Different interpretations of data laws could hamper innovation

New technologies mean that more data can be collected and shared, but regulations can be interpreted in very different ways - and that could put small organisations and innovation at risk, writes Dr Pablo Martin.

Data security (Photo: Urupong/Getty Images)

Patient care is based on information, which needs to be collected, analysed and stored. The data clinicians use is not limited to the written word – technology allows audio, video and images to be added to clinical records, transferred from the different devices that capture that type of information.

Strict protocols and regulations exist to process this personal information securely, following data protection regulations. The regulations are already complex, but it seems that different parts of the country can interpret them in different ways.

The case of two CCGs below highlights different interpretations of the current General Data Protection Regulation (GDPR), which came into effect in May last year, when developing new clinical pathways.

A tale of two CCGs

Many areas in the UK have been offering patients teledermatology, but the approach can be quite different.

In Leeds CCG a new pathway was piloted [1] and then implemented in all practices [2]. For the purpose of this article there are two important aspects of the pathway to consider:

  • Image storage on portable devices is not allowed. Data is transferred directly via software to a secure cloud space. It is considered unsafe to store images on personal devices, and the CCG advises strongly against it.
  • Verbal consent. The software used has a click to confirm that the clinician has obtained the appropriate patient consent [2]. Written consent is not required.

Kernow CCG has taken a different approach to its dermatology service [3]:

  • Temporary storage of images in a separate area of personal devices is promoted. Data is stored using the free software powerPDF, with the aim of preventing it from mixing with personal information, and shared using encrypted email services. Specific guidelines are clear that the device needs password protection and that images should be deleted after being transferred.
  • Written consent from the patient is required and a form is provided on the CCG website. Once the patient has signed it, the form needs to be photographed for storage and sharing.

Interpretation of the law

There is no doubt that 'the duty to share information can be as important as the duty to protect patient confidentiality' [4], but regulations are not clear. CCGs can assess data security when developing new pathways and come up with very different ways of handling data protection and confidentiality, as this teledermatology case shows.

According to article 5.1 of the GDPR, information should be 'processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures' [5].

Meanwhile, according to article 7.1: 'where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data' [5].

There are no specific details preventing use of personal devices, nor a need for written consent. Both CCGs have followed GDPR with very different interpretations of the law.

Uncertainty comes when an organisation within a particular CCG decides to create bespoke pathways. Where is the defence if the CCG it belongs to advises against the way they want to proceed, for example not demanding written consent or using personal devices?

The organisation can claim it is following the GDPR and indicate that other CCGs follow similar interpretations, but a decision that does not follow local guidance remains in a weak position. That weakness could also prevent or block a different process from taking place in order to avoid conflict, as there will undoubtedly be clinicians who do not agree with working under a system that deviates from current local guidance.

The way forwards

New technologies are allowing more information to be collected, available and shared, but there is a cloud of doubt around regulations that can be interpreted in very different ways. Small individual organisations can be put at risk for not following local rules that are simply a different interpretation of the current law.

There is a need to be more open and flexible when discussions on pathways that involve data processing take place. It cannot be one single rule – variation needs to be recognised and allowed and diversity of solutions that work within the law promoted.

Patients and clinicians will benefit from agreement on the different interpretations that the law allows. Only then will innovative pathways be possible, and potential uncertainty and confusion removed.

  • Dr Martin is a GP in Leeds


  1. Urwin, R. et al. An Apple (or Android) a day keeps the 2-week-wait targets at bay. Br J Dermatol 2017; 177, Issue S1. Special Issue: Abstracts for the British Association of Dermatologists 97th Annual Meeting, Liverpool, U.K., 4–6 July 2017. Available from: https://doi.org/10.1111/bjd.15526
  2. Hussain, W. The Leeds Teledermatology Experience. 2018. Accessed October 2019 from: https://www.networks.nhs.uk/nhs-networks/regional-dermatology-transformation-and/documents/north-east-yorkshire-and-humber-dermatology-transformation-and-sustainability-network-wednesday-27th-june-dr-walayat-hussain-teledermatology-trials-in-leeds
  3. Kernow CCG. Teledermatology. How to do teledermatology with iphone. 2019. Accessed October 2019 from: http://rms.kernowccg.nhs.uk/primary_care_clinical_referral_criteria/rms/primary_care_clinical_referral_criteria/dermatology/teledermatology
  4. Bunch, C. (Ed). A Manual for Caldicott Guardians. UK Caldicott Guardian Council. 2019: The UK Caldicott Guardian Council. Available from: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/581213/cgmanual.pdf
  5. Council of the European Union, and European Parliament. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 2016: EU. Available from: https://publications.europa.eu/en/publication-detail/-/publication/3e485e15-11bd-11e6-ba9a-01aa75ed71a1/language-en
