Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, who will hold data controllership for the Single Patient Record; and who will be liable should the patient data be misused.

The Single Patient Record (SPR) will improve outcomes for patients by giving professionals access to all the key information they need to deliver care, in one place, affording safer decision-making with fewer information gaps.

No decision has been made on the arrangements for how the SPR will be delivered, and what the implications are for data controllership.

We will be consulting with general practitioners through a series of national engagement events starting in June 2026. This follows our programme of deliberative engagement with the public in 2024, which aimed to understand how a SPR could be designed in a way that maximises benefits and is trusted by the public, and the outcomes from this engagement are helping to shape our approach to the SPR.

It is in the best interest of all parties to have an agreed position on key issues such as data controllership. Data controllership is a specific legal term under UK General Data Protection Regulation that reflects the reality on the ground of who decides what data is collected and how it is used. In effect, a data controller is a decision-maker on the use of data and is accountable for its use.

The following points are our starting position, which we look forward to discussing with the profession.

Health and care organisations will remain data controllers for the data they hold in their practices, and what they share with the SPR, to provide services to their patients.

Regulations made under the bill will require relevant health and care organisations, including general practices, to share relevant data with the SPR for the purpose of making it available to clinicians in different care settings, to improve the care of their patients.

Where, in accordance with the regulations, the SPR operator determines the means and purposes of processing data in the SPR, they will also become a data controller, with responsibilities to comply with the data protection legislation.

There is no date for publication of any legal or governance frameworks which will apply, although these will be published before any data is processed within the SPR.