British data protection laws used to create the Care Record Guarantee could fall foul of new European Commission data protection laws, adopted in February according to an international law expert.

However, the view expressed to the parliamentary select committee on health by Douwe Korff, professor of international law at London Metropolitan University, was vigorously opposed by a representative from the information commissioner’s officer also present at the hearing.

New laws created by the EU Article 29 Data Protection Working Party on the protection of individuals with regard to the processing of personal data relating to health in electronic health records state that patients should give explicit consent to the processing of data and such data should be used ‘for the specific purpose of providing health-related services’.

Giving evidence to the parliamentary committee, Professor Korff, said: “Putting data on a patient record depends on a certain legal basis, if the data is disclosed, you need to have the consent of the patient otherwise it is illegal under the EU rules. Under the Care Record Guarantee, the patient is not the owner of their data, even though the Data Protection Act gives them the right to control their own data.

“The EU Data Protection Directive specifically prohibits the processing of personal data concerning health in general unless the data subject has given his explicit consent to the processing of those data. Opt-out solutions will not meet the requirement of being ‘explicit’.”

Professor Korff also pointed out to the committee that the use of data from the CRS for Secondary Uses Services (SUS) was also contrary to what EU laws require from electronic health records.

“Connecting for Health (CfH) has chosen to use patient data for all medical purposes, but the EU directive only applies to medical care, so their proposals would break European Law. The guidelines clearly state that the processing of data by health professionals covers processing of personal data for the specific purpose of providing health-related services of a preventative, diagnostic, therapeutic or after-care nature and for the purpose of the management of these healthcare services.

“Furthermore, it says not covered is further processing which is not required for the direct provision of such services, such as medical research. The two laws fundamentally clash and I would be happy to take a case on the matter to the European Court of Human Rights in Strasbourg.”

Listening carefully to Professor Korff’s evidence was Jonathan Bamford, assistant information commissioner, who along with information commissioner, Richard Thomas, sits on the Article 29 Data Protection Working Party.

Throughout Professor Korff’s evidence, Bamford shook his head in disagreement. Asked for his thoughts on the allegations, he told the committee: “There is a basis in UK law for doing what we are doing. The differences between the UK and EU laws are a completely separate issue, but I do not think that the Article 29 Working Party would say we were being unlawful.

“There are exemptions to the EU laws stated, but if the EC felt we were being unlawful, it would be a matter for the European Court of Justice to address and if there is an issue with UK data protection laws, then that would be a matter for the new Ministry of Justice to look into.”

Bamford said that though he did not think it was wrong to use the CRS data for SUS purposes, he would be starting an investigation to ensure that such data is properly pseudonymised. He said he has confidence on an anecdotal basis that it was being properly used currently.

He added that the informed consent approach gives patients proper transparency of their records and time to action their choice if they wish to opt-out.

However, Joyce Robins, the co-director of Patient Concern, said that this was far from the case.

“So much time and money has been spent on IT problems and now there is a push to get it moving. It is flying in the face of all medical ethics and is extremely worrying. Patients receive a leaflet which has information in small print advising patients to ask their GP surgery to discuss the opt-out with them, and then because they do so they are going to be labeled as a ‘privacy fascist’ or a ‘luddite’. This just indicates current attitudes and it is a real fear for patients.”

Concerns were also raised that patients who opt-out have to do so using the Section 10 rule of the Data Protection Act – saying that opting in will cause them substantial distress.

Bamford said: “A good reason for this is for GPs who need to defend themselves later because they couldn’t get access to medical records to aid them with their care. It is a balance of interests. It would be possible to sit with every patient and ask, but the practicalities are huge, so now the challenge is to maximise the extent to which individuals know what is happening.”

However Robins followed this up by alleging: “Consent blocks can be overridden with the click of a mouse without a patient’s consent. It is appalling. We also have to look at when and how historical information goes up which is absolutely crucial and you can bet your life that doctors aren’t going to be sitting with patients at that point.”

Bamford assured the committee that this will be checked: “It is an important issue to be addressed. It would be wrong to go fully live without agreement. We are working with CfH to do a research project to find vulnerabilities.

“The proof of the pudding is in the eating. We have the right to inspect the early adopter sites and see for ourselves…the system cannot be implemented properly unless it complies properly with the Data Protection Act.”

This would include ensuring that sealed envelopes will work correctly to safeguard the interests of patients, and not just leaving it to ‘blind faith in computer nerds’ as one committee member put it.

“It may be unfair in connection with some personal information if patients aren’t given the right to exercise their rights considering the degree of patient information being made available to others outside of medical carers, but we believe that providing the opt-out clause is the best fair and legal way of doing this,” Bamford added.

However, Professor Korff said: “The Data Protection Act in my opinion is too lax to meet EU standards. The EU offers free and informed consent. In the UK, the individual becomes no longer the subject, but an object and I think this flies in the face of medical ethics.”

The EC working document on the processing of personal data relating to health in electronic records is available for public consultation until 13 June 2007.


EC Working Document on the processing of personal data relating to health in electronic health records (EHR)

Care Record Guarantee

Data Protection Act

Information Commissioner’s Office