Managers could “stumble into illegality” by breaching the Data Protection Act as a result of the rapid structural reforms to the NHS, HSJ has learned.

The risks centre on emergent GP commissioning consortia and primary care trust clusters, and how they access sensitive information owned by established NHS commissioners.

Although PCT clusters are composed of statutory bodies with legitimate access to patient data, the Data Protection Act does not give them the automatic right to access all data for which PCTs have responsibility.

The south east London PCT cluster identified the issue as an “almost certain, catastrophic risk”. According to its board papers for May, “there is a risk that the cluster is accessing and processing patient identifiable data from PCTs in breach of the Data Protection Act”.

The Information Commissioner’s Office has powers to fine public bodies up to £500,000 for any such breach, and the cluster noted there were additional dangers of “reputational damage and civil action by any patients affected”.

Since the risk register was published, the south east London cluster has circulated an information governance framework which has been adopted by all of its local PCTs’ business support units.

Information Commissioner’s Office group manager for public services Dawn Monaghan said information governance should be dealt with at the beginning of a change process, “rather than bolted on”. Otherwise, “you might have stumbled into illegality”.

She told HSJ clusters should undertake a privacy impact assessment, and confirmed the office had spoken to strategic health authorities about the potential dangers posed by clustering.

NHS Confederation senior policy manager Frances Blunden said: “In the enthusiasm to make new ways of working, there’s a danger of overlooking very important things around data protection and information governance.

“This could be very widespread and has a lot of potential to undermine patient confidence in the NHS and ability to process, safeguard and use their info legally and safely.”

She added that the problem was showing up on risk registers “in organisations that are on the ball”. PCTs that were less conscious of the issue might be acting illegally without realising it.

Department of Health chief information officer Christine Connelly said she did not know whether there was any “innate risk” affecting data protection in the move to clusters and commissioning consortia.

She said: “PCT clusters are managing that risk of data – and individual PCTs are.”

However, she added that any change process increased the risk of data loss or inappropriate access.