ICO blog: NHS patient information and the Data Protection Act
By Dawn Monaghan
27 January 2014
The health sector always provides a wealth of data protection challenges, but without doubt the one currently at the forefront of most people’s minds is the change to how patient information in England could be used by NHS bodies and others, with a view to improving care and health services.
With personal data at the centre of the new scheme, it’s no surprise that the ICO is being asked questions about how the Data Protection Act (DPA) applies to the scheme. It’s a complex legal area, and the way in which the DPA applies is different at each stage of the process, but this blog will try to explain it. (I’ll assume some understanding of what the scheme is about, but if you're looking for a simpler outline, then try this infographic).
Let’s quickly run through the key parties, from a DPA perspective. The patient is the data subject. Sensitive personal information about them is held by their GP, who is the data controller. And a third body, the Health and Social Care Information Centre (HSCIC for short, or ‘the Information Centre’ as we’ll be referring to it here) will have access to some of that data. This public body collects health and social care information and prepares it to go out to those who plan NHS services, as well as with approved researchers and organisations outside the NHS.
GPs holding personal information about patients is nothing new and is covered squarely by the DPA. Generally everyone understands what’s happening: you give personal information to your GP who then records that information as your medical history. This record may include information from other health services and allows your GP to track your health throughout your lifetime.
The changes begin with some of the personal information included in that record going from GPs to the Information Centre. This happens under the direction of NHS England, which is allowed due to a new law, the Health and Social Care Act 2012.
This law gives NHS England the right to direct the Information Centre to collect certain sorts of data from the medical records. The law is a statutory enactment which requires the disclosure of the data, which means the data becomes exempt from the main parts of the DPA.
Because the data is exempt from the main parts of the DPA, neither GPs (as data controllers) nor patients (as data subjects) have the right to stop that information being taken into the Information Centre – there is no legal ‘opt out’ under the DPA.
But while the DPA doesn’t give patients a right to object, the Secretary of State for Health has offered patients an option not to have their information used in this way. But as this option isn’t covered by the DPA, we can’t regulate it, and we don’t set the rules on how it works.
One part of the DPA that does remain is the obligation to ensure fair processing; this means that a data controller makes sure data subjects know what is happening to their data and why. In this instance, that means patients must be told about the changes to how their information is being used. That responsibility for letting patients know what is happening falls to GPs, as the data controllers. It might seem unfair that this responsibility doesn’t fall on NHS England, who are instructing the data collection, or on the Information Centre, who will collect and use it, but the DPA focuses squarely on whoever originally collected, holds and is going to disclose the data (the data controller), in this case the GPs.
Despite that, NHS England, as owner of the care.data programme, is helping GPs to inform patients. They are leading a communications campaign that includes a leaflet sent to households nationally, a patient information line and social media activities. In addition, NHS England and the British Medical Association have jointly contacted all GP surgeries to inform them of the changes and provided materials, such as leaflets and posters, to help them inform patients of the new process.
We see this as a sensible approach, as it means there’ll be consistent messages given to all patients across the country, and it is something we called for back in May 2013. But it’s important to note that we can’t dictate to NHS England, the GPs or any other organisation how they should tell patients, and although we can make suggestions we are not responsible for the actual wording of the leaflets or other materials.
Our initial view is that, assuming NHS England, GPs and the Information Centre communicate these changes in the way that has been set out to us, we would consider it likely that the fair processing requirements under the DPA would be met.
As the regulator, we will continue to monitor the success of the campaign, and will keep NHS England and representative groups such as the BMA and RCGP informed of any concerns we may have about awareness of the new programme. Once the new process is in place we’ll review any complaints we may receive about it.
This covers the first part of the scheme: getting the information from patients to the Information Centre. As we’ve discussed, much of that process is exempt from aspects of the DPA, but once the data arrives at the Information Centre, that exemption ends. At that point, the HSCIC becomes a data controller for the information it has received, and all parts of the DPA apply, including the need to tell patients what it is doing with the data, why, and which organisations it will be sharing it with.
Personal data won’t be sent to the Information Centre until Spring, so I’ll revisit this in a later blog. In the meantime, hopefully this has given an understanding of how the DPA applies to a process that is sure to grab the headlines over the coming weeks and months.
Strategic Liaison Group Manager
27 January 2014