Lawyers have warned of the legal limits on sharing information with private companies when running preventative initiatives after a primary care trust was found to have broken the Data Protection Act.

The Information Commissioner found NHS Bournemouth and Poole had breached the act by passing patient information to a company it had commissioned to carry out NHS health checks without patients’ consent.

Contact details of 3,700 patients identified as likely to benefit from a cardiovascular health check were passed from GP practices to Enhanced Healthcare Services. One patient complained after being telephoned by the company.

In a report to last week’s trust board meeting, Bournemouth and Poole interim chief executive Suzanne Rastrick said the ICO had upheld the complaint and found that the first principle of the act, that personal data shall be processed fairly and lawfully, was breached by the PCT.

She said the ICO had decided not to take any regulatory action on this occasion “due to the information governance processes that the PCT can demonstrate are in place” and because the PCT had agreed to write to all of the patients who were contacted by the firm.

HSJ understands the PCT does have procedures in place but on this occasion they were not followed.

Anne Crofts, partner at DAC Beachcroft, told HSJ the NHS had “historically” worked on an “implied consent model” where there is an assumption patients consent to their confidential data being used by the team involved in the care episode the patient has initiated. However, she warned there were “particular issues” with preventative risk stratification exercises like Bournemouth and Poole’s.

“The difficulty arises here when the patient hasn’t initiated the contact,” she said. “If the patient doesn’t know beforehand their confidential information will be shared and how they could object you can’t assume that consent is freely given.”

Mills and Reeve Associate Lucy Johnston told HSJ a solution would have been for the GP practice to send out the letters on behalf of the company inviting patients to contact the company directly.

“There is an increased sensitivity amongst patients around sharing information with new and private providers (as opposed to NHS organisations).  This requires careful thought and management,” she said.

An ongoing review of the Caldicott principles of patient confidentiality, due to report in March next year, is expected to provide further advice and guidance on sharing information with independent sector providers.