The General Practice to Diabetic Retinopathy Screening (GP2DRS) system automates the sharing of patient information between general practices and local diabetic eye screening (DES) services.
GP2DRS gives local screening providers an up-to-date and accurate record of all people with diabetes aged 12 and over. This means providers can invite everyone eligible for screening in a timely fashion, reducing the risk of sight loss.
More than 2.4 million patient records are now being shared using GP2DRS.
Under the General Data Protection Regulation (GDPR) there must be a lawful basis for the transfer of this data. This blog article sets out that lawful basis, to provide reassurance for DES providers and GP practices.
Lawful basis for processing personal data
Under GDPR, personal data should not be processed without a lawful basis. There are 6 potential lawful bases for processing personal data. Consent is one of these bases and often the one people think of first. However, it is quite common for other lawful bases to be relied upon in situations where patient records are processed for direct care.
GP2DRS does not rely on patient consent as the lawful basis under GDPR for sharing records. GP2DRS relies on the following lawful bases:
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
This is described in the ‘legal obligation’ section below.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Several organisations have to undertake their respective ‘public tasks’ in line with their official roles in order for people to receive diabetic eye screening. For example, GPs are responsible for referring eligible patients for screening and local DES services are commissioned by NHS England to provide screening under the standard NHS contract.
As the sharing of information is necessary for these public tasks to be performed, this provides a lawful basis for processing personal data under GDPR.
- Processing is necessary for ... the provision of health or social care.
GP2DRS complies with this condition because diabetic eye screening is part of the direct care pathway. This permits GP2DRS to process ‘special category data’ (namely, data concerning health).
Legal obligation
Long before the introduction of GP2DRS, GPs shared patient data with DES providers as part of the direct care pathway for people with diabetes.
GPs need to share that information so patients can be referred and receive care. Importantly, there is a legal obligation on GPs to share patient information for the purposes of direct care under Section 251B of the Health and Social Care Act 2012.
This legal obligation does not apply where the patient objects to the disclosure of their information. To cater for this, GP2DRS provides a mechanism for patients to object to the transfer: they are coded in their GP record as having ‘withheld’ consent to sharing demographic information for diabetic retinal screening.
The use of this coding allows GPs and DES providers to know if the legal obligation to share each individual’s information applies or not.
It is important to remember that the lawful basis for processing data remains ‘compliance with a legal obligation’. It is not ‘consent’. The legal obligation is removed if an individual objects to their information being shared.
As well as the legal obligation to share patient data for direct care, there is also an additional legal obligation specific to GP2DRS.
PHE has issued a ‘direction’ for the collection of patient information via GP2DRS. This means that NHS Digital, as the provider of the extraction functionality for GP2DRS, is legally obliged to collect patient records from GPs and to share these for diabetic eye screening. This gives another ‘legal obligation’ basis for processing personal data using GP2DRS.