Data protection and the NHS | Letters
The General Data Protection Regulation does not require organisations to contact consumers to obtain approval for further communications (however the contact details were originally collected). And it certainly doesn't require NHS trusts to "get explicit permissions from patients" to send appointment reminders (New data law raises fears for NHS messages to patients, 19 May). That some NHS trusts are apparently under this misapprehension (which is as a result of confusion regarding GDPR and the 2003 regulations relating to the sending of electronic direct marketing) is concerning. A reminder message is both a very useful service for a patient, and a sensible way of avoiding the cost to the NHS of missed appointments. What it is definitely not, however, is a direct marketing message.
Indeed, if NHS trusts are using patient data in this way, and if the result is some patients wrongly not getting reminders, those trusts are arguably breaching the existing data protection law that requires data to be "adequate" for the purposes for which it is held.
Jon Baines
Data protection adviser, Mishcon de Reya LLP