The Model

Legal basis of patient-contributed data

to support clinical safety

Download PDF: https://drive.google.com/file/d/1cJvsDwmvx3MF09mHjn_OLIxgZYDxh9me/view?usp=sharing

The following provides an explanation on the legal bases on which PKB relies for processing personal data following the latest court decisions, updated guidance which have resulted from these, and external legal advice.

Definition of terms:

Patient Record: comprises data uploaded and shared from health record systems which are made available to Healthcare Professionals (HCPs) and patients via the PKB platform.

Patient Account: comprises patient contributed data uploaded and shared by the patient which are made available to HCPs via the PKB platform.

In the past, Patient-contributed data has been retained on the legal basis of consent:

PKB has historically relied on consent to satisfy data protection laws to process data obtained directly from the patient. Until recently, it was thought consent was the only available legal basis for this processing, as bases on which the public sector could rely to provide a legal basis were not an option to a private supplier unless providing healthcare services under an NHS contract. External legal advisers have advised that this is not the case.

Professionals are at risk if they base a decision on patient-contributed data:

Once viewed by a HCP, the Patient Account, held by PKB, is a Health Record, as defined by section 205 of the DPA 2018, as the data is considered by a HCP when making a diagnosis or decision. PKB customers have raised concerns about relying on consent as the lawful basis, as consent can be withdrawn, and also engages the right to request erasure by the patient (GDPR Article 17). PKB, as a controller for the Patient Account, would have to comply with the withdrawal of consent, which would have the same result.

The impact of a patient withdrawing consent for patient-contributed data would be that the HCP loses the record of the basis of their clinical decision:

This represents a challenge to the HCP’s professional duty to maintain contemporaneous records. A robust audit and forensic analysis capability must be available for any healthcare-related record for medico-legal purposes.

Through lawyers, PKB instructed a leading barrister to obtain his opinion on the establishment of a more suitable legal basis for patient and professional

In order to address concerns raised, PKB have, at their own expense, instructed Tim Pitt-Payne QC, leading Information Right’s Barrister, to evaluate alternate legal bases for lawful processing under Data Protection Laws. There are two parallel processing activities to be addressed, provider-contributed data and patient-contributed data.

The legal bases that Providers will use for provider-contributed data remain:

• GDPR article 6(1)(e) - processing a task carried out in the public interest or as an official authority and

• GDPR article 9(2)(h) - processing that is necessary for the provision of health or social care.

PKB will use the following bases for provider-contributed data under Joint Controllership:

• GDPR article 6(1)(e) - processing a task carried out in the public interest or as an official authority and

• GDPR Article 9(2)(h) - processing that is necessary for the provision of health or social care.

Both Tim Pitt-Payne and DAC Beachcroft agreed that under a Joint Controller relationship the GDPR Art 6(1)e condition could be extended to PKB given PKB is assisting the Provider to discharge their Statutory duties.

New legal bases for Patient-contributed data

The legal basis that PKB relies on for processing patient-contributed data will change. GDPR Article 6(1)(a) - consent obtained - and GDPR Article 9(2)(a) - explicit consent obtained - are no longer recommended following the latest legal advice. PKB will now rely on the following:

• GDPR article 6(1)(f) - processing under legitimate interests. The interests, rights or freedoms of the patient would not be overridden. The activation of the account and inclusion of information within the account by the patient is entirely voluntary.

• GDPR Article 9(2)(h) - processing that is necessary for the provision of health or social care. The PKB platform ensures patient information is available to providers, relatives and/or carers to support the delivery of care, as well as assisting the patient to access health or social care.

This legal bases as a joint data controller with the provider will ensure PKB can retain data as necessary for all HCPs. The patients’ Right to Erasure would not, apart from very limited and specific circumstances, arise in respect of the data held in the PHR, ensuring that a robust medico-legal audit trail and forensic analysis ability is maintained.

PKB and Provider as Joint Controllers

After reviewing the supporting materials provided with the Instruction, Tim Pitt-Payne QC was of the opinion that PKB is, in fact, already acting as a Joint Controller in respect of provider-contributed data. It is important to know that, determining the extent to which a party fulfils a particular data protection role is one of substance, rather than merely applying a label. That PKB behaved like a Joint Controller by determining ‘purpose and means’ through the contract, means that they are a Joint Controller.

Put simply, PKB is a Joint Controller by virtue of:

1. A contractual obligation imposed on controllers through the contract to actively encourage the patient to activate their PKB Account.

2. Jointly determining the purposes for which provider-contributed data is held by seeking to bring about that the information is accessible to patients, not just to Providers. The PKB platform enables a patient:

• to access the information that is provider-contributed and

• to authorise sharing of the information that is provider-contributed with others.

To the extent that patients can decide whether to share provider-contributed data with others, it will be PKB, not the Providers, that is responsible for determining what steps patients need to take in order to convey their wish that information should be shared in this way. It will be PKB that will determine whether any particular patient has effectively communicated or recorded a wish for information to be shared, and if so what is the scope of that wish.

PKB is the sole data controller in relation to patient-contributed data that has not yet been viewed by Providers. It will be PKB that determines the steps that a patient needs to take in order to convey their agreement for patient-contributed data to be made accessible to Providers, so that the latter can consider it in conjunction with the Patient Record.

Therefore, PKB plays a controlling role, determining whether any particular patient has given the instruction that would be required in order for a Provider to be able to view patient-contributed data alongside provider-contributed data, rather than being confined to viewing the provider-contributed data only.

Next Steps

PKB has prepared a comprehensive collection of supporting documents that covers all the key aspects discussed above, these can all be referenced via this website. This website includes the following documents/materials to assist Providers with due diligence activities and the production of DPIAs.

The key documents you will need are as follows:

• Joint Controller Agreement - authored by Kaleidoscope Consultants

• Data Protection Impact Assessment - authored by Kaleidoscope Consultants

• Lay Summary authored by DAC Beachcroft

• Legal Opinion from Tim Pitt-Payne QC

• Revised Privacy Policy