Patient data: not sharing a ‘breach’

  • 14 October 2015
Patient data: not sharing a ‘breach’
The Information Commissioner’s Office will not take regulatory action over NHS Digital/

GPs could be investigated for failing to share patient data when there is a duty to do so, according to the Information Commissioner’s Office.

Speaking at the recent Healthcare Efficiency Through Technology event in London, Dawn Monaghan, group manager for public services at the ICO, said that any GP who steadfastly refuses to share data with other health and care professionals at the point of care could be in breach of the Data Protection Act.

“What we would do actually is hold GPs to account if they were absolutely, categorically not sharing any data whatsoever when there should be times they are sharing,” she said.

“If that is the case, that might be considered unfair and a breach of principle one [of the Data Protection Act] depending on the circumstance. If that was brought to us as a complaint we would look at it.”

Her comments came during a discussion on the NHS needing to get the right balance between security of data and effective use of information as it moves towards a more integrated model of care, where the ability to share data between different health and social care services is crucial.

Several commentators have discussed the need for the ICO to control inappropriate sharing of data, but Monaghan said that a failure to share is just as big a problem.

“If what you are sharing for is direct clinical care there is going to be serious detriment. If you do not share that data you are more likely to be held to account doing that than you are for breaking a data protection principle.”

Monaghan commented that there is both “fear” and “confusion” among GPs around their responsibilities for data sharing due to the numerous legal obligations under the Data Protection Act, the Common Law Duty of Confidentiality and the Health and Social Care Act.

“We have three different pots then of what you need to do in terms of data sharing. There is complete confusion.”

She also mentioned that issues with controversial national data collection scheme care.data had contributed to the confusion.

To overcome this, Monagahan said the ICO is working with several organisations, including the Health and Social Care Information Centre, NHS England and the National Data Guardian to work out how to communicate to people what they can do in terms of data sharing in healthcare.

“It’s about how can we help people understand that the Data Protection Act is not a barrier to data sharing, said Monaghan.

“It is about focusing on benefit and focusing on how you mitigate the risks that might be associated and how can we create something that can then be promulgated out and give some sort of clarity and consistency in this arena to stop the paralysis and unblock what at the moment is just fear.”

She said that GPs who shared appropriately shouldn’t be concerned about the ICO taking action.

“If you are keeping it accurate, relating it for only as long as possible, keeping it secure… there is no reason why we would want to hold you to account for any of that.”

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

Patient data published online following south east London cyber attack

Patient data published online following south east London cyber attack

Cyber criminals have published patient data online which they claim was stolen as part of an attack on Synnovis, NHS England has confirmed. 
ICO guidance on transparency published for health and care sector

ICO guidance on transparency published for health and care sector

New guidance has been issued by ICO over how health and care organisations should be transparent over the use of personal information.
Ransomware group releases NHS Dumfries and Galloway patient data

Ransomware group releases NHS Dumfries and Galloway patient data

NHS Dumfries and Galloway have confirmed that patient data has been released by a ransomware group, following an earlier cyber attack on its IT systems.