Are doctors practices unlawfully spying on patients?

Published : Saturday 17 August 2019

NHS organisations using information gleaned from social media about individuals has legal data protection implications ...

Please note: this content is 5 years old. It may be of lower quality or no longer accurate.

The internet is now a huge part of many people’s lives, from being a never-ending resource of information, entertainment, online shopping to online banking and healthcare.

Social media has seen explosive growth as a means to connect to people, communicate, interact and share ideas, and in many ways, it has become the new public square.

With all this personal data floating around, much of it public, people need to be increasingly aware of how it might impact their privacy and security, but there are limits to what legitimate law-abiding organisations can do with it within the scope of the law.

Culcheth Medical Centre

On the 14th August 2019, a letter surfaced alleging to be from Culcheth Medical Centre in Warrington, UK.  The letter appeared to be to a patient who had posted comments online regarding the practice. The letter specifically references that the person in question posted a link to a public CQC (Care Quality Commission) inspection report on a forum via Warrington Guardian Facebook page.

(Click for full resolution)

Credit: Twitter @kieran_walshe

The sinister letter states that “you may be aware the practice monitors social media” and that “these [comments] have been seen by the managers and staff members, as well as GP Partners” and “politely” asks the individual to find another practice.

Ironically, Culcheth’s CQC report states that the GP Practice “requires improvement” pointing out specifically their process for handling complaints.

This isn’t the first time this sort of oppressive conduct has come to light but perhaps this is the clearest evidence of how the information is then used to target patients if you don’t comply with authoratarian policies.

(Click for full resolution)

credit: Twitter @stendec6

The wonderful thing about the internet is that it provides an opportunity to engage with people, learn from them and improve services. Outright trying to ban it is at best highly questionable and reflective of the organisation’s culture and attitude to patients. However, more than this, organisations using information gleaned from social media about individuals has legal data protection implications.

Data Protection Law

It is important at this point to highlight that as the author of this blog I am not legally qualified. These are personal opinions based on my own experience and research which I have done when addressing my own challenges with respect to the NHS and data protection.

Data Protection legislation sets out clear laws and principles which all organisations must abide by when processing personal information and this includes public domain data such as social media.

With the introduction of EU GDPR (General Data Protection Regulation) in May 2018 these rights were reaffirmed and strengthened across the EU, and indeed many other countries around the world are following suit.

Where an organisation is processing your personal data about you, among many requirements:

  • they must have a legal basis, 
  • you have a right to know and 
  • the processing must not be reasonable or excessive. 

Where there is a breach the ICO (Information Commissioners Office) who preside over Data Protection in the UK should take action, but usually don’t, and you also have the right to sue for damages.

It certainly appears as if this practice is processing social media and other data gleaned online about patients.

What’s the precedent?

A useful case to reference is Halliday Vs Consumer Finance Ltd from 2013 in which the claimant was awarded £750 for the breaches of data protection alone. It’s possible that further damages may be awarded depending on the circumstances surrounding the case.

In another case, the Met Police’s LGBT Twitter account embroiled itself in a bizarre online attack against an individual who had questioned their policy.

In the online exchange, it was apparent that the Met Police had used police systems to look into the individual’s background and made reference to the individuals family.

Credit: YouTube Crimebodge

Putting aside their perverse use of “open source”, a formal police complaint was raised and subsequently kicked through the long grass until unsurprisingly the response absolved the Met of any wrongdoing.

From the claimants perspective, it was evident police systems had been used to look into the individual online and breached data protection. The claimant went on to sue the Met Police for the breach as well as harassment and eventually settled out of court for £2,750. This included £1500 for 2 beaches of the data protection act.

What of the spying doctors practices?

This particular issue does appear to relate to the individual’s online activity which wasn’t expressly sent to the doctor’s practice, furthermore by the practices own admission it would appear they are trawling the internet.

It remains unclear how many patients have been caught up in this latest scandal or how many other doctors practices are doing the same but it is far from an isolated problem.

The matter has been raised with the ICO along with NHS England. The ICO has yet to respond however NHS England have indicated the matter has been addressed:

“Thank you for getting in touch regarding Culcheth Medical Centre. We have been advised by the Clinical Commissioning Group (CCG) that all patients at Culcheth Medical Centre will be receiving apology letters from the practice who have been affected by this. I hope this answers your concerns.”

An apology is certainly the first step but this does not address the wider issue and it is doubtful patients will have it explained to them that this behaviour is not only tantamount to bullying but also likely to be unlawful and therefore opening up the possibility they are due compensation.

Given previous experiences, it is hard to imagine NHS England, the ICO or the PHSO (Parliamentary and Health Service Ombudsman) doing any more, let alone setting the record straight to ensure patients are treated fairly and legally throughout the NHS.

As for the professional bodies they represent the interest of their members, not patients.


The NHS does not have a great track record when it comes to personal data, whether it is problems relating to the privacy and security of medical records, unlawful sharing or just denying individuals their basics right.

This is yet another example which serves to highlight what many patients are facing. This oppressive overbearing culture is designed to make patients fearful of raising concerns due to the implications it might have for their care.

We can only imagine what goes through a practices mind when making such decisions but it is clearly unacceptable, probably unlawful and certainly not in the interest of patients.

While more may unfold as a result of this case, sadly, given the lacklustre attitude of national bodies and regulators, it’s unlikely we will see a real change any time soon.

Please feel free to reach out to me on social media if you have more information relating to this or similar cases. I can’t promise to solve your problems, but together we can highlight issues and improve healthcare for everyone.


Dan's Blog

Information Technology, programming, health, fitness and photography enthusiast.

  • Not a writer.
  • All views are my own.
  • Offence is optional.
  • Do your own research.

Post by tag