NHS England’s use and sharing of confidential data is starting to look positively sinister to me, and no, this is far from an outbreak of tin foil hat paranoia on my part. Let me explain.
Deep in the bowels of NHS Digital’s website you will find details of a significant change to the way that the records your GP holds are accessed and used.
The title “General Practice Data for Planning and Research (GPDPR)” looks extraordinarily dull, off-putting and techie. The message is clear: move along, nothing to see here. Except that there’s a lot to see if you look a little deeper.
The web page contains the details of a massive data extraction exercise covering all the records held by family doctors in England. The site explains that this is “to support health and care planning and research” and that the exercise will also “reduce burden on GP practices, allowing doctors and other staff to focus on patient care” (sic). Who wouldn’t support either of those?
Perhaps, in the case of this exercise, because it involves the skimming and the storage of potentially highly-sensitive information about you, including your sexuality and sexual health, in an enormous database that can and will be shared.
NHS data, because there is much more than just the records held by your GP, is already passed on to a bewildering number of organisations. NHS Digital’s Data Access Request Service (DARS), which talks about its “products”, maintains a register of these.
A lot of the information releases I looked at when I downloaded this went to various parts of the NHS. But I also found numerous universities, local councils, government bodies, regulatory agencies, and, most disturbing of all to me, commercial organisations listed.
For example, the register shows seven separate datasets were shared with a company called Harvey Walsh, which says it delivers “the solutions and informatics that pharmaceutical and device companies need to gain successful market access”, among other things. There were a further eight handed to a data company called Method Analytics which lists both public and private sector organisations as clients.
In both cases, some of that data was classified as “sensitive”.
Many of the releases on the register were compliant with the data sharing code of practice operated by the Information Commissioner’s Office (ICO), including the releases to Harvey Walsh and Method Analytics were marked as compliant with the code.
However, A significant number of cases were not listed as non-compliant.
Shockingly, patient opt-outs were frequently not observed because the register says “data flow is not identifiable”.
However, some data releases for other organisations said: “Patient objections upheld”. In these cases, opt-outs were observed. So what if those objections weren’t upheld? Or even made?
The more I dug into the issue, the more I found my head starting to hurt. Is my data going to find its way into the hands of some organisations if I approach my GP for help? “Patient X gets headaches when investigating grotesque abuses of patient privacy by NHS Digital. Diagnosed paracetamol.”
We need to talk some more about those opt-outs because there is one specifically available for this exercise – but it is far from easy to access. It is called a Type 1 Opt-out and if you don’t register for it by 1 July, your data will be scraped and stored, although you can still avoid sharing future treatments you may obtain through your GP by registering after that date.
The problem with this is that to obtain an opt-out, you have to register it by submitting a letter to your GP practice. Have you tried to access yours recently? Many remain closed because, obviously, there’s a pandemic on.
You could try booking a phone appointment but how do you think your overworked doctor is going to feel about you taking one of those away from someone who might be very sick for the purposes of avoiding government/corporate use?
By the way, you have to secure a separate opt-out, a national data opt-out, to avoid NHS Digital sharing your data.
All this ought to be easy. You should just be able to tick a digital box. The fact that it is not is indicative of a disgracefully cavalier approach by NHS Digital, and it serves as a damning indictment of Matt Hancock’s Department of Health, on the direction of which this is occurring.
That department may soon be under new management thanks to Dominic “Mark Anthony” Cummings sticking the knife into Hancock, as well as his boss Boris Johnson, over their handling of the pandemic.
But will the new person at the top change anything? And, by the way, why on earth is this even happening in the middle of a pandemic anyway? P.S. In case you were worried, there is a separate collection of data related to that.
NHS Digital said the ICO had not objected to its plans, and that it was in the process of delivering a data protection impact assessment.” It should be noted that the ICO has its critics and is soon to be updated.
NHS Digital says it “has engaged with the British Medical Association (BMA), Royal College of GPs (RCGP) and the National Data Guardian (NDG) to ensure relevant safeguards are in place for patients and GP practices”.
But it’s interesting to consider the lengthy joint statement of the first two of those bodies. It says that they are “broadly supportive of the principles of the new collection in seeing fewer extracts of data and a reduced administrative burden for general practice”.
That’s some way short of an endorsement, which the NHS Digital website does rather imply, and the pair also stress the importance to patients of the data being “made available for appropriate purposes in a secure and trusted manner”.
Is it? I’m not at all sure about that. The information is supposed to be anonymised but Phil Booth, from the watchdog MedConfidential describes this process rather as “pseudonymised” which I think is apt given that it features things like your date of birth and your postcode “in unique coded form”. He points out that the process can also be reversed by NHS Digital because it controls the software.
Foxglove, a team of lawyers, tech experts and communications specialists campaigning against the misuse of data by governments and big companies, says: “It is insulting and unfair to try and force through such huge changes to how NHS data is used, with profound implications for how the health service functions in the future, by attempting to slip it past the British people.
“Matt Hancock wants to make the data of 55m people available to ‘third parties’ which could include big tech and pharmaceutical firms. Handing the personal and sensitive data of tens of millions of patients away to private companies – without telling them – could seriously damage trust in the NHS.”
Booth says he’s not against data being used for the purposes of research and health planning. But he says that if it’s done, it must be handled with transparency and, crucially, with consent. He also picks up the point about trust, which he says represents a huge risk in this exercise: “If a patient cannot trust that what they tell their doctor is in confidence then they might not tell them at all.”
Precisely. Trust in the NHS is also crucial at a time when it needs to convince people of the safety and efficacy of vaccines. NHS Digital’s behaviour here puts trust at risk too, and it’s frankly unforgivable.