Summary
In light of recent ICB decisions to cap funded text messaging, general practices have been encouraged to adopt email as a routine method of patient communication. As this is a change in practice, GPs must ensure they comply with UK GDPR, patient confidentiality and consent requirements. This includes identifying the lawful basis for processing, normally “public task”; meeting transparency requirements through an updated privacy notice; and identifying and mitigating risks through a Data Protection Impact Assessment.
Patients should be informed of the change, its benefits, and other considerations, such as shared email access, updating contact details, and their preferences for communication. Practices may also want to consider the use of encrypted emails for sensitive information and ensure compliance with NHS and ICO guidelines on patient communications.
Background
Londonwide LMCs have received queries from practices in relation to the use of patient email addresses to routinely contact or communicate with patients. This is mainly due to several ICBs’ recent decisions to cap funded SMS messages for practices and their advice to move to emails as a standard method of contacting patients.
This change has opened some questions around compliance with data protection legislation, patient confidentiality and consent. This guidance describes a number of factors that need to be considered by practices when using emails to contact patients.
The content of the email and whether it is necessary for the patient’s care or whether it might be seen as direct marketing.
The ICO has provided guidance on direct marketing and the public sector. The majority of messages that a GP practice sends to a patient, whether SMS or email, will be necessary for their task/function and are not direct marketing. If the email promotes any third-party services, then the practice needs to be clear why this is necessary for providing care to the patient, so it is not considered direct marketing.
The lawful basis under UK General Data Protection Regulation (GDPR) by which the practice is processing the data
Normally, the lawful basis would be UK GDPR Article 6(1)(e), public task, and the patient is not required to give consent. However, a patient has the right to object to their email address being used under this lawful basis, and the practice may only continue emailing them if it can demonstrate compelling legitimate grounds that override the patient’s interests, rights and freedoms. In practice, the practice may explain to the patient why certain messages relating to their direct care are sent by email and record their preference.
If the practice has instead relied on consent as its lawful basis for communicating with patients, the patient has the right to withdraw that consent at any time, and the practice must then stop using their email address to communicate with them.
Other things to consider are whether the email is encrypted and, if so, whether the patient has to register with a portal to open it; and whether the email content contains any patient identifiable or confidential information. Where the content includes health information, this is special category data and an Article 9 condition (in a direct care setting, Article 9(2)(h), provision of health or social care) must apply in addition to the Article 6 lawful basis.
Transparency and reasonable expectations of the patient
Practices also need to check what information they have in their Privacy Notice in relation to communicating with patients and how they have highlighted the move to using emails more routinely. This is to meet transparency requirements and reasonable expectations of the patient.
If practices have not already done so, they should communicate to their patients the move to using emails more routinely and why, the benefits of doing so and the things for patients to consider. For example:
- Whether anyone else has access to their email account and, if so, whether they would be happy for that person to see any messages received;
- It is the patient’s responsibility to check that the email address in their GP record is correct. Patients may also want to ensure the practice holds an up-to-date alternative method of contact, e.g. a telephone number, in case an email fails to arrive, and should check their email settings so that practice emails are not automatically moved to the junk folder.
- Patients can change their preferences about how they are contacted at any time; these preferences are recorded in their record and respected. For children, and for adults who lack capacity, someone with parental responsibility or with power of attorney for that person can set this preference on their behalf.
- Practices should have procedures in place to regularly remind patients to check and update their contact details and preferences.
Confidentiality and consent
If the practice relies on the lawful basis of public task, it does not need consent, explicit or implied, for data protection purposes. The common law duty of confidentiality is a separate requirement: here the practice can rely on the patient’s implied consent, provided it was clear to the patient, when they supplied their email address, that it would be used in this way.
The online GP registration form issued on 1 October 2024 also has a paper version. The paper form mirrors the questions on the online registration form, and it states, in the “Details of patient registering” section, that:
‘The NHS and your GP surgery can use these details to call, text or email you about health care services. All phone numbers must be registered in the UK.’
There is no option to select a preference on the new form. Each London sector may have historically used their own patient registration form, which may or may not have had a statement like the one above. Practices would need to check when the patient registered with them and what form they were using at the time.
Risk management of pre-existing patients
In relation to pre-existing patients, the practice is recommended to undertake a Data Protection Impact Assessment to assess the risks to patients of sending communications by email, e.g. confidentiality where email accounts are shared, or children who are competent to make their own decisions; and to put mitigations in place for such risks, e.g. deciding what is appropriate to send in an email and whether clinical information should instead be shared via a portal requiring user verification.
NHS England has published guidance on email and text message communications, which recommends that organisations have a regularly reviewed policy on the use of text messages and email to communicate with their patients, and provides a policy template for use if required. That guidance was reviewed by the Health and Care Information Governance Working Group, which includes the Information Commissioner’s Office (ICO) and the National Data Guardian (NDG).