UK institutional “data breach” … HSCIC asks for an inconsistent consent …

By | Tuesday February 21st, 2017

A recent decision of the Information Commissioner’s Office ( has manifested a fear that for years affected the UK (and not only) and that it is the focus of the discussions between the associations for the protection of clients/patients/data subjects.

The above document states that the British “Data Controller” has experienced an anomaly related to the possibility that patients give their consent to the processing of personal data for purposes other than direct care …

In particular, in January 2014, HSCIC offered patients the chance to opt-out of their personal confidential information, through the so-called “type 2 objection”, thus choosing to accept or deny the use of their confidential information “uses other than direct care” …

The disruption behind the incident consisted in not giving the correspondence between the choice of the patient and the effect on the data processing of the latter.

Actually, the cause is imputable to a combination of technical issues combined with regulatory limits that in some cases have recommended HSCIC to share information with third parties, confident to have the legitimacy to go against the wish of the patient.

ICO states that “HSCIC was not able to collect, record or implement the type 2 objections registered by patients with their GPs” (GPs refers essentially to the MMG).

The incident involved about 700,000 patients.

Such example is similar to the separate collection procedure conducted in certain Italian cities, started before the existence of waste disposal sites … but this transition can go on for years … for personal data protection this approach is unacceptable …

Following the direction of the Secretary of State on health issues (Direction to HSCIC of April 15, 2016), certain regulatory preconditions have been created in order to implement the opt out requests of patients.

However, ICO has adopted a measure divided into 7 points against the abovementioned behavior of HSCIC.

Basically, ICO enforces HSCIC to remedy, within 3/6 months (this does not refer to a range of time but to different measures with different timings), the conduct which violated the Data Protection Act,

tempi di adeguamento alla decisione dello ICO

through the adoption of procedures that implement the “type 2 objection”, report the illegality of patient data collected between 2014 and 2016 to those who have been shared with, as well as the destruction of databases interested by the unlawful conduct.

We look forward to any developments …


Category: Data Breach Impact, Risk and Measures Legal framework

About riccardo.abeti

Partner in EXP legal - Professional Association, operates mainly in the areas of Information and Communication Technology law, Data Protection and Corporate Criminal Responsibility. For over 15 years provides legal and organizational assistance, writing decrees for public administrations, contracts, guidelines, policies and procedures, providing advices, conducting impact assessments, designes systems of information flow management (optimization of existing processes, implementation of new processes and procedures) and providing teaching activities in areas in which is specialized. He has managed and still manages project teams and human resources using own proven project management skills. It is often involved in public consultations, in order to make a contribution to the many issues discussed, for example, by the Personal Data Protection Authority.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.