Data security: Will new consent and opt-out plans protect our personal health information?

The recent review of data security, consent and opt-outs lead to the demise of, but it may not yet herald a new era of transparency over what is happening with our personal data, says Dr Neil Bhatia.

So is finally dead. It is no more, it has ceased to be, it's expired and gone to meet its maker - to paraphrase the great Monty Python. 

Many will not mourn its passing, it was after all a true omnishambles of a project, bereft of adequate planning or consultation, characterised by the arrogance of some who thought they could sneak such a controversial and profound plan under the radar of the public.

Thank goodness for those that challenged it, and for the press, national and medical, and social media, that relentlessly raised awareness of what was going to happen to our confidential personal data – to a public that otherwise would have understood little or nothing from a leaflet stuffed between take-away menus. Monty Python would have been proud of such a tragicomedy.

The toxic brand may be dead, but data sharing of medical records on an industrial scale is very much still on the agenda. Dame Fiona Caldicott’s review of data security, consent and opt-outs does provide some sensible advice. The recommendations to improve NHS data security are clear, and long overdue.

But it is the suggestion for a new model of consent and objections, to secondary uses, which poses the real problem. We know that patient hospital data has been given away and sometimes sold to many organisations, including insurance companies and government departments. Many were appalled at exactly who was getting hold of this information. The one positive legacy of was that we finally found out what had been going on.

The whole purpose of the recently-introduced 'Type 1' and 'Type 2' objections were to allow people to prohibit uses of their data in certain ways, with confidence, and in particular to prevent their information from being uploaded to the HSCIC.

Dame Caldicott's review says the proposed consent/opt-out model will need to be piloted extensively before being introduced. However the opt-out proposals are potentially open to abuse, if, as suggested, one option is to have ‘NHS’ and ‘research’ choices. It takes little for clever commercial organisations, and their lawyers, to assert that their data grab proposals come under the ‘NHS’ section.

No one is ever going to be able to prevent their information being used by organisations for purposes or research that they find ethically unacceptable, or by organisations that seek to privatise areas of the NHS, or by organisations that already might hold vast amounts of information about you. Many do not want their data to be used, ‘anonymised’ or otherwise, to further the interests of these entities, or in these ways.

No one denies that existing opt-out arrangements are a shambles. Current objections cross-react with each other, so that opting out of one data sharing scheme automatically and unexpectedly opts you out of another.

Conversely, opting out of secondary uses (the supposedly unitary and all-encompassing Type 1 opt-out) doesn’t actually opt you out of all secondary uses; so, for example, your GP surgery might still upload your identifiable information to your CCG, to be processed for risk stratification or commissioning purposes, despite your objection.

Not addressing these fundamental problems is a real missed opportunity. Trust lost is hard to win back, and people trust their GP with their information above almost all others in the NHS. Our relationship with our patients is utterly dependent on trust, and we jeopardise that at our peril.

Get it wrong – again – and we’ll all pay the price.

The DH is consulting on proposed new data security standards and the consent/opt-out model. You can access the consultation here. The consultation closes on 7 September.

Before commenting please read our rules for commenting on articles.

If you see a comment you find offensive, you can flag it as inappropriate. In the top right-hand corner of an individual comment, you will see 'flag as inappropriate'. Clicking this prompts us to review the comment. For further information see our rules for commenting on articles.

comments powered by Disqus