There is arguably a well-established legal and regulatory framework for sharing healthcare data, which can be summarised in headline terms as follows:
Since 25 May 2018, access to patient health records has been governed by the EU General Data Protection Regulation (GDPR), enacted by the Data Protection Act 2018.
The NHS Constitution states that patients have the right to privacy and confidentiality, the right to expect the NHS to keep patient confidential information safe and secure, and the right to be informed about how their information is used. Patients also have the right to request that their confidential information is not used beyond their own care and treatment.
In November 2014, Dame Fiona Caldicott was appointed as the first National Data Guardian (NDG) for health and care, to ensure patient trust in the use of their data and to review the balance between the protection and sharing of this data. The Health and Social Care (National Data Guardian) Act 2018 placed the role on a statutory footing.
On 25 May 2018, NHS Digital launched the national data opt-out programme, a tool that allows patients to choose to opt out of their data being shared outside of the NHS.
However, the framework is not foolproof – public confidence in the security of their healthcare data is likely to have been affected by a number of recent breaches:
The 2017 Wannacry ransomware attack affected 80 NHS Trusts, plus a further 603 primary care and other organisations, at an estimated cost of £92 million. None of the 80 NHS Trusts affected by WannaCry had applied an advised Microsoft patch update.
Dame Fiona Caldicott concluded in 2017 that data was improperly shared between the Royal Free NHS Trust and Google DeepMind, which had been given access to five years’ worth of data from 1.6 million patients.
In 2018, Bupa was fined £175,000 after an employee was able to extract the personal information of 547,000 Bupa Global customers and offer it for sale on the dark web.
Public concern over data sharing came to the fore in 2016, when the government attempted to launch Care.data, a system to extract and link large amounts of data collected as part of NHS care. Following concerns over the opt-out system in place and over patient confidentiality, the scheme was first suspended, then closed.
This may be as much a public health matter as a technical matter: “Public trust in the Health Service’s ability and willingness to safeguard their privacy is a cornerstone of the NHS. If the public stop trusting that the information they share with their clinicians will remain private, then it may become impossible to obtain the level of candour required for effective, safe treatment, posing risks to public health” 1.
Against this background, government is planning the launch of the General Practice Data for Planning and Research (GPDPR) programme. The programme, which will involve the daily collection of GP data to support health and care planning and research, has been deferred in the face of public concern. NHS Digital, which leads the programme, will use the additional time to speak with patients, doctors, health charities and others.
The Patient Experience Library was asked to conduct a rapid literature review to be presented to a group of charities: National Voices, Healthwatch England, the Richmond Group and the Patients’ Association. They will use the results of the literature review as a basis for understanding public concerns about use of healthcare data, and to develop a set of patient-centred principles which will be recommended to NHS Digital.