ICO blog: NHS patient information: the Information Centre and the DPA

In my last blog, I wrote about how the Data Protection Act applies to information from medical records going from GPs in England to the Health and Social Care Information Centre. I committed to writing a second blog giving some explanation of how the Act applies to personal data once it arrives at that Information Centre. So here goes…

In many respects, this is a simpler explanation than my previous blog. The exemptions to aspects of the Data Protection Act provided by the Health and Social Care Act 2012 end once the Information Centre takes receipt of the personal data. And with that in mind, the Information Centre must then treat that information as any other data controller would do.

This means that they are responsible for ensuring that what they do with the data (using it, sharing it, storing it, disposing of it, etc.) complies with the Data Protection Act.

First of all, let’s cover what information patients are given. While their personal data will have been taken directly from GPs under the Health and Social Care Act, patients must be told what that data will be used for. The Information Centre should take active steps to make sure that this information is provided, so all patients are easily able to find out what is happening to their data.

In terms of how the information is used, the rules are also clear. When you provide an organisation with your personal data, that organisation must normally tell you what it plans to use that information for, and if it later decides it wants to use your information for a different reason, it would usually need to come back to you.

In the case of the Information Centre, even though you are not providing your information directly, similar principles apply. It must only use the data for the purposes that it has been ‘directed’ to by NHS England and that it is responsible for as an organisation.

There are exceptions in the Act to how information can be used. These would apply to the Information Centre as to any other data controller, including sharing the information for certain purposes to do with criminal justice or the taxation system, as well as where they’re obliged to by law or a court order, or where they go back to the patient and get their consent to share it more widely.

Notably, some of the data the Information Centre will provide to others won’t fall under the Data Protection Act. This is because it will be anonymised. This is crucial, as once an individual can no longer be identified from information, either alone or in combination with other information, the law no longer considers it to be personal data. That means that the Data Protection Act no longer applies to it, so it doesn’t impose any limitations on what can now be done with it.

Another hot topic of discussion since my last blog has been around how to opt out. Any opt outs the NHS chooses to provide are up to them, and do not fall under the Data Protection Act (as explained in our last blog). But providing a clear explanation to patients of the options open to them does fall under the Data Protection Act. We’ve been clear that the communications plans we have seen would be likely to meet the fair processing requirements under the law. But we don’t feel the opt out has been explained as clearly as we expected, and so we are looking to see that addressed. This seems likely to be a topic we’ll return to in a future blog.

Dawn Monaghan is the Group Manager for the Public Services Team. Dawn’s team is responsible for engaging with and maintaining relationships with key stakeholders in the health, education and local government sectors.