A doctors’ surgery is a place of trust where patients divulge their most private concerns and ailments. On July 1, a vast pooling of surgery records will begin in England, with the NHS sharing data scraped from as many as 55m patients. It is an exercise lacking in transparency that risks eroding that trust at a time when the health service is held in high regard. The plans must be rethought, urgently.
English surgeries hold digitised decades-long records on an entire population: almost a unique data trove in the world. The pandemic has shown how invaluable such a large data set is when it comes to rapid treatment. The idea is to now use it to improve planning for the next health emergency, and better target health campaigns. Unfortunately, the government has not explained adequately how the NHS will safeguard patients’ records, or which third parties will have access to them. A threat of legal action now looms.
Attempts by NHS Digital, which runs the health system’s IT, to assuage concerns leave more questions than answers. It says that it does not sell data but that it does charge organisations for access. “We do not allow data to be used solely for commercial purposes,” it pledges. The word “solely” does much heavy-lifting in that sentence.
Precedent does not inspire confidence. In 2017, the Information Commissioner’s Office ruled that an NHS Trust broke data protection laws when it shared 1.6m patient records with DeepMind, a unit of Google.
A shocking aspect of the new plan is how little the general public knows about it, and how hard it is to dissent: to opt out, patients must fill out a form and deliver it to their surgery by June 23, at a time when surgeries are overwhelmed. Patients must be able to make informed consent about such a novel use of their data, and must be able to opt out more easily.
In 2013, the Care.data project also aimed to pool general practitioner records, forewarning patients by leafleting them at home. After a predictable outcry, the plan was scrapped and the government pledged to learn lessons. The main lesson it seems to have learnt is not to properly inform the public this time around: while flyers detailing the new plans have been available in surgeries, access has been limited during lockdowns.
The timing is also suspect. The pandemic has forced trade-offs between privacy and public health through initiatives such as test-and-trace systems — themselves not without controversy. The government seems to be taking advantage of this to push through an even larger data-harvesting exercise.
A natural instinct would be to demand an opt-in rather than opt-out process. Alas, when offered that choice, people understandably choose not to share their data. And when it comes to data sets’ value, size matters.
Academics and researchers must be able to use the data for projects in the public good without the risk that it is then exploited for commercial gain, unless patients give their explicit informed consent. One model is how the Office for National Statistics makes sensitive census and tax data available through a tightly controlled environment where information can be used but not passed on.
There is no good reason for rushing an exercise with vast privacy implications. The government must properly explain how patient data may be used and by whom. Otherwise, the risk is that the public understandably views a potentially worthwhile project with distrust, and the NHS’s brand becomes tarnished through no fault of frontline workers. Sunlight is indeed the best disinfectant.