Arguably the most significant reform of the Health and Social Care Act 2012 is the introduction of a National Health Service Commissioning Board, which will supervise local primary care clinical commissioning groups. These clinical commissioning groups will replace primary healthcare trusts. Primary healthcare providers, particularly GPs, were always the gatekeepers to the National Health Service, but under the 2012 reforms, they will also be the principal budget holders under these clinical commissioning groups, buying secondary care in a quasi-competitive open market.
Under ss14X and 14Y of the National Health Service Act 2006, following wholesale amendment to that 2006 Act by the Health and Social Care Act 2012, clinical commissioning groups will have separate statutory duties to promote innovation and research. The groups also have a duty to carry out their functions effectively, efficiently and economically (s14Q).
To assist clinical commissioning groups in their extensive duties set out in Part 2 of the 2006 Act, they will have the power to raise income (a new power under s14Z5 of the 2006 Act), by doing anything the Secretary of State can do under ss7(2)(a), (b) and (e) to (h) of the Health and Medicines Act 1998, either alone or with other groups. In particular, s7(2)(f) will permit the groups “to develop and exploit ideas and exploit intellectual property.”
Whilst it may therefore be a stretch to argue that clinical commissioning groups have a duty to exploit the value there may be in patient data, it is clear that to exploit patient data is well within their duties and powers under the 2006 Act. In addition, disclosure of information “made for the purpose of facilitating the exercise of any of the clinical commissioning group’s functions” is explicitly permitted by the 2006 Act (s14Z23(1)(f)).
This only leaves the Data Protection Act 1998 to consider. Could clinical commissioning groups sell patient data under the Data Protection Act 1998, with or without the consent of patients themselves?
This is an interesting question. One answer is that it would be possible. In order to process patient data, the groups would have to meet one of the conditions for processing sensitive personal data (as defined in the Data Protection Act 1998).
It is arguable that there is the statutory basis for selling the data, being to comply with commissioning groups’ statutory duties to promote innovation and research, and to raise income in order to exercise their statutory duties effectively, efficiently and economically. As there is a statutory basis, the selling of patient date could be argued to be “necessary for the exercise of functions conferred by or under statute” – which is one of the conditions for which the processing of sensitive personal data is permitted under the Data Protection Act 1998 (paragraph 7(1)(b) of Schedule 3 of the Data Protection Act 1998). This does not require patients’ consent.
In addition, processing for research purposes is itself a permitted purpose under the Data Protection Act 1998 (paragraph 10 of Schedule 3 of the Data Protection Act 1998, and paragraph 9 of the Schedule to the Data Protection (Processing of Sensitive Personal Data) Order 2000, SI 2000/417); again without patient consent.
Lastly, there is always the ‘medical purposes’ condition of paragraph 8 of Schedule 3 to the Data Protection Act 1998:
8 (1) The processing is necessary for medical purposes and is undertaken by—
(a) a health professional, or
(b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.
(2) In this paragraph “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.
Patients’ consent may not strictly be required by law, but under the first (and second) data protection principle, patients will have to be made aware by clinical commissioning groups that their data, in whatever form, for medical research purposes. Patients could try to exercise a stop notice right under s10 of the Data Protection Act 1998, but ‘good luck with that’ is the phrase that immediately springs to mind.
Although it may be lawful for commissioning groups to sell patient data, it may be that best practice will lead to any sale being restricted to Barnardised or anonymised patient data. This may be clarified by the NHS Commissioning Board, which has a responsibility to issue guidance on the processing of patient information under s13S of the 2006 Act, following the abolition of the National Information Governance Board for Health and Social Care in the 2012 Act. ‘Patient information’ in this context is a new term defined at s20A of the Health and Social Care Act 2008, and is broader than a patient’s personal data, as defined under the Data Protection Act 1998, to include any information about a person’s health, diagnosis or care or data derived from that information, whether that information or data identifies an individual or not.
So, a case can be made for saying that commercialisation of patient data may well be a consequence of the Health and Social Care Act 2012. Whether this consequence was unintended or was anticipated is for others to answer.