Sharing Patient Data – are you doing it legally?

17 July, 2017

Elliot Fry, an associate at law firm Cripps Pemberton Greenish, looks at the importance – and risks – of data sharing for GPs.


Patients are often frustrated at having to give their information numerous times to what they see as the “NHS”, and indeed NHS patient records are arguably owned by the Secretary of State for Health, but that does not mean you can share data without permission.


Entering data multiple times causes delays, increases costs and heightens the risk of data being entered inaccurately and important facts being missed. Efficiency and patient safety should therefore be increased by accurate and appropriate data sharing.


The Information Commissioner’s Office (which has the power to fine GP practices for breach of data protection law) has raised concerns about data security in the NHS, with a number of GP systems allowing for sharing of data which potentially constitutes unauthorised disclosure of medical records.


So what information should GPs be sharing, if any, and how do you get it right?


Any use of personal data will require a legitimate ground for doing so (and the grounds which can be relied upon are more restricted for medical data). One such ground is consent, and informed, specific, freely given and explicit consent will often be key to data protection compliance. GPs are data controllers in relation to their patients (meaning they make decisions about how the data is used), and so they will be responsible for what happens to the data they collect from their patients. Patients need to know, in advance, the detail of what information will be given, to whom and for what purposes. Crucially, GPs can only share with those who have a legitimate ground for viewing the data.


There has been much discussion around “opt-out” consent as another aspect of compliance, but best practice continues to be obtaining an explicit “opt-in” consent. Patients themselves should also be able to find out who has accessed their records. Regardless of whether consent is “opt-out” or “opt-in”, there also needs to be a way for patients to change their minds and opt out at any time. Practices will need to keep records of which patients have opted in or out. GPs should ensure data is only accessible by those who need to see it for legitimate reasons – blanket access to all hospital staff and other local GPs, for example, would not be appropriate.


It is important not to forget the other principles of data protection law – keeping the data secure and making sure it is relevant, up to date and that its collection serves a legitimate purpose. GPs (and this may be done through their federation) need to have written data sharing agreements in place with those people with whom they are sharing the information, as well as the system providers.


With significant changes coming in 2018, GPs will need to stay up to date on best practice, and can’t simply assume that sharing data for the right reasons is enough to make them compliant.


If you have any questions about data sharing, contact Elliot Fry at

First published in Practice Management, July 2017.