Using data in the NHS: the implications of the opt-out and GDPR

Key messages

Patient data is not only vital for managing an individual’s care, it also plays an important role in other ways: planning health services, improving diagnosis and treatment and evaluating the effectiveness of policy. These ‘secondary uses’ of data offer significant opportunities to improve care, especially if advances in technology and data analysis can be harnessed.
Public confidence in data-sharing has been tested by several high-profile breaches of data security and confidentiality, while the NHS is still recovering from the controversy associated with the care.data programme. Nevertheless, the public trust NHS organisations to manage patient data, and there is strong support for data being shared to improve care and for further research.
Safeguards governing the secondary use of patient data have been strengthened in recent years and will be bolstered by the implementation of a new national data opt-out alongside the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018.
These changes will not have any impact on depersonalised datasets, so most secondary analysis and research will be unaffected. However, analysis that relies on using confidential patient information – including some of the national patient surveys and specific efforts to evaluate NHS services and conduct research – may be affected.
The consequences will depend on opt-out rates. If large numbers of people opt out of allowing confidential patient information to be used for research, this could affect the quality and validity of the data on which this research depends, potentially undermining important work to improve services and treatments.
National policy has to keep a balance between responding to legitimate public concern about the security and confidentiality of data and enabling data to be shared and used by NHS organisations and third parties. It is also essential that NHS national bodies are transparent with the public about how patient data is used.
NHS England and NHS Digital must ensure that opt-out levels are kept under review and put in place a long-term plan to promote the benefits of NHS organisations and third parties being able to access and use patient data. At the same time, NHS organisations must ensure they are beyond reproach in the way they use patient data.

Glossary: Where possible, we use terms suggested and tested by Understanding Patient Data; occasionally a technical term is used interchangeably as outlined below.
Individual care (sometimes ‘direct care’): data used for clinical, social or public health activities that aim to treat an individual or support prevention; also includes data used to assure quality of care in local audit and to measure the outcomes of care, where that is undertaken by teams involved in that individual’s care (National Data Guardian 2013).
Secondary use: data used for purposes other than individual care, such as improving services or research.
Confidential patient information: information that identifies an individual or could be used to identify an individual with other information that could be obtained by the user of the data, and also includes information collected by a professional who has a duty of confidence to the individual. For the purposes of this briefing, this will mostly mean health professionals.
Depersonalised data (sometimes ‘pseudonymised’ or ‘anonymised’): data in which key identifiers, such as name, have been removed.
Anonymous data (sometimes ‘aggregate’ or ‘statistical’): data rendered into a form that means individuals could not be identified; in practice, this will usually be aggregated, where individuals’ information has been pooled together into overall statistics.

Introduction

Every time a patient has an interaction with an NHS organisation, information is collected about them. Clinicians and NHS administrators collect this information on an individual’s care – for instance, so that there is a record of treatments or drugs they are given or so that hospital consultants can share their test results with GPs.

Patient data is also used for purposes that go beyond an individual’s care – to enable NHS organisations to understand the health needs of their local population, to monitor and manage services, and for research. Any use of data that goes beyond what is required for an individual’s care is known as a ‘secondary use’ – secondary to the original reason for collection.

Every time a patient has an interaction with an NHS organisation, information is collected about them. Clinicians and NHS administrators collect this information on an individual’s care – for instance, so that there is a record of treatments or drugs they are given or so that hospital consultants can share their test results with GPs.

The public trust NHS organisations more than any other institution with data (Ipsos MORI and Royal Statistical Society 2014), and there is strong public support for using patient data to further research and improve care (Chan et al 2016; Ipsos MORI 2016). Strict safeguards are in place for storing and managing patient data. These safeguards have been bolstered in recent years, partly in response to public concern about the loss of medical records and criticism of the care.data programme (see below). More broadly, public anxiety about how data is used has grown as a result of high-profile breaches of data security and confidentiality, for example, Facebook and Cambridge Analytica sharing data from online profiles without users’ consent and for unethical purposes (Bowcott and Hern 2018).

The safeguards governing the use of personal data, including patient data, are changing on 25 May 2018. This briefing explains the implications of these changes for the use of patient data. It does not attempt to provide guidance, but some guidance that might be helpful is signposted – for example:

What is patient data and how is it used?: Data in hospitals is captured in a patient administration system (PAS), or sometimes an electronic patient record, which records patients’ administrative details and some information about their interactions with the hospital (NHS Confederation 2017).
Some of the data held in PASs is collected by NHS Digital and is eventually made available in a depersonalised form as Hospital Episode Statistics (HES). HES is a database that contains details of all inpatient, outpatient and A&E activity in England (NHS Digital 2018d). HES data is used for analysing data about the number and type of patients treated and for producing performance data, for example, on how long patients wait in A&E departments. The data in HES is widely used by NHS organisations and researchers and has been the basis for thousands of academic articles, providing an evidence base for improving health. HES data also played an important role in uncovering the Mid Staffordshire scandal in 2009 (Triggle 2014).
Most, but not all, datasets are held centrally by NHS Digital. NHS Digital follows strict disclosure rules when publishing pooled data from HES to ensure patient confidentiality is maintained.
The story is slightly different in general practice. Every patient who interacts with a GP has an electronic medical record, which contains a wealth of data about patients; unlike in hospitals, however, this information is not routinely collected by NHS Digital and so there is no national GP data available for secondary uses. There are some data-sharing initiatives – for example, the Clinical Practice Research Datalink extracts data from GP practices that are signed up to the initiative and makes it accessible in a depersonalised format for research (Clinical Practice Research Datalink 2018).
There are also some local initiatives such as the Kent Integrated Dataset, which links data from most GP practices in Kent with secondary care and local council data (Local Government Association and Institute of Public Care 2016). The dataset is depersonalised, and additional safeguards are in place to prevent identification of individuals. Kent County Council has used this data to understand local service demand and evaluate its policies.
Linking data from different care settings, as in the Kent Integrated Dataset, is made possible by every patient in the NHS having a unique identifier, their NHS number. The NHS number makes it possible to link data from different care settings and sources before depersonalising the dataset.
The Local Health and Care Record Exemplar programme will support selected local areas to first join up patient data for individual care in local areas, and, once safeguards are in place, then begin to explore making local data available for secondary uses (Digital Health 2018). Even with local efforts to join up data, without a national programme for collecting general practice data there is no way of understanding activity in general practice as we understand activity for hospitals (Baird et al 2016). Furthermore, without GP data, we do not fully understand a patient’s care before hospital and out of hospital.

Why is patient data so important for supporting the NHS?

Patient data is used under strict regulation by NHS organisations, academic and commercial partners for a variety of reasons, including:

understanding disease
improving diagnosis
ensuring patient safety
planning NHS services
evaluating how effective NHS policy is.

Those planning health services or trying to understand the public’s health have been using information collected from patients for decades, if not longer. However, with advances in data analysis and greater availability of patient data in a useable format, there is increasing interest in how patient data might be used to drive improvements in care.

Any organisation using patient data must meet legal requirements and be able to demonstrate a clear benefit to the health and social care system of their work. No data can be shared for purely profit-making purposes (NHS Digital 2018c).

Understanding Patient Data – an organisation set up to support conversations with the public and health care professionals about health data – keeps an online resource of examples of how patient data is used for developing new treatments and improving care. Patient data is also used in the everyday running of the NHS: NHS organisations monitor any variations in the quality and effectiveness of care.

For example, the Haematological Malignancy Research Network collects information from every individual with blood cancer in Yorkshire and links this to various national data sources (Understanding Patient Data 2017a). This partnership between St James’s University Hospital diagnostic service, researchers and other hospitals allows doctors and researchers to better understand diagnosis and treatment of people with blood cancer.

In some cases, the NHS shares patient data with commercial organisations. For example, as part of a study looking at what happens to patients after they have been diagnosed with cancer, Monitor Deloitte (a company with data analytics expertise) was commissioned to analyse linked, depersonalised data from the National Cancer Intelligence Network and hospital data. Extra information governance procedures – such as depersonalising the data following linkage – were put in place to keep the patient data secure. Monitor Deloitte’s analysis found significant differences in survival rates and outcomes between different types of cancer (Understanding Patient Data 2017b).

The system for protecting patient data

Legal obligations for secondary uses of patient data

The Data Protection Act 1998 (DPA) was the primary route for ensuring that organisations look after personal data properly and inform people about how their data is going to be used: well-advertised privacy notices are often considered sufficient for this (Medical Research Council 2017). The DPA was superseded by the General Data Protection Regulations on 25 May (see below).

While consent is often not required to satisfy DPA obligations, it is usually required to satisfy the Common Law Duty of Confidentiality (CLDC). This is case law that has established that certain professionals, including doctors and nurses, have a duty of confidence towards their patients (Medical Research Council 2017). The CLDC ensures that information between a professional and patient will remain confidential, except in specific circumstances, and means that explicit consent should normally be sought to satisfy the duty of confidence for secondary uses.

In clinical settings, implied consent may be relied on for sharing confidential patient information for an individual’s care (National Data Guardian 2013). Where an individual’s care team is involved in local clinical audit (reviewing the care their patients have received and what improvements they might make (General Medical Council 2017), this is considered individual care and can be carried out with implied consent (National Data Guardian 2013).

Confidential patient information can also be disclosed without consent where the use can be shown to meet a public interest test or where there is another mandatory legal requirement for the data, such as a court order.

Guidance on seeking consent can be found in Information Governance Alliance guidance.

A fine line between individual care and secondary uses – the Royal Free/DeepMind Health data-sharing agreement: In 2016, DeepMind Health and the Royal Free NHS Foundation Trust announced a partnership to build an app called ‘Streams’, which uses an NHS-mandated algorithm, together with information about patients, to alert clinicians to the possibility of acute kidney injury (King 2017). The project garnered much attention as DeepMind Health is owned by Google and it is currently building artificial intelligence technologies, which have potential for healthcare (Harwich and Laycock 2018).
During this project, the Royal Free asked DeepMind to use confidential patient information of about 1.6 million of its patients. Critics expressed a number of concerns about this agreement, partly related to privacy and partly about the role of big technology firms in health care (Powles and Hodson 2017). One part of the controversy was that this data was arguably not being used for individual care – the Royal Free asked DeepMind to begin using patient information before clinicians used the app in care, to ensure it worked safely before deployment; the trust held that this amounted to individual care (Information Commissioner’s Office 2017c).
The Information Commissioner’s Office (ICO) and National Data Guardian disagreed with this assessment, saying that the testing of the app is a secondary use. This means that even though data shared as part of the delivery of care in the Streams app could count as individual care, testing would not. For this and other reasons, the ICO found that the Royal Free had failed to comply with the relevant legislation (Information Commissioner’s Office 2017b) and should have done more to make patients aware that DeepMind would be processing information on the Royal Free’s behalf.

Where it is not practical to get explicit consent to satisfy the CLDC, section 251 of the NHS Act permits the CLDC to be set aside for specific secondary uses (Health Research Authority 2018b). This requires organisations to apply to the Health Research Authority’s Confidentiality Advisory Group (CAG), which considers whether the secondary use can be achieved without access to confidential patient information and whether there is a specific medical purpose for the data being shared (Health Research Authority 2018b). This ensures that section 251 cannot be used for obtaining patient data for purely profit-making purposes or for non-health services.

Guidance on section 251 can be found on the Health Research Authority website.

Accessing confidential patient information through section 251

Applications for the use of identifiable confidential patient information under Section 251 are made by a range of organisations; the Health Research Authority keeps a register of approved applications (Health Research Authority 2018a). Under Section 251 organisations can also apply to obtain patients’ addresses; for example, the Cancer Patient Experience Survey, which needs to identify patients and contact eligible patients to ask them about the experience of care they have received.

‘Identifiers’ are not limited to names and addresses – NHS numbers are also considered identifiers. This means that section 251 support is often used when data users want to link datasets together.

If the use of confidential patient information for analysis can be avoided, this protects patients’ privacy and reduces the barriers for obtaining the information. If data is depersonalised to make it unlikely that patients can be identified, approval under section 251 is not required.

Using depersonalised patient data

Most analysis by the NHS and researchers uses depersonalised data. Data that is anonymised to the Information Commissioner’s Office (ICO) standards (Information Commissioner’s Office 2012) is not subject to restrictions in the Data Protection Act or the Common Law Duty of Confidentiality and can be shared more freely (Medical Research Council 2017).

However, there are still safeguards in place. Anyone wanting access to HES data has to submit an application to NHS Digital’s Data Access Request Service (DARS), which requires data users to sign up to a data-sharing agreement and adhere to strict information governance protocols (NHS Digital 2018b). The Care Act 2014 (2014) added legal restrictions requiring NHS Digital (then the Health and Social Care Information Centre) to make information available only if it supports the provision of health and social care or the promotion of health. Data cannot be shared for purely profit-making reasons.

In practice, though, with some detailed datasets complete anonymity is difficult to guarantee without losing some usefulness of the data. The ICO’s current guidance on anonymisation allows for a middle ground, ’depersonalisation’ or ‘pseudonymisation’, where identifiable information is removed (Information Commissioner’s Office 2012) and includes other safeguards, such as minimising the data that is released and keeping any information that could re-identify individuals in the dataset in a separate organisation. Pseudonymisation is a way of effectively reducing the risk of re-identification.

The use of depersonalised data presents a communications challenge for maintaining trust in data-sharing. The public tend to be happier with sharing when it is anonymous (Ipsos MORI 2016), but in practice this is hard to guarantee. The public recognise that data is never completely safe, but more needs to be done to communicate that risks of re-identification are very small when there are other safeguards in place.

Guidance on pseudonymisation and anonymisation can be found in the Information Commissioner’s Office Anonymisation code of practice

Changes to safeguards and care.data

Despite the existing safeguards, new attempts to make patient data available for secondary uses have attracted controversy. In the early 2000s, several accidental data losses attracted attention in the media and caused concern that NHS organisations were not taking data protection seriously.

In 2013, in response to growing unease about information governance, Dame Fiona Caldicott, the National Data Guardian, published her second review of information governance in health and social care (National Data Guardian 2013). Much of the review focused on clarifying principles of how to balance protection of patient data with the need to share information to improve care. It added an additional principle to those described in an earlier review (Department of Health and Caldicott 1997) which highlighted that the NHS has a duty to share information.

The review also recommended that patients should be able to request that their confidential information is not shared, and the Secretary of State accepted this recommendation, confirming that all patients would have the right to opt out of confidential personal information being shared for secondary uses (Digital Health 2013).

The care.data programme, which was announced shortly after the Secretary of State accepted the National Data Guardian’s recommendations, would have allowed data from GP records passed to NHS Digital to be anonymised and shared with NHS and third-party organisations in line with existing safeguards. Academic researchers, commercial organisations and others could request access to the data (Hoeksma 2014), though NHS organisations themselves would have been the biggest users.

Patients could opt out of care.data, but the programme was criticised for not having the right safeguards in place (Mann 2014) and for its public awareness campaign, which sent out information leaflets that resembled ‘pizza leaflets’ (Hoeksma 2014).

In early 2014, concerns about care.data reached their peak and NHS England postponed the plans.

Public awareness and attitudes towards data-sharing

Care.data represented a particular focal point for public and media scrutiny of patient data-sharing, possibly due to the perceived sensitivity of health information (Ipsos MORI and Joseph Rowntree Reform Trust 2014). Findings from the early 2000s demonstrated general concern and unawareness about how patient data is shared, showing that public fears were deep-rooted (Robling et al 2004).

The nature and ferocity of this distrust has not been limited to health care, as the recent outcry at the Facebook and Cambridge Analytica data-sharing has demonstrated (Bowcott and Hern 2018). While health data is considered by the public as some of the most sensitive data, research has also found that NHS organisations are the most trusted to handle data (Ipsos MORI and Royal Statistical Society 2014).

Despite this trust, many people express concerns about health data being used, especially without consent (Sterckx et al 2016). Putting safeguards in place does help to allay fears, but generally the public feel that all safeguards should be in place anyway (Ipsos MORI 2016). Additional safeguards are unlikely to boost confidence in patient data-sharing, where long-term public awareness and education are sorely needed.

These findings should be read in the context that the public is often very supportive of data-sharing when it is seen to have a public benefit. Patient data-sharing is no exception to this (Chan et al 2016). Other research has found that, when given time and information to consider patient data sharing, the public feel that the individual’s right to privacy should not stop research that benefits patients overall (Tully et al 2018).

Recent Healthwatch (2018) research has found that attitudes have been stable over the past few years. They urge policy-makers to continue a long-term public awareness campaign and remain beyond reproach in their use of health data.

Two different types of opt-outs were introduced under care.data, and their scope was later clarified (NHS Digital 2014):

type 1: an objection logged directly with a GP practice to prevent any confidential patient information leaving the practice for secondary uses
type 2: prevented any confidential patient information leaving the Health and Social Care Information Centre (now NHS Digital).

There were challenges with these. First, there was no central information about the people who had lodged a type 1 opt-out meaning that NHS Digital would not know the profile of those who were missing from their datasets. Type 2 opt-outs did not apply to information that was appropriately anonymised, meaning that NHS Digital would still be able to share complete depersonalised datasets (Department of Health 2016).

In 2015, the Secretary of State commissioned the National Data Guardian to undertake a third review, which was tasked with recommending a new national opt-out model for health and social care data. Following the publication of the review (National Data Guardian 2016), NHS England announced formally that care.data would be stopped, after being indefinitely paused since 2014.

A year later, after significant delays, the government published its response to the review and accepted the recommendation for a new national opt-out (Department of Health 2017).

How is the way the NHS handles patient data changing?

On 25 May 2018, the national data opt-out will be launched, alongside the new General Data Protection Regulation (GDPR). Both measures add new safeguards to the management of patient data and also explicitly aim to shore up public trust.

The national data opt-out

Patients and the public now have the opportunity to make an informed choice about whether they wish their confidential patient information to be used only for their individual care and treatment or also for research and planning purposes. The opt-out will have the following features.

It will be a single mechanism for recording opt-outs in a central database (rather than through GPs).
Patients can register their opt-out online or over the phone.
The opt-out will not apply to anonymous data or data that has been depersonalised in accordance with the ICO’s managing data protection risk code of practice (Information Commissioner’s Office 2012).
Some exemptions will exist where there is an overriding public interest or other legal basis, which aligns with legal exemptions from the Common Law Duty of Confidentiality. For example, the opt-out will not apply to patient data that is required for validating invoices for NHS care or where a court order has been obtained.
Two specific registries, one collecting data on all individuals with a cancer diagnosis and one on those with a rare disease, are exempt but they will continue to operate their own opt-outs.
Patients who have opted out can still give their consent for a specific use of data, like a specific research trial.
Existing type 1 opt-outs (those registered with GP practices) will be upheld until at least 2020. Existing type 2 opt-outs will be transferred to the new national data opt-out; those who have registered a type 2 opt-out will be contacted and informed of the changes (Stevens 2017).

The government’s response to Caldicott did not answer all the questions about the opt-out, for example:

What will the format and the wording of the opt-out be?
At what point will the opt-out apply?
What patient data is in scope of the opt-out?

The first of these questions has been answered in part, as it was confirmed in March that the opt-out would be a single question covering both research and planning (Heather 2018b).

Patients and the public now have the opportunity to make an informed choice about whether they wish their confidential patient information to be used only for their individual care and treatment or also for research and planning purposes.

The second question has also been answered; organisations have been informed that the opt-out will apply when the purpose of the data use changes rather than when the data leaves the NHS organisation that collected the data (NHS Digital 2018e). For example, a trust would need to apply the opt-out to patient data if its use changed from individual care to research (unless the data is going directly to NHS Digital, who apply the opt-out themselves).

The third question is the one with the most wide-ranging implications. Type 2 opt-outs, as well as other guidance for what qualifies as sensitive health information, refer to ‘confidential patient information’, which is defined as: identifiable, relating to a patient’s health or care, and covered by a duty of confidentiality (NHS Digital 2018e). Personal demographic data linked to clinical data, or drawn from a patient’s medical record, is subject to the opt-out but demographic data not drawn from the medical record would not be subject to the opt-out. For example, a name and address on their own, without clinical information, is not classed as confidential patient information.

Guidance on how the new opt-out is applied can be found on the NHS Digital website.

The General Data Protection Regulation

The General Data Protection Regulation (GDPR) is designed to modernise data protection law against emerging challenges. These challenges include the growth of advanced machine learning techniques, for instance, which have led to an intensified interest in what these can tools can do with big datasets, like those held by the NHS. The new regulation has a big impact on any large-scale collectors of data (Parliament Street 2018)

GDPR should not change anything fundamental about what the NHS can do with patient data, but some elements are important to highlight.

First, ‘explicit consent’ is harder to achieve under GDPR than under CLDC (Information Governance Alliance 2018). Using explicit consent as a legal basis for sharing data requires organisations to be specific about the purpose for which it is being obtained and to document the consent. This may be possible for data collected for specific research projects, but it is unlikely to be possible for many secondary uses. Guidance from the ICO and IGA suggests that NHS organisations should rely on other alternatives to consent for GDPR purposes (Information Governance Alliance 2018).

The GDPR strengthens rights that individuals have over data about them (Information Commissioner’s Office 2017a). Both the right to object and the opt-out (which are different from each other) must be honoured by health organisations.

Under GDPR, the way in which ‘pseudonymised’ data is processed could require increased safeguards and controls for the use of this data for planning and research, and make using patient data for these reasons more challenging. Some argue that the purpose of GDPR is not to remove the pseudonymised status of data that currently permits many secondary uses (Mourby et al 2018), but the current lack of ICO guidance makes this difficult to assess.

Guidance on the new GDPR can be found on the Information Governance Alliance’s website and the Health Research Authority’s website.

Implications of these changes

The opt-out affects other NHS organisations who may want to use confidential patient information for planning as well as researchers and commercial organisations who use patient data to provide research and analysis expertise to the NHS. Depersonalised datasets will be unaffected by the opt-out, meaning the majority of analyses using patient data will continue. However, some analyses rely on confidential patient information, which is subject to the opt-out.

The consequences will depend on opt-out rates. If they remain low, there will be less impact. This needs be a major motivation for researchers, charities, the NHS and government to act in a way that maintains public trust and keeps down opt-out rates. Clinicians and managers also have a role to play in providing patients with information about how their data is used. (Understanding Patient Data has a range of tools to support these conversations.)

Even a low rate of opt-out has a potentially detrimental impact on some types of analysis. Opt-out numbers have been steadily rising since the original opt-outs were introduced. As of March 2018, 2.4 per cent of the English population had registered a type 2 opt-out (NHS Digital 2018a). Type 1 opt-outs are ostensibly higher; however, as these opt-outs prevent any data from leaving the GP practice, it is impossible to say how many are duplicates or overlap with type 2 figures. Easier online access to the national opt-out may increase opt-outs.

Number of registered opt-outs since introduction

Source: NHS Digital (2018). Releases after January 2017 changed from monthly to quarterly. Due to the lack of information in type 1 opt-outs, it is impossible to know how many of these are individual people and how many are double-counted in the type 2 figures.

The implications of these changes could be significant. Confidential patient information is used at both national and local level to:

monitor the quality of care in NHS organisations
allow commissioners to compare the quality of services being offered by different hospitals
evaluate and improve treatments and services
flag particular problems in how care is being provided in local organisations
engage staff in considering how they improve patient care.

If opt-outs are applied to datasets with confidential patient information in, this risks making some kinds of analysis less useful and affects how we use analysis to design and improve services and treatments. Even where usefulness is maintained, confidence in analysis run on incomplete datasets may be undermined.

The opt-out affects other NHS organisations who may want to use confidential patient information for planning as well as researchers and commercial organisations who use patient data to provide research and analysis expertise to the NHS.

The impact on the national patient surveys is of particular concern. National surveys such as the Cancer Patient Experience Survey and the NHS Inpatient Survey are important sources of information about people’s experiences of care that can be used by both national and local NHS organisations for a range of activities, such as identifying unwanted variation in care and monitoring the quality of treatment. The Cancer Patient Experience Survey is believed to be at risk (Brennan 2017).

The reason for this impact on surveys is that some groups are more likely to opt-out than others, introducing variation into identifiable datasets. Picker Europe, an organisation that conducts surveys on behalf of the NHS and others, has said that an opt-out mechanism is likely to have an impact on the representativeness of surveys (Graham 2016). It is crucial that NHS England and NHS Digital work to mitigate this risk, if possible, and, if not, then to put contingencies in place to protect the representativeness and robustness of the patient surveys.

Some surveys should not be affected by the new opt-out. The GP Patient Survey, for example, relies only on demographic data (not confidential patient information) and will not be affected; given the existing dearth of data on primary care (Baird et al 2016), this is positive.

Variation in opt-out rates may also have an impact on other data analysis. Currently, for example, some local CCGs have a higher opt-out rate than others (NHS Digital 2018a). A recent peer-reviewed analysis of opt-out rates (Piel et al 2018) found that some areas have substantially higher levels of opt-outs than others, limiting the ability to measure variation. A statistical solution might be able to adjust for the demographics of people who opt out, but this would not show other, non-demographic differences between those who have opted out and those who have not. This could potentially slow down public health surveillance conducted by academic researchers. Public health analysis allows researchers to understand how disease affects different parts of the population differently, depending on their location or deprivation, for example. Understanding this helps health organisations to support healthy behaviours and reduce the severity of disabling diseases, but this requires high-quality health data. Without access to complete patient data, there is a risk of undermining some of these goals.

Clinicians and managers also have a role to play in providing patients with information about how their data is used.

In the long term, increasing opt-outs might jeopardise other types of analysis that are essential for planning and running the NHS, but it is incredibly difficult to pinpoint precisely what opt-out rate would be damaging. Rising opt-out rates may gradually introduce variation into linked, identifiable datasets, leading to inaccuracies in their findings.

Furthermore, ways of analysing datasets are becoming more advanced and some emerging machine-learning tools are biased against certain demographic groups (Pelzel 2017). With opt-out variation skewing against some ethnic populations (Piel et al 2018), bias could be introduced into machine-learning algorithms built from opt-out-applied datasets. This could lead to services and treatments being designed, unknowingly, with a better understanding of those groups that do not opt out.

The timetable for upholding opt-outs is unclear. We know opt-outs will be recorded from 25 May 2018 but the timetable for when different data releases will have the opt-out applied has not been made clear. Time is clearly needed to understand what the implications might be and mitigate these risks.

If opt-outs are to be phased in, this may create confusion for NHS organisations that are required to apply the opt-out for some forms of data-sharing but not others. It also begs the question of how patients will be told if their opt-opt is only to be applied to some data releases in the first year.

There is also a question of how the enforcement of GDPR interacts with the opt-out, which is dependent on whether the ICO’s code of anonymisation (Information Commissioner’s Office 2012) is changed. Any changes to this code in the future could have an impact on the number of datasets that are subject to the opt-out.

Conclusion

Data from patients is used to improve services, research new treatments and plan for the future of the NHS. The changes we have described should help to rebuild public trust after recent controversies surrounding data in the NHS and in other sectors. However, this area is incredibly complex and includes many legal and policy technicalities. It is worth considering whether people who decide to exercise their opt-out are aware of precisely the purposes and uses of data that the opt-out will apply to.

Most people are happy for their data to be used for improving services and for research (Chan et al 2016), particularly when it is made clear that the research is at risk without data-sharing (Ipsos MORI 2016). Importantly, despite concerns, the public also believe that the individual’s right to privacy should not stand in the way of research that helps patients overall (Tully et al 2018). However, awareness of how the NHS uses data is very low (Stockdale et al 2018; Ipsos MORI 2016); and while there is a clear desire to express preferences for data-sharing, do patients know what they are opting out of and understand the implications of this?

We have presented examples of how the opt-out could put some NHS planning and research at risk. These examples urgently need further study and a comprehensive response from central NHS bodies. At the same time, more needs to be done to understand the long-term implications of an increasing rate of opt-out, including which groups in the population are opting out and how this might impact our ability to build improve care for these groups.

We hope that national bodies and regulators will ensure that staff and researchers handling patient data in the NHS and other organisations will be given the guidance and support they need. Concern and myths about patient data have slowed its use for the common good in recent years (Wellcome Trust 2015) – and this may have an impact on confidence in NHS organisations sharing data for individuals’ care. We welcome the news that applications for patient data have been increasing (Heather 2018a), and we hope that the developments we have described here will not set this back.

Policy in this area is a delicate balance between, on the one hand, responding to public concern about privacy and security, and on the other, being able to realise the potential of making better use of patient data. The key question is whether the implementation of the changes we have outlined here will tip the balance away from the benefits of sharing data.

References: Baird B, Charles A, Honeyman M, Maguire D, Das P (2016). Understanding pressures in general practice. London: The King’s Fund. Available at: www.kingsfund.org.uk/publications/pressures-in-general-practice (accessed on 15 May 2018).
Bowcott O, Hern A (2018). ‘Facebook and Cambridge Analytica face class action lawsuit’.The Guardian website, 10 April. Available at: www.theguardian.com/news/2018/apr/10/cambridge-analytica-and-facebook-face-class-action-lawsuit (accessed on 11 April 2018).
Brennan S (2017). ‘Exclusive: Patient record opt-outs risk blocking improvements in cancer care’. Health Service Journal website, 30 August. Available at: www.hsj.co.uk/policy-and-regulation/exclusive-patient-record-opt-outs-risk-blocking-improvements-in-cancer-care/7020441.article (accessed on 16 April 2018).
Chan DL, Evans H, Carragher E (2016). Perceptions of the cancer registry [online]. Ipsos MORI website. Available at: www.ipsos.com/ipsos-mori/en-uk/perceptions-cancer-registry (accessed on 30 April 2018).
Clinical Practice Research Datalink (2018). ‘GP practice linkage consent’. CPRD website. Available at: www.cprd.com/EmisLinkageConsent/ (accessed on 12 April 2018).
Department of Health (2017). Your data: better security, better choice, better care: Government response to the National Data Guardian for Health and Care’s review of data security, consent and opt-outs and Care Quality Commission’s review ‘Safe data, safe care’. Available at: www.gov.uk/government/consultations/new-data-security-standards-for-health-and-social-care (accessed on 16 April 2018).
Department of Health (2016). Patient objections (type 2) directions 2016 [online]. NHS Digital website. Available at: https://digital.nhs.uk/Patient-objections-type-2-Directions-2016 (accessed on 13 April 2018).
Department of Health, Caldicott F (1997). Report on the review of patient-identifiable information [online]. National Archives website. Available at: http://webarchive.nationalarchives.gov.uk/+/http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4068403 (accessed on 11 April 2018).
Digital Health (2018). ‘Local Health and Care Record Exemplar bid invites issued’.Digital Health website, 22 March. Available at: www.digitalhealth.net/2018/03/local-care-record-exemplar-bid-invites-issued/ (accessed on 4 May 2018).
Digital Health (2013). ‘Hunt pledges to respect patient data’. Digital Health website, 26 April. Available at: www.digitalhealth.net/2013/04/hunt-pledges-to-respect-patient-data/ (accessed on 11 April 2018).
General Medical Council (2017). Confidentiality: good practice in handling patient information. Available at: www.gmc-uk.org/ethical-guidance/ethical-guidance-for-doctors/confidentiality (accessed on 13 November 2017).
Graham C (2016). ‘Recommendations for a new consent model for patient data are wide of the target’. Blog. Picker website. Available at: www.picker.org/news/blog/recommendations-new-consent-model-patient-data/ (accessed on 16 April 2018).
Harwich E, Laycock K (2018). Thinking on its own: AI in the NHS [online]. Reform website. Available at: www.reform.uk/publication/thinking-on-its-own-ai-in-the-nhs/ (accessed on 12 April 2018).
Health Research Authority (2018a). ‘Confidentiality Advisory Group registers’. Health Research Authority website. Available at: www.hra.nhs.uk/planning-and-improving-research/application-summaries/confidentiality-advisory-group-registers/ (accessed on 4 May 2018).
Health Research Authority (2018b). ‘Guidance for CAG applicants’. Health Research Authority website. Available at: www.hra.nhs.uk/about-us/committees-and-services/confidentiality-advisory-group/guidance-confidentiality-advisory-group-applicants/ (accessed on 4 May 2018).
Healthwatch England (2018). How do people feel about their data being shared by the NHS? [online]. Available at: www.healthwatch.co.uk/resource/how-do-people-feel-about-their-data-being-shared-nhs (accessed on 17 May 2018).
Heather B (2018a). ‘Demand for NHS patient data more than doubles’. Health Service Journal website, 3 April. Available at: www.hsj.co.uk/technology-and-innovation/demand-for-nhs-patient-data-more-than-doubles/7022054.article (accessed on 16 April 2018).
Heather B (2018b). ‘NHS must honour new single patient opt-out from May’. Health Service Journal website, 1 March. Available at: www.hsj.co.uk/technology-and-innovation/nhs-must-honour-new-single-patient-opt-out-from-may/7021808.article (accessed on 16 April 2018).
Hoeksma J (2014). ‘The NHS’s care.data scheme: what are the risks to privacy?’ BMJ, vol 348, pp g1547.
Information Commissioner’s Office (2017a). ‘Right to object’. ICO website. Available at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/ (accessed on 27 April 2018).
Information Commissioner’s Office (2017b). ‘Royal Free - Google DeepMind trial failed to comply with data protection law’. ICO website. Available at: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/07/royal-free-google-deepmind-trial-failed-to-comply-with-data-protection-law/ (accessed on 12 April 2018).
Information Commissioner’s Office (2017c). Royal Free London NHS Foundation Trust undertaking [online]. ICO website. Available at: https://ico.org.uk/action-weve-taken/enforcement/royal-free-london-nhs-foundation-trust/ (accessed on 12 April 2018).
Information Commissioner’s Office (2012). Anonymisation code of practice [online]. ICO website. Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/anonymisation/ (accessed on 12 April 2018).
Information Governance Alliance (2018). General Data Protection Regulation (GDPR) guidance on consent [online]. NHS Digital website. Available at: https://digital.nhs.uk/information-governance-alliance/General-Data-Protection-Regulation-guidance (accessed on 13 April 2018).
Ipsos MORI (2016). The one-way mirror: public attitudes to commercial access to health data. Report prepared for the Wellcome Trust [online]. Ipsos MORI website. Available at: www.ipsos.com/ipsos-mori/en-uk/commercial-access-health-data (accessed on 15 May 2018).
Ipsos MORI, Joseph Rowntree Reform Trust (2014). Privacy and personal data [online]. Ipsos MORI website. Available at: www.ipsos.com/ipsos-mori/en-uk/privacy-and-personal-data (accessed on 11 April 2018).
Ipsos MORI, Royal Statistical Society (2014). ‘New research finds data trust deficit with lessons for policymakers’. Ipsos MORI website. Available at: www.ipsos.com/ipsos-mori/en-uk/new-research-finds-data-trust-deficit-lessons-policymakers (accessed on 11 April 2018).
King D (2017). ‘Why doesn’t Streams use AI yet?’ Blog. DeepMind website. Available at: https://deepmind.com/blog/streams-and-ai/ (accessed on 12 April 2018).
Local Government Association, Institute of Public Care (2016). Transforming social care through the use of information and technology [online]. LGA website. Available at: www.local.gov.uk/transforming-social-care-through-use-information-and-technology (accessed on 12 April 2018).
Mann N (2014). ‘The care.data programme: explicit detail on protocols and safeguards is needed’. BMJ, vol 348, pp g2201.
Medical Research Council (2017). Using information about people in health research. Available at: www.mrc.ac.uk/research/facilities-and-resources-for-researchers/regulatory-support-centre/supporting-research-using-health-data/ (accessed on 3 January 2018).
Metcalfe C, Martin RM, Noble S, Lane JA, Hamdy FC, Neal DE, Donovan JL (2008). ‘Low risk research using routinely collected identifiable health information without informed consent: encounters with the Patient Information Advisory Group’. Journal of Medical Ethics, vol 34, no 1, pp 37–40.
Mourby M, Mackey E, Elliot M, Gowans H, Wallace E, Bell J, Smith H, Aidinlis S, Kaye J (2018). ‘Are ‘pseudonymised’ data always personal data? Implications of the GDPR for administrative data research in the UK’. Computer Law & Security Review, vol 34, no 2, pp 222–33. Available at: www.sciencedirect.com/science/article/pii/S0267364918300153 (accessed on 23 February 2018).
National Data Guardian (2013). Information: to share or not to share? The information governance review [online]. GOV.UK website. Available at: www.gov.uk/government/publications/the-information-governance-review (accessed on 18 December 2017).
National Data Guardian (2016). Review of data security, consent and opt-outs. Available at: https://www.gov.uk/government/publications/review-of-data-security-consent-and-opt-outs (accessed on 17 May 2018).
NHS Confederation (2017). The non-executive director’s guide to NHS data – Part one: Hospital activity, data sets and performance [online]. NHS Confederation website. Available at: www.nhsconfed.org/resources/2017/10/the-non-executive-directors-guide-to-nhs-data-part-one (accessed on 10 November 2017).
NHS Digital (2014). Opting out of sharing your confidential patient information. Available at: www.digital.nhs.uk/about-nhs-digital/our-work/keeping-patient-data-safe/how-we-look-after-your-health-and-care-information/your-information-choices/opting-out-of-sharing-your-confidential-patient-information (accessed on 17 May 2018).
NHS Digital (2018a). ‘Care information choices’. NHS Digital website. Available at: http://content.digital.nhs.uk/careinfochoices (accessed on 15 May 2018).
NHS Digital (2018b). ‘Data Access Request Service (DARS): pre-application checklist’. NHS Digital website. Available at: https://digital.nhs.uk/services/data-access-request-service-dars/data-access-request-service-dars-process/data-access-request-service-dars-pre-application-checklist (accessed on 4 May 2018).
NHS Digital (2018c). ‘Data Access Request Service (DARS): process’. NHS Digital website. Available at: https://digital.nhs.uk/data-access-request-service/process (accessed on 17 April 2018).
NHS Digital (2018d). ‘Hospital Episode Statistics’. NHS Digital website. Available at: www.digital.nhs.uk/data-services/hospital-episode-statistics (accessed on 12 April 2018).
NHS Digital (2018e). National Data Opt-out Operational Policy Guidance Document. Available at: https://digital.nhs.uk/services/national-data-opt-out-programme/guidance-for-health-and-care-staff (accessed on 25 May 2018).
Parliament Street (2018). Getting the NHS ready for the GDPR [online]. Policy paper. Parliament Street website. Available at: http://parliamentstreet.org/blog/2018/policy-paper-getting-nhs-ready-gdpr/ (accessed on 13 April 2018).
Pelzel F (2017). ‘Big Data will be biased, if we let it’. Towards Data Science website. Available at: https://towardsdatascience.com/bias-in-big-data-for-the-non-tech-90fc53729025 (accessed on 16 April 2018).
Piel FB, Parkes BL, Daby H, Hansell AL, Elliott P (2018). ‘The challenge of opt-outs from NHS data: a small-area perspective’. Journal of Public Health. Available at: https://academic.oup.com/jpubhealth/advance-article/doi/10.1093/pubmed/fdy059/4953715 (accessed on 16 April 2018).
Powles J, Hodson H (2017). ‘Google DeepMind and healthcare in an age of algorithms’. Health and Technology, pp 1–17.
Robling MR, Hood K, Houston H, Pill R, Fay J, Evans HM (2004). ‘Public attitudes towards the use of primary care patient record data in medical research without consent: a qualitative study’. Journal of Medical Ethics, vol 30, no 1, pp 104–9.
Sterckx S, Rakic V, Cockbain J, Borry P (2016). ‘You hoped we would sleep walk into accepting the collection of our data’: controversies surrounding the UK care.data scheme and their wider relevance for biomedical research’. Medicine, health care, and philosophy, vol 19, no 2, pp 177–90.
Stevens L (2017). NHS Digital directed to replace type two opt-outs. Available at: www.digitalhealth.net/2017/09/type-2-opt-outs-replaced-with-national-data-opt-out-plan/ (accessed on 4 May 2018).
Stockdale J, Cassell J, Ford E (2018). ‘“Giving something back”: A systematic review and ethical enquiry of public opinions on the use of patient data for research in the United Kingdom and the Republic of Ireland’. Wellcome Open Research, vol 3, p 6.
Triggle N (2014). ‘Care.data: How did it go so wrong?’ BBC News, 19 February. Available at: www.bbc.co.uk/news/health-26259101 (accessed on 4 May 2018).
Tully MP, Bozentko K, Clement S, Hunn A, Hassan L, Norris R, Oswald M, Peek N (2018). Investigating the extent to which patients should control access to patient records for research: a deliberative process using citizens’ juries. Journal of Medical Internet Research, vol 20, no 3, pp e112.
UK Parliament (2014). Care Act 2014 Section 122. Available at: www.legislation.gov.uk/ukpga/2014/23/section/122/enacted (accessed on 4 May 2018).
Understanding Patient Data (2017a). ‘Learning more about blood cancer’. Understanding Patient Data website. Available at: https://understandingpatientdata.org.uk/case-study/learning-more-about-blood-cancer (accessed on 27 April 2018).
Understanding Patient Data (2017b). ‘Planning services for people living with and beyond cancer’. Understanding Patient Data website. Available at: https://understandingpatientdata.org.uk/case-study/planning-services-people-living-and-beyond-cancer (accessed on 4 May 2018).
Wellcome Trust (2015). Delays faced by researchers trying to access data from HSCIC [online]. Evidence submission to House of Commons Health Select Committee. Available at: https://wellcome.ac.uk/what-we-do/our-work/our-policy-work-using-patient-data-research (accessed on 16 April 2018).

Comments

This system would use people data even if they out-put bcs under the emergency act now - !!!!!!!!!!! loop hole !!!!!! now they got all data back even if you out-put before !!!!!!!!!!!!!

I was sent the gp survey, which i ignored, then a reminder, which went in the bin,

The problem I have is that as a normal member of the public, not a medical professional, I had no idea my data was being shared with 3rd parties (mori) who are clearly not part of the NHS.

I have never given consent for this, or indeed ever been asked. I'm now wondering how many times details were given to other companies and how many other mailing lists etc I'm on as a result.

If my practice had asked if i wanted to be on a survey panel that would be a different matter but either they or the wider NHS apparently have just decided to give out personal info and somehow I'm supposed to be grateful. I'm very pissed off.

David Peach and C Coyne are both talking from a point of view uninformed by either how the NHS uses data or how the use of data relates to other issues. TTIP and international trade agreements have nothing to do with the use of NHS data and it is irrelevant to NHS Privatisation (mostly an evidence-blind conspiracy theory not an evidence-based summary of anything that is actually happening).

Nobody has ever proposed making personal NHS data available for free to profit the private sector. In fact that would be illegal under current legislation. And accessing the data is remarkably hard even when it is pseudonymised and used entirely for the purposes of improving the NHS and the treatments it offers.

Perhaps more importantly and certainly more relevantly, it is easy to show cases where the NHS needs to know who was treated in order to improve anything. Take someone admitted to hospital for minor surgery. Imagine they are treated with a new anaesthetic, thought to be better than existing ones. They are discharged, apparently cured. But 3 months later, they are readmitted to hospital with a bladder problem and they die. Now imagine that this happens to a lot of patients and that the bladder problem is caused by the anaesthetic. With no linked records (and we don't actually need the name and address to be released to find this out, just some way of knowing the linked records refer to the same patients) we can't even see the cause of the problem. With even pseudonymised records we can instantly tell that many of the patients treated with that anaesthetic suffered later bladder problems. This is the sort of issue routinely dealt with by researchers who want access to the linked data (and, remember, they don't need to risk revealing any actual identities but the identities must be recorded somewhere or they can't tell the same patient was readmitted).

So, feel free to let your unfounded paranoia lead you to withhold your details. but you will deny the system the ability to know what works or doesn't and to improve the treatment offered to all. If you are happy with that, fine. But I'm not.

As you point out _If its no longer about you its about your condition. Therefore there is no need to name or fix the location of the patient. As with the last time with the OPT/OUT solution i and many more did not obtain the form so that presumed consent "Which was Wrong". Also will every member of the public be allowed access to OPT/OUT forms if not, the OPT / IN solution or SILENCE IS NOT CONSENT is more appropriate and more democratic.

I have a completely different view to those expressed so far. All medical treatments, from chewing willow-bark for a headache to advanced personalised healthcare, are based on a knowledge-bank built up over generations through observations and research. Once secondary-use data has been robustly anonymised - and that is perfectly possible and indeed routine throughout the NHS - it’s no longer about “you” but about “your condition”, and refusing to share it to strengthen and improve that shared knowledge-bank is like taking a train without buying a ticket or swiping “carrots” when you’ve actually bought avocados.

The issue of the sale of data is completely separate (and I happen to oppose it implacably).

I completely agree with the above comments. The entire system is riddled with duplicity and lies. Confidentiality has been redefined out of existence. We are constantly told that our information "will be kept safe and confidential". There is no confudentiality in the NHS and the word is being used to mean "legally processed". Anything is legal if you pass legislation to make it legal, including data theft. All opt-outs are fraudulent: If one opts out, or objects, in all cases opt-outs/objections will be ignored, overruled or circumvented by use of "sufficiently anonymised data" or the "Patient Identity - Identity Withheld Structure". We are told that our data will only be shared in anonymous form, but none of these types of data are either anonymous or unidentifiable. They can all be linked with other data relating to the same individual, so they cannot be anonymous and are certainly identifiable. We are told that under the GDPR we have a legal right to objecrt to processing of our data. If you have registered for the national data opt out, this supposedly prevents secondary use of your data. If you then object to a hospital submitting your data ti the Secondary Uses Service (SUS) managed by NHS Digital, you will almost certainly be told that your objection cannot be upheld because the hospital has a contractual obligation to submit SUS data for every episode of hospital care. According to the GDPR the hospial has to produce a compelling case for overriding your objection. In the NHS, it doesn't have to do so. Just how exactly is there a compelling case for submitting SUS data where a patient has opted out of secondary use of their data. The fact is that we are up against a ruthless determination to pillage all of our data, whether we like it or not, and do whatever the NHS/DHSC please with it. There is an immensely powerful lobby of people who would like unlimited free access to data without consent. The only way to protect your privacy is to avoid having an NHS record.

I agree with David Peach's fundamental points. My biggest concern however is that under the standard Trade Deals the EU have already negotiated (e.g. CETA with Canada) or are currently being negotiated, (TTIP - the Trans Atlantic Investment Partnership, or whatever it's called these days, between the EU and USA) specifically allows for Corporations to prosecute Governments that wish to change policies in the best interests of their nation. Unless it is specifically excluded from the the terms of such deals (as is allowed if a government wishes – not likely with the current UK Gov’t), our NHS is at huge risk of being forced into the disastrous USA style of insurance based funding.

For example, in the case of Germany, following the Fukushima nuclear plant disaster (which is still years later pumping pollution into the seas) decided to dismantle their own similarly structured nuclear plants. Germany was then prosecuted by big corporations, which under the terms of the Trade agreements can sue for the loss of their potential FUTURE profits. One of many, many such cases around the world. The cost of these prosecutions is still unknown publicly as these are privately heard court cases, with 3 judges making the decisions. Importantly, as far as is known, not one of these cases found in favour of the Governments.

So, if we sign up to this kind of deal, and a decent government in the UK wished to substantially reverse the privatisation of the NHS, or legislate to limit the maximum profit to be made from PFI contracts on Hospitals they've built, they would face the same private courts and with no right for the public to know the outcome. Typically it is USA/multinational Corporations involved in such cases; and the USA would love to introduce their own existing Insurance based 'health care system' here in the UK. In the USA the most frequently reported reason for both bankruptcy and suicide is this 'insurance' running out just when it is most needed.

By the way, from memory, the Canada:EU Trade agreement is an exception, as Canada wished to protect it's own Health services from predators and specifically excluded it from the agreement. Not something I believe our current government is likely to do.

The OPT/OUT system is an evil way of COERCION , Individuals should be in control of their DATA, Names and Addresses should always be withheld. You can get the state of Health of the Nation without personal confidential named Health Data and their addresses. If you need that permission should be acquired and remember if you cannot get "Response it is still not Consent" Conservative Social Care Organisations (CHERRY PICKERS) and PRIVATE HEALTH i.e. BUPA, NUFFIELD etc. and INSURERS are completely NO NO when it comes to Names and Addresses