Control of sorts over personal data for UK healthcare patients

By EDRi · March 21, 2018

NHS Digital, the provider of data and IT systems for the National Health Service (NHS) in the United Kingdom, has announced plans to roll out a new system by March 2018 as part of the national data opt-out. This is intended to allow patients to choose whether or not their personal identifiable data is used for reasons other than their personal health care, such as for planning and research purposes.

It will purportedly involve patients making an “informed decision” about how their data is used via an online application and “additional mechanisms”, namely the ability to opt out offline by registering their choices with their General Practitioner (GP). Significantly, NHS Digital notes that patients will be able to “change their mind anytime”. This will replace the existing opt-outs, whereby a patient has to register with their GP to prevent their data leaving NHS Digital.

The National Data Opt-out Programme is the result of a review published by the UK National Data Guardian, Dame Fiona Caldicott, entitled “Data Security, Consent and Opt-out”, which suggests that public understanding of how health data is collected, protected and used needs to increase. The review also notes that the use of personal data is essential to providing high-quality care, and that any new system would benefit from a “high degree of trust in NHS organisations to look after people’s data”. This is despite the UK public health service having experienced huge data losses (e.g. the 864 000 pieces of data that were mislaid between GPs and hospitals between 2011 and 2016), ransomware attacks (i.e. WannaCry in 2017), and unregulated data donations (i.e. the Google DeepMind deal). Indeed, the National Data Guardian also urged caution over the security of data management systems, offering 10 suggestions on data security standards.

The UK Government responded to these with the report “Your Data: Better Security, Better Choice, Better Care”.

On the value of using patients’ data generally, both the UK Government and NHS Digital cite improved quality of care, facilitating medical research breakthroughs, and increased efficiency of healthcare systems as the main drivers for re-purposing the information gleaned from health and care records.

This sentiment is echoed by the European Commission Taskforce on Health and Digital policies, which envisions a system that “would harness the power of data exchange across different ecosystems (digital and health), in a way that generates new knowledge and translates this knowledge into better care services, early diagnosis and treatment of disease all across the EU”.

As in other economic sectors, it is important not to overlook the risks of digitalising the health sector, and to address them properly. For instance, the collection and processing of health data should comply with existing data protection provisions of the General Data Protection Regulation (GDPR). In the case of mobile health (m-health), for example, a strong ePrivacy regulation is required that would protect electronic communications content.

In addition, any data-driven project should be designed unambiguously, with users’ meaningful and informed consent in mind, and in a secure way. Poorly executed data gathering, analytics, and handling may present security risks and result in breaches that lower trust, thereby dissuading individuals from seeking treatment.

NHS Digital: National Data Opt-out Programme
https://digital.nhs.uk/national-data-opt-out

National Data Guardian for Health and Care Review of Data Security, Consent and Opt-Outs
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/535024/data-security-review.PDF

NHS data loss scandal deepens with further 162,000 files missing (16.10.2017)
https://www.theguardian.com/society/2017/oct/16/nhs-data-loss-scandal-deepens-with-162000-more-files-missing

NHS could have avoided WannaCry hack with “basic IT security”, says report (27.10.2017)
https://www.theguardian.com/technology/2017/oct/27/nhs-could-have-avoided-wannacry-hack-basic-it-security-national-audit-office

Google DeepMind and healthcare in an age of algorithms
https://link.springer.com/article/10.1007/s12553-017-0179-1

Taskforce to take Health and Digital policies further (27.02.2017)
https://ec.europa.eu/digital-single-market/en/blog/taskforce-take-health-and-digital-policies-further

(Contribution by Gemma Shields, EDRi intern)
