Not without consent: Legal risks for NHS data sharing

25th Oct 2021

Published in PharmaTimes magazine - October 2021

James Castro Edwards explores NHS Digital’s new initiative – the General Practice Data for Planning and Research – and considers if individuals should opt out of having their data collected and shared

Extracts from NHS England’s 61 million users’ medical records are set to be collected in a centralised database as part of a new initiative, the General Practice Data for Planning and Research (‘GPDPR’). The GPDPR aims to assist NHS Digital in long-term health and care planning, as well as providing a resource in situations such as responding to the COVID-19 pandemic. However, critics of the scheme describe it as a ‘data grab’, and cite numerous examples of where the NHS has damaged public trust.

NHS Digital announced the scheme on 12th May of this year, with a deadline for opting out set for 23 June. This was pushed back to 25 August, following pressure from the Doctors’ Association UK, and may be delayed further still. However, it has been suggested that the scheme has been implemented ‘under cover of darkness’ and many people may be unaware of it. Given the controversy surrounding the GPDPR, should individuals opt out of having their data collected and shared, and what risks do they face if they do not?

Background

NHS Digital is the national custodian for health and care data in England. It is responsible for standardising, collecting, analysing, publishing and sharing data and information from the health and social care system, which includes general practice. NHS Digital collects, processes and makes data available in order to improve health and care. It aims to make improvements by simplifying processes, reducing the burden on GPs, and enabling them to focus on patient care. According to its website, NHS Digital uses data to support planning and research, for example, deciding where to provide new clinics or GP services. It also uses data for purposes such as informing guidance, government response and vaccine planning, in circumstances such as the COVID-19 pandemic.

NHS Digital is responsible for maintaining data security in relation to the GPDPR. It also permits individuals to opt out of having their data collected and/or shared. On its website, NHS Digital explains that it will only share data with trusted NHS and research organisations that will use it for the benefit of health and care. These organisations include NHS planners, university researchers and scientists who are researching medicines. NHS Digital specifically states that it will never share it for marketing, commercial or insurance purposes, and that it will not sell individuals’ data.

For the past ten years, NHS Digital has collected patient data from general practice, using a service called the General Practice Extraction Service (GPES). According to the NHS Digital website, the GPES now needs to be replaced. Patient data collected from general practice aids understanding as to whether the health and care system is working. The GPDPR is intended to fulfil the same functions as the GPES.

Additionally, it is intended to help support the planning and commissioning of healthcare services, develop health and care policy, monitor public health and interventions such as the COVID-19 response. For instance, the GPDPR aims to assist research into the long-term impact of coronavirus on the population, analyse healthcare inequalities and research and develop cures for serious illnesses.

Under the scheme, NHS Digital will share data from GPs’ medical records about any living patient (both adults and children) registered at a GP practice in England. It will also share data relating to deceased patients that were previously registered at a GP practice in England. NHS Digital will not collect patients’ names or addresses, NHS number, date of birth or postcode. Instead, these identifiers will be replaced with unique codes, using de-identification software, so that individual patients cannot be identified. This technique is known as ‘pseudonymisation’.

According to its website, NHS Digital will collect the following types of data:

  • Data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments, including information about physical, mental and sexual health
  • Data on sex, ethnicity and sexual orientation
  • Data about staff who have treated patients.

However, it will not collect the following information:

  • Name and address (except for postcode, protected in a unique coded form)
  • Written notes (free text), such as the details of conversations with doctors and nurses
  • Images, letters and documents
  • Coded data that is not needed due to its age – for example medication, referral and appointment data that is over ten years old
  • Coded data that GPs are not permitted to share by law – for example certain codes about IVF treatment, and certain information about gender re-assignment.

According to NHS Digital, data collection will now only begin when the following criteria have been met:

  • The ability for patients to opt out or back in to sharing their GP data with NHS Digital, with data being deleted even if it has been uploaded, and outstanding opt outs being processed.
  • A Trusted Research Environment is available where approved researchers can work securely on de-identified patient data which does not leave the environment, offering further protections and privacy while enabling collaboration amongst trusted researchers to further benefit patients.
  • A campaign of engagement and communication has increased public awareness of the programme, explaining how data is used and patient choices.

Risks

While the aims of the GPDPR are laudable, the NHS has a chequered history when it comes to handling patients’ data. NHS Trusts have regularly found themselves under the scrutiny of the Information Commissioner, which enforces the UK GDPR and the Data Protection Act 2018. For instance, in 2015, health records of patients of the Royal Free London Trust were shared with Google DeepMind, in breach of the Data Protection Act 1998 (the then applicable data protection legislation).

In 2019, the NHS was reportedly found to have sold patients’ data to US and other pharmaceutical companies, without the knowledge of the affected individuals. More recently, the NHS reportedly shared patient data with US data analytics company Palantir, in an effort to respond to the pandemic.

There are two main areas of risk; the first is where the personal data is disclosed or accessed as a result of a security breach. This can cover a broad range of incidents: from accidentally losing patients’ personal data to deliberate cyber-attacks by organised crime groups or nation states. Accidental losses include mishaps such as emailing a patient’s notes to an unintended recipient or leaving a hard-copy file on a train. Cyber attacks include phishing emails and ransomware attacks.

During the pandemic, the health sector became a target for hacking attacks, which were frequently believed to have been carried out by hostile nation states. Organisations that suffer data security breaches as a result of their carelessness risk fines under applicable data protection law, but this does little to undo the potential distress that an affected patient may have suffered.

The other area of risk is where data is used in a way that breaches the UK GDPR principle of ‘lawfulness, fairness and transparency’; for instance, selling patients’ personal data to third parties such as analytics companies, without the affected individuals’ knowledge. In this instance, breaches may be motivated by financial considerations, since patients’ health data may be very valuable. This type of activity is frequently very complex and difficult to detect, so that affected individuals may be completely unaware that such ‘hidden processing’ is taking place.

Conclusion

For NHS users in England, assuming that the scheme goes ahead, the pertinent question is whether to opt out or not. By participating in the GPDPR, individuals may be making a contribution (albeit a small one) to improving the future health and care service across the country. The initiative includes measures to protect patients’ data, in particular, by attempting to render information anonymous and limiting the third-party recipients and purposes for which data may be shared.

However, these security measures are not foolproof and the risk remains of a security breach, whether through innocent or careless mistake or a malicious actor. There is also the risk of questionable data sharing with third parties. Perhaps the critical consideration is whether we should trust the NHS, or perhaps more pertinently, the government, with our most intimate information.

James Castro Edwards is counsel at Arnold & Porter
