GPs and Data Sharing
Date: 30/07/2024 | Data Protection & Information Law, Healthcare
GP Practices will handle a large amount of data about their patients and staff. You may be asked to share that data with your local Health Board or law enforcement agencies. Scottish GP Practices should be aware of what and how data can be shared.
Data Sharing with Health Boards
Patient data
This is a topic which has been extremely controversial but in fact GPs share patient data with many organisations on a regular basis to provide their services to patients and for research purposes.
It is built into the 2018 General Medical Services Contract in Scotland that GP practices and the local health board contracting with them are joint data controllers in relation to GP patient records. These new contractual provisions were designed to reduce the risk involved in information sharing. This arrangement only refers to sharing GP patient records with the local health board, and in relation to all other data sharing, GP practices still need to think about data protection laws.
Staff data
The local health boards may also ask for information about staff including doctors who are partners at the practice. As GP practices are data controllers in their own right in relation to any personal data then they need to consider whether they have a lawful basis for sharing the personal data.
This could be because you have a contractual obligation to do so. So for example, in the case of complaints the local health board may request personal data to allow it to investigate a complaint as long as it is reasonably connected with the provision of service under the contract. The 2018 Contract obliges GP practices to co-operate with such an investigation. Each practice would then have to consider what information should be shared and refer to the other data protection principles.
Any data shared must be necessary for the purposes of the investigation and if you are unsure, you should ask why the health board requires the information. You should only share the minimum amount of data and it should be shared securely.
Other data
The 2018 Contract envisages GP practices sharing other data with health boards particularly in relation to GP clusters with the aim of improving quality. If this is not personal data then data protection principles do not apply. This includes anonymised data, often aggregated so that no individual can be identified from it when shared outside the practice.
Data Sharing with Law Enforcement
Sometimes GP practices will be asked to share information with the police which generally involves GP practices resolving the tension between patient confidentiality and considering the risks to the patient or others, if information to is not shared.
The police can make requests under the Data Protection Act 2018 and when this sort of request is made, it is important to understand that the practice is not obliged to provide the information, whether medical records or simply the address of a patient, but instead the practice must decide whether not providing the information could prejudice the investigation and the police should be able to share some basic information about this with you so that you can make a reasoned decision.
By contrast, if the police have a warrant or a petition warrant then you are obliged to provide the information.
We can help – the Davidson Chalmers Stewart Information Law team can guide you through any data sharing queries: when you should and should not supply information and what questions to ask and documenting your decision making.
