“Outsourcing the work is not illegal and should be safe as long as the outsourcing companies handling private data are covered by British Data Protection legislation (as is the case with all UK based data management companies).

India does not offer the security provided by the Data Protection Act so British law does not apply and security relies more on trust and responsible management.
However the NHS should take note of what happened in the private medical sector when patient record handling was outsourced to India.

http://www.dailymail.co.uk/news/article-1221186/Private-medical-records-sale-Harley-Street-clinic-patients-files-outsourced-input--end-black-market.html

"The confidential medical records of patients treated at one of Britain¿s top private hospitals have been illegally sold to undercover investigators.

Hundreds of files containing intimate details of patients¿ conditions, home addresses and dates of birth are being offered for as little as £4 each.

The files were sold by two men who claimed to have gained access to the information from IT companies in India, where thousands of British medical records are sent every year to be computerised".

There is always security a risk with ANY network based computer data distribution system, breaking Data protection laws in the UK will lead to severe penalties, including imprisonment.”

“There are questions on the legality of this, as it means that town hall officials and suchlike may be able to access your medical records. This could have the detrimental effect of causing people to refuse to have serious conditions attended to ie: those of a sexual nature or mental health issues. There are some interesting sites on the internet. I wrote to Derbys Primary Care Services to ask them to clarify. Six months have passed and there has been no reply ...”