Public trust in the government looking after our NHS data is at an all-time low following revelations that health care data were being sold on to large commercial organisations for insurance purposes and of serious data breaches of identifiable patient data leaking into the public domain. It resulted in the BMA, RCGPs and medConfidential spear-heading an opt-out campaign against government plans to link England-wide aggregated patient data collected from GP practices with hospital admissions/ episode data in a scheme know as Care.data. On 7 May, Parliament has a chance to start listening.

Commercial exploitation of data is not new. We allow supermarkets, train companies, utilities and banks to use our data in return for nectar points, loyalty cards and the like. But since the time of Hippocrates, information about patients has been recognized as special and sacrosanct.

Doctors are bound by a special duty of confidentiality. Laws underpin it. We go to our doctors when we are at our most vulnerable. We share our innermost thoughts and worst fears. Terminal illnesses, miscarriages, sexually transmitted diseases, domestic violence, unemployment or work stresses are ‘routine’ diagnoses for the medical profession, yet they are also deeply personal and often tragic for the patient.

Sharing these with trusted doctors and health professionals is a big step for many. Knowing that commercial companies could exploit what we or the doctor might say – for example, to decide whether we or others are too costly to treat, or to target marketing of drugs, health insurance or user charges – makes that big step even bigger. 

For over 60 years the NHS has cherished and protected our data through public ownership and control and strong legal safeguards. Aggregated data has flowed for public interest purposes – such as to the national Statistics Authority and to cancer registries, and to generate public health statistics to inform planning, medical audit and monitoring of inequalities. There are no recorded incidents of researchers having abused their privileged access.

But public trust has now been undermined by the government decision to deliver NHS care through a market. Billions of pounds of NHS money are now flowing to companies such as Serco, Group4, Virgin and United Health – even to private insurance companies.

In 2012 the government scrapped its legal duty to secure a comprehensive health service.

These companies can provide both NHS-funded and privately-funded care to the same patient and in the same episode of care, regardless of need or ability to pay. So what happens to our NHS data where it is generated through commercial transactions and will be collected, stored and used by the private sector?

True, a patient can consent for their data to be used, but in a vulnerable position it is a brave patient who will refuse consent if they are told it will help coordinate and plan their care or that lack of data might prevent the best care being made available. Opting in will destroy national statistics built up over more than a century and will seriously impair research into the patterns and causes of diseases, access to care and the effectiveness of interventions over the long term. Opting- out may have similar consequences.

But if we agree to share our data with the private sector what happens to the data afterwards? What is to stop Virgin or Group 4 selling on our data that is generated through commercial contracts with NHS commissioners, or using it to help set up patient charges and insurance?

Under the old rules, confidential patient data was basically allowed to be shared for two reasons only – for national statistics and for medical purposes (known as “Section 251 approvals”). Section 251 approvals allow research and monitoring of infectious diseases, cancers and various other purposes but only by health professionals and their equivalents.

Part 9 of the Health and Social Care Act 2012 opened up commercial access by allowing companies to request the establishment of information systems for their use. NHS England has already told the Health and Social Care Information Centre (HSCIC) to require care providers to upload identifiable data.

Once at HSCIC our data can be sold on to companies if “in connection with the provision of health care or adult social care”. Unlike the old “medical purposes” exemption, this new formulation is so vague and ill-defined it can extend to insurance and marketing, billing and invoicing, and targeting eligible and ineligible patients. One patient’s data can be used to deny others care. In other words, the government has made patient data into an asset to be traded in the market place, equating the public interest with commodification.

The pharmaceutical companies and commercial sector argue that great gains can come from having access to patient data. Even if this were true, there is legal provision for this already in section 251. Every other researcher and research institution has to seek section 251 approvals now, so there is no need to expand the provisions to wider purposes. And separate laws govern drug trials in any case.

So what is to be done to the Care Bill on 7 May? Everything flows from the law. All commercial exploitation of data has to stop and be put on hold. Private companies cannot be free to sell on our data and trade it on the open market.

In the long term we need to think hard about the impact of commercialisation of services and data on the public interest.

For now, we’ve proposed three amendments for the Lords to consider. Public trust cannot be expected without legal measures to protect patients and our data from being exploited for private gain. We argue that can only happen if patients give their consent to this, although the meaning of consent when given from a position of vulnerability is itself questionable, and that research can only take place if it is in the public interest and for medical purposes as set out in Section 251. We also insist on keeping parliamentary, or at least independent, oversight of the HSCIC’s operation, under the auspices of the Information Guardian. The Committee which oversees 251 approvals cannot be stretched to do this.

The Academy of Royal Medical Colleges made up of 21 Medical Colleges met last week to discuss how to restore public trust. They and the statistical bodies must now give their backing to strong legislation which will put the public interest and patients before commercial interests. If they fail to do this, they will themselves further dent public trust and confidence in the government’s system for the protection of patient information.