London Metropolitan University professor of international law Douwe Korff told MPs the 'opt out' rather than 'opt in' system used for the records fails to comply with a European directive that patients must provide informed consent.
Uploading and disclosing records of patients who have not opted out could fall foul of the law. 'The European Court of Justice has been strict in applying these principles,' Professor Korff told the committee.
He pointed to situations where patients would have a 'reasonable objection' to their details being put on the database, such as where they were HIV positive or had an abortion years ago. Under European law, only anonymised data can be passed on for research, auditing and commissioning without the consent of the individual, he added.
The practice in England, where names are omitted but postcodes and dates of birth accompany medical records, does not comply with this requirement, he said.
Patient Concern co-director Joyce Robins said: 'It is.terrifyingly easy to access personal information. There are only 12 houses on my street, so I am.totally identified.'
But Information Commissioner's Office assistant commissioner Jonathan Bamford did not agree that the electronic patient record system would pave the way for litigation, saying the European directive was too vague.