Different interpretations of data laws could hamper innovation

New technologies mean that more data can be collected and shared, but regulations can be interpreted in very different ways - and that could put small organisations and innovation at risk, writes Dr Pablo Martin.

Data security (Photo: Urupong/Getty Images)

Patient care is based on information, which needs to be collected, analysed and stored. Clinicians use data that is not limited to the written word – technology allows audio, video and images to be added to clinical records, which are transferred from the different devices that capture that type of information.

Strict protocols and regulations exist to process this personal information securely, following data protection regulations. The regulations are already complex, but it seems that different parts of the country can interpret them in different ways.

The case of two CCGs below highlights different interpretations of the current General Data Protection Regulation (GDPR), which came into effect in May last year, when developing new clinical pathways.

A tale of two CCGs

Many areas in the UK have been offering patients teledermatology, but the approach can be quite different.

In Leeds CCG a new pathway was piloted [1] and then implemented in all practices [2]. For the purpose of this article there are two important aspects of the pathway to consider:

  • Image storage on portable devices is not allowed. Data is transferred directly via software to a secure cloud space. It is considered unsafe to store images on personal devices, and the CCG advises strongly against it.
  • Verbal consent. The software used has a click to confirm that the clinician has obtained the appropriate patient consent [2]. Written consent is not required.

Kernow CCG has taken a different approach to its dermatology service [3]:

  • Temporary storage of images in a separate area of personal devices is promoted. Data is stored using the free software powerPDF, with the aim of preventing it from mixing with personal information, and shared using encrypted email services. Specific guidelines are clear that the device needs password protection and that images should be deleted after being transferred.
  • Written consent from the patient is required and a form is provided on the CCG website. Once the patient has signed the form, it needs to be photographed for storage and sharing.

Interpretation of the law

There is no doubt that 'the duty to share information can be as important as the duty to protect patient confidentiality' [4], but regulations are not clear. CCGs can assess data security when developing new pathways and come up with very different ways of handling data protection and confidentiality, as this teledermatology case shows.

According to article 5.1 of the GDPR, information should be 'processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures' [5].

Meanwhile, according to article 7.1: 'where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data' [5].

There are no specific details preventing use of personal devices, nor a need for written consent. Both CCGs have followed GDPR with very different interpretations of the law.

Uncertainty comes when an organisation within a particular CCG decides to create bespoke pathways. Where is the defence if the CCG it belongs to advises against the way they want to proceed, for example not demanding written consent or using personal devices?

The organisation can claim it is following the GDPR and indicate that other CCGs follow similar interpretations, but the weakness of a decision that does not follow local guidance remains. It could also somehow prevent or block a different process from taking place in order to avoid conflict, as there will undoubtedly be clinicians who do not agree with working under a system that deviates from current local guidance.

The way forwards

New technologies are allowing more information to be collected, available and shared, but there is a cloud of doubt around regulations that can be interpreted in very different ways. Small individual organisations can be put at risk for not following local rules that are simply a different interpretation of the current law.

There is a need to be more open and flexible when discussions on pathways that involve data processing take place. It cannot be one single rule – variation needs to be recognised and allowed and diversity of solutions that work within the law promoted.

Patients and clinicians will benefit from agreement on the different interpretations that the law allows. Only then will innovative pathways be possible, and potential uncertainty and confusion removed.

  • Dr Martin is a GP in Leeds


  1. Urwin, R. et al. An Apple (or Android) a day keeps the 2-week-wait targets at bay. Br J Dermatol 2017; 177, Issue S1. Special Issue: Abstracts for the British Association of Dermatologists 97th Annual Meeting, Liverpool, U.K., 4–6 July 2017. Available from: https://doi.org/10.1111/bjd.15526
  2. Hussain, W. The Leeds Teledermatology Experience. 2018. Accessed October 2019 from: https://www.networks.nhs.uk/nhs-networks/regional-dermatology-transformation-and/documents/north-east-yorkshire-and-humber-dermatology-transformation-and-sustainability-network-wednesday-27th-june-dr-walayat-hussain-teledermatology-trials-in-leeds
  3. Kernow CCG. Teledermatology. How to do teledermatology with iphone. 2019. Accessed October 2019 from: http://rms.kernowccg.nhs.uk/primary_care_clinical_referral_criteria/rms/primary_care_clinical_referral_criteria/dermatology/teledermatology
  4. Bunch, C. (Ed). A Manual for Caldicott Guardians. UK Caldicott Guardian Council. 2019: The UK Caldicott Guardian Council. Available from: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/581213/cgmanual.pdf
  5. Council of the European Union, and European Parliament. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 2016: EU. Available from: https://publications.europa.eu/en/publication-detail/-/publication/3e485e15-11bd-11e6-ba9a-01aa75ed71a1/language-en
