I cannot speak directly to the legal issue here, but as a patient I 
consent to my GP keeping records to support my clinical care.  I 
don't particularly have a problem with fully anonymized data going 
outside (like whether x% of pts have a BP less than y/z), but I do 
not recollect having given any kind of consent for my data to be 
streamed or stored where anyone outside the practice can access it.

If a backup of my data is considered necessary I would be quite happy 
to keep a copy in my own home.

It's true that at least 97% of people feel far more relaxed about 
their medical data (and I have nothing particularly to hide in mine, 
I had an MI nearly 9 years ago and regular Rx since) but there does 
not appear to be any option to both remain in the NHS AND opt out of 
having ones complete data warehoused and accessed without the kind of 
safeguards that the Summary Care Record has in place for tracing and 
legitimizing access.  Any implication of consent is pretty far 
fetched, and pretty coercive because the costs of completely leaving 
the NHS are so huge for most people.

Hence I agree with Saul, and have wondered about whether the ethics 
might justify a legal challenge to this untested area whatever the 
law is believed to say.


At 19:19 24/04/2012, you wrote:
>Not really. The implied consent that electronic records has associated with
>it assumes that backups to non local servers, and data management requiring
>streaming to remote storage is a legitimate use of the data that practices
>hold and are thus covered by the DPA requirements of handling data
>Never been tested though, but a lot of the untested bits of the DPA that we
>use day to day would not cause problems and objections would not be upheld.
>The Data Commissioner is quite sensible and the evolving case law seems to
>be sound. Basic tenet of the whole thing is that appropriate and necessary
>data handling does not contravene the DPA.
>(Pseudo specialist in medical data management