Versions Compared

Old Version 2

changes.mady.by.user David Grange

Saved on

compared with

New Version 3

changes.mady.by.user David Grange

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Lay Summary (of the above legal opinion) from DAC Beachcroft LLP

Strictly Confidential and subject to legal professional privilege 

PATIENT KNOWS BEST (“PKB”) 

SUMMARY NOTE ON ASPECTS OF THE LAWFULNESS OF THE PKB PLATFORM 

  1. Background 

1.1 We have been instructed by Patient Knows Best (“PKB”) to advise, and seek Counsel’s 

opinion on, the data protection and privacy considerations relating to PKB’s approach. 

Counsel’s opinion was obtained by Tim Pitt-Payne QC, and provided by way of a detailed 

advice note. We have now been asked to prepare a summary advice note taking 

counsel’s opinion into account. It is not intended to be a comprehensive precis of every 

point considered in counsel’s advice, but instead as a high level statement of the key 

findings. 

1.2 In broad terms, this summary focusses on the lawfulness of processing patient data by 

reference to the available conditions for processing under the General Data Protection 

Regulation (“the GDPR”), as well as some consideration of the broad data protection 

framework relating to PKB’s platform more generally. It should be noted that: 

1.2.1 We provide our advice by reference to the shorthand descriptions ‘Patient 

Record’, to cover the information uploaded to the PKB platform by providers, 

and ‘Patient Account’, to cover the information uploaded to the PKB platform 

by patients (following activation); and 

1.2.2 We have approached this advice note by reference to patient data specifically, 

which will be special category data thus requiring a condition for processing 

under both Articles 6 and 9 of the GDPR. 

1.3 With that broad introduction in mind this advice note addresses, in particular, whether: 

1.3.1 providers have to rely upon consent as their condition for processing vis-à-vis 

the Patient Record; 

1.3.2 the current model of controller and processor in respect of the Patient Record 

reflects the legal position; and 

1.3.3 PKB, as sole controller of the Patient Account, can rely upon any conditions 

for processing other than consent which, in turn, would potentially legitimise 

ongoing retention of data for medico-legal purposes. 

1.4 This note does not purport to consider every single aspect of data protection compliance 

pertaining to PKB’s Patient Record and Patient Account, nor does it consider issues 

relating to the common law duty of confidentiality. We can, of course, deal with any 

further queries if and when they arise. 

1.5 We now set out our summary advice, followed by the more detailed analysis which 

supports those conclusions. 

2. Summary 

2.1 We set out our more detailed analysis below, but way of brief summary in relation to the 

key issues within the scope of this note:

2.1.1 Providers do not have to rely on consent as their condition for processing under the GDPR in respect of the Patient Record. In fact, we would argue strongly against them doing so given the inherent difficulties in obtaining valid consent in the context of providing healthcare. Reliance on alternative conditions for processing would mean that the vast majority of requests for erasure of data held within the Patient Record would not have to be actioned by the provider and/or PKB; 

2.1.2 The Patient Record actually gives rise to a joint controller relationship between providers and PKB, not one of controller and processor respectively. There 

are number of corollary obligations under the GDPR which arise as a result, 

and which both providers and PKB will need to address prior to the 

commencement of the processing activity; 

2.1.3 There are also alternative conditions for processing available to PKB other than consent, in connection with the Patient Account (for which they are 

controller). Those alternatives would ensure that PKB is able to continue to 

retain data within the Patient Account, notwithstanding any attempt by a 

patient to exercise their right to erasure, where necessary to do so from a 

medico-legal perspective. This will need to be fully and clearly outlined to 

patients when they sign up to PKB. 

2.2 We now consider each of those issues in more detail. 

3. Patient Record: Providers 

3.1 The first key issue we focus on relates to the lawful bases available to providers in respect of data comprised within the Patient Record, particularly whether the only viable condition for processing under the GDPR is consent. Our use of the term ‘providers’ entails both public bodies, such as NHS or Foundation Trusts, and private bodies commissioned under a NHS contract. Please note that our consideration as to PKB’s reliance on consent, in respect of the Patient Account specifically, is considered separately below. 

3.2 The reliance on consent as the condition for processing under the GDPR gives rise to a number of difficulties, not least ensuring that it complies with both Article 4(11) of the GDPR, which requires it to be “freely given, specific, informed and unambiguous”, and the requirements of Article 9(2)(a) for consent to process special category data to be “explicit”. It also gives rise to data subject rights which are likely to cause significant practical problems, not least the right of erasure under Article 17 which arises in a number of specific circumstances including, under Article 17(1)(c) where: 

“the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing.” 

3.3 For reference, Articles 6(1)(a) and Article 9(2)(a) relate to consent for processing personal data and special category data respectively. On the face of it, therefore, providers relying on consent would face the very real possibility of having to delete information it had uploaded to the Patient Record, in the event that a patient seeks to exercise their Article 17 rights. It could, potentially, refuse such a request in the event an alternative condition for processing is found, but this would seem to give rise to further complicating factors, not least: 

3.3.1 If such an alternative condition can be identified, then would this not have been available, and therefore relied upon, in the first place; and

3.3.2 Potentially unfair processing, by purporting to give patients the attendant rights pertaining to a consent-based approach, only to later refuse to give effect to those rights and therefore, arguably, would not be valid consent. 

3.4 For all of those reasons, providers should avoid relying on consent from a GDPR perspective and, on our analysis, it is legitimate for them to do so as there are other, more appropriate, conditions for processing available. In short, they are: 

3.4.1 Article 6(1)(e), which extends to processing necessary for performance of a task carried out in the public interest or pursuant to official authority. We are 

satisfied that providers use of the Patient Record is sufficiently tethered to their 

responsibilities for delivering healthcare to make reliance on this condition 

entirely appropriate; and 

3.4.2 Article 9(2)(h), the broad basis available for processing which is necessary for the provision of health or social care. The broad functionality of the PKB 

Record, to include making patient information available to providers, relatives 

and/or carers to support the delivery of care, as well as assisting the patient to 

access health or social care, means that Article 9(2)(h) can be relied upon. 

3.5 Previously, some doubts were raised as to whether the Patient Record constitutes a ‘health record’ as defined in the Data Protection Act 2018 (“DPA 2018”) and, in turn, whether this precludes reliance upon conditions for processing other than consent. In blunt terms, whether the definition is satisfied is irrelevant in this specific context. Reliance upon either Article 6(1)(e) and/or Article 9(2)(h) is not conditional upon the relevant processing taking place specifically within a ‘health record’. 

3.6 Nonetheless, we are satisfied that the definition is indeed fulfilled in the context of the Patient Record. A health record is defined by section 205 of the DPA 2018 as a record which: 

“consists of data concerning health, and has been made by or on behalf of a health professional in connection with the diagnosis, care or treatment of the individual to whom the data relates.” 

3.7 Given that the Patient Record is specifically contributed to, and accessed by, healthcare professionals we fail to see the basis on which it is not a health record. For the avoidance of doubt, however, the relevance of the definition being fulfilled is that it gives rise to specific exemptions from data subject rights (which are beyond the scope of this note), only. 

3.8 Accordingly, providers have alternative, and more appropriate, conditions for processing available to them other than consent. Those alternatives are more appropriate in the context of providing patients with healthcare, given the inherent imbalance of power between an individual patient and a provider of healthcare services. This would mean, in turn, that requests from patients to delete data comprised in the Patient Record should be refused (unless the data in question has been retained beyond what is necessary by reference to the retention periods set out, in particular, in the Information Governance Alliance Records Management Code of Practice1). 

4. Patient Record: Joint Controllership 

https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/c odes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-an d-social-care-2016

4.1 previous review of the potential data protection designation and relationship between the providers and PKB identified , in respect of the Patient Record, one of controller (provider) and processor (PKB). In our view, however, the more compelling analysis is that the relationship is actually one of joint controllers. 

4.2 The particular role fulfilled by a party from data protection perspective is a question of fact, based on what they are actually doing with the relevant data, and not merely ascribing a particular label. As per Articles 4(7) and 26 of the GDPR, PKB will be a joint controller under the Patient Record if, in conjunction with providers, it jointly determines the purpose and means of processing the data contained therein. That ‘determination’ does not have to be identical on the part of each controller, as joint controllers can each determine distinct aspects of processing. In our view, that accurately describes what is happening in respect of the Patient Record. There are three main justifications for this assessment, which in brief terms are that PKB: 

4.2.1 contractually obliges providers to encourage patients to create a Patient Account, in turn enabling access to information held in the Patient Record and control over the manner in which that information can be shared; 

4.2.2 determines the steps which patients need to take in order to convey their instructions on the sharing of information, including the scope of those instructions; and 

4.2.3 acts as an independent controller in respect of the Patient Account, and therefore determining whether permission has been given to allow access to the same, which is akin to a gatekeeper role in maintaining the appropriate crossover or delineation between the Patient Record and Patient Account, as reflective of a particular patient’s expressed permissions. 

4.3 PKB and the providers, as Joint Controllers are obliged to comply with Article 26 of the GDPR which requires joint controllers to: 

“in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.” 

4.4 The arrangement described “shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects” and the “essence of the arrangement shall be made available to the data subject.” 

4.5 Careful consideration will have to be given to ensuring that joint controller arrangements take appropriate account of the practical difficulties caused by the multi-party nature of the sharing relationships under the PKB platform. Providers and PKB will also need to cooperate in order to accurately and clearly communicate this relationship to patients. 

4.6 This joint controller approach in respect of the Patient Record is predicated on the provider relying on Articles 6(1)(e) and either 9(2)(g) or 9(2)(h) of the GDPR and PKB, in turn, relying upon those same conditions for processing. PKB does not, of course, hold statutory functions, but the Patient Record enables PKB to assist providers in discharging their statutory functions. This further means that the rights to erasure in Article 17 would not, apart from very limited and specific circumstances, arise in respect of the data held in the Patient Record.

4.7 The final point to emphasise is that the further steps we have briefly outlined in the preceding paragraphs are required because there is a joint controller relationship, and not in order to create such a relationship. That is a very important distinction. 

5. Patient Account: PKB 

5.1 We now move onto consider the ‘Patient Account’. Our focus here is on the conditions for processing available to PKB, as the controller for the Patient Account. PKB adopting a consent-based approach would give rise to complications where patients elect to exercise their right to erasure under Article 17 of the GDPR. This would give rise to, potential concerns that providers (including GPs) who have accessed the Patient Account in connection with the provision of healthcare to a particular patient, and wanting to ensure an audit trail remains available in the event of medico-legal challenge. 

5.2 The short answer is that there are alternative conditions for processing available to PKB under the GDPR, other than consent. 

5.3 Those available conditions for processing are: 

5.3.1 Article 6(1)(f), which extends to processing necessary for legitimate interests pursued by PKB, which would be the provision of the PKB Account services to 

patients. Those interests must not be overridden by the interests, rights or 

freedoms of the patient, which we are satisfied would not be the case given 

that activation of the Patient Account is entirely voluntarily, as well as the 

decision to include particular information within it; and 

5.3.2 Article 9(2)(h), the broad basis available for processing which is necessary for the provision of health or social care. The broad functionality of the PKB 

Account, to include making patient information available to providers, relatives 

and/or carers to support the delivery of care, as well as assisting the patient to 

access health or social care, means that Article 9(2)(h) can be relied upon. It 

is sufficient, in this context, for the processing to be undertaken by those 

subject to a contractual duty of confidence, and not necessarily a health 

professional. 

DAC BEACHCROFT LLP 

30 JUNE 2020