GP practices could take an “opt-out by default” stance to the programme without breaching the Data Protection Act, the Information Commissioner’s Office has said.

Speaking at the Emis National User Group conference in Nottingham, Dawn Monaghan, the public services strategic liaison group manager for the Information Commissioner’s Office, addressed queries from GPs about whether they could opt all of their patients out of the controversial programme.

The programme will extract data sets from different organisations, starting with GP practices, and link them to an expanded set of Hospital Episode Statistics within the 'safe haven' of the Health and Social Care Information Centre.

The project was due to start earlier this year, but was “paused” by NHS England after medical and privacy groups objected to a public leaflet campaign that failed to include a clear account of the programme, who would receive the data, or an opt-out form for patients.

Up to 500 “pathfinder” GP practices will now trial in a phased roll-out starting this autumn.

Monaghan said GP practices can in theory take an “opt out by default” stance for its patients, provided they have a justifiable explanation, communicate their position clearly and allow patients to opt in if they choose.

“Technically they could, technically there’s nothing in the DPA to stop them doing that…a GP could argue that there is not enough time to make it clear to patients, so they didn’t do it.”

However, she said that did not take into consideration how NHS England and the HSCIC may deal with practices who take that approach.

Monaghan said the two organisations have still not given GPs enough information about the programme.

“I don’t think it’s been made clear enough to you as GPs what they’re wishing to do with the data, how they’ll do it, how the HSCIC will extract it, the opt-out process and how they will ensure it’s being honoured.”

While the ICO is not prescriptive about how the two organisations and GPs should run a consultation process, Monaghan said it needs to be “clear and consistent” to ensure that patients understand their rights.

She suggested GPs could “re-engage” with patients annually to ensure they are still happy for their data to be shared.

Phil Booth, the co-founder of privacy campaign group medConfidential, said he has concerns about the lack of clarity regarding who can access the data.

Booth said restrictions limiting access to organisations dealing with the provision of health and social care or the promotion of health are “way too broad and permit all sorts of things”.

He also expressed concerns about whether prohibiting the release of identifiable patient data for “purely commercial purposes” will cover information intermediaries such as Harvey Walsh who feed information back into the NHS as well as to commercial companies.

“They’re still not specifying which organisations may be eligible to receive linked data, they haven’t ruled out and cannot rule out companies – the words may be changing but I’m not sure the intention is.”

Eve Roodhouse, programme director, said the pause in the programme “has been an opportunity for us to hear and act upon the concerns of stakeholders and clear up misconceptions”.

Roodhouse said NHS England and the HSCIC have held over 150 local and regional meetings with almost 3000 people to discuss their plans, while they have also continued to meet with key bodies such as the BMA.

She said the pathfinder process will help the programme team to “test, evaluate and refine all aspects of the data collection process” as well as its communication with patients and GPs about the programme and the opt-out process.

“We will continue listening to and informing the public throughout the roll out to ensure that we get this absolutely right.”

Roodhouse said more information on the pathfinders will be released “in due course”.