act to protect patient’s data. It’s leaving practices confounded between two rights. If practices aren’t sued by one, they’ll be sued by another.
‘My opinion is that the responsibility lies with the HSCIC or NHS England. GPs should have the information available and be able to explain the process, but that’s it.’
Dr Paul Roblin, chief executive of Buckinghamshire, Berkshire and Oxfordshire LMCs added that it was unfair the onus to inform patients falls solely on practices.
He said: ‘It doesn’t seem fair. If NHS England are extracting the data, they should be responsible for informing patients, especially if it’s an elaborate data extracting system. Or they should say that putting up a poster is enough.’