Under plans to simplify patients' rights to opt out of sharing data held in medical records, the government has set out proposals to scrap the 'type 1 opt-out' - which currently allows patients to insist that no identifiable data should be shared outside their GP practice for purposes beyond their direct care.
The government plans to implement a single opt-out system, following proposals from the national data guardian (NDG) in response to a consultation on the current model.
In a report published on Wednesday, the government said: 'The NDG recommended a new opt-out to give people a clear choice about how their personal confidential data is used for purposes beyond their direct care.
'We endorse the NDG’s proposed national opt-out and intend to implement it, whilst taking the time needed to get it right. The new opt-out will clarify how people can opt out, recognising that information will flow where there is a mandatory legal requirement, an overriding public interest or other exceptional cases. Individuals will be able to make their choice known online as well as in person.'
But BMA medical ethics committee chair Dr John Chisholm said: 'Doctors have serious concerns about the removal of patients’ right to opt out of having their details sent from their GP surgery to NHS Digital, without first putting in place the necessary protections and guarantees about how this information will be used.
'The current arrangement between NHS Digital and the Home Office, in which the Home Office can request confidential patient information for immigration purposes, is undermining patient trust in how their confidential information is used.'
He warned that the current arrangement used a lower threshold for sharing patient data than required by the GMC.
'The BMA believes there needs to be a higher threshold for releasing information from NHS Digital to the Home Office, and independent oversight of disclosures before the removal of the opt-out,' Dr Chisholm added.
'If patients don’t have confidence in the system, not only does it damage the doctor-patient relationship, there is also a real risk that some will be put off visiting their GP, which could have serious public health implications.'
The government has also announced a £50m investment alongside measures to tighten up data and cyber security across the NHS and in GP practices.
The changes also follow the WannaCry ransomware attack that severely affected the NHS earlier this year and left many GP practices unable to operate fully.
The report says NHS Digital will develop and implement a mechanism to de-identify data as it is collected from GP practices by September 2019.
It will also start to broadcast alerts about cyber threats ‘to mitigate immediate risks with cyber security’.
GP IT systems
The government will work alongside GP systems suppliers to make sure the technology used in general practice is ‘secure by default’, and will work ‘with the primary care community to ensure that data security training meets its specific needs’.
From November, data security will form part of the CQC’s role in determining how well-led a practice is and work has already begun to find the fastest and most cost-effective way to move the NHS away from unsupported computer operating systems, including Windows XP.
Health minister Lord O’Shaughnessy said: ‘The NHS has a long history of safeguarding confidential data, but with the growing threat of cyber-attacks including the WannaCry ransomware attack in May, this government has acted to protect information across the NHS.’
RCGP chair Professor Helen Stokes-Lampard said: 'Robust cyber-security and effective, safe data sharing between healthcare professionals are both imperative to ensure our patients receive the best possible care right across the NHS.
'The cyber-attack in April was a wake-up call to many of us working in the health service about the fragility of the IT systems we are using, not just to keep our patients’ data safe, but to keep our surgeries functioning. Dame Fiona Caldicott put forward some excellent recommendations, including more investment and the need for suitable alert systems, in her report earlier this year, and we are encouraged that the DH plans to adopt these standards in full – and has already done so in some cases.'
Professor Stokes-Lampard added that the college welcomed 'a phased approach to introducing a transparent national opt-out scheme for data and information sharing'
She said: 'Sharing of patient data between healthcare professionals can result in higher quality, faster and more integrated care. There are also significant benefits, particularly for medical research, to sharing properly anonymised patient data on a large scale, with approved research bodies.
'What is essential is that the NHS is beyond reproach when it comes to the use of patient data for any purpose, that patients have trust in the way their data is being used, and that they are confident it will be kept secure. We still need to do more to get the message across to patients about the great potential benefits of data-sharing and reassure them that their data really will be secure, and used responsibly for the benefit of everyone’s health.'