Section 18: Objections to sharing

The NHS Constitution states that individuals have the right to object to information about them being shared in a form that might identify them and in general to have reasonable objections to this sharing upheld. This is a broad statement that reflects the more complex legal framework. 

The Data Protection Act 1998 provides a basis for individuals to raise objections to the sharing of personal data, (i.e. data that identifies or might enable them to be identified in the circumstances) where they feel that they are suffering or may suffer significant harm or distress as a result. The data controller considering the objection might voluntarily choose to stop processing data about the individual concerned but must otherwise consider whether or not the processing is justified despite the individual’s claim of harm or distress. If the objection is not sustained then the individual may appeal to the courts. Data that is processed under statute is exempt from these provisions.

The common law of confidentiality provides a basis for individuals to express a preference about the sharing of information that they provided in circumstances where it was reasonable to assume that the information concerned was subject to the common law provisions. In the absence of consent, information held in confidence may only be shared when there is a statutory basis or a public interest justification that outweighs the obligation of confidentiality.

S251 NHS Act 2006 provides a basis, through regulations, for setting the common law confidentiality requirements aside, generally replacing them with approvals or other conditions. Whilst it would be possible to use the power provided to override patient objections in emergencies, this has never been invoked and support under the current regulations is generally provided under a condition that objections are respected.

The Human Rights Act (Article 8 of the European Convention on Human Rights) requires reasonable objections to the disclosure of personal confidential data to be respected.

The Health and Social Care Act 2012 provides a basis for the Health and Social Care Information Centre to collect information that is held in confidence when directed or A guide to confidentiality in health and social care: references  requested to collect the information by the bodies listed in the legislation. NHS England and the Secretary of State may direct the HSCIC to collect information and NICE, Monitor and the Care Quality Commission may request that it do so. However, these bodies have agreed that, in the absence of an emergency or exceptional public interest grounds, they will limit directions and requests to information where an individual has not raised an objection, thus providing individuals with a means of preventing their data being collected in an identifiable form.

To ensure that individuals fully understand what they can object to and how to initiate that process it is important that Data Controllers, such as GPs, act upon the fair processing and transparency requirements outlined by the Data Protection Act (See section 3 above, in particular the Information Commissioner’s Privacy Notice Code of Practice.