Rights, responsibilities and ‘no legal opt-out’? Care.data is certainly interesting

People have a responsibility to share data, NHS England’s Tim Kelsey said when speaking to Highland Marketing earlier in January.

The national director for patients and information was reflecting on arguments put forward by several high profile charities. Opting-out of care.data could in fact be damaging to the future health service and patient care, they warned.

Kelsey agreed. “Those people who opt-out, do deprive society of fragments of intelligence that could turn out to be very, very important,” he said. “People have a responsibility to share data safely so that other patients can benefit and we can build a high quality health service.”

Responsibility has certainly become a core issue in the care.data debate, and in more ways than one. The responsibility to handle patients’ sensitive data securely, in particular, has been stirring some very passionate discussion.

And now, the Information Commissioner’s Office (ICO) – the UK’s data protection watchdog, has re-clarified rights and responsibilities with some very astute observations, including the fact that there is no legal right to opt-out under the Data Protection Act (DPA).

Dawn Monaghan, the ICO’s strategic liaison group manager, made this clear in her new blog: “Neither GPs (as data controller) or patients (as data subjects) have the right to stop that information being taken into the [Health and Social Care] Information Centre,” she said. “There is no legal ‘opt out’ under the DPA.”

The health secretary has nevertheless still provided patients with the choice of opting-out. But the absence of a legal right is down to measures under the Health and Social Care Act, said Monaghan. This statutory enactment “requires the disclosure of the data, which means the data becomes exempt from the main parts of the DPA,” she said.

Yet despite being largely exempt from the DPA, care.data does still have more implications when it comes to responsibilities as a result of the very same data protection law – responsibilities that have fallen on the shoulders of GPs.

“Responsibility for letting patients know what is happening falls to GPs, as the data controllers,” Monaghan added in her blog. “It might seem unfair that this responsibility doesn’t fall on NHS England, who are instructing the data collection, or on the Information Centre who will collect and use it, but the DPA focuses squarely on whoever originally collected, holds and is going to disclose the data (the data controller) – in this case the GPs.”

So is there good reason that one in four GPs are against care.data? And perhaps one of these key reasons is not because GPs do not see the value in sharing information to improve patient care as commonly construed across the national press, but rather that the buck lies with them.

Indeed, NHS England has in fact put forward some very strong arguments for data sharing in care.data and its crucial importance in improving health services.

NHS England has also been praised by the ICO for its “sensible approach” in helping GPs across the country with their communications responsibilities, through leaflets, social media and a helpline.

And on the subject of communications responsibilities, has the ICO itself gone beyond the call of duty? Due to DPA exemptions, the ICO does in fact have no control or responsibility for how NHS England and GPs choose to communicate care.data messages to patients. But amidst confusion and negativity around the initiative, it has nevertheless produced its own communications activity. Communications which should be applauded for their clarity in what has become quite a tricky subject for many people to understand.

Hard Labour: the Highland Marketing advisory board reviews the impact of the new government
October Budget 2024: Welcome funding, clarity and detail needed
Health tech leaders respond to the Budget
The biggest NHS opportunities for health tech: NIHR insights
The Darzi review: the NHS “is in serious trouble” but what comes next?