Thought for the day: Whose data is it anyway?

Patient records plan presents a host of legal posers, says Ian McGibbon

Coverage of the debate about the implementation of the Integrated Care Records Service (ICRS), which forms a major part of the NHS national programme for IT, has focused on the views of clinicians, but it is likely that the ICRS raises issues of legal, as well as ethical or clinical, concern.

The Data Protection Act 1998, in particular, will clearly apply to ICRS, bringing with it an associated burden of compliance and liability.

The Act will bring with it three legal complications that clinicians and primary care trusts may have to consider:

  • To what extent is patient consent necessary?
  • On whom does the burden of ensuring compliance fall?
  • Will the statutory requirements for technical security complicate clinician or patient access to clinical records?

One of the most important concerns debated at the British Medical Association's annual conference was the need for patients to consent to their data being included in ICRS. Much of that data will, of course, be medical in nature, and will be categorised by the Act as "sensitive personal data". Higher standards apply to the processing of such data, and in many cases those controlling it must seek the explicit consent of the individual concerned. The view of delegates at the conference was that patient consent was necessary, regardless of the position under the Act.

The outsourcing issue

The Act does contemplate the processing of data in a medical context, but in a way which may be important to the nature of the data to be stored on the ICRS, and to the increasingly outsourced nature of the NHS' services.

The Act requires that those processing data comply with specific conditions before processing begins. One such condition is explicit consent. Another is that the processing is necessary for medical purposes (including the management of healthcare services, which is a usefully wide purpose), and is carried out by a "health professional" or one owing a duty of confidentiality equivalent to that due from a health professional. It might be argued that, from a legal perspective at least, clinicians do not need to seek their patients' consent to include records in the ICRS.

So, an opt-in is not required for legal reasons, and unless marketing is contemplated, an opt-out is unlikely to be exercised. Yet despite the potential negative impact on the system's effectiveness, many may feel that patients should have a right to object to their data being used in this way.

Serious questions arise as to whether a local service provider will be a person owing a duty of confidentiality equivalent to that due from a "health professional". Indeed, regardless of the views of clinicians, service providers will be keen to avoid falling foul of this provision, whether by ensuring a consent exists, or by casting themselves in the role of a mere processor of data, on behalf of the clinician or trust.

A question of identity

A more important consideration will be the identity of the controller of the data - will it be the clinician entering and accessing the patient's data, or the trust providing the systems, or both?

The Act only imposes obligations, and therefore compliance liability, on data controllers, not processors. Clinicians should be concerned, to the extent they feel they are independent users of ICRS, rather than agents of their trusts, about their own compliance position, beyond the need for consent.

Perhaps most likely to have a visible impact on the implementation of the ICRS, assuming that the consent issue is addressed to clinicians' satisfaction, is the statutory requirement that data be protected from unauthorised processing - including access - by appropriate technical and organisational measures.

Although this position may be easily satisfied today, this will be an ongoing compliance requirement in the future, and the very sensitivity of the data that, it is intended, should be made available to patients, will mean that additional hurdles (in the name of protecting the data) must be put in patients' paths.

While the headlines may, so far, have focused on the clinicians' concerns on opt-in or opt-out, it seems clear that this is far from being the only issue that must be resolved before ICRS can be properly implemented.

Ian McGibbon is a solicitor with international law group Lovells
