The benefits of information sharing across NHS organisations are well documented, yet most NHS organisations remain, somewhat understandably, hesitant to share their patients' data.

In particular, concerns can arise regarding patient consent and sharing information in situations unrelated to direct patient care, such as research or population health analysis. 

This article summarises the relevant law, whilst offering suggestions on how compliance can be achieved when sharing information in this context.        

The Data Protection Act 1998

The Data Protection Act 1998 protects individuals’ personally identifiable information and imposes certain obligations on the party deciding how and why personal data is used (the data controller).  

These obligations centre around eight principles of good information handling. In the context of sharing patient medical records (categorised as sensitive personal data under the DPA 1998), key principles include:  

  • Principle 1 – personal data must be processed fairly and lawfully.  Fair processing requires patients to be informed about the use of their data. Lawful processing of sensitive personal data requires one of the conditions in Schedule 3 to the DPA 1998 to be met, one of which is explicit patient consent.  In practice, it is preferable to rely instead on the condition of processing for "medical purposes", which is broadly defined (preventative medicine, medical diagnosis, medical research, the provision of care and treatment, and the management of healthcare services) but excludes social care, and which requires the processing to be undertaken by a health professional or by someone who owes an equivalent duty of confidentiality.
  • Principle 2 – personal data should not be shared for a purpose (such as marketing) that is incompatible with the purpose for which it was originally collected (for example, clinical treatment). 
  • Principle 7 – appropriate technical and organisational measures must be in place to protect personal data against unauthorised or unlawful processing and against accidental loss or damage.  Common measures include encrypting data in transit and at rest, and writing suitable security provisions into agreements with data recipients.

Confidentiality and the problem of consent

NHS organisations must also comply with the law of confidentiality when sharing patient data, which is usually harder than complying with the DPA 1998. 

As with Principle 1 of the DPA 1998, sharing confidential information is usually justified for purposes of "direct" patient care, the logic being that patients expect their data to be used in this way and their consent can be implied from their use of NHS services.  Again, patients need to be told what will be done with their data. 

Unlike the DPA 1998, the law of confidentiality offers no general alternative to implied consent that permits the sharing of confidential information for medical purposes. The Caldicott 2 report highlighted how frustrating patients find having to give consent repeatedly to the data sharing needed for joined-up care, and the concept of implied consent has, in practice, expanded to fill that gap. 

Under the DPA 1998, consent to the sharing of health data must be "explicit": freely given, specific, informed and unambiguous. Information Commissioner's Office and European Commission guidance suggests, for instance, that writing to patients to say that their medical records will be shared with a third party unless they refuse in writing does not constitute valid consent at all, let alone explicit consent.

The new General Data Protection Regulation (due to be adopted this year and to apply from 2018) also requires that consent can be withdrawn at any time, which can obviously cause practical problems in delivering healthcare services.  Relying on consent alone therefore appears intractable.

A glimmer of hope?

The Health and Social Care (Safety and Quality) Act 2015, in force since October last year, places a duty on NHS organisations to share and use adult patients' information where doing so directly contributes to their care. 

This duty is not absolute, however.  Information need not be shared where it would not be reasonable for the NHS body to do so, and the duty does not apply to information concerning sensitive sexual health services. 

Whilst the new law has facilitated data sharing in particular cases, the various carve-outs, and the fact that it does not extend to children, mean that it is difficult to rely on it to justify systematic data sharing for large numbers of patients.

Perhaps more encouragingly, the 2015 Court of Appeal case of WXYZ v Secretary of State for Health suggests that the courts are willing to take a pragmatic view of the sharing of confidential NHS information with third parties outside direct patient care, even in the absence of express consent. 

The case concerned the NHS sharing individuals' data with the Home Office, which led to a judicial review claim by the individuals alleging breach of confidence. 

The court held that, where individuals had been made aware beforehand that their information could be shared with third parties for this purpose (an immigration sanction system), there was no expectation of privacy. 

Furthermore, given the purpose of the sharing and various technical safeguards in place, any expectation of privacy was held to have been outweighed by the interests of disclosure and the sharing was therefore lawful.    

Clearly, further cases from the courts on the application of the duty of confidence within the NHS would be welcomed. 

Keep on anonymising

Until then, when using patient data for purposes other than direct care we recommend that the data is either anonymised, so that the DPA 1998 and the law of confidentiality do not apply, or pseudonymised.  Pseudonymisation is the weaker of the two: the data remains personal data in the hands of anyone who holds the key or can otherwise re-identify the patient, so the re-identification key must stay with the data controller and never be released alongside the data.
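The security-relevant detail of pseudonymisation is how the token is derived. Hashing an NHS number with a plain SHA-256 looks opaque but is reversible by anyone prepared to enumerate the roughly 10^9 check-digit-valid NHS numbers and compare hashes; a keyed HMAC under a key the controller keeps to itself is not. The block below is an added illustration written for this article, not code from DAC Beachcroft or the NHS, and it assumes flat dict records, an ISO-format date of birth, and a constructed sample patient (the NHS number used is check-digit-valid but invented). It strips the direct identifiers, coarsens the date of birth to a year, tokenises the NHS number per recipient "domain" so two recipients cannot link their datasets, and then runs a dictionary attack against both the naive and the keyed token to show the difference.

```python
"""Keyed pseudonymisation of patient records (added illustration; not the
article's or DAC Beachcroft's code). Assumes flat dict records, ISO dates
of birth, and the NHS number as the linking identifier."""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Direct identifiers removed before release; every other field is kept.
DIRECT_IDENTIFIERS = ("nhs_number", "name", "postcode", "date_of_birth")


def nhs_number_is_valid(nhs_number: str) -> bool:
    """Modulus-11 check digit of a 10-digit NHS number (weights 10..2)."""
    if len(nhs_number) != 10 or not nhs_number.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(nhs_number[:9], range(10, 1, -1)))
    check = (11 - total % 11) % 11          # remainder 0 -> check digit 0
    return check != 10 and check == int(nhs_number[9])


def with_check_digit(first_nine: str) -> Optional[str]:
    """Append the check digit, or None when the 9-digit stem has no valid one."""
    total = sum(int(d) * w for d, w in zip(first_nine, range(10, 1, -1)))
    check = (11 - total % 11) % 11
    return None if check == 10 else first_nine + str(check)


def naive_token(nhs_number: str) -> str:
    """Unkeyed SHA-256: looks opaque, but anyone can recompute it for every
    valid NHS number and so recover the identifier."""
    return hashlib.sha256(nhs_number.encode()).hexdigest()


def keyed_token(nhs_number: str, key: bytes, domain: bytes = b"research") -> str:
    """HMAC-SHA256 under a key held only by the data controller. The same key
    and domain always give the same token, so one patient's records stay
    linkable; a different domain per recipient prevents cross-linking."""
    return hmac.new(key, domain + b"|" + nhs_number.encode(), hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes, domain: bytes = b"research") -> dict:
    """Replace direct identifiers with a keyed token and a coarsened birth year."""
    if not nhs_number_is_valid(record["nhs_number"]):
        raise ValueError("malformed NHS number")
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["patient_token"] = keyed_token(record["nhs_number"], key, domain)
    out["birth_year"] = record["date_of_birth"][:4]   # ISO date: keep year only
    return out


def reverse_by_enumeration(token: str, candidates: Iterable[str],
                           tokeniser: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: recompute the token for each candidate identifier."""
    for candidate in candidates:
        if hmac.compare_digest(tokeniser(candidate), token):
            return candidate
    return None


def candidate_block(prefix: str) -> list:
    """All valid NHS numbers sharing a 6-digit prefix: a constructed attacker
    wordlist standing in for the full, equally enumerable, 10-digit space."""
    stems = (prefix + f"{i:03d}" for i in range(1000))
    return [n for n in map(with_check_digit, stems) if n is not None]


# Constructed sample record; the NHS number is invented but check-digit-valid.
SAMPLE = {"nhs_number": "9434765919", "name": "A Patient", "postcode": "LS1 1AA",
          "date_of_birth": "1970-03-14", "diagnosis": "E11.9", "hba1c_mmol_mol": 58}

if __name__ == "__main__":
    key = secrets.token_bytes(32)            # kept by the controller, never released
    released = pseudonymise(SAMPLE, key)
    print(released)
    wordlist = candidate_block("943476")
    print("naive token reversed to:",
          reverse_by_enumeration(naive_token(SAMPLE["nhs_number"]), wordlist, naive_token))
    print("keyed token reversed to:",
          reverse_by_enumeration(released["patient_token"], wordlist,
                                 lambda n: keyed_token(n, b"attacker-guess")))
```

Run as written, the naive token is recovered from the wordlist while the keyed token is not, because the attacker cannot compute HMACs without the controller's key. Note that a keyed token only removes the direct identifier: the remaining fields (rare diagnoses, year of birth, small populations) can still single a patient out, which is why the article's preference for full anonymisation stands.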

Where this is not possible, patients should be notified in writing before their personal data is provided to the NHS body, for instance when they register with a GP.  This notice should include the intended use of their data, their rights (including the right to object to processing), the nature of the data being processed and who the recipients of their data are. 

This is the first of a regular series of articles that digitalhealth.net will be running on legal issues from DAC Beachcroft.

Christopher Air and Eleanor Tunnicliffe

Christopher Air is a solicitor and Eleanor Tunnicliffe an associate at international law firm DAC Beachcroft. Christopher Air specialises in advising buyers and suppliers of healthcare technology systems on contractual and data protection issues, whilst Eleanor Tunnicliffe advises public sector bodies on public law issues, including information law.