More than one million patients opted out of NHS data-sharing in a single month – a huge backlash against plans to consolidate personal records from GP surgeries across England into a centralised database that can be accessed by researchers and commercial companies outside of the health service. Privacy campaigners have raised serious concerns about plans from NHS Digital, which will see the medical histories of more than 55 million patients in England imported into a new database, including mental and sexual health data, criminal records, and more sensitive information.
Following the outcry, NHS Digital pushed back the deadline to opt-out from June 23 to September 1, 2021 to allow more time for those concerned to remove their health records from the database. However, figures published exclusively by The Observer have now revealed the sheer number of people who have decided to opt-out ahead of the deadline.
With more than one million expressing their discontent with the scheme, it’s unsurprisingly that the data-grab is now under threat. NHS Digital has made a number of concessions to privacy campaigners to try to salvage the plan, dubbed the General Practice Data for Planning and Research.
NHS Digital has abandoned its September 1, 2021 but no new launch date has been announced. For those who were concerned about the data-grab, but hadn’t yet had a chance to fill-out the paperwork and submit it to their GP surgery …this is very good news. There is no chance of your health records being siphoned into a central database anytime soon.
To assuage fears, NHS Digital will begin a so-called “listening exercise” before launching a public information campaign to increase awareness of the plans ahead of the new deadline… whenever that will be.
Even before the consultation process begins, NHS Digital has offered a huge concession to campaigners – patients will be allowed to request the removal of their data at any stage. Health records that have already been added to the database can be removed at a later date, if you missed the original deadline, for example.
Previously, NHS Digital had warned anyone who opted-out after the deadline would see future health data removed from the database. However, all historic data would still stay available to researchers, academic and commercial partners of the NHS.
NHS Digital has also pledged to boost the security and privacy of the data stored.
The centralised database will include a number of sensitive health categories, including mental and sexual health data, criminal records, full postcode and date of birth. Earlier this year, NHS Digital confirmed that anything that could be used to identify you from your GP records would be pseudonymised before it’s uploaded. However, the code to unscramble the anonymised data will be held by the NHS.
This rang alarm bells with a number of privacy campaigners as it’s a very different approach than the biggest tech companies, including Apple and WhatsApp, which do not store the digital keys that could unscramble the anonymised data. That’s why Apple refused to help FBI investigators who hoped to unlock an iPhone owned by one of the terrorist suspects.
According to Apple CEO Tim Cook, “In today’s digital world, the ‘key’ to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks – from restaurants and banks to stores and homes. No reasonable person would find that acceptable.”
NHS Digital will hold the keys to unlock its anonymised data, but says it will “only ever re-identify the data if there was a lawful reason to do so and it would need to be compliant with data protection law”. In an example scenario of why medical records would be un-scrambled to reveal the identity of the patient, NHS Digital adds: “a patient may have agreed to take part in a research project or clinical trial and has already provided consent to their data being shared with the researchers for this purpose.”
Speaking about the indefinite delay to the data-grab, a spokesperson for NHS Digital said: “Patient data is vital to healthcare planning and research. It is being used to develop treatments for cancer, diabetes, long Covid and heart disease, and to plan how NHS services recover from Covid. Medical research and planning benefits all of us but is only as good as the data it is based on.
“The better the quantity and quality of data collected, the more useful it is for researching new treatments or for planning good, sustainable NHS services to meet patients’ needs, so it is vital people make an informed decision about sharing their data. We take our responsibility to safeguard data very seriously, and it will only ever be used by organisations that have a legal basis and legitimate need to use it for the benefit of health and care planning and research.
“We have listened to feedback on proposals and will continue working with patients, clinicians, researchers and charities to inform further safeguards, reduce the bureaucratic burden on GPs and step-up communications for GPs and the public ahead of implementing the programme.”