According to the ICO, there were 388 data breaches relating to health data in the first nine months of 2013. That is 34% of all the data breaches in the UK during the same period, and the proportion has increased from 27% at the end of March to 38% by the end of September 2013. The chart below compares the number data breach levels by industry sector over the same period. Given the sensitivity of the health data held by medical organisations in this country, those are shocking statistics.
Centralised medical records database
Despite this poor track record, very soon the NHS is going to combine all our medical records into one massive database. Every GP practice in the UK will shortly begin to disclose their patients’ personal and sensitive data to care.data at the Health and Social Care information Centre (HSCIC). The process is monthly, automatic, and assumes patient consent unless patients actively opt out – which is not necessarily a simple process.
So what does this mean to patients? Essentially, personal confidential data (PCD) such as family history, vaccinations, diagnoses, referrals, blood pressure, BMI, cholesterol and NHS prescriptions and more will be extracted from GP systems and shared with care.data.
In order to match data from the GP surgeries with data acquired by the HSCIC from other sources (such as hospitals) identifying data such as data of birth, postcode, NHS number and gender will be included within the data extracts. Once matched across all the data sources, the data is pseudonymised (ie identifying characteristics are removed).
Once an individual is flagged as “deceased” no further data will be collected – though the data already provided will continue to be processed by the HSCIC.
If it were possible to trust the security and intentions of those collecting the data, there are some fantastic potential benefits, for example improved patient care; the effective prevention, treatment and management of illness; hospital performance, management of NHS resources; or the analysis and understanding of specific treatment benefits; even planning new health services.
What are the risks?
The poor track record of the NHS in terms of protecting our medical data is alarming and raises concerns over confidentiality of our medical records. In addition, there are increasing numbers of private companies who provide services to the NHS, from physiotherapists to care homes; from private hospitals to insurance companies. Members of the public are likely to be uneasy about private companies benefiting from their health data, and equally concerned that their GP will no longer be the “gatekeeper” of their confidential medical data.
Furthermore, although the data will be pseudonymised, single-minded analysts may undoubtedly try and will probably succeed to some degree in finding a way of matching the data against other commercial data sets to “re-identify” the individuals.
Who can use the data?
The data can be released for five listed reasons: health intelligence, health improvement, audit, health service research and service planning. That’s a pretty broad spectrum, and it is evident that the number and range of potential customers for this centralised database of our medical records is enormous.
For example, how long it will be before insurers persuade the HSCIC that it is to the benefit of the health and social care system that they should model and predict medical claims rates based on the UK’s centralised medical database, and use the findings to price their medical insurance policies accordingly.
Can GP practices opt out?
The Health and Social Care Act 2012 creates a statutory obligation for GP practices to disclose the information as directed. GPs are unable to refuse to do so as such refusal would put them in breach of the statutory requirement.
But because the GP practice is actually the “data controller” of their patients’ confidential medical records, GP practices are also responsible for ensuring that their patients’ personal and sensitive data is handled fairly (as defined under the Data Protection Act 1998).
So it is up to GPs to ensure that patients are aware that their data will be shared with the HSCIC, that the HSCIC has powers to extract personal confidential data, and, arguably, what the HSCIC intends to do with the data.
And if a patient claims they were unaware that their data was to be shared, it would be the GP practice who would be investigated by the ICO.
The GP practices remain data controllers of the data they hold within the practice, but are no longer responsible for the data once it has been disclosed to the HSCIC. Instead the HSCIC and NHS England become joint data controllers who are obliged to comply with the Data Protection Act. NHS England will determine the “Purpose” for the data collection, while the HSCIC will determine the manner of processing.
How do patients opt out?
Normally one would expect the sharing of data of this sensitivity and confidentiality to be subject to patient opt-in, rather than the NHS assuming consent. However, the Health and Social Care Act 2012 empowers the HSCIC to require providers (eg your GP practice) to send it personal confidential data when directed to do so. And the Act overrides the requirement to seek patient consent.
A patient can inform their GP of their wish to opt out, and no reason is required. It is worth noting that the right to opt out has been implemented as a constitutional rather than a legal right. Having opted out, it is up to the GP practice to ensure that the right code is appended to the legal record.
However, the patient has no right to prevent his or her medical data leaving the GP practice if such data carries no identifiable information as this is anonymous data rather than personal data. The question, really, is what is “identifiable information”? It is DOB? Arguably in some circumstances, it may be. And surely an NHS number is identifiable information.
The Secretary of State for Health has given a commitment that individuals’ objections to disclosure ot the HSCIC will be respected in “all but exceptional circumstance” (for example, a civil emergency).
Is the process compliant?
You could argue that this data sharing activity defies the second principle of the Data Protection Act: “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with the purpose or those purposes”. In my view, you don’t talk to your doctor about a medical condition for any purpose other than to have him solve – or try to solve the problem for you. And while that may include prescriptions, or visits to consultants, hospitals and clinics, making our medical records data available to commercial organisations cannot possibly be considered the “Purpose”.