What is data protection legislation?
Data protection legislation for the UK is set out in the Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR) – which also forms part of UK law.
Data protection is the fair and proper use of information about people. It’s part of the fundamental right to privacy – but on a more practical level, it’s really about building trust between people and organisations. It’s about treating people fairly and openly, recognising their right to have control over their own identity and their interactions with others, and striking a balance with the wider interests of society.
Information Commissioner’s Office (ICO), Guide to Data Protection
Importantly, in the context of new ways of working and new models of care, the ICO views data protection as essential to innovation.
Good practice in data protection is vital to ensure public trust in, engagement with and support for innovative uses of data in both the public and private sectors.
Will data protection apply to our model of Nf2f clinics?
These laws apply to any organisation that processes personal data. Processing includes the collecting, recording, storing, using, analysing, combining, disclosing, or deleting of any data.
As such, the laws are applicable to any provider considering the use of Nf2f clinics. The GMC guidance on confidentiality states that if doctors are:
…responsible for managing patient records or other patient information, you must make sure the records you are responsible for are made, stored, transferred, protected and disposed of in line with data protection law and other relevant laws. You should make use of professional expertise when selecting and developing systems to record, access and send electronic data.
What data protection considerations are most relevant to Nf2f clinics?
Should we undertake a Data Protection Impact Assessment (DPIA)?
Yes, you should undertake a DPIA to help identify and minimise the data protection risks of your Nf2f project. This is especially pertinent for Nf2f clinics where processing is likely to result in a high risk to individuals.
For example, data processed by primary and secondary care across a number of organisations in an asynchronous model.
To assess the level of risk, both the likelihood and severity of any impact on individuals must be considered.
Here’s a good example of a DPIA completed by NHS Leeds CCG for a Teledermatology Project. This provides a practical example of the level of consideration required when you plan an Nf2f clinic.
Having read the above example, now consider the data protection requirements for your model. You can use the ICO sample DPIA template to document your projects data protection considerations and needs.
Who has clinical responsibility in an Nf2f model?
Clinical responsibility for patients being managed in Nf2f models is a complex area that requires careful consideration. In some instances, it might be clear who has responsibility. However, it could be a more complex situation that is dependent on the type of Nf2f model you’re planning and your discussions with key partners.
Below are examples of Nf2f models and the key considerations when it comes to clinical responsibility.
Clinical responsibility in synchronous Nf2f outpatient models
Telemedicine
| Telephone | Web-based/video applications |
| Clinician to patient telephone interactions are clear – responsibility for the patient remains with the clinician making the phone call and running the remote consultation. | Clinician to patient web-based/ video application (such as Skype) interactions are clear – responsibility for the patient remains with the clinician making the video call and running the remote consultation. |
Clinical responsibility in asynchronous Nf2f outpatient models
Clinical review/multidisciplinary
clinic review
| Simple asynchronous models | Advanced asynchronous models | MDT clinical reviews |
| In simple models, which may reflect an “advice and guidance” type of approach, the clinician might not have the full clinical picture or access to the patient record. Therefore, the clinical responsibility often remains with the clinician seeking advice. | In more advanced models, where integrated systems enable full record sharing, there are varied options as to whether responsibility remains with the referring clinician or the clinician undertaking the clinical review. | In MDT clinical reviews, where secondary care or community care specialists may be providing advice to primary care clinicians, clinical responsibility might vary between the primary or secondary care clinicians. |
Online portals and apps
| Responsibility often lies with the team that has employed the app or portal as a tool. As these teams are responsible for collecting the data, they are clinically responsible for the patient. |
As set out above, you’ll see that the topic of clinical responsibility can be complex. It’s important to have early conversations with key partners to agree where clinical responsibility for the patient lies. This should include engaging with clinicians who will deliver the Nf2f models in these conversations. You can get further advice from your defence organisations. For example, Medical Defence Shield (MDS) or Medical Defence Union (MDU) will support local discussions.
You may also wish to consider written agreements between providers and the commissioner. These agreements should clearly define and document where responsibility lies. This can be formalised and included within a service level agreement (SLA).
Any indemnity related queries should be directed to NHS Resolution, given their lead role in compensation claims on behalf of the NHS in England. Any doctor who proposes to deliver Nf2f clinics should also check with their defence organisation whether they have sufficient cover, in case any other medico-legal problems arise.
As an example of good practice, this standard operating procedure (SOP) describes the processes required to run an Nf2f COPD clinic pilot. It also outlines the Information Governance, accountability and responsibility considerations of the pilot.