GP practices could be investigated by the Information Commissioner's Office (ICO) if they fail to warn patients that identifiable data will be extracted from their electronic health records to be used by the National Health Service (NHS) and sold to private companies.
That is the warning of the EMIS National Users Group and the ICO, which warn that GPs are responsible for warning patients how their private patient data might be used.
Further reading NHS changes could spell the end for big outsourced health contracts Caldicott review: Breaking down the barriers to information sharing in the NHS NHS data revolution coming
EMIS Group software is used by more than half of the GP practices in the UK to electronically store patient data. However, Prime Minister David Cameron in 2011 pledged to open up this data to private exploitation - albeit in an "anonymised" form - so that "every patient could be a research patient". The process is scheduled to begin in autumn.
According to advice to GPs from the EMIS user group: "If patient data is extracted from the practice clinical data base without the patient being made aware then the practice could be prosecuted by the patient.
"It is thus vital that the practice takes steps to try to inform its practice population about the care.data extraction so that individual patients have the opportunity to opt out of their personal data extraction."
But doctors are complaining that the contradictions between the government's drive to re-use patient data and to sell it to pharmaceutical companies, on the one hand, and their obligations under the Data Project Act on the other, has put them in an invidious position.
Dr Grant Ingrams, former chair of the GPC's IT subcommittee and a GP in Coventry, told Pulse magazine that GPs were caught between two conflicting rights.
"It's a bit of a dog's dinner. Practices have a lawful obligation under the Health and Social Care Act to send the data to the HSCIC [Health and Social Care Information Centre], but an obligation under the Data Protection Act to protect patient's data.
"It's leaving practices confounded between two rights. If practices aren't sued by one, they'll be sued by another. My opinion is that the responsibility lies with the HSCIC or NHS England. GPs should have the information available and be able to explain the process, but that's it."
