NHS England’s plans for use of our personal data leave me very worried

Trust in the health service is vital at a time when it needs to convince people of the safety and efficacy of vaccines, but NHS Digital is putting that trust at risk

James Moore
Friday 28 May 2021 08:45 EDT
NHS data-sharing plans are a concern to privacy groups (iStock/Getty Images)


NHS England’s use and sharing of confidential data is starting to look positively sinister to me, and no, this is far from an outbreak of tin foil hat paranoia on my part. Let me explain.

Deep in the bowels of NHS Digital’s website you will find details of a significant change to the way that the records your GP holds are accessed and used.

The title “General Practice Data for Planning and Research (GPDPR)” looks extraordinarily dull, off-putting and techie. The message is clear: move along, nothing to see here. Except that there’s a lot to see if you look a little deeper.

The web page contains the details of a massive data extraction exercise covering all the records held by family doctors in England. The site explains that this is “to support health and care planning and research” and that the exercise will also “reduce burden on GP practices, allowing doctors and other staff to focus on patient care” (sic). Who wouldn’t support either of those?

Perhaps you wouldn’t, in the case of this exercise, because it involves the skimming and the storage of potentially highly sensitive information about you, including your sexuality and sexual health, in an enormous database that can and will be shared.

NHS data, because there is much more than just the records held by your GP, is already passed on to a bewildering number of organisations. NHS Digital’s Data Access Request Service (DARS), which talks about its “products”, maintains a register of these.

A lot of the information releases I looked at when I downloaded this went to various parts of the NHS. But I also found numerous universities, local councils, government bodies, regulatory agencies, and, most disturbing of all to me, commercial organisations listed.

For example, the register shows seven separate datasets were shared with a company called Harvey Walsh, which says it delivers “the solutions and informatics that pharmaceutical and device companies need to gain successful market access”, among other things. There were a further eight handed to a data company called Method Analytics which lists both public and private sector organisations as clients.

In both cases, some of that data was classified as “sensitive”.

Many of the releases on the register were marked as compliant with the data sharing code of practice operated by the Information Commissioner’s Office (ICO), including the releases to Harvey Walsh and Method Analytics.

However, a significant number of cases were not listed as non-compliant.

Shockingly, patient opt-outs were frequently not observed because the register says “data flow is not identifiable”.

However, some data releases for other organisations said: “Patient objections upheld”. In these cases, opt-outs were observed. So what if those objections weren’t upheld? Or even made?

The more I dug into the issue, the more I found my head starting to hurt. Is my data going to find its way into the hands of some organisations if I approach my GP for help? “Patient X gets headaches when investigating grotesque abuses of patient privacy by NHS Digital. Diagnosed paracetamol.”

We need to talk some more about those opt-outs because there is one specifically available for this exercise – but it is far from easy to access. It is called a Type 1 Opt-out and if you don’t register for it by 1 July, your data will be scraped and stored, although you can still avoid sharing future treatments you may obtain through your GP by registering after that date.

The problem with this is that to obtain an opt-out, you have to register it by submitting a letter to your GP practice. Have you tried to access yours recently? Many remain closed because, obviously, there’s a pandemic on.

You could try booking a phone appointment but how do you think your overworked doctor is going to feel about you taking one of those away from someone who might be very sick for the purposes of avoiding government/corporate use?

By the way, you have to secure a separate opt-out, a national data opt-out, to avoid NHS Digital sharing your data.

All this ought to be easy. You should just be able to tick a digital box. The fact that it is not is indicative of a disgracefully cavalier approach by NHS Digital, and it serves as a damning indictment of Matt Hancock’s Department of Health, on the direction of which this is occurring.

That department may soon be under new management thanks to Dominic “Mark Anthony” Cummings sticking the knife into Hancock, as well as his boss Boris Johnson, over their handling of the pandemic.

But will the new person at the top change anything? And, by the way, why on earth is this even happening in the middle of a pandemic anyway? P.S. In case you were worried, there is a separate collection of data related to that.

NHS Digital said the ICO had not objected to its plans, and that it was in the process of delivering a data protection impact assessment. It should be noted that the ICO has its critics and is soon to be updated.

NHS Digital says it “has engaged with the British Medical Association (BMA), Royal College of GPs (RCGP) and the National Data Guardian (NDG) to ensure relevant safeguards are in place for patients and GP practices”.

But it’s interesting to consider the lengthy joint statement of the first two of those bodies. It says that they are “broadly supportive of the principles of the new collection in seeing fewer extracts of data and a reduced administrative burden for general practice”.

That’s some way short of an endorsement, which the NHS Digital website does rather imply, and the pair also stress the importance to patients of the data being “made available for appropriate purposes in a secure and trusted manner”.

Is it? I’m not at all sure about that. The information is supposed to be anonymised, but Phil Booth, from the watchdog MedConfidential, describes this process rather as “pseudonymised”, which I think is apt given that it features things like your date of birth and your postcode “in unique coded form”. He points out that the process can also be reversed by NHS Digital because it controls the software.

Foxglove, a team of lawyers, tech experts and communications specialists campaigning against the misuse of data by governments and big companies, says: “It is insulting and unfair to try and force through such huge changes to how NHS data is used, with profound implications for how the health service functions in the future, by attempting to slip it past the British people.

“Matt Hancock wants to make the data of 55m people available to ‘third parties’ which could include big tech and pharmaceutical firms. Handing the personal and sensitive data of tens of millions of patients away to private companies – without telling them – could seriously damage trust in the NHS.”

Booth says he’s not against data being used for the purposes of research and health planning. But he says that if it’s done, it must be handled with transparency and, crucially, with consent. He also picks up the point about trust, which he says represents a huge risk in this exercise: “If a patient cannot trust that what they tell their doctor is in confidence then they might not tell them at all.”

Precisely. Trust in the NHS is also crucial at a time when it needs to convince people of the safety and efficacy of vaccines. NHS Digital’s behaviour here puts trust at risk too, and it’s frankly unforgivable.
