
Data Protection Impact Assessment (DPIA)
Connected Care – Direct Care (“Share Your Care”)

Index

A. The need for a DPIA – Article 35(1)
B. Conflicts of Interest
C. Documents
D. Timescales and “Deadlines”
E. Simultaneous new processing
F. Is personal data being processed?
G. The Processing – Article 35(7)(a)
   1. How does this directly benefit data subjects?
   2. How does this directly benefit our organisation?
H. Consultation – Article 35(9)
I. Article 35(7)(b) – Necessity and Proportionality
   1. Common Law
   2. Caldicott Principles
   3. The Data Protection Principles – Article 5
J. “No Surprises”
K. GMC Confidentiality Principles
L. The Human Rights Act 1998 and Reasonable Expectations
M. Article 28 – Data Controllership and Data Processors
N. Data Subject Rights
O. Things to think about
   1. Surrender of control
   2. Do we have to disclose?
   3. Can we do this in a less intrusive way?
   4. Is this lawful?
   5. Is this ethical and fair?
   6. Reputational risks & Trust in Doctors
   7. Consequences of not processing
   8. What about children?
   9. How does this compare with other, similar projects?
P. Article 35(7)(c) – Risks to data subjects
Q. Article 35(7)(d) – Measures to mitigate risks
R. Response from the BMA Ethics Committee
S. Response from the General Medical Council
T. Response from the National Data Guardian
U. Response from the UK Caldicott Guardian Council
V. Conclusion
W. Sign Off

Appendix 1 – Explicit Consent and PTV in other shared records
Appendix 2 – GP Dataset
Appendix 3 – Connected Care data flows
Appendix 4 – ICO guidance – Data Processor Contracts
Appendix 5 – Article 28 and Recital 81 of the GDPR

v7.3 Dr Neil Bhatia, OHG


Need for a DPIA – Article 35(1)

This project has several criteria that warrant a DPIA:

● Processing special category data – health & social care data

● Large Scale of special category data - Article 35(3)(b)

● Children

● Vulnerable adults

● Linkage of individuals’ data across multiple datasets

● Disclosure of information to organisations or people who have not previously had routine access to it

● Processing that clearly limits data subject rights

● Processing that appears not to respect the data minimisation principle

● Processing of data for similar/identical purposes to existing project

● Processing that appears not to respect the security principle

● Processing that appears unlawful (CLoC, HRA, Article 28)

A DPIA (2019) for this project exists and can be found at: http://www.regisa.uk/documents/DPIA0001v2Publish.pdf

There are also very brief PIAs available, performed:

● Prior to the commencement of this project, in 2016

● Prior to the proposed rollout to the NEHFCCG practices, in 2018

Some data protection issues are discussed in Schedule L of the ISA (Data Flow – PC170011 – Connected Care NEHF).

This project will result in extraction and uploading of confidential medical information to 2 separate local shared care record schemes simultaneously (unless OHG withdraws from CHIE).

“What is accountability? There are two key elements. First, the accountability principle makes it clear that you are responsible for complying with the GDPR. Second, you must be able to demonstrate your compliance.” (ICO)

The controller is responsible for ensuring compliance with the data protection legislation, including the fundamental data protection principles established in the General Data Protection Regulation (the "GDPR") of lawfulness, fairness and transparency. Controllers are accountable for complying with these principles, including ensuring purpose limitation, establishing a legal basis for processing of the data, limiting the amount of data collected and only for the necessary time period (data minimisation), and implementing "privacy by design".

Controllers are also responsible for providing transparent information to individuals about their personal data as well as for the compliance of their processors. Controllers must also ensure that individuals can exercise their rights regarding their personal data, including the rights of access, rectification, erasure, restriction, data portability, objection and those related to automated decision-making.

It is policy for Oakley Health Group (OHG) to always undertake a DPIA for any new, or significant change in an existing, data sharing project involving the personal, confidential (and sensitive), information of our patients. We have in excess of 28,000 patients.


Conflicts of interest

Dr Neil Bhatia has no conflicts of interest in undertaking this DPIA, either in his role as IG lead/Caldicott Guardian or as the Data Protection Officer for OHG.

He is neither an employee of, nor receives payment from, any CCG, SCW CSU, Graphnet, Microsoft, System C, FHNHSFT, or any other related organisation.

Any decision to proceed with processing, and to refer this DPIA to the ICO under Art 36 if so required, as a result of the conclusions of this DPIA, will be a partnership decision (majority vote). As a GP partner, however, Dr Neil Bhatia is entitled to a personal vote on this matter.

Documents

We have been provided with a “Direct Care” Information Sharing Agreement (or information sharing protocol). This is available at: http://www.regisa.uk/documents/PC170011ccNEHFpracticesv2.pdf

ISA/ISPs provide guidance for practitioners on best practice when sharing information between agencies (i.e. data controllers); they detail what data can be shared, the process that should be followed, the agencies involved and sources of further advice and support. They are clearly useful where there are joint data controllers.

The Department of Health summarises it well: https://www.gov.uk/government/publications/code-of-conduct-for-data-driven-health-and-care-technology/initial-code-of-conduct-for-data-driven-health-and-care-technology#Principle-2

“Data sharing agreements are only valid between data controllers (those who determine the purposes and means by which personal data can be processed). They should not be confused with data processing contracts, which govern relationships between controllers and processors (those who undertake the processing of data on behalf of a controller).”

“Data sharing agreements are strongly recommended, although they are not a legal requirement. They set out specific concerns relating to the data to be shared, as identified through data flow mapping and DPIA exercises.”

An ISA does not make an unlawful disclosure lawful. The absence of an ISA does not make a lawful disclosure unlawful.


However, the ISA/ISPs, whilst undeniably useful, are not data processor contracts. The data processor in this project, Graphnet, is neither a signatory nor a party to the ISA (it is not even mentioned in the Core Membership Agreement ISA).

The only signatory to 2023 Provision of Care ISA - Provision of Care is the GP practice. http://www.regisa.uk/documents/91exampleMasterAgreementAndSchedules.pdf

The “Core” ISA appears to meet the requirements of Article 26(1) – the “arrangement” between joint data controllers (a ‘joint data controller agreement’).

It is important to note that a ‘joint data controller agreement’ is not the same as a written contract or other legal act which is required when using a data processor (GDPR Article 28).

We have not been provided with a data processor contract between the surgery and Graphnet (the data processor).

Timescales and “Deadlines”

Does additional, related or subsequent processing depend on deciding on this processing by a certain date?

No, there is no deadline. This is not COVID-19 related processing.

Simultaneous new processing

Is any other data sharing project being launched at the same time, that might lead to confusion for patients? Remember when SCR & care.data were launched simultaneously…?

OHG already extracts and uploads information to the Hampshire Health Record (CHIE), so data processing with Connected Care would mean that we would be ultimately contributing to two “local” health and care record (LHCR) schemes simultaneously.

This would be (as far as I know) a unique situation – nowhere else in England are practices expected to upload confidential medical information to two separate LHCRs.


Connected Care and CHIE are two separate LHCR schemes, with different contributing organisations, different organisations accessing the information, and the preferred solutions for different STPs. One is not an “extension” of the other.

Recently, significant additional information has been added to the Summary Care Record, converting “core” SCRs into “enriched” SCRs, under COVID-19 legislation. All organisations therefore currently have access to detailed information from the GP record.

We have also recently enabled direct records access to Frimley ICS Community Services, so that organisation already has access to detailed information from the GP record.

Is personal data being processed?

Or is this truly anonymous data outwith the GDPR/DPA? Pseudonymised data = personal data

Yes, this is confidential information (special category data).


Article 35(7)(a)

● The nature of the processing
How will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or another way of describing data flows. What types of processing identified as likely high risk are involved?

This DPIA concerns purely processing of data for direct medical care. We have also been asked to consider allowing extraction and uploading of confidential information for other purposes, so-called “analytics”, which is the subject of a separate DPIA.

We can agree to upload for direct care but refuse secondary processing.
We can agree to secondary processing but refuse direct care processing.
We can agree to both direct care and secondary uses processing.
We can agree to neither.

There is a single “GP dataset” extracted from GP records systems and uploaded to a data processor (Graphnet). Accordingly, the source of the GP data is the surgery’s electronic patient record.

The data extracted from the GP records system does not vary, whatever the purpose – direct care or secondary uses - of the data extraction. As the analytic ISAs state:

“There is no change to the manner in which data is extracted from GP clinical systems for use within Connected Care.”

Oakley Health Group – as well as all associated contributing data controllers – is a joint controller.

The dataset definitions are listed in Appendix 2. Certain sensitive terms (excluded Read codes) are not disclosed by default.

Once that clearly identifiable GP data arrives at the data processor, it is stored within the “operational CareCentric database” where it is linked to clearly identifiable “clinical data extracts from Acute, Community, Mental Health and Social Care systems”. That data is further combined with "supplementary non-clinical data covering topics such as capacity and bed state, as provided to Connected Care by the Acute, Community, Mental Health and Social Care organisations on a daily basis".


This operational CareCentric database thus consists of a huge amount of linked data about individuals, sourced from GP/Social Care/Acute Trusts/Mental Health/Community Services etc.

Its primary purpose is for direct care, to enable a “shared care record” to be available to healthcare professionals when justified.

That shared care record is advertised to the public as “Share Your Care”.

The data flow (including that proposed for secondary uses) is demonstrated in Appendix 3.

Some organisations contribute data to the shared record. All these organisations can access data from the shared record.

Some organisations access data from the shared record, but do not contribute to it.

Many organisations already have access to detailed information from the GP record by means of other projects. Details can be found in the section on “necessity” - Article 5(1)(a).

The number of organisations that can access the shared record is vast.

There are some restrictions on the specific data, from the GP record, that an individual can access, based on their “role”.

But anyone classified as a “Clinical Practitioner” or “Health Professional” can access all such uploaded data.

There is no distinction between a hospital consultant and a physiotherapist – both have access to the “full shared record”.

Social Workers can access almost all such uploaded data.


● Scope of Processing
What is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover? What will we learn about people that we already do not know, either by obtaining new information or by combining existing information?

The data is as described in Appendix 2 – confidential information derived from the GP records. It is special category personal data and is the very same dataset extracted and uploaded for secondary purposes. Some “sensitive” clinical codes are excluded. The Connected Care data extraction process runs every 24 hrs.

See “storage limitation” under data protection principles for data retention.

The data extraction will apply to all patients of the practice except those with a relevant objection (see Right to Object).

The data sourced for the Connected Care data repository spans the Frimley STP/ICS footprint, including the GP practices of 3 CCGs, numerous trusts, social care, mental health providers, community services etc.

● Context
What is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in?

The information supplied to Connected Care is derived from confidential medical information provided to OHG by its patients. The original purpose of collecting such data is the provision of health and care by that respective organisation, and such processing (by OHG) is lawful and has a legal basis.

As will be evident in the section on data subject rights, the only control that patients will have is to opt out completely from both CHIE and CC.


Purposes

What do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing for you, and more broadly? What will this processing allow us to do that we cannot do now?

The aim of any local shared care record is to provide clinicians with information about a patient that they are treating when otherwise they might not have such information. Access to such a shared care record is not always warranted, but in certain situations can be useful (predominantly in emergency situations and where a patient cannot give a history, perhaps due to being unconscious, or because of dementia).

How does this directly benefit data subjects?

What is the intended outcome for individuals?

Potentially, such a project would give clinicians treating data subjects outside of the GP surgery prompt access to clinical information which they might not have access to otherwise.

However, it should be noted that – now - organisations have access to detailed information from the GP record in several ways.

How does this directly benefit our organisation?

Does this give us a “competitive advantage”?

“If you just treat privacy as a function of regulatory compliance, you’ll do the bare minimum. Businesses need to think of privacy as a competitive advantage.”
(Ann Cavoukian, Global Privacy and Security by Design Centre)

In due course, OHG would have access to clinical information derived from organisations outwith the surgery, such as our local hospital trust (Frimley Health). We would not have access to information from Hampshire County Council (social services) as they are not a contributing organisation to Connected Care.

A shared care record of this nature does not give us a “competitive advantage” as such, as our ability to attract newly-registering patients is not, and has never been, determined by the nature or number of data sharing projects that we have signed up to.

Sharing information in this way – if to the detriment of data subject rights – might even discourage patients from joining our surgery.


But – as ever – the governance around assessing such processing, and if implemented, upholding fairness, transparency, and data subject rights, will further reinforce Oakley Health Group’s standing as a responsible data controller.

Article 35(9)

● Consultation process with data subjects & others
Was it undertaken? Do we need to? Do we need to get advice from experts? Is there written advice already out there about this (NDG, GMC, MDU, BMA, UKCGC)?

No such consultation has been undertaken by OHG with our patients.

No such consultation has been undertaken by anyone regarding:

● The extension of Connected Care to practices within NEHFCCG, given that these practices are already sharing GP records via another local care record scheme (CHIE) and via a number of separate data-sharing schemes

● The (abrupt) withdrawal of “permission to view” following GDPR in May 2018 (i.e. the cessation of seeking explicit consent from the patient before accessing their shared care record)

No consultation appears to have been undertaken with patients, patient representative groups, participating practices, their DPOs or their IG leads.

“As the uses of the identifiable data covered by this sharing requirement are restricted to the provision of care, no explicit and direct consultation has been carried with the public in respect of this sharing requirement.”
(Schedule K – PC170011 – Connected Care NEHF ISA)

Patients (or households) affected by the abrupt withdrawal of permission to view (i.e. those data subjects whose confidential medical information had already been uploaded, prior to the change) were not informed of this significant change, e.g. by a letter.

This project raises significant concerns – in relation to common law, the right to privacy, the right to be informed, adherence to data minimisation principles, and the right to object.

Extraction and uploading to two separate care record schemes is likely to cause abject confusion amongst patients, unless OHG withdraws from CHIE.

Aspects of this project are at odds with established guidance from expert organisations (e.g. GMC, BMA, NDG) and their advice on this must be sought. Their current available advice will be detailed later in this DPIA.

Article 35(7)(b) Necessity and proportionality (data protection compliance)

Common Law (CLoC)

How is this met?

Throughout this DPIA I will refer to “Permission to View” instead of “explicit consent” when it comes to the act of directly asking a patient whether they are happy for their shared care record to be accessed.

Confidential medical information, provided in confidence to GP surgeries, is processed in this project, and accordingly we must comply with the CLoC.

The extraction and uploading of GP records to a data processor takes place under an “implied consent mechanism”, in common with all local care record projects across England.

“Consent can be implied at this stage because no sharing has taken place.” (My Care Record)

The detail of medical information that is, or could be, extracted and uploaded under Connected Care is vast, easily exceeding the “core” information uploaded in the National Summary Care Record (and potentially the Enriched SCR).

Data protection law requires that personal data must be processed lawfully. This means it must be processed in accordance with any duty of confidentiality that applies. The ‘reasonable expectations’ of the patient should be the test as to whether a duty of confidence arises.

“I believe that placing the patient’s expectations at the centre of matters of confidentiality is right”

“As part of this work we have considered the important role that the reasonable expectations of the patient might play in ensuring valid use of implied consent, given the emphasis that the courts have placed on the concept of ‘reasonable expectations’ since the incorporation of the Human Rights Act into UK law.”
(NDG Letter to the ICO, 2018, regarding the Royal Free’s use of Streams)


We rely on implied consent to make an individual’s GP record accessible in this way. We do not seek the explicit permission from each of our 28,000 patients before making their information accessible in this way.

Permission to View

The issue with Connected Care arises when that information is accessed by clinicians. Prior to May 2018 (“GDPR”):

“Explicit consent to view the data of an individual is required within the Connected Care CareCentric solution”

This is the permission to view model used by virtually every local care record across England, as well as the National Summary Care Record and other EMIS Web data sharing projects that OHG contributes to, such as sharing of the GP record via GP Connect to NHS 111 (and in due course, SECAMB and our local GP out-of-hours organisation), sharing of the GP record with Phyllis Tuckwell Hospice, and sharing of the full GP record with clinicians outside of OHG providing extended access GP appointments. See Appendix 1.

For some projects (including the Summary Care Record), “enduring” permission to view can be explicitly provided by the patient – allowing a particular organisation, for example A&E at your local hospital, permission to access the shared record for 12 months (without needing to ask the patient each time), on an understanding that the patient can revoke such enduring access at any time (and should be regularly asked if they wish to).

With “GDPR”, Connected Care suddenly withdrew permission to view. This was done without consultation with either contributing organisations or patients.

“Explicit consent to view the shared data relating to an individual who has not opted out is not required for the purpose of provision of care to the patient”

Connected Care asserted that:

1. We recognise that if we continued to take individual and explicit consent we would be complicating an otherwise straightforward and lawful use of PID;

2. Furthermore, by continuing to take individual and explicit consent we would need to comply with all GDPR consent provisions as summarised by GDPR recitals 32, 42 and 43 (below) and this is where unnecessary use of consent-based processing becomes burdensome;

3. As a consequence, we expect that most if not all Schedule D sharing specifications will no longer include consent as the basis for viewing the shared records; and

4. Unless a patient has opted out from sharing the legal basis for viewing the shared records is now expected to be:
   GDPR Article 6(1)e “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
   GDPR Article 9(2)h “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”.

It is hard to see how asking for permission to view “complicates” access to the shared care record.

More recently, Connected Care persist in producing documentation stressing that permission to view “must” be withdrawn because of GDPR and “consent”.

Connected Care have confused “permission to view” (i.e. explicit consent to access the record) with the legal basis to process such data. Permission to view does not require compliance with GDPR consent provisions. That would only be the case if Article 6(1)(a), and/or 9(1)(a), was to be the legal basis.

“In the material that you have sent us, you highlight an issue that my panel and I have seen occurring in a number of places this year, namely confusion between the requirement of GDPR and the common law, particularly on the issue of consent. I agree that when confidential patient information is being shared the requirements of both GDPR and the common law should be considered. I also agree that even where consent is the basis on which the duty of confidentiality is set aside, it is not necessarily the case that consent is the appropriate GDPR basis for processing. I do appreciate that this is a complex message for some in the health and care system to absorb”.
(NDG, personal correspondence with Dr Neil Bhatia)

Processing of information is not based on the data subject’s consent. The explicit consent (permission to view) required is:

● to ensure compliance with common law

● to mitigate against loss of data subject rights – to be informed and the right to object

● to mitigate against potential breaches of data minimisation

● to mitigate against the fact that the “reasonable expectation” of patients is not that anyone within the NHS can access their detailed GP record (without their explicit permission and an opportunity to object contemporaneously) – their right to privacy (Art 8 HRA)

● to ensure the Caldicott principle of “no surprises”, and to maintain trust in the way that the NHS handles confidential and sensitive medical information

The courts now interpret an individual’s reasonable expectations of privacy as key to the duty of confidentiality.


“For me, trust means citizens knowing how their data is being used, how they can control its use, where the data is going, and that no matter where it goes that someone – a privacy commissioner – has their back.” (Information Commissioner Elizabeth Denham's speech at the G20 Side Event - International Seminar on Personal Data in Tokyo on 3 June 2019)

What do others say about express/explicit consent (permission to view)?

“If you suspect a patient would be surprised to learn about how you are accessing or disclosing their personal information, you should ask for explicit consent unless it is not practicable to do so (see paragraph 14). For example, a patient may not expect you to have access to information from another healthcare provider or agency on a shared record.” (GMC)

https://www.gmc-uk.org/ethical-guidance/ethical-guidance-for-doctors/confidentiality/using-and-disclosing-patient-information-for-direct-care#paragraph-29

If patients decide to have a shared record they should be able to make decisions about which organisations can access their records.

If patients decide to have a shared record, their explicit consent to view must be obtained e.g. where a practice other than the patient’s registered practice is seeking to view the record for the delivery of out-of-hours care.

In exceptional circumstances, for example if the patient is unconscious and immediate access to the record is necessary, it may be appropriate to access the record without consent to view.

Healthcare professionals should only view the information relevant to their care setting, unless the patient has given their explicit consent for the full record to be viewed. In the BMA’s view, it is unnecessary for a physiotherapist treating ligament damage to access the entire medical history, for example. (BMA)

https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/principles-for-sharing-electronic-patient-records


The integrated care record – the set of electronically connected records – is created and made available by implied consent. Consent can be implied at this stage because no sharing has taken place. However, before a record is actually accessed the explicit consent of the patient at the point of care is required. (My Care Record)

http://www.enhertsccg.nhs.uk/sites/default/files/primarycare/CPP/2.2%20a.%20MCR%20practice%20briefing%20Final.pdf

Consent for Creating Shared Records, IGA

“The Review Panel concluded that consent should be obtained before sharing a patient’s whole care record with other registered and regulated health and social care professionals for the purposes of direct care. Any exceptions to this guidance should be based on professional judgement in individual cases.” (NDG, 2013 To share or not to share? The Information Governance Review)

“You are quite correct in stating in your correspondence with my office that my 2016 and 2013 reviews re-iterated the Caldicott Principles, and that only relevant information about a patient should be shared between health professionals in support of their care. Both took the position that explicit consent should be obtained before accessing someone’s whole record.” (NDG, personal correspondence with Dr Neil Bhatia, see here)

“Trust is an essential part of the doctor-patient relationship and confidentiality is central to this. Patients may avoid seeking medical help, or may under-report symptoms, if they think their personal information will be disclosed by doctors without consent, or without the chance to have some control over the timing or amount of information shared.” (GMC)

“Asking for a patient’s consent to disclose information shows respect and is part of good communication between doctors and patients.” (GMC)


“Permission to view for direct care provision is designed to ensure that a patient has been informed how their personal information is being used. It also allows the patient to determine who can view this information in the context of the care being provided.” (Summary Care Record - Permission to View Guidelines)

Permission to View clearly fulfils the CLoC. There is no question of that.

We would rely on implied consent (permission) to make an individual’s GP record accessible

We would rely on the patient’s explicit consent (permission) to permit actual access to the confidential information, by the consuming organisation

It is important to understand that “Permission to View” is a way to satisfy the CLoC (and other important data protection principles) and uphold the right to privacy.

It is not “consent” as understood by the GDPR, and/or as Article 6/9 legal bases.


Caldicott Principles

1. Justify the purpose(s)
How is this met? The purpose is clear - direct medical care.

2. Don’t use personal confidential data unless it is absolutely necessary
How is this met? Personal confidential data is necessarily shared.

3. Use the minimum necessary personal confidential data
How is this met? This principle is not met at the time of extraction and uploading. The level of medical detail available within a shared care record, particularly once multiple datasets are combined (social care, hospital records, GP records, palliative care records) is likely to be far in excess of that potentially required by, for example, a physiotherapist, podiatrist, or charity worker.

4. Access to personal confidential data should be on a strict need-to-know basis
How is this met? Only those with a “legitimate relationship” with the data subject – i.e. those providing him/her with direct medical care at the time – are entitled to access the shared care record. The ISA/ISPs also make this clear.

5. Everyone with access to personal confidential data should be aware of their responsibilities
How is this met? Each organisation is responsible for ensuring its employees are aware. The ISA/ISPs also make this clear.

6. Comply with the law
How is this met?

There are legal bases for processing data in this way. Data is being processed for direct medical care.

Seeking permission to view before accessing the shared record absolutely complies with the common law of confidentiality.


7. The duty to share information can be as important as the duty to protect patient confidentiality
How is this met?

This is sharing of information, for direct medical care.

But the Connected Care LHCR is only one way of sharing information.

GP surgeries are under a duty to share information when needed, and such a duty is absolutely discharged when all relevant and necessary information is provided within a referral agreed with the patient, and on the basis of “implied permission”.

We share information via a multitude of other data sharing projects.

Providing access to the GP record via Connected Care might be beneficial, and may be convenient, but it can only happen if unquestionably lawful, fair, transparent, ethical, and upholding of subject rights.

We have no “duty to disclose” information via Connected Care.


Article 5 GDPR – the data protection principles

The fundamental principles which aim to ensure compliance with the spirit of data protection law and the protection of the rights of individuals (data subjects).

Personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to individuals (lawful purpose)

- A legal basis under GDPR
- Be otherwise compliant with the requirements of the GDPR and DPA 2018
- Not involve any otherwise unlawful processing or use of personal data
- Be fair towards the individual
- Avoid being unduly detrimental, unexpected, misleading or deceptive
- Clear and transparent to individuals and regulators

Is this met?

There are lawful bases for processing such data:
- Article 6(1)(e) – Official Authority
- Article 9(2)(h) – Provision of Health

We do not process, and have never processed, data under the legal bases of consent (Art 6(1)a or 9(2)a). Under the DPA 1998 we processed such data under Schedule 2 part 5 (equiv. to Article 6) and Schedule 3 part 8 (equiv. to Article 9).

The absence of permission to view could well be in contravention of common law.

The absence of permission to view could well be in contravention of Article 8 of the Human Rights Act.

Access to the shared record, accessible across a vast geographical area and by very many healthcare professionals, is going to be unexpected, and especially in the absence of permission to view.

“In general, fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them. You need to stop and think not just about how you can use personal data, but also about whether you should.” (ICO)


The absence of PTV – leaving patients unable to be informed, to object in a granular way, to control their data, and to exercise their right not to be surprised – makes this processing unfair to our patients.

“You must also ensure that the sharing happens in a way that people would not find unexpected” (ICO, Data Sharing code of practice, draft for consultation)

And if we cannot inform our patients, and the backstop to that – PTV – is absent, then we cannot be transparent with them about how we process their data.

“Individuals have to know what is happening to their data” “You must ensure that individuals know which organisations are sharing their personal data and which ones have access to that information” (ICO, Data Sharing code of practice, draft for consultation)

The absence of PTV is unduly – and deliberately – detrimental to the basic data protection rights and expectations of the patients that entrust us with their most personal and confidential data.

The absence of any data processor contract means that any such processing would not be lawful, not be transparent, and in breach of Article 28.

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation)

- Specified, explicit, legitimate purposes
- Clear and open from the outset
- Purposes in line with individual’s reasonable expectations

How is this met? How do we prevent function creep?

Data is processed for direct medical care purposes, as regards this DPIA.

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)

“Necessary”:

- It must be a targeted and proportionate way of achieving that purpose
- It must be more than just useful or habitual
- We cannot reasonably achieve the same purpose by some other less intrusive means – and in particular if we could do so by using non-special category data
- It is not enough to argue that processing is necessary because it is part of our particular business model, processes or procedures, or because it is standard practice

How is this met?


“You should only share the specific personal data needed to achieve your objectives.” (ICO, Data Sharing code of practice, draft for consultation)

The level of information available to anyone accessing the shared record is potentially vast – and very likely to be far in excess of that required by any given professional for any given organisation for any given purpose.

The information available for a patient presenting to A&E with a sprained thumb – and this is information accessed without the data subject’s express permission – is almost certainly excessive. Their gynaecological history is totally irrelevant, as it is if they present to a walk-in-centre with earache. It is of course arguable as to whether their shared care record should be accessed at all in such circumstances, given that any competent clinician would be able to take a relevant history from such a patient. But if it is accessed, it would be so without the knowledge or consent of the patient. The patient does not have a choice.

Referrals to specialists

Particularly important to GPs (though applicable to all doctors) is the principle of providing only that information which is relevant and necessary to a specialist when a patient is referred to a hospital outpatient clinic. Unnecessary, excessive and unjustified amounts of confidential information have historically been disclosed to secondary care.

“GPs are breaching patient confidentiality by routinely including ‘inappropriate' information in computer-generated referral letters, LMC leaders have warned.”

http://www.pulsetoday.co.uk/warning-on-referral-letters-with-inappropriate-history/13303743.article


“Information sharing in this context is acceptable to the extent that health professionals share what is necessary and relevant for patient care on a 'need to know' basis” (BMA)

https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/confidentiality-and-health-records-tool-kit/2-general-information

When confidential information is shared it should be relevant, necessary and proportionate.

When confidential information is shared within the care team, only information that is relevant, necessary and proportionate should be shared. Close attention must be paid when applying this test to avoid compromising care. There are data protection principles involved, such as the need to demonstrate that:

- there is a clear purpose, for example to help with a diagnosis.
- the purpose could only be achieved by the sharing of confidential information.
- the extent of the information sharing is kept as limited as possible, consistent with achieving the clear purpose.

Where confidential information is stored in a way that makes it practicable to separate pieces of confidential information, it is not acceptable to share all information in an individual’s care record unless the confidential information is relevant and appropriate to the individual’s care. For example, only part of a patient’s medical history may be relevant to a new referral so the rest of the medical record should not be shared unless there is a clinical reason to do so.

A guide to confidentiality in health and social care, NHS Digital
http://static.ukcgc.uk/docs/HSCIC-guide-to-confidentiality.pdf

“Appropriate information sharing is an essential part of the provision of safe and effective care”

“Most patients understand and expect that relevant information must be shared within the direct care team to provide their care”

“You should share relevant information with those who provide or support direct care to a patient, unless the patient has objected” (GMC)

However, the need to share some information does not entail the sharing of everything, for example, a patient may tell a GP she is pregnant, but not by her husband, and she does not consent to this information being shared with any other doctor. Or a professional in a particular field, such as a physiotherapist treating a patient’s knee, may not need to know about his impotence.

The Review Panel concluded that in line with the original Caldicott review principles, only relevant information about a patient should be shared between professionals in support of their care. (p.37)

Information: To share or not to share? The Information Governance Review

When an individual provides consent for sharing information about them for a particular purpose (either for direct care or for other purposes), this consent provides a legal basis for that information sharing. Explicit consent provides a legal defence to potential claims for breach of confidence and breach of privacy; it also ensures that the conditions for processing sensitive personal information in schedules 2 and 3 of the Data Protection Act 1998 are met. Consent may be either explicit or, in certain circumstances, implied.

Even when consent has been given, this does not mean that information which is unnecessary or irrelevant must be shared.

The individual is usually able to give consent for any information sharing needed to safely provide that care. Very few individuals ever express concern about information sharing where they see it as necessary to provide their care (for ‘direct care’). Consent for the necessary sharing of information to support care delivery can be inferred from the fact that an individual agrees to receive that care, however, only relevant information should be shared.

A guide to confidentiality in health and social care, NHS Digital

It is a fundamental responsibility of a doctor, when involving others in the care of their patients, to select and then disclose only necessary and sufficient information for the care needed or anticipated.

Exchanging unnecessary and excessive information is disrespectful of the patient and the recipient and contrary to GMC and other requirements. (BMA)

Since GPs (in particular) would (or at least, should) be providing all necessary and relevant information within a referral to a specialist, there should be no need for a specialist to access their shared GP record.


Such a specialist would be accessing information that would (or certainly, could) be unjustified and excessive.

An ophthalmologist seeing a patient about a cataract does not need access to their detailed gynaecological history.

In addition, the specialist might well be accessing information that the patient had specifically withheld from the referral letter. There may be good reasons why some information is not present within the referral letter - most commonly, because it is not relevant, but it may be that the patient has expressly objected to the inclusion of particular medical information, even if of relevance to the speciality being referred to. That is the patient’s right.

Even if excessive information is being made available – potentially accessible – that can be mitigated again, to some degree, by asking the patient for their explicit consent to access additional information within the shared record. That is, seeking permission to view.

Patients would then have the opportunity to be informed of the shared care record’s existence and be provided with reasons why that professional feels it warranted to access information beyond that provided by the patient’s GP referral letter. The patient can then say yes, or “no – you ask me directly if you want any more information”.

Who has access to uploaded GP information?

Frimley Park Hospital can access Connected Care. But – as of the 13th December 2019 - the only departments that can access it are Pharmacy and the Community Nurses. A&E at Frimley Park do not have access.

The Pharmacy department can already access the National Summary Care Record, now auto populated with additional and detailed information (COVID-19 mandated). A&E have access to the National SCR.


Frimley Park Hospital does not upload documents (e.g. discharge summaries) to Connected Care.

“No documentation is uploaded to connected care. Frimley Health are submitting data items relating to the admission, discharge and transfer of a patient and outpatient appointment details.” (Frimley Park Hospital, FOI response)

All hospital trusts are mandated to provide GP surgeries with electronic discharge summaries in line with the NHS Standard Contract:

- following inpatient or day case care or A&E attendance, to issue a Discharge Summary to the patient’s GP within 24 hours; and
- following outpatient attendance, to issue a Clinic Letter to the patient’s GP within 7 calendar days

The Community Nurses, and in fact all of Frimley ICS Community Services, already have access to the full GP record via our recent enabling of bi-directional records access.

SCAS NHS 111 can access Connected Care. But SCAS NHS 111 can already access the National Summary Care Record, now auto populated with additional and detailed information (COVID-19 mandated). And SCAS NHS 111 can already access detailed information from the GP record via GP Connect – which is their preferred source of information.

SECAMB do NOT have access to Connected Care (as of 30.01.20). But SECAMB can already access the National Summary Care Record, now auto populated with additional and detailed information (COVID-19 mandated). And we can already provide SECAMB with detailed information about certain patients via IBIS. And SECAMB will in due course have access via GP Connect: possibly by the end of August 2020. It will be their preferred source of information. At that point, they will cease to use Connected Care.

Phyllis Tuckwell Hospice Care have access to Connected Care. But PHTC already have access to the full GP record via our enabling of bi-directional records access.

NHUC, our GP out-of-hours provider, can access Connected Care. But NHUC can already access the National Summary Care Record, now auto populated with additional and detailed information (COVID-19 mandated). And imminently, NHUC (via SCAS) will have access to detailed information from the GP record by means of GP Connect. At that point, they will cease to use Connected Care.

Other hospital trusts (who rarely see our patients) also have access to Connected Care. But they all can already access the National Summary Care Record, now auto populated with additional and detailed information (COVID-19 mandated).

Hampshire County Council (which covers the overwhelming number of our patients) neither contributes to, nor can access, Connected Care.

We cannot realistically state that signing up to Connected Care is necessary to provide efficient direct care to our patients, or to enable fellow healthcare organisations to do so. They already have access to detailed information sourced from the GP record, in established ways, almost all of which are clearly lawful, fair, and upholding of data subject rights.

d) accurate and, where necessary, kept up to date (accuracy)
How is this met?

We already have an obligation to keep our electronic GP records accurate, from which Connected Care information is sourced.

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation)
How is this met?

Data is stored until such time as either the patient dies, or moves outside of the Connected Care area, or expresses an objection (opt-out).

See this information provided.


f) processed in a manner that ensures appropriate security of the personal data (confidentiality)
How is this met?

In the absence of a data processor contract, we cannot have any demonstrable assurance of appropriate security.


No surprises

“The Review Panel concluded that consent should be obtained before sharing a patient’s whole care record with other registered and regulated health and social care professionals for the purposes of direct care. Any exceptions to this guidance should be based on professional judgement in individual cases.” (NDG, 2013 To share or not to share? The Information Governance Review)

“3.2.6 The Review heard that patients may have elements of their record that they do not want to be shared and felt that sharing their whole record was not necessary for direct care. In line with the Caldicott principles and the last review, only relevant information about a patient should be shared between health professionals in support of their care. Explicit consent should be obtained before accessing someone’s whole record."

“3.2.0 …there should be ‘no surprises’ for the individual about who has had access to information about them.” (NDG, 2016 Review of Data Security, Consent and Opt-Outs)

“…there must be no surprises to the citizen about how their health and care data is being used” “Failing to offer this choice to people can accelerate discontent with how they are being informed and consulted, resulting in a growing rejection of the benefits of data sharing.” (NDG, Building trust in the use of data across health and social care)

“29 If you suspect a patient would be surprised to learn about how you are accessing or disclosing their personal information, you should ask for explicit consent unless it is not practicable to do so (see paragraph 14). For example, a patient may not expect you to have access to information from another healthcare provider or agency on a shared record.” (GMC)

“Trust is an essential part of the doctor-patient relationship and confidentiality is central to this. Patients may avoid seeking medical help, or may under-report symptoms, if they think their personal information will be disclosed by doctors without consent, or without the chance to have some control over the timing or amount of information shared.” (GMC)


“If patients decide to have a shared record, their explicit consent to view must be obtained e.g. where a practice other than the patient’s registered practice is seeking to view the record for the delivery of out-of-hours care. In exceptional circumstances, for example if the patient is unconscious and immediate access to the record is necessary, it may be appropriate to access the record without consent to view.” (BMA)

“You have the right to be informed about how your information is used. You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis. The NHS also pledges: where identifiable information has to be used, to give you the chance to object wherever possible. All staff have responsibilities to the public, their patients and colleagues. You should aim to: inform patients about the use of their confidential information and to record their objections, consent or dissent.” (NHS Constitution, Respect, consent and confidentiality)

“Asking for a patient’s consent to disclose information shows respect and is part of good communication between doctors and patients.” (GMC)

Is this met? Does the data subject know that we are disclosing?

No.

With the best will in the world, OHG cannot hope to fully inform all our 28,000+ patients about this project. Inevitably, patients will present to organisations outside the GP surgery and be completely unaware of the existence of a shared care record about them – potentially containing a huge amount of confidential medical information.

The first time that they might be aware could be after their record has been accessed – without their knowledge and without their consent.

Many patients would not expect allied health professionals – admin staff, physiotherapists, phlebotomists – to have access to very detailed information about them, from their GP record, outside of the surgery. At least, not without their explicit consent.

Many would not expect social care departments, or charities, to have this level of access. At least, not without their explicit consent.

Connected Care allows a huge range of organisations access to the shared record – hospital trusts, GP out-of-hours organisations, local authorities, walk-in-centres, ambulance organisations, mental health organisations, community services, charities etc. And within those organisations, the variety of personnel is large – from clinicians, to admin, to clerical staff.

But “no surprises” can be mitigated against – with “permission to view”.

By asking the patient for their explicit consent before any particular professional, within a particular organisation and for a particular purpose, accesses the shared record, patients are simultaneously informed of its existence (which they might not be aware of) and of their right to object on that occasion (which they cannot exercise unless they are asked whether they object).

The withdrawal of permission to view vastly increases the likelihood that a patient would be surprised (and likely, very angry) that such information about them had been both made available and been accessed without their knowledge.

Patients are happy for doctors to be able to view detailed medical information – less so for some types of nurses, HCAs or admin staff.

Patients can withhold individual items from their Connected Care record, if derived from their GP record. Their GP can mark a particular diagnosis, for example, as “confidential”. But that cannot happen unless the patient knows that such a shared record exists and will be accessed without their permission. Only then can they approach their GP and ask for specific items to be marked as confidential (or opt-out completely).

There should not be occasion when the first time that a patient realises that he/she has a shared care record in existence, and that it has been accessed outside the GP surgery, is after that access has occurred – without the patient’s knowledge, without their permission, and without any opportunity for the patient to object.

And that would be a data protection – and data privacy - disaster.

3.2.6 The Review heard that patients may have elements of their record that they do not want to be shared and felt that sharing their whole record was not necessary for direct care. In line with the Caldicott principles and the last review, only relevant information about a patient should be shared between health professionals in support of their care. Explicit consent should be obtained before accessing someone’s whole record.

3.2.7 In focus groups of members of the public, the Review heard that people were comfortable with data being shared with care professionals for their care, but not anywhere else within the local authority. There was a concern that social care departments might share data with the rest of the council e.g. housing or finance. The Review also heard that people may be surprised that information was shared across health and social care: ‘If a social worker say wants to access your medical records, I think you should sign a form giving your consent’.

National Data Guardian for Health and Care, Review of Data Security, Consent and Opt-Outs
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/535024/data-security-review.PDF


GMC Confidentiality Principles

a. Use the minimum necessary personal information. Use anonymised information if it is practicable to do so and if it will serve the purpose.
b. Manage and protect information. Make sure any personal information you hold or control is effectively protected at all times against improper access, disclosure or loss.
c. Be aware of your responsibilities. Develop and maintain an understanding of information governance that is appropriate to your role.
d. Comply with the law. Be satisfied that you are handling personal information lawfully.
e. Share relevant information for direct care in line with the principles in this guidance unless the patient has objected.
f. Ask for explicit consent to disclose identifiable information about patients for purposes other than their care or local clinical audit, unless the disclosure is required by law or can be justified in the public interest.
g. Tell patients about disclosures of personal information you make that they would not reasonably expect, or check they have received information about such disclosures, unless that is not practicable or would undermine the purpose of the disclosure. Keep a record of your decisions to disclose, or not to disclose, information.
h. Support patients to access their information. Respect, and help patients exercise, their legal rights to be informed about how their information will be used and to have access to, or copies of, their health records.

https://www.gmc-uk.org/ethical-guidance/ethical-guidance-for-doctors/confidentiality/the-main-principles-of-this-guidance

Are these all met?

a & e : No – see elsewhere in this DPIA regarding data minimisation

b & c : Yes

d : No – see elsewhere in this DPIA regarding CLoC & HRA

f : Not relevant as this DPIA is for direct care purposes only

g : No – see elsewhere in this DPIA regarding Permission to View

h : Yes


The Human Rights Act 1998 and Reasonable Expectations

Article 8 of the Human Rights Act protects our privacy, our family life, our home and our communications.

“Everyone has the right to respect for his private and family life, his home and his correspondence”

Article 8 of the European Convention on Human Rights: Right to respect for private and family life

This means respect for private and confidential information, including the storing and sharing of data. And that very much includes medical information (which includes correspondence between the patient and their healthcare providers).

The Human Rights Act 1998 made the ECHR part of domestic law.

164. Respecting the confidentiality of health data is a vital principle in the legal systems of all the Contracting Parties to the Convention. It is crucial not only to respect the privacy of a patient, but also to preserve his or her confidence in the medical profession and in the health services in general.

Without such protection, those in need of medical assistance may be deterred from revealing such information of a personal and intimate nature as may be necessary in order to receive appropriate treatment and, even, from seeking such assistance. They may thereby endanger their own health and, in the case of communicable diseases, that of the community.

The domestic law must therefore afford appropriate safeguards to prevent any such communication or disclosure of personal health data as may be inconsistent with the guarantees in Article 8 of the Convention (Z v. Finland, § 95; Mockutė v. Lithuania, §§ 93-94).

https://www.echr.coe.int/documents/guide_art_8_eng.pdf Guide on Article 8 of the European Convention on Human Rights, Dec 2018

In April 2019, SCW CSU asserted that:

“However it seems that the problem with explicit consent that people are not understanding is that explicit consent puts professionals at odds with both GDPR and human rights legislation.”

The unlawful disclosure of confidential information, especially without the patient’s knowledge and without affording them a meaningful opportunity and mechanism to object (before access occurs), represents a breach of privacy.

The Law of Confidence has been reinterpreted – and has had to be reinterpreted - in the light of Article 8 of the European Convention on Human Rights.

As a result, for at least the past 20 years, the development of the common law has been in harmony with Articles 8 and 10 of the ECHR.

Article 8(1) of the HRA is absolutely engaged. Any identifiable patient data held by a doctor or a hospital attracts a reasonable expectation of privacy.

"all identifiable patient data held by a doctor or a hospital must be treated as confidential".

"….reasonable expectations of patients that all of their data will be treated as private and confidential."
R (on the application of W, X, Y and Z) v Secretary of State for Health and Home Office [2015]

If disclosure of personal information interferes with a reasonable expectation of privacy, without legal justification, then a legal wrong will be committed.

Article 8 is not an absolute right. It is a qualified right, but a public authority (such as a GP surgery) can only interfere where that interference is:

- In accordance with the law; and
- Necessary in a democratic society

But those two conditions are not met.

Patients absolutely have a reasonable expectation of privacy when it comes to their personal, confidential GP records. And that includes who has access to them (outside of the GP surgery), when such access occurs, and whether they are meaningfully being informed and afforded the opportunity to object in a meaningful and granular way.


Secondly, we think it’s important to underline that the delivery of direct care is not of itself a catch-all to allow information to be shared under implied consent. The crucial thing is that information sharing must be in line with the reasonable expectations of the individual concerned.

It’s crucial to understand the boundary between what would and would not surprise people. This understanding should shape the way health and care professionals talk to people about how information is used. This is not just a matter of courtesy. It is also a question of law. It is important to remember that the boundary of what people reasonably expect is itself a restriction on the way information can lawfully be used.

NDG, Reasonable Expectations

Patients have “reasonable expectations” about the sharing of their confidential information, particularly the very detailed information kept by their GP surgery.

They absolutely have a reasonable expectation that their GP surgery will share necessary and relevant information about them if and when they are referred to a hospital specialist, or service. They expect their GP to provide all necessary information, not disclose unnecessary information, and not disclose information that they have specifically asked not to be disclosed.

But there is no reasonable expectation that, as a result of that referral, the organisation that they have been referred to can, and will, access their full GP record, including information that is neither necessary nor relevant, possibly including information that they asked their GP to deliberately withhold, and without being afforded the opportunity to be informed and to object (which permission to view would provide).

And they absolutely expect to be told that such information is accessible before that information is accessed (unless they are unable to give their permission).

Patients have a reasonable expectation that some information about them might be accessible were they to attend A&E or an out-of-hours centre, or when they ring NHS 111.

But there is no reasonable expectation that, as a result of that attendance, staff within that A&E can, and will, access their full GP record, including information that is neither necessary nor relevant, possibly including information that they would have deliberately withheld from A&E, and without being afforded the opportunity to be informed and to object.


And they absolutely expect to be told that such information is accessible before that information is accessed (unless they are unable to give their permission).

It is a reasonable expectation that they will be asked if a healthcare professional (especially one who has already been provided with detailed information by their GP) wishes to access further information from their GP record under any circumstances, especially if there is information within their GP record that they would not want anyone but their GP to be aware of.

And they absolutely expect to be afforded the opportunity to say no to such access.

It is a reasonable expectation that they can “control” their personal data. That they can allow – or refuse to allow, i.e. object to – access to their detailed GP record:

- by an entire organisation, or
- by one or more services within that organisation, or
- by one or more teams within that service, or
- by one or more individuals within that team (that individual might well be a family member, friend, neighbour or work colleague), or
- by any of the above, on any specific occasion

It is a reasonable expectation that they can refuse access to their GP record when they attend A&E for a sprained ankle, but permit access when they attend A&E with breathlessness and chest pain. That any decision to permit access to their GP record, by an external organisation, can vary depending on the clinical situation (as the patient perceives it).

It is a reasonable expectation that they should be able to prohibit access by organisations in one LHCR but allow access by organisations in a separate LHCR.

And it is a reasonable expectation that they should not have to opt-out of all record sharing, with every organisation, because that’s the only way to prohibit one specific organisation/service/team/individual from accessing their GP record.

If a patient’s full GP record has been extracted and uploaded without their knowledge, accessed without their knowledge, accessed without their permission, and accessed without affording them the opportunity to object, then unquestionably their privacy has been breached.
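The permission-to-view model and the granular objections described above (by organisation, service, team, individual, LHCR, and per occasion), worked through as an added Python example that is not part of this DPIA or of the Connected Care system; the requester scopes, the handling of a patient who cannot be asked, the placeholder codes and the organisation names are all constructed assumptions:

```python
"""Permission-to-view (PTV) decision for a shared care record.
Added example, not part of this DPIA or of the Connected Care / Graphnet
system; all names, fields, codes and sample data below are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Requester:
    """Who wants to view: their LHCR, organisation, service, team and person."""
    lhcr: str
    organisation: str
    service: str
    team: str
    individual: str

@dataclass(frozen=True)
class Objection:
    """A standing objection. An unset field means 'any', so setting only
    organisation blocks that whole organisation, down to one named individual."""
    lhcr: Optional[str] = None
    organisation: Optional[str] = None
    service: Optional[str] = None
    team: Optional[str] = None
    individual: Optional[str] = None

    def covers(self, r: Requester) -> bool:
        for name in ("lhcr", "organisation", "service", "team", "individual"):
            wanted = getattr(self, name)
            if wanted is not None and wanted != getattr(r, name):
                return False
        return True

@dataclass
class Preferences:
    opted_out: bool = False                                    # no sharing at all
    objections: List[Objection] = field(default_factory=list)
    confidential_codes: Set[str] = field(default_factory=set)  # GP-marked "confidential" items

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    visible_items: Tuple[Tuple[str, str], ...]

def permission_to_view(prefs: Preferences, requester: Requester,
                       record: List[Tuple[str, str]], ptv_response: Optional[str],
                       audit: list) -> Decision:
    """Decide one access attempt and append it to the audit trail.
    ptv_response: "yes", "no", "unable" (patient cannot be asked), or None
    (nobody asked, which the DPIA treats as access without a chance to object)."""
    def decide(allowed: bool, reason: str, items=()) -> Decision:
        audit.append({"requester": requester, "response": ptv_response,
                      "allowed": allowed, "reason": reason})
        return Decision(allowed, reason, tuple(items))
    if prefs.opted_out:
        return decide(False, "patient has opted out of record sharing")
    for obj in prefs.objections:
        if obj.covers(requester):
            return decide(False, f"standing objection covers this requester: {obj}")
    if ptv_response == "no":
        return decide(False, "patient refused permission to view on this occasion")
    if ptv_response not in ("yes", "unable"):
        return decide(False, "patient was not asked; access before asking is not permitted")
    # Items the GP marked confidential never leave the surgery, even with permission.
    visible = [(code, text) for code, text in record if code not in prefs.confidential_codes]
    reason = ("patient gave permission" if ptv_response == "yes"
              else "patient unable to respond; access allowed and flagged for review")
    return decide(True, reason, visible)

# Constructed sample data: placeholder codes, not real Read codes or organisations.
SAMPLE_RECORD = [("C1", "Asthma"), ("C2", "Mental health consultation"), ("C3", "Penicillin allergy")]
SAMPLE_PREFS = Preferences(
    objections=[
        Objection(organisation="Council Social Care"),                       # a whole organisation
        Objection(lhcr="Other-LHCR"),                                        # everything in another LHCR
        Objection(organisation="General Hospital", individual="staff-042"),  # one individual only
    ],
    confidential_codes={"C2"},
)

def demo() -> List[Decision]:
    """Run the scenarios the DPIA describes and return the decisions in order."""
    audit: list = []
    ae = Requester("Home-LHCR", "General Hospital", "A&E", "Majors", "staff-007")
    social = Requester("Home-LHCR", "Council Social Care", "Adult Care", "North", "sw-101")
    neighbour = Requester("Home-LHCR", "General Hospital", "A&E", "Majors", "staff-042")
    elsewhere = Requester("Other-LHCR", "Far Hospital", "A&E", "Minors", "staff-900")
    return [
        permission_to_view(SAMPLE_PREFS, ae, SAMPLE_RECORD, "yes", audit),         # chest pain: permitted
        permission_to_view(SAMPLE_PREFS, ae, SAMPLE_RECORD, "no", audit),          # sprained ankle: refused
        permission_to_view(SAMPLE_PREFS, social, SAMPLE_RECORD, "yes", audit),     # blocked by objection
        permission_to_view(SAMPLE_PREFS, neighbour, SAMPLE_RECORD, "yes", audit),  # one person blocked
        permission_to_view(SAMPLE_PREFS, elsewhere, SAMPLE_RECORD, "yes", audit),  # other LHCR blocked
        permission_to_view(SAMPLE_PREFS, ae, SAMPLE_RECORD, None, audit),          # never asked: refused
        permission_to_view(SAMPLE_PREFS, ae, SAMPLE_RECORD, "unable", audit),      # cannot be asked: allowed
    ]
```

Every attempt, permitted or refused, lands in the audit list, which is what lets a patient later see who asked to view their record and what was decided.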


Data Processors – Article 28

A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of the controller and can act only upon the instructions of the controller.

Does the practice retain full data controllership? How do we ensure that processors comply?

Does processing require the use of a data processor? YES

If yes:

Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller
Article 28, GDPR

Processing by a processor requires a contract or other legal act under Union or Member State law, which is binding on the processor
EDPS Controller-Processor Factsheet

Has a written data processor contract been provided? NO

Are both the controller and processor parties to the contract? NO

Are both controller and processor signatories to the contract? NO

Does the processor contract contain the following compulsory details?

the name of the controller and the processor NO

contact details for the controller and the processor NO

the subject matter and duration of the processing NO

the nature and purpose of the processing NO

the type of personal data and categories of data subject NO

the obligations and rights of the controller NO

Does the processor contract contain the following compulsory terms?


the processor must only act on the written instructions of the controller (unless required by law to act without such instructions) NO

the processor must ensure that people processing the data are subject to a duty of confidence NO

the processor must take appropriate measures to ensure the security of processing NO

the processor must only engage a sub-processor with the prior consent of the data controller and a written contract NO

the processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR NO

the processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments NO

the processor must delete or return all personal data to the controller as requested at the end of the contract NO

the processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state NO

Does the processor contract:

state that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR NO

reflect any indemnity that has been agreed NO

contain an expiration date for processing (after which all processing must cease) NO

make clear how either the data controller or the data processor may voluntarily terminate the contract, including the notice required NO

Is it clear that the data processor must:

only act on the written instructions of the controller (Article 29) NO

not use a sub-processor without the prior written authorisation of the controller (Article 28.2) NO


co-operate with supervisory authorities (such as the ICO) in accordance with Article 31 NO

ensure the security of its processing in accordance with Article 32 NO

keep records of its processing activities in accordance with Article 30.2 NO

notify any personal data breaches to the controller in accordance with Article 33 NO

employ a data protection officer if required in accordance with Article 37 NO

Does Oakley Health Group retain full data controllership over all aspects of processing? NO

Ultimately, OHG becomes a joint controller with other organisations.

Is Oakley Health Group inadvertently becoming a data controller for information outside the GP record? NO


We have not been provided with a data processor contract, between the data controller (OHG) and the data processor (Graphnet). We hold no such contract, in breach of Article 28.

It is not clear why we have not been provided with a contract. We hold contracts with every other data processor we use.

The commissioning organisation for Connected Care, NHS Berkshire West CCG, holds a service level contract with Graphnet (see this contract chain document).

Within that service level contract, they have inserted data processing terms. The CCG then asserts that contributing data controllers are not required to be signatories and parties to a data processor contract (or individual contracts) with Graphnet, as they have been granted “3rd party benefits” under C(RTPA) 1999.

Connected Care asserts the following:

That the Article 28 requirement for a data processor contract can be met by:

- The data processing terms included within a commercial contract
- The data processing terms included within a confidentiality agreement
- Terms extended to third parties by way of the Contracts (Rights of Third Parties) Act 1999

“The Contracts (Rights of Third Parties) Act 1999 is a legitimate and appropriate means by which to extend the benefit of a data processing agreement to multiple data controllers without them each having to individually sign the agreement.”

“It is not necessary that the Contributing Data Controller(s) are a signatory to that contract; it is sufficient that they are a beneficiary of the contract, in line with the Contracts (Rights of Third Parties) Act 1999. This provides the same level of indemnity to Contributing Data Controllers against misuse of data as if they were signatories to the contract.”

“GDPR Article 28 requires that processing by a processor must be governed by a contract that is binding on the processor with regard to the controller: Article 28.3. In my view, this does not require that the controller must themselves be a party to the contract. It is sufficient if the controller can enforce the contract, under the 1999 Act.”

All the contributing data controllers are merely then “beneficiaries of the contractual terms and clauses”.


The CCG is neither a contributing data controller, nor does it (or can it) access any information from the shared record. All it has done is to arbitrarily insert data processing terms into a service level contract, then:

- declare itself a “data controller”
- declare itself a “joint data controller”
- assert that every contributing data controller no longer requires a data processor contract but instead is to rely on “3rd party benefits” generously bestowed to them by the CCG

Under the GDPR, when a ‘data controller’ engages a ‘data processor’, the two parties must enter into a written contract.

Not “any two parties”, nor “any data processor”.

Any controller that is subject to the GDPR needs to have in place an appropriate Data Processing Contract with any third party that it shares data with where that third party is a processor as defined under the GDPR.

Failure to have in place a suitable Data Processing Contract is a breach of the law under GDPR.

Article 28 is unambiguous. It refers to the controller. Not any controller, not a “lead controller amongst joint controllers”, and not a controller that does not even provide the processor with data to process.

The controller, the one supplying their data, that it controls, to the processor.

We are not the data controller for a hospital trust’s records, as extracted, uploaded and provided to Graphnet for processing on their behalf.

Equally, neither NHS West Berkshire CCG, nor Frimley Health NHSFT, nor any other data controller, is the data controller for our patients’ GP records that we extract, upload and provide to Graphnet for processing on our behalf.

It is extremely important that we have a contract that determines the purposes of processing of the data that we provide to Graphnet. We may be happy for such data to be used for direct care purposes, as in the typical “shared clinical record” but not be happy for – and so refuse to permit – processing for secondary purposes. But we cannot control the processing if we are being denied a contract with our instructions detailed.


We may not be processing our personal data for all the same purposes as another controller.

We are not using the same set of personal data for this processing as another controller. We provide data from our GP records; other organisations provide data from the medical records that they alone hold and control.

We might be determined as a joint data controller for the shared, combined clinical record (which includes data that we provide), but we remain the data controller for the data that originates from our GP database.

We determine when any extraction, upload, and sharing of our data commences.

We determine when any extraction, upload, and sharing of our data ceases.

We determine whether any processing for direct care purposes happens at all.

We do not give up data controllership of our GP records as held by Graphnet – on our behalf.

Being a data controller amongst a group of “joint data controllers” does not absolve that organisation of meeting Article 28 by means of a processor contract that it is a party and signatory to.

A contract that it must hold.

There is no interpretation – whether via the golden rule, the literal rule, or the mischief rule – that arrives at the conclusion that the intention of Article 28 was anything other than that there must be a contract in place between the controller whose data it is (i.e. that they control) and the processor handling that data on their behalf.

There is no ambiguity.

The ICO’s guidance is similarly explicit.
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/contracts-and-liabilities-between-controllers-and-processors-multi/what-needs-to-be-included-in-the-contract/

- “the” controller needs to be very clear from the outset about the extent of the processing it is contracting out
- Processing only on the documented instructions of “the” controller
- “the” controller and processor may agree to supplement them with their own terms
- the processor may only process personal data in line with “the” controller’s documented instructions
- “the” controller, rather than the processor, that has overall control of what happens to the personal data
- If a processor acts outside of “the” controller’s instructions in such a way that it decides the purpose and means of processing, including to comply with a statutory obligation, then it will be considered to be a controller in respect of that processing and will have the same liability as a controller

It is nonsensical to conclude that the intention of Article 28 was to permit a contract between an unrelated 3rd party, asserting itself as “a” data controller, and the processor.

That data controller (NHS West Berkshire CCG) neither supplies nor controls the confidential information derived from our GP records.

Applying the general presumption that the legislators for GDPR have used legislative language “correctly and exactly” [Spillers Ltd v Cardiff (Borough) Assessment Committee [1931] 2 KB 21 at 43], the only interpretation supported by the language is that the contract must exist between the controller supplying the information and the processor handling it on their behalf.

Data controllers cannot rely on data processing terms included within a commercial contract to meet the requirements of Article 28.

Data controllers cannot rely on data processing terms included within a confidentiality agreement to meet the requirements of Article 28.

Data controllers cannot rely on terms extended to third parties by way of the Contracts (Rights of Third Parties) Act 1999 to meet the requirements of Article 28.

There is no interpretation of Article 28 that permits this.

The only relationship that NHS West Berkshire CCG has with Graphnet is that of commissioning (and paying for) Graphnet to provide data processing services to contributing data controllers. And as such, each data controller must be party to, and signatory to, an Article 28 compliant contract with Graphnet.

The organisation making decisions about the data is a Data Controller, regardless of the flow of money. And that is – and can only ever be – Oakley Health Group for our GP records.

Any contract is likely to be identical for all contributing data controllers, with the only variation being in the appendix detailing the data extracted and uploaded (which will necessarily vary between classes of organisation, such as GP surgery and hospital trust). But other types of contract are permissible (see email discussion with the ICO).


It would be nonsensical for there not to be a contract between OHG and Graphnet (that is, after all, the “mischief” that Art 28 seeks to avoid).

Third party rights do not suffice. Third party rights do not meet the requirements of Article 28.

The ICO is clear about that.

It is not correct to say that “Therefore via the Contracts (Rights of third parties) Act 1999, there would be a form of contract between OHG and Graphnet”. There is no “contractual arrangement between signatories of the ISA framework and Graphnet”. We hold no such contract with Graphnet. We are neither a signatory nor a party to any contract with Graphnet. It does not exist.

There is no legally binding contract between OHG and Graphnet. ISAs do not create such a legally binding relationship, particularly as Graphnet is not (and cannot be) a signatory to any of the ISAs.

The ISAs are not contracts, they are memorandums of understanding between the data controllers. ISAs are not a legal requirement (but regarded as best practice).

It should be noted that the detail about processing should be within the data processor contract, and not within the ISA. The data processing information in the service level contract that exists solely between the CCG and Graphnet is the “bare bones”. The real processing information is – inexplicably – within the ISAs.

“Data Controllership is a matter of fact and cannot be waived, re-assigned or delegated by contract terms. You can include warranties and indemnities in the contract to allow your organisation to recover losses from a problem you didn’t cause, but if you are the party making the decisions, then you ultimately remain accountable for the processing of the personal data”.

Who’s in Control, Rowenna Fielding


If Graphnet process our data without such a contract then:

• We are in breach of Article 28
• We will not have a contractual relationship with the data processor
• We are not issuing instructions to Graphnet

Article 29 is clear:

"The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law."

That’s the controller, not any controller.

• Graphnet would be processing data outside the explicit instructions of the data controller of Oakley Health Group’s GP records
• OHG would not be in control of our data
• Graphnet would be a third party processing data outside of a lawful Processor-Controller contractual agreement, and then becomes the Data Controller for ultra vires processing

In other words, we would have unlawfully disclosed confidential information to a third party, and they would be unlawfully holding and controlling it

https://www.supremecourt.uk/cases/uksc-2018-0213.html

“where data is processed in a manner not explicitly permitted by the Data Controller, the Processor is in fact the de facto Data Controller for that processing activity”.

https://www.bailii.org/ew/cases/EWCA/Civ/2017/121.html

“if they [a Processor] are processing personal data on their own behalves they will be data controllers as regards that processing and those data.”

There is no reason why there should not be individual contracts in place between the data controllers and Graphnet, or a single contract that all data controllers are a “multi-party” signatory to.

It is a deliberate decision to refuse to provide such contracts.

We have such contracts for every other data processor that we use.


“Organisations working as part of a LHCR will work as joint data controllers with other members of the LHCR areas, because between them they will decide on the purpose and manner for which personal data is collected; it will not be decided by one single organisation within the LHCR. As a LHCR is not a legal entity, joint data controllers will need to enter into binding contracts/processing agreements with data processers as a “grouping” of data controllers rather than appoint a single lead data controller to act on behalf of the grouping.”

NHS X

We cannot devolve data controllership to another organisation, such as a CCG or other “lead” data controller.

It should be noted that the contributing data controllers have not been provided with the service level contract, and the data processing terms inserted therein.

I had to specifically request it, and it was only provided to me under FOI.

It should also be noted that any variation of the contract needs only to be agreed between the CCG and Graphnet – no permission is required from OHG, nor do we even have to be informed.

Guidance on Data controllers, Data processors and mandatory contracts:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/controllers-and-processors/

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/contracts-and-liabilities-between-controllers-and-processors-multi/

https://www.dataprotection.ie/en/organisations/guidance-practical-guide-data-controller-data-processor-contracts


Article 25 (2) – Data Protection by Default

Data Protection by design and default is a legal requirement under GDPR. Article 25 specifies that, as the controller, we have responsibility for complying with data protection by design and by default.

‘The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.’

Are we “not processing additional data unless the individual decides we can”?

Are we “providing individuals with sufficient controls and options to exercise their rights”?

“Data protection by design and default” is a legal obligation requiring you to put in place appropriate technical and organisational measures to:
• implement the data protection principles in an effective manner; and
• safeguard individual rights.

(ICO, Data Sharing code of practice, draft for consultation)

There appears to be little regard to data protection by default.

The absence of permission to view significantly impacts on the rights, choices, and control of personal data by both patients (data subjects) as well as practices.

The decision to remove permission to view is wholly unnecessary and unjustified.


Data Processors (Article 28)

Are we only using a data processor that provides “sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”?

There is no data processor contract to provide written guarantees. The consent mechanism is detrimental to data subject rights.


Privacy as the default setting

Is it?

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

Article 25, GDPR

With the withdrawal of permission to view, no.


Privacy embedded into design

Is it?

2. Each Party shall provide that controllers and, where applicable, processors, examine the likely impact of intended data processing on the rights and fundamental freedoms of data subjects prior to the commencement of such processing, and shall design the data processing in such a manner as to prevent or minimise the risk of interference with those rights and fundamental freedoms.

CoE Convention 108+

With the withdrawal of permission to view, no.


Ability to implement Data Subject Rights

How is this met?

“You have the right to be informed about how your information is used.You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis.

The NHS also pledges: where identifiable information has to be used, to give you the chance to object wherever possible.

You should aim to: inform patients about the use of their confidential information and to record their objections, consent or dissent.”

(NHS Constitution, Respect, consent and confidentiality)

“You must have policies and procedures that allow individuals to exercise their rights with ease.”

(ICO, Data Sharing code of practice, draft for consultation)

1. The Right to be informed

Can we provide a comprehensive privacy policy? Can we provide an appropriate one for children if needs be? Is another data sharing project being launched at the same time?

“You must ensure that individuals know what is happening to their data. They must know which organisations are sharing their personal data and which ones have access to that information, unless an exemption or exception applies.

Before sharing data, you must tell individuals about what you propose to do with their personal data in a way that is accessible and easy to understand.”

(ICO, Data Sharing code of practice, draft for consultation)

No matter how comprehensive our privacy notices are, no matter how widely we advertise this project, and no matter how long we do so before commencing processing, we can hope to adequately inform only a fraction of our 28,000+ patients of this data sharing scheme.

We are in the middle of a pandemic.


There is little footfall in our GP surgery, and with the increasing use of telephone, video, and e-consultations, there will be reducing footfall. All our prescriptions are sent electronically. The ability to reach people via posters, leaflets, handouts, or messages attached to paper prescriptions is non-existent. We have a Facebook page but fewer than 1000 followers. Any post concerning data protection is completely drowned out at present by an endless stream of COVID-19 related messages and memes.

We have a website, but we have no idea how many of our patients even look at it.

“You must treat fairly all the members of a group of individuals whose data you are sharing. If you treat most individuals fairly in your data sharing arrangement but treat even one individual unfairly, it will still be a breach of this principle.”

(ICO, Data Sharing code of practice, draft for consultation)

The very people that would most benefit from Connected Care are the elderly, the frail, the very ill, and the housebound. These make up a considerable fraction, if not the majority, of our digitally disadvantaged.

They can, and will, never be effectively informed by us.

And in fact, it has never been possible to reliably inform patients about new processing – despite our best intentions. We simply cannot reach anywhere close to a majority of people however we try. We have to rely on safeguards such as PTV to ensure that, for any individual, their data will not be processed in certain ways without their knowledge and opportunities to object.

GP Connect – providing access to the GP record for NHS 111 – has recently gone live. Yet that fully upholds PTV. Any information provided to patients would have to explain why one records access scheme (Connected Care) does not require PTV yet the other (GP Connect) does, and why Connected Care is almost alone in not requiring PTV for access to the shared record amongst our existing data sharing projects. For those few individuals that even see such information, it will be profoundly confusing.

Permission to view – the seeking of explicit consent before accessing the shared GP record – has always been the guaranteed way to ensure that patients are informed before their record is accessed. It has been the failsafe – the backstop, as it were. For very many patients, it will have been the first time that they realised that information about them is made available in this way.


It is the very action that ensures “no surprises”. Without it we cannot have any confidence that our patients will ever be effectively informed about such access to their GP record, and consequently of their right to object and control their data – before any such access takes place.

Removal of permission to view profoundly impacts on the right to be informed. There is a very high risk of confidential medical information about a patient being accessed without their knowledge, their permission, their understanding, and in the absence of any opportunity for the data subject to object.

It should be noted that patients within NEHFCCG have not been written to about this project (and so given the opportunity to opt-out), either individually or on a “household” basis.

As more organisations join the Connected Care scheme and are granted access to the shared record and the GP information therein, patients will not be aware of this. They will not be informed and not be afforded the opportunity to object to, for example, a new mental health provider having access to their GP record.

2. The Right of access

If a processor is used, how does the subject access the data held by the processor?

Data subjects can make an application either to a contributing organisation (such as their GP surgery) or to Frimley Health NHS FT, who will then co-ordinate any such response amongst the joint controllers. Information about this process has been provided in this document.

3. The Right to rectification

If a processor is used, does this extend to the data held by the processor? Or is that data simply a reflection of the data held in the GP record (with its own obligation to rectification)?

N/A. The right of rectification lies with the GP record.


4. The Right to object

Where does processing take place? Extraction/Uploading/Disclosure/Access? Where does any objection or opt-out act? Is there a granular objection/opt-out mechanism?

“You have the right to be informed about how your information is used. You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis.

The NHS also pledges: where identifiable information has to be used, to give you the chance to object wherever possible. All staff have responsibilities to the public, their patients and colleagues. You should aim to: inform patients about the use of their confidential information and to record their objections, consent or dissent.”

(NHS Constitution, Respect, consent and confidentiality)

"Despite an extensive information programme to inform the public in Early Adopter sites about the SCR, many patients interviewed by the UCL team were not aware of the programme. This raises important questions about the ethics of an 'implied consent' model for creating the SCR. The evaluation recommended that the developers of the SCR should consider a model in which the patient is asked for 'consent to view' whenever a member of staff wishes to access their record.

However, they and many other NHS patients wanted to be able to control which staff members were allowed to access their record at the point of care. Some doctors, nurses and receptionists, it seems, are trusted to view a person's SCR, whereas others are not, and this is a decision which patients would like to make in real time."

(Findings of the UCL Summary Care Record Independent Evaluation, 2008)

The right to object to processing is a fundamental right.

“Every individual shall have a right...to object at any time, on grounds relating to his or her situation, to the processing of personal data concerning him or her unless the controller demonstrates legitimate grounds for the processing which override his or her interests or rights and fundamental freedoms”

CoE Convention 108+

Second, there must be no surprises to the citizen about how their health and care data is being used. This is a complex arena where the public benefits of access to big data, gathered from the millions of health and care activities occurring daily, need to be balanced with the public’s right to know and, if they wish, object. Failing to offer this choice to people can accelerate discontent with how they are being informed and consulted, resulting in a growing rejection of the benefits of data sharing.

There can be no assumptions made about today’s citizens. They have a right to know, and object about how their data is used, if they wish.

Building trust in the use of data across health and social care, NDG

However, you can only object to something if you know it’s happening or going to happen. And since patients cannot be in any way informed about this processing, and the very safeguard to that, the backstop – PTV – is deliberately absent, then they cannot reasonably object.

Permission to view gives the patient the opportunity to be informed and to object to an individual, team, service, or entire organisation having access to their whole GP record in this way. And they can make that decision on each occasion that they are seen, and on each new referral to any given service. They genuinely have granular control over who can access their data.

There may be an individual within a team that the patient does not want to allow access to their GP record, perhaps a relative, neighbour, or friend. PTV allows them to express that objection (whilst still allowing others in the team, and other services granted access by means of Connected Care, access to their GP record if warranted).

A patient might be very happy for a district nurse to have access to their GP record via Connected Care – but not a podiatrist or an occupational therapist. PTV affords them the ability to make such an objection.

Without PTV, that ability to object in that way – with genuine control - is denied.

Patients can object to organisations having access to their GP record via Connected Care – but that prohibits every organisation having access.

It becomes “all or nothing”. Everyone or no-one.

It's an illusion of choice.

And that is manifestly unfair.

If a patient has been referred to a particular service, understands that his/her GP has provided all relevant and necessary information for that clinical situation, and does not want the service to be able to access further, detailed and wholly unnecessary information about them via the shared GP record, then there is no reliable way to express that objection and to ensure that any such objection would be respected.

In the absence of PTV, GPs cannot rely on:

• Remembering to ask every patient they refer if they object to the organisation, team, or individual clinician accessing their shared care record
• Remembering to put any such objection expressed, in writing, within the referral letter
• Anyone at the consuming organisation/team actually spotting that objection in the referral letter and ensuring that no-one accesses their shared record

It would be a wholly unfair burden for the GP to bear all responsibility for ensuring and (somehow) enforcing the right of a patient to object to the access of their shared GP record on a particular occasion.

In some (albeit, rare) cases, referrals to specialist services can be made without a written letter – on the telephone, for example.

Clinicians outside the GP surgery access the shared record under the legal basis of Article 6(1)(e) – Official Authority. But that comes with the right to object, and patients cannot object to the access of their record, by that clinician, unless they are asked first.

And in many cases, a referral is made without an opportunity for the GP to discuss records access with the patient at all (a “message” sent to the GP to refer please, for example). Again, without PTV that means the patient won’t be informed or afforded the opportunity to object.

Increasingly, referrals to community services are made by hospital trusts upon discharge of the patient to their home. The GP has no input into the referral and no opportunity to indicate whether the patient objects to access to their GP record. You can be certain that the hospital trust will neither have asked the patient nor recorded any objection within their referral.

“A hospital trust wishes to implement SCR viewing to support pre-operative assessment clinics. To maximise the benefits of SCR viewing they want care professionals to have access prior to the patient attending their appointment. To facilitate this they include the following information in pre-operative assessment clinic letters: ‘Prior to your appointment your NHS Summary Care Record (SCR) will be available to view by the hospital staff involved in your care, unless you have previously opted out of having an SCR. Your SCR contains important information from your GP record including medications, allergies and any bad reactions to medicines.

If you do not want our staff to access your SCR please contact XX on XX at least XX before your appointment date. For any patients that contact the hospital and notify staff that they do not wish for their SCR to be viewed a note is prominently recorded on the hospital system and relevant paper records to ensure this request is fulfilled.”

Summary Care Record, Permission to View Guidelines

The list of organisations granted access to the GP record via Connected Care is not static. It can, and will, expand. As new organisations, teams, and individuals are granted access, patients will not have any idea that a new consumer organisation, and/or a team within that organisation, and/or an individual within that team, now has access to their GP record.

They cannot object to that organisation, team, or individual clinician accessing their record whilst permitting other organisations (that they are happy about) access to their information.

Confidentiality policies

Patients – if so informed – can express a wish to their GP surgery to mark certain items within their GP record as “confidential”. Such items (e.g. a sensitive diagnosis) will then not be visible to any external organisation outside of the GP surgery, via EMIS Web data sharing.

But patients can only express that wish when they know that they can express that wish, and when they know that they need to express that wish, because:

• their whole GP record is being made accessible,
• there is no permission to view (i.e. contemporaneous objection), and
• the alternative is to opt out entirely from all EMIS Web data sharing.

Emergency/“break glass” access

If permission to view – explicit permission – is never being sought, then there is no such thing as “emergency access” or “break glass access”, as permission is never sought, either for an unconscious patient or for a perfectly conscious patient with full capacity to decide whether to permit access or to object to it.

CHIE and Connected Care


Whilst Oakley Health Group uploads to both CHIE and Connected Care, patients are further restricted in their right to object and the ability to control their confidential information.

Patients cannot opt-out of CHIE whilst permitting sharing of their GP record via Connected Care.

Patients cannot opt-out of Connected Care whilst permitting sharing of their GP record via CHIE.

It is either both – or neither.

The sharing of the GP record to both CHIE and Connected Care represents potential access across a huge geographical area.

Very few patients have their GP record accessed by any organisation within CHIE. Many patients might like to prohibit the sharing of their GP record to CHIE for exactly that reason.

But they cannot do that without prohibiting sharing of their GP record via Connected Care as well.

OHG has in excess of 3200 patients who have explicitly opted out of CHIE/HHR. If those patients wish to have a Connected Care record, in order for their GP information to be available at Frimley Park Hospital, they will have no choice but to opt back in to CHIE/HHR.


Things to think about

Surrender of control

A disclosure to another data controller = a surrender of control

Assuming a lawful contract is supplied, we would be processing data through a data processor, not to another data controller.

Do we have to disclose?

What legislation mandates this? Is this just a contractual obligation?

Signing up to Connected Care is neither a contractual nor legal obligation. It is entirely voluntary. We have no duty to disclose.

Can we do this without processing the data?

Can we do this, or process data, in a less intrusive way? Is there a better way? Is this necessary (the most appropriate choice)?

We already share data in other ways – ways that offer data subjects genuine control and respect their data rights (see later).

Almost all organisations can currently access detailed information from the GP record via existing data-sharing projects.


Is this lawful?

● Common law, and

● Caldicott Principle 6, and

● Article 5(a) GDPR, and

● Any other relevant laws (e.g. PECR, Article 10 GDPR)


The withdrawal of explicit consent to view the uploaded GP record breaches the principles of the common law of confidentiality and Article 8 of the Human Rights Act.


We have no data processor contract – we cannot provide transparency to patients unless they know how such data will be processed by Graphnet.

We will be in breach of Article 28 were we to permit processing without a data processor contract.

Is this ethical? Is this fair?

“You need to stop and think not just about how you can use personal data, but also about whether you should” (ICO)

Telling patients that they can only permit sharing of their medical information in this way if:

• It is made available across two separate care record schemes
• They cannot choose which scheme – it is both or neither
• They cannot object to one scheme only – it is both or neither
• Their records might be accessed without their permission (in the case of CHIE)
• Their records will be accessed without their permission (in the case of Connected Care)
• They cannot object to individual organisations accessing their record – because they will not be asked for their permission first
• They cannot object to individual services/teams within a specified organisation accessing their record – because they will not be asked for their permission first
• They cannot object to individual clinicians accessing their record – because they will not be asked for their permission first
• They cannot object to access to their record for specific purposes – because they will not be asked for their permission first

could clearly be seen to be “unfair” – in the common understanding of this term.


Is there a risk of reputational damage if we proceed with processing?

To the practice? To the profession? What would the GMC say? What would our patients think?

“So, yes, the world is changing, the health landscape is changing, patients are changing, but amongst all of this is one constant – our trust in our doctors.”

Trust: the Truth?
https://www.ipsos.com/sites/default/files/ct/publication/documents/2019-09/ipsos-thinks-trust-the-truth.pdf

“The protection of personal data, not least medical data, is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the Convention (art. 8). Respecting the confidentiality of health data is a vital principle in the legal systems of all the Contracting Parties to the Convention. It is crucial not only to respect the sense of privacy of a patient but also to preserve his or her confidence in the medical profession and in the health services in general.

Without such protection, those in need of medical assistance may be deterred from revealing such information of a personal and intimate nature as may be necessary in order to receive appropriate treatment and, even, from seeking such assistance, thereby endangering their own health and, in the case of transmissible diseases, that of the community”

Z v. FINLAND - 22009/93 - Chamber Judgment [1997] ECHR 10 (25 February 1997)
https://www.bailii.org/eu/cases/ECHR/1997/10.html

Yes – there is a risk of reputational damage.

Maintaining trust in doctors, and in general practice, is vital if we are to preserve the kind of doctor-patient relationship that allows an individual seeking health care to disclose sensitive, confidential information to their healthcare professional.

OHG prides itself on being a fair and profoundly transparent organisation when it comes to data protection. Voluntarily proceeding with a project that we know curtails data subject rights, and does not respect privacy, will be to the detriment of our reputation.


What are the consequences of not proceeding with this processing?
Can we mitigate against any negative effects?
Does it matter at all if we say no?

If we do not proceed with this processing, then we remain in the situation we are in now. Organisations outside the GP surgery still have access to relevant and necessary information; it just will not be via Connected Care, and may need to be obtained outside an established data-sharing scheme or via an alternative data-sharing scheme.

We have the ability to promote other data sharing projects.


What about children?

A child’s personal data merits particular protection under the GDPR.
Fairness, and compliance with the data protection principles, should be central to all your processing of children’s personal data.
If you profile children then you must provide them with clear information about what you are doing with their personal data.
You must write clear and age-appropriate privacy notices for children.

It will be extremely challenging to write age-appropriate fair processing information for children about this – unquestionably gigantic – combination of two data sharing schemes.

Children are as much affected by the curtailment of their rights as any adult.


How does this compare with other, similar data sharing projects?
Are there similar data sharing projects already in existence, even locally?
How does data protection in those projects compare with this project?

We are, or have been, already part of a number of highly successful data sharing schemes that provide, or provided, clinicians working in A&E, GP out-of-hours, extended GP access surgeries, and our local hospice with access to information held in the electronic GP record.

We upload information to the National Summary Care Record and can “enrich” those records with additional information – with the explicit consent of the patient.

With COVID-19, they are already enriched.

We also provide our local ambulance organisation (SECAMB) with relevant information on high-risk or vulnerable patients – again, with their explicit consent.

All such schemes rely upon explicit consent to share the GP record (either permission to view or explicit consent to enable viewing in the first place).

Only a local, limited, data-sharing project between the surgery and Frimley ICS Community Services does not respect permission to view.

In particular, the National Summary Care Record has good guidelines on “Permission to View” which should be applicable to all such shared records (See Appendix 3).

Increasing numbers of our patients have secure online access to their GP record – allowing them to share this information with anyone else, anywhere in the world, and under their absolute and total control.


Article 35(7)(c) – Risks to data subjects

What are they?

The right to be informed (before any access takes place).

Extreme care will need to be taken to ensure patients understand the difference between the extraction and uploading of confidential information for Connected Care and:

The National Summary Care Record
Data sharing with the Phyllis Tuckwell Hospice
Data sharing with Frimley ICS Community Services
The Hampshire Health Record (CHIE)
Risk Stratification for case finding
All other secondary uses of information

The right to object (to access by specific individuals, or specific organisations, or for specific purposes/situations).

Data minimisation – unnecessary, excessive, irrelevant and (potentially) deliberately withheld information being made available to an organisation, service, or individual, or for a given purpose, when that data subject would have objected (had they known and been asked first).


Article 35(7)(d) – Measures to manage, reduce or eliminate risks

What can we do?
What safeguards or measures would mitigate the risks?

Nothing.

Whilst permission to view the record is not being sought:

we cannot mitigate against the patient being unaware of the record or its access

we cannot mitigate against the patient being unable to object with any meaningful granularity

we cannot mitigate against the very real possibility that the patient will be “surprised” that their information had been accessed in this way

we cannot mitigate against the lack of data minimisation


Response from the BMA Ethics Committee

View from the BMA Medical Ethics department (07.01.19)

Information Sharing Agreement - Connected Care (North East Hampshire and Farnham)

Summary of advice

I am concerned that doctors will be in breach of their legal and professional obligations of confidentiality if they allow data to be extracted / shared under these proposals.

In my view, it is not clear that implied consent for direct care can be relied upon to satisfy the common law and professional obligation of confidence because patients will not have a legitimate relationship (LR) with the partnership organisations at the point when their data are extracted. (Out of hours / unscheduled care services are likely to be an exception to this).

Compliance with GDPR principles of necessity and ‘data minimisation’ also require further consideration – particularly given the scope of the proposed sharing.

My comments are from an ethics perspective and cannot be relied upon as legal advice. I strongly recommend legal advice is sought before practices sign up to the proposals. Legal advice on these matters can be sought from BMA Law (for a fee).

Background

1. There is a balance to be struck between protecting confidential information and sharing it appropriately to improve the provision of patient care. Whilst I realise that the intention behind these sharing arrangements is to provide increased integration of patient care, I have a number of concerns from a medical confidentiality perspective and compliance with common law. In my view, and unless further clarity is provided, it is not clear that the information sharing agreement (ISA) is compliant with the common law and professional duty of confidentiality and, possibly, the GDPR, however, a legal view should be sought to confirm this (or to quash the concerns). I would strongly recommend that practices seek legal advice before signing-up to the agreement.

2. The ISA proposes that all GP practices within Schedule A (‘List of new practice organisations’) share a GP dataset (see ‘The shared categories of data’ in Schedule D) with the list of ‘participating organisations’ (Schedule A). The list includes a number of secondary and unscheduled care providers, hospices - plus local Councils, charities and NHS Surrey CCG.

3. The GP dataset is comprehensive and suggests the creation of a second medical record which is available for viewing outside of the GP practice. The extent and number of organisations to which the data will be made available raises questions about compliance with necessity and data minimisation principles under GDPR.

Data flows

4. I understand the data flows to be as follows – based on Schedule D (page 3, ‘Summary of Sharing requirement process’).

Data are extracted from NE Hampshire and Farnham practices to the Graphnet CareCentric repository. From here a copy of the data is then transferred to two places:

1. The Hampshire Care and Health Information Exchange (CHIE)
2. The Connected Care CareCentric data repository

The Connected Care data are ‘made available to and accessed by health and social care practitioners with a legitimate relationship with the individual’ (point 9).

Point 10 states that: ‘Subject to a legitimate relationship being established the data is made available through the Care Centric system for viewing…’.

Note: This description is different to that of Dr Bhatia in his DPIA (p. 5) which states that data is uploaded to the CHIE and then ‘subsequently disclosed’ to the Connected Care database i.e. GPs do not provide data to the Graphnet CareCentric repository. Clarification is therefore needed on the data flows.

5. The difference between the CHIE and the Connected Care repository is not adequately explained. To summarise my understanding, I understand that the GP dataset on the patient population of the participating practices will be extracted and be ‘made available’ for viewing via either the Connected Care repository or the CHIE (unless a patient objects). The data should only be viewed when a ‘participating organisation’ is providing direct care and an LR has been created – although the data will be ‘available’ for viewing regardless of whether an organisation is providing direct care or not.


Therefore, it is not the case that the data are shared only when an LR has been established – the data are extracted to enable viewing in advance of the creation of an LR. This is my understanding of the process – although this is not made explicit in the ISA.

6. I note that patients can opt-out of sharing.

7. There is no ‘consent to view’ principle. It is not clear why this established safeguard is missing from the proposal. ‘Consent to view’ may mitigate against a breach of common law for the initial extraction of the data – however, this is a legal point on which I am unable to advise. Even if ‘consent to view’ was to be applied, however, it is not a substitute to bypass the transparency and ‘right to be informed’ requirements of the GDPR – discussed later in this document.

8. The legal basis put forward for the sharing is set out in GDPR terms – see p.3 of the Schedule D document. Crucially, there is little or no mention of the common law duty of confidentiality (CLDC). Practices must satisfy both the GDPR and the CLDC.

9. In my view, there is doubt as to whether implied consent can be safely relied upon to satisfy common law obligations of confidentiality in the context of bulk extractions so that the data are available to secondary care providers, hospices, Councils, charities etc. This is explored in detail below. I must stress again that my advice is not legal advice. Legal advice should be sought to clarify the question of the common law basis for extraction.

What is direct care?

10. The concept of implying consent for direct care is a long-established ethical principle which is set out in GMC guidance and which is consistent with the common law duty of confidentiality.

11. The Caldicott Review 2013 defined direct care as ‘a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals' ability to function and improve their participation in life and society. It includes the assurance of safe and high quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.’1 (My emphasis).

The limits of implied consent: legitimate relationships

12. In my view, the proposals presented in the ISA are stretching the limits of when it is acceptable to imply consent for sharing confidential information for direct care because of the lack of a legitimate relationship at the point when data are extracted.

13. The proposal is that all patients in the ‘new practice organisations’ (Schedule A) will have confidential information from the GP record shared in the form of a GP dataset so that it is accessible by the participating organisations (Schedule A) via the CHIE or the Connected Care repository. This is of concern as many, if not the majority, of patients will have no LR with the participating organisations. If, at the point in time when the data are extracted from practices, there is no LR in place then it is questionable as to whether there is a legal or ethical basis for the extraction.

14. The Health and Social Care Information Centre (now NHS Digital) guide to confidentiality in health and social care (reference document) defines legitimate relationships as follows:

“A registered and regulated health or social care professional has a legitimate relationship with the patient or service user when any or all of the following criteria are met:

The individual presents themselves to the professional to receive care.

The individual agrees to a referral from one care professional to another.

The individual is invited by a professional to take part in a screening or immunisation programme for which they are eligible and they accept.

The individual presents to a health or social care professional in an emergency situation where consent is not possible.

The relationship is part of a legal duty e.g. contact tracing in public health.

The individual is told of a proposed communication and does not object e.g. the consultant in the ambulatory clinic says she will let the patient’s social worker know of events in the clinic and the patient does not object.” 2

1 The Information Governance Review (2013) To share or not to share, p. 128
2 Health and Social Care Information Centre (2013) A guide to confidentiality in health and social care: references, p. 20

15. If a patient has no LR with a particular organisation and will not receive services from it, there is doubt about whether they can be deemed to have given implied consent. This raises the question as to whether an ethical and/or lawful basis exists for confidential information to be extracted from GP practices and made available as described. This point is particularly pertinent given the scale of the GP information to be shared and the number of organisations which will have access to it.

16. I understand that the organisations should only view patients’ data when they are providing direct care and therefore a legitimate relationship will be created at this point, however, it is the lawful and ethical basis of the initial extraction of the GP data into the Graphnet CareCentric data repository (for onward transmission to CHIE and the Connected Care repository) where my concerns lie.

17. It is likely that an exception could be made for the organisations providing local unscheduled care or out of hours services as patients may expect such sharing and consent can legitimately be implied (although efforts must be made to provide ‘privacy notices’ to make patients aware of this sharing and to provide them with an opportunity to opt-out – as per the GDPR transparency requirement).

18. As referenced in Dr Bhatia’s DPIA, the principle of ‘no surprises’ is a useful one (the National Data Guardian makes regular reference to this principle) – in my view, the proposed extraction is likely to fall foul of this principle.

19. There may be lawful and ethical grounds for more limited and tailored sharing amongst a local health community, supported by a formal data sharing agreement. In these circumstances, GP practices should consider which organisations in the local health community are providing care to their patients, such as OOH services, and whether information sharing would improve the delivery of direct care. It should not, however, be possible for one organisation to view all of the records of another organisation. 

Compliance with GDPR

Scope of sharing


20. I agree with Dr Bhatia’s concerns about the detailed GP information being shared with those who do not need this level of detailed information - see Dr Bhatia’s DPIA p. 20. This raises doubt about compliance with the GDPR Article 5 principles – ‘relevant’, ‘data minimisation’ and ‘limited to what is necessary’.

Fairness, transparency and the right to be informed

21. The GDPR requires ‘fair’ and ‘transparent’ data processing and that data subjects have the ‘right to be informed’. There is little information as to how these fundamental requirements will be fulfilled across the patient population.

Data controller arrangements

22. Further detail is required about the data controller and processor arrangements. I would suggest that a data controller – data processing contract is required, for example is Graphnet Limited a data processor?

Sharing with hospitals / ambulance service / hospices

23. I will consider sharing with the participating organisations providing health services separately to sharing with the Councils, CCG and charities. It is arguable that patients might have a greater expectation that their confidential information will be shared with health service providers rather than Councils, CCG, charities etc, however, only a limited number of patients will have an existing LR with a local hospital or hospice – and, almost certainly, no patients will have an LR with all the participating organisations listed in Schedule A.

24. Of course, a number of patients who do not currently have an LR with an organisation may well need care from it in the future and therefore an LR will be created at this point.

25. Both in ethical and legal terms, the concept of implying consent to cover (or pre-empt) direct care which may (or may not) be needed in the future in order to extract quantities of confidential data on practices’ patient populations is highly questionable in my view. In other words, it is my view that ‘potential direct care’ does not provide a legitimate basis for GP practices to share information on their patient populations.


Sharing with local Councils, CCG, charities

26. For the majority of patients, the Councils will not be involved in providing direct care, therefore it is of concern that the ISA includes these organisations. Perhaps a Council may have a limited role in providing some aspects of care to some patients, but this is likely to be a relatively small group from whom consent can be sought – and does not require access to the confidential data of an entire patient population. To the best of my understanding CCGs and charities do not provide direct care – and explicit consent would be required in order to share with these organisations.

Miscellaneous additional comments

27. ISA – Core Agreement – p. 3 – para 15.7 – This is misleading – pseudonymous data which has not been effectively anonymised in-line with ICO code on anonymisation requires a legal basis for sharing. A contract does not provide a lawful basis for sharing if the pseudonymous data enable easy re-identification. (Note that pseudonymous data which are likely reasonably identifiable are personal data under GDPR).

28. ISA – Core Agreement – Narrative – p. 19 – see heading ‘Purpose of the Agreement’ – which states that personal confidential data will be shared and used ‘in order to achieve planned improvements… in financial efficiency’.

If this is the case, an additional lawful justification under common law must be identified – implied consent in the context of the provision of direct care does not extend to purposes related to ‘financial efficiency’. This also contradicts the statement on p.22 that ‘Data provided for use in the provision of care MUST NOT be used for a non-care (secondary) purpose’.

29. ISA – Core Agreement – Narrative – p. 19 – see heading ‘Confidentiality and Sharing – as per above comments – what is the legal basis for sharing ‘personal data’ to ‘plan and organise services’?

Reference to crime prevention – it is not appropriate to include crime prevention in an ISA. In-line with GMC guidance, doctors can make disclosures (without consent) in the public interest only when it is to prevent or detect ‘serious’ crime (or prevent serious harm). Such decisions must be made on a case by case basis and involve a balancing exercise to determine whether the duty of confidentiality can be justifiably set aside in rare circumstances when the public interest is served. This is entirely separate to sharing for direct care – and should not be included in an ISA.

Reference to Victoria Climbie – sharing for child protection purposes must be in line with GMC guidance on sharing for child protection reasons – see ‘0-18 years: guidance for all doctors’. Again – as per above comment - sharing for child protection reasons should not form an ‘add-on’ to an ISA for direct care.

30. ISA – Core Agreement – Narrative – p. 20 – see heading ‘Consent and the Framework’ – point 3 – ‘…will no longer include consent as the basis for viewing...’ This might be the case for GDPR – but the CLDC still applies therefore the legal basis for sharing and viewing for direct care is implied consent.

31. ISA – Core Agreement – Narrative – p. 21 – final sentence re ‘trusted organisations’ – this is an odd sentence with unclear meaning. The fact that an organisation is ‘trusted’ does not create a lawful basis for sharing.

Comparisons with other local sharing arrangements

32. It might be helpful if I draw a comparison with other data sharing models which have information governance models that allow data to be shared appropriately for direct care, across organisational boundaries, with minimal risk to confidentiality.

33. In one such model a summary GP record is held on the practice IT system supplier server - it is held separately to the ordinary GP medical record. When a legitimate relationship between a patient and a partner organisation is initiated (eg the patient is referred), the partner organisation can then access the summary record (with consent to view).

34. This model has a significant difference to the proposals here, namely the summary is available for access only when a legitimate relationship exists for an individual patient. A patient’s consent can be reasonably implied for it to be accessible in the partner organisation in this situation. This is a very different concept to sharing detailed data on whole patient populations on a speculative basis that individuals might or might not receive direct care in the future.

Conclusion


35. I would recommend that legal advice is sought before practices agree to these proposals. It is my view that the proposals raise serious questions about the lawful basis for the data extractions which are proposed.

Sophie Brannan

Senior Policy Advisor (Medical Ethics)

Professionalism and Guidance

Policy Directorate

British Medical Association


Response from the General Medical Council

In reply please quote: SR1-2162152868

Dear Dr Bhatia

Thank you for your email highlighting the concerns that you have about the new scheme that your hospital trust intends to put in place.

Your first question asks if withdrawal of permission to view is in breach of the common law.  It is out of our remit to give advice on the law.  And we’re unable to comment on the specific service models.  But what I can do is set out the areas of our guidance which apply to the situation you have outlined.  I hope this is helpful.  

In our confidentiality guidance we say that appropriate information sharing is an essential part of the provision of safe and effective care. Most doctors work as part of healthcare teams, and doctors and other practitioners need access to relevant, accurate and up-to-date information about patients to enable the provision of safe and effective care.

This is not however at the expense of patient confidentiality.  As you have highlighted in your enquiry there should be no surprises to patients when it comes to the use of their data for their healthcare. The usual basis for accessing or sharing information to support the care of the patient is consent (whether that is express or implied). For the most part patients understand and expect the sharing of information for the provision of their care  and we therefore advise doctors that they can rely on implied consent for information about patients to be appropriately shared within the direct care team as long as:

Information is being shared to provide or support a patient’s direct care.

Information is made readily available to patients explaining how their information will be shared, and that they have the right to object.

The doctor has no reason to believe the patient has objected.

Anyone to whom information is disclosed understands that it is given in confidence, and that they are bound by the legal duty of confidence.

You can find this advice in our guidance Confidentiality: good practice in handling patient information (see in particular paragraphs 26-29).

The key point, again, is that there should be ‘no surprises’ for the patient. If a doctor suspects a patient would be surprised to learn about how they are accessing or disclosing their personal information, we say the doctor should ask for explicit consent unless it is not practicable to do so. And accessing health records on a shared system is an example of when this might apply.


Implied consent under GDPR

We are not an authority on data protection law, and cannot give legal advice, but we do recognise that the common law duty of confidentiality and GDPR are separate legal frameworks, and that data controllers need to consider consent separately under the different frameworks.

The standard of consent under the GDPR is higher than under the common law of confidentiality and it will not always be appropriate for data controllers to rely on consent under GDPR as a condition for processing health data. For example, implied consent is an accepted concept under the law of confidentiality, but it is not a sufficient basis for sharing personal data based on consent under the GDPR. However, the GDPR does provide alternative conditions for processing data which are likely to be more appropriate in a health context.

This means that a data controller may be relying on different legal justifications for disclosing information under the common law duty of confidence and under the GDPR. It also means that doctors can continue to share information on the basis of implied consent if the conditions set out in paragraphs 28 and 29 (for direct care) and 96 (for local clinical audit) of our guidance are met. However, where those conditions are not met, the doctor should be seeking explicit consent to access a patient record unless it is not practicable to do so (for example, in an emergency), or there is another legal justification for accessing the information.

Lastly, I hope it is not inaccurate to summarise your second and third question as asking if doctors will find themselves in difficulties with the GMC if they access or input information into a system which they do not believe meets the standards set out in professional guidance and/or the law.

Unless they have a role in commissioning or managing IT systems, we do not expect doctors to assess the security standards or legal compliance of the systems provided for them to use in managed healthcare environments. However, we would expect a doctor to raise concerns in line with our guidance about any information governance concerns they had (Confidentiality, paragraph 124).

In terms of the concern you express about doctors being subject to complaints as a result of using information systems that they think don’t meet legal and ethical standards, I can appreciate why this might be a source of anxiety. However, as a general point of reassurance, all complaints we receive are considered on their individual facts and we are able to take account of the particular circumstances surrounding a doctor’s decisions and actions. Doctors who make decisions based on the principles in our guidance (including the guidance on raising concerns) will be in a good position to justify their actions if challenged.


I hope that the above sets out our position in relation to the questions you have raised.  If you have further questions, please let us know and we will answer them within the context of our guidance.

Kind regards

Emma Blankson
Policy Officer
General Medical Council

14.01.2019

Back to Index


Response from the National Data Guardian

3rd Floor, 1 Trevelyan Square, Boar Lane, Leeds LS1 6AE

[email protected] ref: 299

31 January 2019

Dear Dr Bhatia

Thank you for contacting my office regarding the issues of permission to view and local shared records.

The review I published in 2016 confirms that while there is a low level of public awareness of how health and social care information is used, people have an expectation that information is shared for direct care. Indeed, there is a duty on health and adult social care organisations to share information when it will facilitate care for an individual. This is in line with the seventh Caldicott Principle, that ‘the duty to share information can be as important as the duty to protect confidentiality’.

You are quite correct in stating in your correspondence with my office that my 2016 and 2013 reviews re-iterated the Caldicott Principles, and that only relevant information about a patient should be shared between health professionals in support of their care. Both took the position that explicit consent should be obtained before accessing someone’s whole record.

You asked whether I believe that withdrawal of permission to view for a local shared record scheme could be a breach of the common law. It is important to be clear that as National Data Guardian I am not empowered to make rulings on the law, which is a role of the courts, and I am not providing legal advice to you.

However, as you know, I have emphasised the principle that there should be no surprises for the individual concerning who has had access to information about them. Even when information is being shared for direct care, it is vital therefore that information is made readily available to patients explaining how their information will be shared, and that they have the right to object.

In the material that you have sent us, you highlight an issue that my panel and I have seen occurring in a number of places this year, namely confusion between the requirement of GDPR and the common law, particularly on the issue of consent. I agree that when confidential patient information is being shared the requirements of both GDPR and the common law should be considered. I also agree that even where consent is the basis on which the duty of confidentiality is set aside, it is not necessarily the case that consent is the appropriate GDPR basis for processing. I do appreciate that this is a complex message for some in the health and care system to absorb. I believe some further clarification of this would be extremely helpful, and intend to consider how this might most usefully be obtained during 2019-20.

Currently an important forum where issues that you raise are of great relevance is the work being undertaken to develop the IG Framework for the Local Health and Care Record Exemplars. We are engaging with that programme over a number of points such as these which we agree should be made clear within that framework. You may find it useful to approach the programme directly with your comments.

With kind regards

Dame Fiona Caldicott, MA FRCP FRCPsych

National Data Guardian for Health and Social Care

Back to Index


Response from the UK Caldicott Guardian Council

“The UK Caldicott Guardian Council is embedded in the National Data Guardian’s office. The UKCGC has been consulted by Dame Fiona on the matter of your enquiry and agrees with and supports her response to you.”

Back to Index


Conclusion

● Article 36 – Need for prior consultation with the ICO

Do we need to?

Can we disclose, and do we want to disclose?

This DPIA has raised serious data subject risks, as well as the clear prospect of unlawful processing in the absence of a data processor contract.

We have to ensure accountability. We must be able to demonstrate our compliance with data protection law.

"Confidentiality, once breached, is lost for ever"
Cream Holdings Limited and others (Respondents) v. Banerjee and others (Appellants) [2004] UK House of Lords

No mitigation is possible, because the only mitigation that will effectively reduce those risks is Permission to View being upheld as a fundamental data protection safeguard.

The CSU have previously stated, when challenged about the absence of PTV in a proposed LHCR:

“The practice’s requirement for explicit consent to view patient data at the point of care cannot be supported. (To do so would be inconsistent with common law, authoritative guidance and GDPR)”

Data Processor Contract

We cannot proceed until we have received a data processor contract with Graphnet, the processor for Connected Care/Share Your Care, compliant with all the requirements of Article 28(3) and 28(9). The surgery must be a signatory and a party to the contract, and it must be clear that it is the surgery, as the data controller, providing instructions to Graphnet (the data processor).

We do not give up data controllership of our GP records simply by virtue of them being included within a “shared clinical care record”.

It would be unlawful to rely upon “3rd party benefits” as a way of meeting the requirements of Article 28. The ICO has made that clear.

We do not have a legally binding relationship with Graphnet on the basis of a combination of 3rd party rights and non-contractual ISAs.

We neither hold, nor can demonstrate, any such contract with Graphnet. We have no accountability for meeting Article 28.


If we are not provided with a lawful, Article 28 compliant, data processor contract then any and all processing, whether for direct care or secondary uses, will be unlawful.

And unlawful processing is absolutely a breach of confidentiality.

Any organisation currently extracting and uploading confidential information to Graphnet in the absence of a lawful data processor contract is in breach of Article 28, whether that processing is for direct care or for secondary uses.

That is not a risk that Oakley Health Group has any need to take.

Unlawful or unjustified disclosure of confidential information will expose our organisation to:

● Breach of statutory duty: under the Data Protection Act 2018
● Disciplinary proceedings: an unauthorised breach of confidentiality can lead to fitness to practise proceedings by the GMC and other regulatory bodies
● Civil action: a patient alleging breach of confidentiality can seek damages in civil courts

Oakley Health Group must have a processor contract:

● That it holds (i.e. a party and signatory to)
● That can be shown to data subjects, in the interests of transparency
● That can be provided to the ICO, if so required
● That can be disclosed under FOI, if so requested
● That can be supplied to the court, if so compelled
● That can be demonstrated to the GMC or CQC, in the event of a complaint

We are not legally bound to Graphnet – because we are not parties to the contractual terms (or standard contractual clauses) within any data processor contract.

As an example of a data processor contract (that might be replicated between OHG and Graphnet), the one released under FOI that exists between the CCG and Graphnet is inadequate. It lacks the specific and necessary details of processing - because those details are instead included within the ISAs.


There is no reason why we should not be provided with a contract.

No reasons are provided, other than an assumption that a tiny amount of administrative time might be saved.

Consultations

There has been no consultation by Graphnet/Frimley Health/SCW CSU, either with GP practices (as data controllers) or their patients, as to the absence of permission to view (in stark contrast to almost every other data sharing scheme currently subscribed to by our practice, which upholds PTV), and the effects on data protection, data privacy, data subject rights, and trust in the NHS to process their confidential information fairly.

We, as the GP surgery, have not been afforded any opportunity to consult with our patients, notwithstanding that it would be virtually impossible to do that in the midst of a pandemic.

The NHS Constitution

The deliberate absence of PTV goes against all the respective rights and pledges.

Patients cannot realistically be informed about this use of their confidential information – unless PTV is in force.

Patients cannot exert their right to object (except for a total opt-out of all data sharing for direct care) – unless PTV is in force.

NHS Staff cannot “inform patients about the use of their confidential information and to record their objections, consent or dissent” if they are not required to seek permission to view, if only once, for that patient.

The Common Law of Confidentiality

Not seeking the permission to view of the patient – if needs be, just once (enduring) – means that any resulting access to their whole GP record, when all relevant and necessary information has already been provided within the referral, is a likely breach of common law.

There is no reasonable expectation by patients that their whole GP record could be directly accessed by many hundreds of people in an organisation external to their GP practice, without their permission and without any opportunity to object to that particular access.

The Courts have developed the significance of the concept of a “reasonable expectation of privacy” within the law of confidence.

“a duty of confidence will arise whenever the party subject to the duty is in a situation where he knows or ought to know that the other person can reasonably expect his privacy to be protected.”
Campbell v MGN Ltd [2004] UKHL 22 (6 May 2004)

The Human Rights Act

Privacy lies at the heart of liberty in a modern state.
Campbell v MGN [2004] 2 AC 457

Not seeking the permission to view of the patient – if needs be, just once (enduring) – means that any resulting access to their whole GP record, in the absence of the patient’s knowledge, represents a breach of Article 8 – the right to privacy.

Article 8 reflects the right to control the dissemination of information about one’s private life.

The failure of Oakley Health Group to be able to effectively inform our patients of such processing of their confidential information before any such disclosure and processing occurred, and to offer a reliable mechanism for them to provide a right to objection, and a mechanism to respect that objection, is a breach of Article 8.

The Courts have developed the significance of the concept of a “reasonable expectation of privacy” within the law of confidence.

“What human rights law has done is to identify private information as something worth protecting as an aspect of human autonomy and dignity.”Campbell v MGN Ltd [2004] UKHL 22 (6 May 2004)

Data Minimisation - Article 5(1)(c) - Necessity

The whole GP record is being made available to many hundreds, or thousands, of health professionals and clinicians. Such disclosure is unnecessary when all relevant information should have, or may have, already been provided within the referral process.

Permission to View mitigates against such access, as the patient is afforded the opportunity:

● to be informed
● to have explained why access to the whole GP record is needed
● to say “No” (to object)


Data Protection by Default – Article 25

This is absolutely not the case.

There is an abject failure of fundamental data subject rights: the right to be informed and the right to effectively object.

Data processing is manifestly unlawful in the absence of a data processor contract and an absolute way to meet the CLoC (i.e. by PTV).

The Right to be Informed

We are being asked to process such data immediately, without any opportunity to consult with our patients.

We cannot inform our patients about such intended processing in any effective or comprehensive manner.

The absence of PTV removes the very safeguard against processing of personal data without the knowledge of the patient.

The Right to Object

Without being informed, our patients are not afforded the opportunity to object. You cannot object to something if you don’t know it’s happening.

The absence of PTV means that confidential information about a patient will be processed without their ability to object:

● to a given clinician, healthcare professional, social worker, or admin staff
● and/or a given team
● and/or a given service
● and/or an entire organisation

The only route available to the patient is to opt out of all data sharing completely. They have no choice. They have no control.

Patients cannot opt-out of Connected Care whilst still permitting records sharing via CHIE.

Patients cannot opt-out of CHIE whilst still permitting records sharing via Connected Care.

It is neither or both.

Patients have a reasonable expectation that they will be afforded an accessible way to object to individual LHCRs, organisations, teams, services, and clinicians accessing their confidential information, if they so wish.


Article 28(1)

“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
Article 28(1) GDPR

Notwithstanding the abject lack of a data processor contract, we cannot use Graphnet as a processor if it does not ensure the protection of data subject rights.

Reasonable Expectations

It is unreasonable to process data in this way.

It is unreasonable to deny patients the opportunity to be reliably informed about access to their GP record before that access takes place.

It is unreasonable to deny patients the opportunity to express a contemporaneous objection to any access to their GP record, either by an organisation, or a service, or a team, or an individual, outside of their GP surgery.

Reasonable expectations are at the heart of the common law of confidentiality and of the right to privacy (as enshrined in Art 8 HRA).

“The sharing of personal data must be conducted in a way that is trustworthy, aligned with society’s values and people’s expectations.”
Addressing trust in public sector data use

No Surprises

The flow of confidential information in the absence of an effective mechanism by which patients can be informed, and in the absence of any granular mechanism by which to object, breaches the “No surprises” principle.


Loss of Control and the tort of misuse of private information (MPI)

Patients will lose control of their medical information under Connected Care. They have total loss of control and loss of autonomy over their personal data and private information.

Even if they know about Share Your Care, their only way to have the slightest control is to opt-out entirely – that is manifestly unfair.

The essence of the MPI tort is the protection of the values underpinning article 8 of the HRA.

The Court of Appeal has confirmed that a court can award an individual damages for loss of control of their personal data.

The ‘misuse’ at the heart of such claims is usually the disclosure of private information (including passing information from one person to another) but can include the mere accessing of such information.

Individuals do not need to show financial loss or distress.

Lloyd v Google LLC [2019] EWCA Civ 1599 (02 October 2019)

“Those values (or interests) are not confined to protection from distress, and it is not in my view apparent why distress (or some similar emotion), which would admittedly be a likely consequence of an invasion of privacy, should be the only touchstone for damages. While the law is used to awarding damages for injured feelings, there is no reason in principle, in my view, why it should not also make an award to reflect infringements of the right itself, if the situation warrants it. The fact that the loss is not scientifically calculable is no more a bar to recovering damages for “loss of personal autonomy” or damage to standing than it is to a damages for distress. If one has lost “the right to control the dissemination of information about one’s private life” then I fail to see why that, of itself, should not attract a degree of compensation, in an appropriate case. A right has been infringed, and loss of a kind recognised by the court as wrongful has been caused. It would seem to me to be contrary to principle not to recognise that as a potential route to damages.”

Gulati & Ors v MGN Ltd (un-redacted) [2015] EWHC 1482 (Ch)

“Damages can and should be awarded for distress, damage to health, invasion of Sir Cliff’s privacy (or depriving him of the right to control the use of his private information), and damage to his dignity, status and reputation.”
Sir Cliff Richard v BBC and the Chief Constable of South Yorkshire Police [2018] EWHC 1837 (Ch) [350]


Oakley Health Group – as the data controller – is at significant risk that an individual, or individuals, can rightly complain that they have experienced loss of control and autonomy over their confidential information.

Article 5(1)(a) – Lawfulness, Fairness, Transparency

Processing data in a way that breaches either the common law of confidentiality, or Art 8 of HRA, will itself be a breach of Article 5(1)(a).

Without the right to be informed, there can be no transparency of processing.

Patients cannot object to organisations accessing their whole GP record – because they will never be asked if they object. Their only option is to opt out of all such data sharing schemes completely.

The absence of PTV means that such processing is demonstrably and manifestly unfair.

There is no technological, or administrative, or procedural reason why PTV, or ensuring PTV, is absent.

PTV does not hinder lawful, fair, proportionate, ethical, rights-upholding data sharing. It does not put “barriers” to data sharing.

To the contrary, asking the patient before accessing their shared record ensures that both the clinician and the GP surgery allowing such access is complying with lawful, fair, and ethical data processing.

It is not “complicating” to ask a conscious patient, with capacity, in front of you, or at the end of a telephone, or by email, or by text, if they mind their GP record being accessed for a particular reason.

It is straightforward for enduring PTV to be recorded and made clearly apparent to all within a team, service, or organisation.

Permission to view mitigates, to a significant level, against:

● failure of the data subject to be informed
● failure of the data subject to be afforded the opportunity to object
● the provision of confidential data far in excess of that necessary for a particular clinician’s needs (data minimisation)
● a patient being “surprised” as to how his/her information is being used

It actively mitigates against risks inherent in enabling access to the whole GP record.

It does not matter how “permission to view” is sought and recorded:

● Face to face, by text, phone, email, or letter.
● Recorded in the clinical record, or as free text, or as a “pop-up”, or within a dedicated template or “start-up” box.

As long as it is sought, and it is recorded, in a demonstrable way (to the clinicians, to the patient, to the data controller, to the ICO/GMC/CQC).

Data protection laws contain checks and balances to ensure that personal information can flow and be effectively utilised for healthcare.

But in Connected care, those checks and balances are missing, resulting in information that is unlawfully and unfairly used for healthcare.

There is a very real risk that knowingly signing up to and supporting such a system (even if the ICO determined it to be “lawful”) will further erode and jeopardise our patients’ (i.e. public) confidence in general practice’s ability to hold, safeguard, and share patients’ confidential medical information in a fair, justifiable, and lawful manner, and fully respectful of their data subject rights.

It will categorically hamper trust.

And trust is much easier to lose than it is to gain.

It is unlawful to share data in this particular way.

It would not be the action of a responsible organisation.

It would not be justified.

It is neither necessary nor proportionate.

We are depriving our patients of their right to control the use of their private and confidential information.

Processing is not subject to clear and strong safeguards – we cannot uphold data subject rights.


Oakley Health Group – as the data controller – is at significant risk that an individual, or individuals, can rightly complain that they:

● have experienced loss of control over their confidential information
● have been subject to a breach of confidence (CLoC)
● have been subject to a breach of their privacy (HRA)
● have experienced unlawful processing of their data (GDPR/DPA)
● have claims under the torts of breach of confidence and the misuse of private information
● have a claim under Article 8 of the HRA
● have a claim under a breach of the DPA 2018

Under Article 8, the patient would have a claim for infringement of the right itself; that is, “truly compensatory” not “vindicatory” damages, in that they compensate for the lost opportunity of controlling one’s own information which, though not measurable in money terms, can often be said to have a monetary value.

It is the nature of General Practice that we have as our patients many vulnerable patients, those with sensitive physical and psychological histories, some with PTSD, some who have suffered physical, sexual, emotional, domestic abuse; and for whom any unauthorised and uncontrolled disclosure – in the absence of the patient’s right to be informed and to meaningfully object – is more likely to cause serious distress (the eggshell skull principle).
Burrell v Clifford [2016] EWHC 294 (Ch) [159] and TLT & Ors v The Secretary of State for the Home Department & Anor [2016] EWHC 2217 (QB)

“Although vindicatory damages are not recoverable in this context, in misuse of private information and data protection claims, damages may be awarded for loss of autonomy or loss of control; the nature of the information disclosed and the degree of loss of control should bear on this aspect of the court's assessment of damages – the more intimate the information and the more extensive the disclosure, the greater the award.”
Reid v Price [2020] EWHC 594 (QB) (13 March 2020)

Back to Index


Sign Off

Item / Name/date / Notes

Measures approved by: Dr Neil Bhatia, IG lead. No further actions required; DPIA is complete as of 24.07.20.

Integrate actions back into project plan, with date and responsibility for completion

Residual risks approved by:

Dr Neil Bhatia, IG lead. Residual risks remain high as no mitigation without PTV exists and we do not have a data processor contract that we hold. Consultation with the ICO will be required.

If accepting any residual high risk, consult the ICO before going ahead

DPO advice provided: within this DPIA(see conclusions), as Dr Neil Bhatia is both IG lead and DPO

DPO should advise on compliance, measures to reduce risks, and whether processing can proceed

Summary of DPO advice:

1) A DPIA for such processing was necessary

2) That DPIA has now been carried out and the methodology of it has comprehensively addressed all relevant issues and identified risks. The DPIA represents due diligence on the part of the data controller.

3) Processing in the absence of a lawful data processor contract will result in unlawful data disclosure, a data breach, and a breach of confidentiality. We must be provided with a contract. The ICO has already provided detailed guidance on this, but we can still refer this matter to the ICO under Article 36 – and we have to if we wish to consider any such processing (and Graphnet refuses to provide us with a contract).

4) We know that the ICO has already expressed concerns about the absence of PTV, enough to start an Article 36 investigation previously. Share Your Care amplifies those risks, as instead of one organisation having access there are now many organisations, hundreds of teams, and potentially thousands of individuals, who can access the GP record in this way.

5) We must also consider withdrawal from CHIE – we cannot realistically upload GP records to two separate LHCRs, and therefore soon to be two separate data processors. CHIE and CC currently have different approaches to PTV. Patients cannot opt-out, or remain opted-out, of one LHCR whilst permitting the other.

Comments:

Consultation responses reviewed by:

No consultation has ever taken place for Connected Care.

If your decision departs from individuals’ views, you must explain your reasons


Comments: Responses from consultation with regulatory authorities about the lawfulness of processing have been documented.

Partnership majority decisions:

1) Not to proceed with such processing at this time.

2) Not to proceed with such processing at this time, and to write to the ICS requesting the necessary documentation before we will reconsider:

● A clearly lawful data processor contract
● s251/CAG/HRA authorisation for such disclosure and processing, for secondary uses, within Connected Care, or clear confirmation from CAG that s251 support for this is not required

The partnership will discuss further once we have receipt of their response.

3) Refer this DPIA to the ICO under Article 36 for their consideration

We can simply not be involved in this project.

We routinely make detailed information available from the GP record, to very many organisations, in other – lawful – ways.

This option allows us time to consider the trust’s response (if any).

We can then refer the matter to the ICO under Article 36, if we are not provided with the documentation that we have requested.

We are under no obligation (and there is no necessity) to permit such processing.

No delay is incurred in referring this to the ICO.

4) Proceed with processing in full knowledge that such processing is unlawful.

The ICO will provide an initial response within 10 days.

We will immediately breach Article 28 of GDPR. This will constitute a data breach.

The partnership will need to justify why it believes:

that the outcome of this DPIA is wrong,

why the advice of the DPO, the NDG, the GMC, the BMA, and the ICO is flawed, and

why such processing is – to the contrary – entirely lawful.

DPO advice accepted or overruled (partnership majority decision)

The partnership accepted the DPO’s advice at the partnership meeting on 8th September 2020.

A vote was taken and a clear majority decision was made to refer this DPIA to the ICO under Article 36.

In favour: NB, AJL, TF, MM, JM, AA, FS

Against: KB, GR

Accordingly, it will be the responsibility of Dr Bhatia to refer this matter to the ICO under Article 36.

Article 36 referral to the ICO was made on 8th September 2020.

If overruled, you must explain your reasons

This DPIA will be kept under review by:

Dr Neil Bhatia

The DPO should also review ongoing compliance with DPIA

Dr Neil Bhatia
GP, IG/FOI/Records Access lead, Caldicott Guardian, DPO
Oakley Health Group


Date: 8th September 2020

The ICO responded to the Article 36 referral.

The ICO asserted that, in contrast to its previous advice, the Contracts (Rights of Third Parties) Act 1999 in this scenario had a legally binding effect between OHG and Graphnet, despite the absence of a data processor contract. As such, no breach of Article 28 would occur.

The ICO gave advice on Permission to View.

I reiterated my opinion that the absence of permission to view could be perceived as a breach of confidentiality, and I believed was both unfair and a breach of privacy.

The partnership voted to proceed with processing for direct care purposes.

Dr Neil Bhatia
GP, IG/FOI/Records Access lead, Caldicott Guardian, DPO
Oakley Health Group

Date: 25th November 2020


Appendix 1 - Explicit Consent/PTV in other shared records

The National Summary Care Record


EMIS Web Remote Consultations (Extended Access GP appointments)

EMIS Web Records Sharing (Phyllis Tuckwell Hospice)

Healthcare Gateway’s MIG – Adastra (GP out of hours record sharing)

Accessing records

Only health and social care (HSC) staff treating you can access the NIECR for your Emergency Care Summary Record. They'll ask for your permission first.

NI, Emergency Care Summary Record


Who can look at my Emergency Care Summary?

• NHS staff can look at your Emergency Care Summary on computer if they need to treat you when your GP surgery is closed. They must ask you if you agree to this before they look at your information.

• If you are unconscious, NHS staff may look at your Emergency Care Summary without your agreement. This is so they can give you the best possible care.

Scotland, Emergency Care Summary

Royal Pharmaceutical Society, Using EHRs Professionally


“the GP Connect tab presents a permission to view qualifying question similar to Summary Care Record. Clinicians will seek permission and select Yes, No or Emergency. The response to this is recorded in the Event list of the case for historical reviewing/audit purposes.”

GP Connect, HTML Records Access

SCAS NHS 111

Viewing a patient record within EMIS Web using GP Connect


Your Care Connected


Surrey Care Record

Informed implicit consent to share

Oxfordshire residents were informed by direct mailing of the intent to share their information via the Oxfordshire Care Summary in March 2012; they are able to opt out if they wish, by means of a Read code being added to their GP record.

NOTE: change in consent status can be made at any time: a signed form must be submitted to their GP

Explicit permission to view

Patients will be asked their permission before a clinician views their Oxfordshire Care Summary, unless they are unable to do so and the clinician deems it clinically justified to view without permission.

Break glass

Where the patient is unable or unwilling to give permission, and there is a clinical justification for accessing the OCS, the clinician may access the OCS without permission, but must be able to account for their actions. This is known as a break glass incident and will be investigated.

Oxfordshire Care Summary


Connect Care

Bolton Care Record

We will not make or keep any copies of the record created once the enquiry is complete. Only approved staff can log on to My Care Record. As the patient you will be asked for your permission for the record to be viewed and all access is logged so we can track precisely who has accessed the record and for what purpose.

My Care Record (Herts and Essex)

Kingston Care Record


Manchester Care Record

Stockport Health and Care Record

Salford Integrated Record

Sutton Integrated Digital Record


Connected Nottinghamshire

The Local Care Record

Cheshire Care Record


East London Patient Record (eLPR)

Share To Care


The North Staffs and Stoke-on-Trent Shared Record

The Integrated Doncaster Care Record (iDCR)

The Great North Care Record


The Local Shared Care Record (Devon NEW)

Healthcare staff will ask for your permission when they need to view your JUYI record, however there are circumstances where the care professional looking after you will not need to check with you before accessing your information, for example if you are unconscious or if you are not present.

The information will be used only by authorised health and social care professionals directly involved in your care. Your permission will be asked before the information is accessed, unless the clinician is unable to ask you and there is a clinical reason for access. These records will be used only for the purpose of enabling informed care to be supplied directly to you as an individual.

Gloucestershire Care Record (JUYI) (GP surgery “permission form”)

Derbyshire Shared Care Record (MIG)


Camden Integrated Digital Record (CIDR)

Northwest London Care Information Exchange

Bolton Care Record


Sutton Integrated Digital Care Record

My Care Record works on a “consent at the point of care” basis so opting out isn’t strictly necessary, as the patient will always be asked, at the point of care, if they consent to their record being viewed. If the patient does not agree the record is not viewed.

My Care Record (Bucks)

You will be asked for your permission to view your record each time you come into contact with a registered health and social care professional and only the parts that are relevant and necessary will be visible. Every time a record is accessed the identity of the reader is recorded. You can request details of all the people who have accessed your record. Staff can be asked to give a reason why they have viewed your record and the Organisation’s disciplinary policy will be applied if appropriate.

Trafford Co-ordination Centre (TCC)


Somerset Integrated Digital electronic Record (SIDeR)

You will be asked directly to give your explicit consent, at the point of contact, for your record to be viewed. You can say “yes” or “no”; the consultant/Doctor will only view your record if you say yes.

You will be asked beforehand for permission by the assessing healthcare professional each time your record is viewed. The healthcare professional is only viewing your record; they are not downloading, amending or storing any of your data. This means that when they close your record it is no longer accessible.

If you are unable to give consent, for example if you are unconscious and it is deemed vital, then a healthcare professional may view your record in order to be able to provide appropriate care for you. In this situation, the healthcare professional must state a reason consent has not been obtained (e.g. patient is unconscious); this is logged in the system and is fully auditable.

Before any information is collected or displayed to a care professional, that professional must have your consent to view your record. Your consent is recorded on the system so that we know exactly who has accessed what information and when.

The Wirral Health Information Exchange


Microtest Guru (Cornwall local shared care record)

Liverpool iLinks (“We share because we care”)

The Bradford & Airedale Integrated Digital Care Record (IDCR)


Barnsley Shared Record

A new project called ‘Share for You’ is being implemented across all health and social care agencies in the Rochdale borough which allows the full records to be securely shared from the GP surgery to the hospital or clinic setting systems, once the patient has granted their permission.

When a patient’s records are requested, it collects the information from the different systems and shows the information to the requester. None of the information it collects is stored and none of it can be changed. Because it collects the information only when it is needed, the information is always accurate and as up to date as possible.

Before any information is collected or displayed to a care professional, patient consent must be provided. Patient consent is recorded on the system in an Audit trail so that it is accessed only on a need to know basis and no information is stored or saved within any other setting.

Information about Share for You is being shared in health and social care settings including GP practices, hospitals and clinics.

Share for You

Shared care records have processes in place to ensure the correct records are matched, that patient consent is addressed, that records can only be viewed by clinicians and care professionals with the right authority to view and that data is secure and safe.

Graphnet, Digital Shared Care Records in Context: The National Strategy


Lancashire Patient Record Exchange Service

Data accessed under this agreement is subject to explicit consent from the Data Subject where this is practical. If a health care professional requires access to a data subject’s record and they were unable to obtain consent, they must only access the record where it is of clinical benefit to the patient to do so. This may apply in cases where a data subject is not present or unresponsive or access to their record is required in order to prepare for a consultation with that data subject. Where appropriate, the data subject should be informed that their record has been accessed and the reason why.

In cases where a patient is unconscious, requires emergency treatment or lacks capacity either temporarily or in line with the Mental Capacity Act 2005, and access to the CHIE would benefit the patient’s care, the users of the CHIE, who are care professionals, will use their judgement about accessing the information.

CHIE (Hampshire Health Record)


“We will obtain your explicit consent (permission) to share your detailed electronic health (and where applicable social care) record to anyone that cares for you. By providing your permission, we make your record available to all NHS commissioned services and local authorities providing health and social care services, using the clinical record computer system, SystmOne. This allows for anyone at these organisations who have the appropriate controls to retrieve your electronic record, once you are registered for care. However, these individuals should only legitimately access your record to provide you with care services. They must also record your permission to view your record.”

SystmOne Fair Processing Notice: where GPs set Explicit consent to make your record available to all organisations for direct care purposes

“We assume that you are happy to share your detailed electronic health (and where applicable social care) record to anyone that cares for you. We therefore make your record available to all NHS commissioned services and local authorities providing health and social care services, using the clinical record computer system, SystmOne. This allows for anyone at these organisations who have the appropriate controls to retrieve your electronic record, once you are registered for care. However, these individuals should only legitimately access your record to provide you with care services. They must also record your permission to view your record.”

SystmOne Fair Processing Notice: where GPs set Implied consent to make your record available to all organisations for direct care purposes

Providing consent to view

When you start receiving care from a care service (that uses SystmOne), you have the right to either agree or disagree that they may view your SystmOne record. The health or social care professional seeing you should ask your permission for them to view your electronic record.

If you answer YES: That care service will be able to view information recorded on your electronic record by other care services (excluding any data you have requested to keep private (see below)).

If you answer NO: That care service will not be able to see any information recorded anywhere else (even if your record has been set to share from any other care services).

As a patient, you have control over who can see your health information. Even if you give permission on one occasion, you can still change this at any time.

SystmOne Patient Guide


Appendix 2 – GP Dataset


Appendix 3 – Connected Care Data Flows


Data Processor (Graphnet)

GP Dataset (as described in Appendix 1), combined with clearly identifiable “clinical data extracts from Acute, Community, Mental Health and Social Care systems” and “supplementary non-clinical data covering topics such as capacity and bed state, as provided to Connected Care by the Acute, Community, Mental Health and Social Care organisations on a daily basis”.

This is the CareCentric Operational “Shared Care Record”, available to healthcare professionals with a legitimate relationship to the patient (direct care). Note: Permission to View is NOT upheld.

Disclosure of clearly identifiable, confidential information.

A mirror copy of the CareCentric Operational Database is transferred to the CareCentric Azure-based data warehouse, where further linkage occurs with “additional data sets” from hospital trusts.

Secondary uses processing occurs (“data analysis”), with subsequent anonymisation and pseudonymisation, producing so-called “Data Marts”: clearly identifiable outputs, pseudonymised outputs and anonymised outputs, available to as yet unspecified individuals and organisations.

Disclosure of clearly identifiable, confidential information.


Appendix 4 – ICO guidance on Data Processor Contracts

28 May 2020

Our reference: IC-40997-T3S9

Dear Dr Bhatia,

Thank you for your email of 22 May 2020.

Following our conversation this afternoon, in which further clarification was made over the exact relationship of the arrangement, I have included the updated response for you.

Again, my apologies for misconstruing your original query; as you mentioned you do not instruct the “processor”, it appeared that it was not a data processor of yours. However, following our conversation, it is clear that this organisation is to be used as a processor for your practice, and a number of other data controllers.

In that respect, the Contracts (Rights of Third Parties) Act 1999 would not constitute compliance with the GDPR under article 28, which states that the data controller must have a contract in place with any and each data processor they use. Each of the data controllers you described should have a separate contract in place with the data processor. You would not be able to nominate a “lead data controller” who is the only one with a contract in place.

Article 28 mentions that you can rely on another legal act under Union or Member State law. This refers to times where there is a legal requirement, under legislation, for a controller to use a processor for certain processing. The legislation you have referenced isn’t such legislation, as it doesn’t require you to use a processor. It therefore doesn’t meet compliance with article 28.

I hope this information is helpful to you. If you would like to discuss this further, please contact me on my direct number *********. If you need advice on a new issue you can contact us via our Helpline on 0303 123 1113 or through our live chat service. In addition, more information about the Information Commissioner’s Office and the legislation we oversee is available on our website ico.org.uk.

Yours sincerely

*************
Case Officer
Information Commissioner's Office

09.06.20

Dear ********,

Sorry for the delayed response, and thank you very much for your advice and our discussion.

I wholeheartedly agree that any interpretation of Article 28 – whether literal or purposive – is that there must be a contract in place between the data controller (not any data controller, or just one of a collaboration of joint data controllers, or an organisation purporting to be a “data controller” even though they are not providing the processor with any data) and the data processor.

Absolutely, Article 28 is not upheld by virtue of a data controller simply having “third party benefits” and the ability to enforce terms of a contract that, in all likelihood (and as in the scenario that my organisation faces) they haven’t even seen. They must be a party to a contract with the data processor, as the ICO clearly – and repeatedly - states in its guidance.

With respect though, I would dispute the need for a “separate contract” to be in place between each controller and the processor.

1. Absolutely, individual contracts are the “gold-standard”, and they clearly allow necessary flexibility in processing. Each individual controller can permit certain processing, or conversely not permit it, without that affecting any such decision of another controller. Termination of an individual contract (mutually agreed, or by one of the many reasons for repudiation) is also likely to be straightforward, and not adversely affect the other controllers. The starting point could be individual, but identical, data processing contracts – easy enough to organise in the 21st century.

2. A separate organisation (e.g. a CCG or CSU) could be the data processor (as long as it wasn’t supplying data for processing to the original processor, I believe) and sub-contract that processing to the original processor. This would mean that the CCG/CSU would be the point of contact/negotiation with the data controllers, and party to that contract (instead of the original processor). This could be individual/separate contracts, or one “multi-party” contract as below.

3. Assuming processing was universal in nature across the controllers, there is nothing to stop a single contract being produced, with the processor as one signatory and party, and the other data controllers as the other, “multi-party” and signatories. Organisationally, that is trickier in terms of getting sequential signatures from the data controllers, and there might be problems when additional processing, or variation in the terms, is proposed that is not universally accepted by the joint data controllers.

4. Finally, an agent (again, perhaps a CCG or CSU) could be used, if explicitly authorised by the controllers, and – assuming the contract terms were acceptable to the controllers – would sign the contract on behalf of the controller(s), and then “drop out”. Each controller would then be, in law, a party to a contract. Again, this could be individual, identical contracts, or a single “multi-party” one. The agent would be the signatory for the multi-party contract or for each individual contract.

I believe that all examples, 1-4, result in the data controller holding a contract, and being a party and signatory to it (by means of an authorised agent if so decided), with the data processor, and so fully upholding Article 28.

Please do let me know if you disagree. Having individual contracts isn’t, I think, explicitly stated in Article 28, and whilst effective when the number of data controllers is relatively small could be problematic if, for example, a thousand data controllers were using one data processor.

Many thanks again for your clear and forthright advice.

Kind regards,

Dr Neil Bhatia

12 June 2020

Our reference: IC-40997-T3S9

Dear Mr Bhatia,

Thank you for your email of 9 June 2020.

Having individual contracts isn’t explicitly stated in the legislation and it is correct it can be performed with a set of contracts between multiple parties. However in practicality it would be beneficial for each Data Controller (DC) to have their own contract in place with the Data Processor (DP) as it allows each party to be able to demonstrate they are clear about their role regarding the personal data being processed.

In regards to your scenarios I will respond with guidance to each of them as you have numbered.

1. This is correct and is a practice already approved by the European Data Protection Board. They have approved the Danish Data Protection Agency’s Standard Contractual Clauses (SCCs), which a DC can use when entering a relationship with a DP. The SCCs are in a single document, with sections highlighted for DCs to amend to their specific processing requirements. These SCCs fully comply with Article 28 and could be the basis for your contracts.

2. This arrangement would be seen as a DC to DP to sub-processor. In this case a contract would still need to exist between the DC and the DP (in this example the CCG/CSU), and at least a single second contract between the DP and sub-processor. Care would need to be taken when keeping accountability for each DC’s data.

3. This would be a valid arrangement; however, again, practicality becomes an issue when a DC requires slight variations, or has different requirements than other DCs who are party to the contract.

4. Similar to 2, however when the agent “drops out” the contract would then need to exist directly between the DP and the new DP (former sub-processor).

Ultimately however the DC is accountable for ensuring compliance with the legislation, for both themselves, and any DPs they use, they should ensure they are entering into any legal contracts with utmost care, which would allow them to have full control of the legal clauses of the contract.

In closing, I can only answer your query based on the information you provide in the email, whereas I believe there may be other aspects that come into play in this scenario. Therefore I would very much appreciate discussing this with you further in a telephone conversation. You can contact me directly using the number below, or if you preferred, by replying to this email with a contact number and time that is suitable for you and I will contact you then.

I hope this information is helpful to you. If you would like to discuss this further, please contact me on my direct number *********. If you need advice on a new issue you can contact us via our Helpline on 0303 123 1113 or through our live chat service. In addition, more information about the Information Commissioner’s Office and the legislation we oversee is available on our website ico.org.uk.

Yours sincerely

***********
Case Officer
Information Commissioner's Office


18.06.20

Hi *******,

Thank you very much for our conversation.

I attach some information received only this morning. I think SoftCat might actually be the data processor and Graphnet the sub-processor. But essentially, data processor functions are undertaken by Graphnet.

Attachment A explains why the “lead data controller” asserts reliance on the C(RTP)A 1999:

“GDPR Article 28 requires that processing by a processor must be governed by a contract that is binding on the processor with regard to the controller: Article 28.3. In my view, this does not require that the controller must themselves be a party to the contract. It is sufficient if the controller can enforce the contract, under the 1999 Act.”

(I disagree with that assertion)

“At no point do Graphnet determine both purposes and means for the data being processed, so Graphnet are NOT a controller.”

“a clear establishment of Graphnet as only a data processor”.

Attachment A00 shows the contractual relationship, the “chain of contract”:

NHS Berkshire West holds the service level contract as well as the “data processor contract” with SoftCat/Graphnet, and is a party to that contract (it is not an “agent”).

Frimley Health NHS FT – one of the joint controllers submitting (and accessing) medical data – is only responsible for “contract administration”. It is the self-appointed “lead data controller”, but is not a signatory to the contract, nor an agent. It too has only 3rd party “benefits” under C(RTP)A 1999, just like all the other controllers.

Attachment A06 Berks ACN shows the mandatory Art 28 terms that were inserted into the service level contract to ensure that it complied with the requirements of a data processor contract.

NHS Berkshire West is the controller (and “the customer” for the service level aspects), and is one party. SoftCat is the processor and is the other party.

On page 7, item 6 refers to the C(RTP)A 1999. The joint data controllers (e.g. GP surgeries, hospitals, local authorities) are all referred to as “service recipient organisations”.

122 v7.3 Dr Neil Bhatia, OHG

Page 123: Connected Care DPIA S…  · Web viewjoint controller. The dataset definitions are listed in Appendix 4. Certain sensitive terms (excluded read codes) ... that they can refuse access

Data Protection Impact Assessment (DPIA)Connected Care – Direct Care (“Share Your Care”)

Item 6.1.1 means that NHS Berkshire West can amend the terms of the contract without the 3rd parties’ consent/approval/notification if it “is otherwise necessary for the continued enjoyment of the Services”.

Annex 1, p10, lists the processing undertaken etc. It basically covers all processing that might be undertaken, subject to individual agreement by each contributing organisation.

On page 13 Graphnet clearly states that it is acting only as a data processor.

On page 20, it states that “(e) Additional SROs: Additional Service Recipient Organisations may be added under the Variation Procedure”.

Finally, I attach the “core” information sharing agreement (CORE ISA) between the (joint) data controllers.

The list of data controllers – whether both uploading personal data to, and accessing, the shared care record, or simply just accessing it – can be found here: http://www.regisa.uk/index.php/agreement-details/2-uncategorised/13-schedule-e

Neither Graphnet nor SoftCat are signatories, nor are they parties to that agreement, because they are not data controllers. The only signatory is the organisation (e.g. I would sign it on behalf of my surgery).

The reason why some CCGs are listed as “members” is not because they have access to clinical records (they absolutely do not), nor is it because they contribute information to the shared record, but because they seek/hope to have access to anonymised (and possibly pseudonymised) data outputted from secondary uses analysis of the database. Again, such analysis would be undertaken by Graphnet as the data processor (subcontracting it to Microsoft and their “Azure Data Warehouse”).

Decisions on new/amended processing by Graphnet are made by a representative committee of the controllers, the “IGSG” (see p.7). Notwithstanding any such decision, each data controller then has to agree to such processing for their organisation’s data.

So, in our case, we might agree to the sharing of our records for direct medical care, and sign the relevant ISA (http://www.regisa.uk/documents/PC170011ccNEHFpracticesv2.pdf),

but refuse to allow any secondary/analytics processing and refuse to sign the relevant ISA (http://www.regisa.uk/documents/SU180001ccAPpracticesv2.pdf).

Again, the only signatory is the organisation (e.g. I would sign it on behalf of my surgery).

Graphnet/SoftCat are never signatories to any of these ISAs (as they are not data controllers).

There would be no lawful way for us to transfer confidential information to a CCG/Graphnet, if the CCG/Graphnet were to assert itself as a data controller unit. Neither organisation is a clinical provider, and they don’t have a legitimate, clinical relationship with any of our patients.

The CCG/Graphnet could not become the data controller for the disclosed information as they would have no legal basis to hold confidential clinical records for all these contributing organisations.

Graphnet can only “borrow” data, with each controller’s authority, and process it on their behalf, as a data processor, returning that data (or destroying it) at the end of any agreement.

And for that, each controller needs lawful, demonstrable authority by virtue of a clear Art 28 contract.

Best wishes,

Neil

18.06.20

Hi ***********,

If of use/interest, I have found the “variation clause” as attached. I note that no permission is required from any “3rd party” before variation can occur.

For significant changes to processing, there is a process (Attachment M), but individual practices may not be informed, or even aware of any such changes approved, or indeed of any resulting variation in “the contract”.

 

In my view, it is simple – if we are to engage Graphnet to process data on our behalf – our data – then they are the data processor and we are the data controller. There then must be a written contract in place between the two of us.

Third party rights “benefits” do not suffice.

I do not feel that there is any interpretation of Article 28 other than that. It would be nonsensical for there not to be a contract (that is, after all, the “mischief” that Art 28 seeks to avoid), and whether literally or purposively interpreted, Art 28 means a contract between the data controller supplying the medical records, and the processor receiving them (and processing them on that data controller’s behalf).

Not any data controller, and not a contract that might exist somewhere in the world.

If Graphnet process our data without such a contract then, I believe:

We are in breach of Article 28;

Graphnet would be processing data outwith the explicit instructions of the data controller of Oakley Health Group’s GP records;

Graphnet would be a third party processing data outside of a lawful Processor-Controller contractual agreement, and then becomes the Data Controller for ultra vires processing.

In other words, we would have unlawfully disclosed confidential information to a third party, and they would be unlawfully holding and controlling it.

https://www.supremecourt.uk/cases/uksc-2018-0213.html

where data is processed in a manner not explicitly permitted by the Data Controller, the Processor is in fact the de facto Data Controller for that processing activity.

 

https://www.bailii.org/ew/cases/EWCA/Civ/2017/121.html

“if they [a Processor] are processing personal data on their own behalves they will be data controllers as regards that processing and those data.”

Neil

30 June 2020

Our reference: IC-40997-T3S9

Dear Mr Bhatia,

Thank you for your email of 18 June 2020.

Your assessment of the scenario we have discussed appears to be accurate and you should not proceed with Graphnet as a processor without a contract that you hold. This contract would be a controller to processor contract and would cover the processing of personal data. It would not necessarily have to cover the service level element, which may be sufficiently covered by the third party rights afforded under the C(RTP)A 1999.

Furthermore, Graphnet should only process any personal data in line with any instructions you have provided them with. If they were to then make their own decisions they would be in breach of your contract, and become the data controller of such information.

I hope this information is helpful to you. If you would like to discuss this further, please contact me on my direct number *******. If you need advice on a new issue you can contact us via our Helpline on 0303 123 1113 or through our live chat service. In addition, more information about the Information Commissioner’s Office and the legislation we oversee is available on our website ico.org.uk.

Yours sincerely

************
Case Officer
Information Commissioner's Office

Appendix 5 – Article 28 and Recital 81 of the GDPR

https://eur-lex.europa.eu/eli/reg/2016/679/2016-05-04#tocId40

Article 28

Processor

1.  Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

2.  The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

3.  Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) takes all measures required pursuant to Article 32;

(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;

(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;

(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

4.  Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

5.  Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.

6.  Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.

7.  The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).

8.  A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.

9.  The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.

10.  Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.

Recital 81

(81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject.
