And another thing

Put on your anoraks, friends, we’re going to Data Protection land.

My objection to is that it is unfair – I believe that data should only be extracted from GP systems and used for research (no matter how beneficial) with consent. I am wary of’s hype-man Dr Tim Kelsey, who said on Twitter that the NHS would “never” compromise patient privacy. I know Twitter enforces brevity, but he had room for ‘knowingly’, ‘intentionally’ or ‘deliberately’ and he didn’t feel the need for any of them. Everyone who knows how the NHS works (or has worked in it) knows that compromises of patient privacy – both physical and in information terms – happen often, despite much effort to prevent them. Even if Kelsey only meant, it is still a promise he cannot possibly hope to keep. I am uncomfortable with the way the NHS Chief Data Officer – Dr Geraint Lewis – insists that receiving payment in return for information is somehow not ‘selling’ it (despite the universally recognised definition of ‘sell’ in any dictionary you choose) or that it is wrong to suggest that insurance companies will use data for insurance purposes when documents published by the Health and Social Care Information Centre say that they will.

However, on the narrower question of whether is legal, especially in terms of whether it is legal under the Data Protection Act, I don’t think there is much of an argument. It is legal. If you have a majority in Parliament, you can make a lot of things legal. The people organising it don’t need your consent and are not attempting to obtain it. The leaflet drop is no way to inform people about such a significant step, but I don’t think it is required.

Here’s why:


Consent cannot be obtained through an opt-out. The EU Directive on which the DPA is based and with which it must comply says that consent must be freely given, and be based on a positive indication of the subject’s wishes. How can the absence of something be consent? The answer is that it can’t. An unticked box is an unticked box and nothing more. The health sector has invented the concept of ‘implied consent’, but this is a misnomer. When they talk about ‘implied consent’, what they mean is ‘inferred consent’ – a person actively does something (for example, they willingly turn up for a test or an examination), and their consent to treatment and data processing can be inferred from their actions.

What is happening with is not an attempt to get consent because the Data Protection Act does not oblige an organisation to process data only with consent. It gives the organisation options – consent is one, and a legal obligation is another. GPs have a legal obligation to allow the data to be extracted (they have no choice) and that’s that. Consent is irrelevant. The opt-out is a legally unnecessary bonus offered by NHS England to get people like me off their backs – if you don’t like it (in Kelsey’s now deleted words, if you don’t want to make a contribution to society), opt-out. I think they could withdraw it, as I don’t see that the Health and Social Care Act 2012, which gives them the power to extract the data, obliges them to offer one.

Precisely why the health minister Dan Poulter told an MP in a written answer that the ICO may be involved in policing whether GPs have unusual amounts of opt-out is a mystery, as they have nothing whatever to do with it. The opt-out is for show; it’s not necessary for DP purposes.


Parliament decided that GPs would have a legal obligation to provide (or rather, not prevent the extraction of) the personal data. However, as the ICO – in the form of Dawn Monaghan’s blog – confirms, GPs are the data controllers of the information and are therefore responsible for data protection compliance up to and including the extraction. The ICO goes on to say that: “responsibility for letting patients know what is happening falls to GPs, as the data controllers

The first Data Protection principle states that the use of personal data must be fair. Schedule 1, Part II of the Data Protection Act sets out precisely how that must be done – by providing certain information. Dinosaurs like me call it ‘fair processing’, whereas the current Commissioner has rebranded it a ‘privacy notice’. The information that must be supplied is the identity of the data controller, the purposes for which the data is being processed and any other information specific to the situation required to make the processing fair (surprises like – for example – your GP data will be passed to insurance companies). So if you’re unhappy with the level of information you’ve received, even though isn’t their fault, you complain to your GP, because they are the data controller sharing the data, right?


Breath in: Schedule 1, Part II, Section 3 (2) (b) contains a caveat. The fair processing data must be supplied unless:

“the recording of the information to be contained in the data by, or the disclosure of the data by, the data controller is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract” (my emphasis)

The above was overly complicated; I had overlooked the obvious. Section 35 (1) of the DPA states  that personal data “are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court”. The non-disclosure provisions include all fairness considerations including fair processing.

In other words, the Data Protection Act says explicitly that if they are supplying the data in order to comply with a legal obligation, the GPs do not need to provide fair processing. The effectiveness of NHS England’s soft-soap leaflet is legally irrelevant, and if you complain to your GP about the information campaign, I think they’re in the clear.

If you think I’m technically incorrect here, by the way, feel free to comment. I sympathise with the GPs, so I think my interpretation has the small attraction of getting them off the hook, but if I’m wrong, I’d genuinely like to be put right.

But back on topic, precisely why the ICO does not want you to know this is something I cannot explain. I suspect that – like the legal precedent in the Durant judgment that says that subject access requests cannot be used for litigation – they regard it as an inconvenient truth that if they ignore, will go away. I suspect GPs will deal sympathetically with complaints from their patients, but they can turn the ICO away if it comes knocking. There is no threat there.

This is why I am appalled with Scrape away the hype and the window-dressing, and this is an authoritarian measure from which the relevant law offers no protection. Get something through Parliament, and the DPA is your poodle. That’s what happened here and even if you favour research, do you really think their means to your end is OK?

If you’re happy with, nothing here will convince you otherwise and nor should it. But if you’re unhappy with, face reality: consent is not required, the ICO’s powers are limited to what breaches they can find out about (AKA what they get told about), and even the opt-out is a non-statutory gift that can be removed. Quite why everyone including the ICO is pushing the GPs around is beyond me – we know who’s in charge, and they hold all the cards.


  1. just look to second to last paragraph
    is the intent this

  2. So the only really opt out is to unregistering from your GP or to withhold information from your GP which what some patients are telling me is what they are doing. We are NOT recommending that. I merely stating options.

    Helen Wilkinson

    The Big Opt Out

  3. Andrew Watson says:

    Interesting and thought-provoking – thanks.

    I spent a few minutes mumbling about consent when Radio Cambridgeshire invited me to comment on yesterday:

    Interestingly, almost the comments from listeners (or at least, all the ones the station read out) were in favour of opting out, and mostly from people who had already done so.

    BTW, two typos in your posting: I think “insurance companies will use data” should be “insurance companies will not use data”, and “Breath” should be “Breathe”.

    Thanks for keeping DPA amateurs like me informed on the legalities.

  4. Derek O'Connor says:

    Hi Tim – I agree with you views on consent and that it cannot (or should not) be obtained through an ‘opt out’ – however the game is changing as can be seen by the organ donation debate in Wales – (see
    I am a registered doner so don’t have a problem in this particular circumstance, but only a matter of time surely before the concept of ‘presumed’ consent creeps into other areas.

  5. I have blogged on why the relevant authorities’ human rights obligations might lie behind the leafleting campaign
    I have also attempted to outnerd you. Be gentle.

  6. “Breath in: Schedule 1, Part II, Section 3 (2) (b) contains a caveat”. I think you are wrong. This provision protects the data controller who obtains the personal data by law from issuing a privacy notice.

    • Even though it explicitly mentions the ‘disclosure’ by the data controller, rather than obtaining by the data controller, which is mentioned earlier in the same schedule?


      • This is a reference to the onward disclosure by “the data controller” who gets the personal data from the GP. “The data controller” must be the receiving data controller.

      • It isn’t. Section 2 of Schedule 1 says the fair processing must be provided unless the disclosure by ‘the’ data controller is because of a legal obligation in the bit I quoted. Where does it refer to that final provision applying only to the receiving data controller, rather that the disclosure by the data controller?

      • You are missing Sched 1 paragraph 1(2).

      • Sched 1 paragraph 1(2) refers to the Data Controller who obtains and says data is obtained fairly (in this case, HSCIC). Processing fair for them.

        Sched 1 para 3 (2) (b) says that the requirement to supply fair processing in Sched 1 para 2 (1) (b) doesn’t apply to situations where “the” data controller who discloses is under a legal obligation to do so. Where does it say that this provision only applies to the data controller referred to in Sched 1 para 1(2)?

      • And I am a moron. Section 35(1) says personal data “are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court”. The non-disclosure provisions include all fairness considerations including fair processing. No need to prove necessity. So no fair processing required by GPs.

  7. – worth a look.. ..for medical insurance it states..

    Insurance companies

    The HSCIC also says that identifiable (Red) data will be available to insurance companies – as long as those companies promise that they will not use it “for the purposes of selling or administering any kind of insurance”, and as long as their reason for wanting the data was “to improve NHS patient care”.

    In addition, anonymised and pseudonymised (Green and Amber) data should be given to insurance companies as:

    they “can make good use of the data”, and it will

    “enable insurance companies to accurately calculate actuarial risk so as to offer fair premiums to its customers”

    Information Governance Assessment – addendum

  8. Eve Sariyiannidoi says:

    According to the ICO guidance on Data Protection, ‘an exemption from “the non-disclosure provisions” – which would allow the data controller(s) to disclose personal data that would otherwise be protected from disclosure – is not an automatic exemption from all, or any, of those provisions. This is because an exemption only applies to the extent that the provisions are inconsistent with the disclosure in question’. Therefore, one would question the use of a Section 35 exemption (e.g. based on statute) to avail from any compliance with the DPA principles, including fair processing.

    • The bit about ‘inconsistency’ isn’t just in the ICO guidance, it’s in the Act itself in Section 27. But that’s the interesting thing – if the provision of fair processing to every citizen isn’t inconsistent with the legal requirement (i.e. the exemption doesn’t apply), then the current attempt to provide fair processing is wholly inadequate. Many households won’t receive the leaflet or won’t notice it, and the content of the leaflet is incomplete and potentially misleading. So if we’re looking at the ICO and their guidance (the privacy notices code for example), it is inconceivable that the current provision of fair processing is, well, fair. Either I’m right, or they need to act quickly and stop wringing their hands.

      The bit of my blog that I have crossed out – referring to provisions in Schedule 1, Part II, Section 3 (2) (b) – is still relevant as well.

      • Eve Sariyiannidou says:

        Completely agree. And there will be new EU data protection laws soon which will not require a new DPA. No wonder NHS England are rushing the implementation of

      • I don’t want to argue for the sake of it, but “there will be new EU data protection laws soon” is an optimistic take on the current situation. Substitute “may” for “will” and “at some point” for “soon” and I think that’s a more realistic summary.

  9. Eve Sariyiannidoi says:

    Compulsory, maybe not. Necessary, yes. To reiterate, one would question the use of a Section 35 exemption (e.g. based on statute) to avail from any compliance with the DPA principles, including fair processing. ‘Informed consent’ is a condition of fair processing.

  10. Informed consent is not a condition of fair processing in the Data Protection Act 1998.

  11. Eve Sariyiannidou says:

    Consent is not a ‘formal’ condition of fair processing. However, it is used as such when one attempts to construe ‘fair processing’.

  12. If it’s not formal, it’s not there. You’re basically saying that you can’t process personal data fairly without consent, and the Data Protection Act (i.e. UK law) is designed to do something else – to allow for circumstances where data is processed without informed consent. My argument with is the fact that the project is being – legally – operated without the need for consent. Wishing it were different doesn’t make it so; they don’t legally need consent and so they haven’t attempted to obtain it. I don’t think they should have made that decision, but that’s the way it is.


  1. […] of information rights bloggers, Tim Turner, has written in customary analytic detail on how the current NHS leafleting campaign was not necessitated by data protection law, […]

%d bloggers like this: