Private firms can already get their hands on your NHS records
Analysis: A new law could weaken protections for our NHS data. But it can already be accessed without consent
Campaigners are rightly concerned that the Data Protection and Digital Information Bill winding its way through Parliament will, if passed, undermine many of the current protections for our personal health data. It will, for instance, lower the threshold for its use in scientific research by changing the definition of scientific research to include anything, including commercial activities, that can 'reasonably' be described as such.
But what’s often overlooked is that existing legislation already allows the government and public bodies to access our health records for purposes other than our direct care without our consent.
Our NHS records, in addition to supporting our direct care, are hugely valuable for planning services, ensuring public health, and supporting scientific research. The government also believes this data should be used to help grow the UK’s economy and as this bill and other indicators show, wants to reduce legal protections to make it readily available to the world of commerce.
While many of us are willing for our personal health data to be used for the public benefit, only a small minority want it to be shared with commercial companies. At the same time, lack of investment in technology and IT training means the NHS has become hugely dependent on private, largely multinational, companies for IT infrastructure and data processing services. This is despite evidence showing a number of the multinationals profiting from NHS contracts have tarnished records in terms of probity and data breaches.
The Covid-19 public inquiry is a historic chance to find out what really happened.
Key sites for the exploitation of our personal health data include the 42 semi-autonomous NHS organisations known as Integrated Care Systems (ICSs). These have replaced a truly national health service across England and drive a ‘transformation’ of the NHS that will undermine it as a universal and comprehensive service.
ICSs came into being on 1 July 2022. They are charged with bringing together NHS organisations such as hospital trusts and GP practices with local councils and others – including private companies – to provide local health and care services. This ‘integration’ allows the vast pooling of citizens’ data, offering the ICS (and NHS leaders) the unprecedented detail needed to meet central demands for ‘value’ and improved outcomes in health. It’s an approach that relies on a data-driven methodology for identifying the high-risk, potentially high-cost individuals who may benefit from interventions that may prevent health deterioration and expensive hospital admissions. In contrast, those individuals judged to be less at risk are encouraged to adopt digitally-delivered ‘self-care’ and/or healthy lifestyles.
In this way data has become the bedrock of the NHS and it begs the question of how, in the context of such structural upheaval and shift in ethos, is the use of our data being governed and our privacy safeguarded?
Research by the Keep Our NHS (KONP) Data Working Group, in collaboration with a local campaign group, has begun to explore this to provide a snapshot of how patients’ health data were accessed and used by the private firms on one London ICS in the early months of 2023. Information was gleaned from a variety of sources, such as the ICS’s governing board’s papers, its governance handbook, the ICS’s website, and Freedom of Information (FOI) requests, as well as by word of mouth. We focus here on the legal basis the ICS used for processing our personal data, which may provide an indication of what’s happening elsewhere.
Legal access to data
All ICSs are required by the UK General Data Protection Regulation (GDPR) to provide the public with a ‘plain English’ explanation (so-called fair processing or privacy notices) about why they collect patient data in certain circumstances, who they share it with, and the contact details of the relevant data controllers and data protection officers. In practice, in the case of the ICS we studied, it is surprisingly unclear how patients are provided with privacy notices, or how understandable these are.
The notices also outline the rights of the individual, including their right to object to their data being used. However, it will also explain this right can be overridden by an ICS to comply with its legal obligations. Most of these obligations are set out in very broad terms by the Health and Social Care Act (2012) and include duties to “improve the quality of services”; “reduce inequalities”; and “exercise functions effectively, efficiently and economically”. Where compliance with these obligations involves the processing of patient data, this can be done without the individual’s consent – even if the data remains in an identifiable form (as it needs to for some purposes) – provided an appropriate lawful basis is identified.
GDPR gives six lawful bases that allow data processing, the most relevant in this context being:
- ‘consent’ (where there is a positive opt-in)
- ‘legal obligation’ (where processing is necessary to comply with a common law or statutory duty)
- ‘public task‘ (where processing is necessary in order to carry out a specific task in the public interest that is set out in law, or ‘in the exercise of official authority, covering public functions and powers set out in law’. In terms of the NHS, it is the duties of the ICS (outlined above) that are set out in law.
The data privacy notice published by ‘our’ ICS (as with notices we have seen from other ICSs) draws on the ‘public task’ basis, stating its processing of personal data is supported by conditions set out in GDPR, specifically in Article 6(1)(e) and Article 9(2) (h). It also mentioned an individual’s rights established under UK case law known as the Common Law Duty of Confidentiality. This duty must be upheld in circumstances where there is an expectation of confidentiality, such as within a clinical encounter. Yet, again, the information can be lawfully disclosed without consent when disclosure is ‘in the public interest ‘ – or when there is a legal duty to disclose.
All this suggests that, while we believe our personal health data is currently protected by legislation, in practice existing safeguards can be trumped by what is argued to be the broader public interest.
The NHS’s valuable store of data has been founded on public trust. If this trust is lost, as the National Data Guardian observes, “things will fall apart”: there will be serious implications both for patients, who may feel they can no longer fully confide in their healthcare team, and for the integrity of the NHS data set and its unique value for research and planning.
So as well as resisting proposed legislation that will make our personal health data even more vulnerable, we need to demand improvements to existing data safeguards.
Get our weekly email