Last month, the UK government announced plans to share NHS patient data with third parties, sparking an outcry from privacy campaigners. Underpinning this move will be the development of a database containing the medical records of roughly 55 million patients in England who are registered with a GP clinic, including information of a highly sensitive nature, such as mental and sexual health.
This data will be made available to academic and commercial third parties involved in healthcare research and planning, an area that has come under the spotlight during the COVID-19 pandemic.
Initially, patients were only given a deadline of June 23, 2021, to opt-out of the scheme, and to do so, they would need to fill out and physically take a form to their local GP surgery. However, this date has since been pushed back by two months after concerns were expressed about the short-notice nature of the opt-out and questions raised about the potential privacy and data protection implications of the scheme.
To discuss these issues in more depth, Infosecurity recently spoke to Jonathan Whittle, lawyer and senior manager at Your Lawyers.
Whittle firstly outlined the legal issues the government may face should the plans continue in their current form. He noted that under the UK GDPR law, health information is placed under a special category meaning that “explicit consent” must be offered to the individuals involved i.e. a clear option to agree or disagree with its collection, use or disclosure. “With explicit consent that includes transparency about what you’re going to do with that data – and if they don’t have that, then I don’t see that there’s any real legitimacy in sharing that data,” he explained.
According to Whittle, the government and NHS must also go to great lengths to ensure this data is secured. He pointed out that health information has become an increasingly lucrative target for cyber-criminals. For example, a recent study found that health records are sold on the dark web for an average of $250, which compares to just $5.40 for payment card details. He commented: “Buyers of health information can create fake IDs, purchase medical equipment and drugs, and make false insurance claims – there’s real value to that data.”
Therefore, he believes the planned database will become an “obvious” target for cyber-criminals. Furthermore, should a breach occur in which personally identifiable data is accessed, litigation claims will undoubtedly follow, potentially costing the taxpayer vast sums.
As such, Whittle believes that before any data is made available for sharing, third parties should satisfy the government and NHS that they have adequate security measures in place, including multi-factor authentication and anonymization. In addition, while NHS Digital has emphasized that it will replace any personally identifiable information with codes, Whittle said that this alone might not be sufficient. “Surely there’s going to be a key to the code, and if there is, you can ultimately get that information,” he added.
That’s not to say the plan is not without its merits, and Whittle sees the two-month delay as an opportunity “to make sure the ducks are all in a row.” Moreover, if managed properly, the scheme could have enormous benefits for researchers, such as responses to having the COVID-19 vaccine. “As long as there’s no way of intercepting the anonymized data then I can certainly see the benefits,” he emphasized, adding that “if you’re going to share it, firstly get consent and then second it’s got to be as safe as it comes – the Fort Knox of data sharing.”
"If you're going to share it, firstly get consent and then second it's got to be as safe as it comes - the Fort Knox of data sharing"
Going forward, there also needs to be continual checks to ensure the security is working properly, and perhaps most crucially of all “if somebody refused consent, that refusal is respected.”
Putting in place such stringent rules governing the sharing of patient information is not just about following the law. Whittle outlined the potentially enormous impact of this information being breached or misused, at both individual and societal levels. For example, people who have highly sensitive medical issues are vulnerable to suffering mental health problems from having details about their lives revealed. Whittle highlighted the case of the data breach by the sexual health clinic 56 Dean Street in 2015, in which the email addresses of around 781 HIV patients were accidently revealed. “It had spiralling effect on these people – deep depression, anxiety disorders,” he explained. “These are people who will suffer psychiatric illnesses as a result of the sharing of their private medical data.”
Therefore, people in this sort of position will be very fearful about losing control over their medical data, including concerns over who has access to it and whether it will stay secure in their hands. Whittle added: “It’s not just the distress or fear about the actual breach itself but it’s about that loss of control over that private information. It’s your right to choose how you share your private information and if you lose that right that in itself is a massive affront to you and to society as a whole.”
There could also be significant long-term consequences to society from this kind of approach to data sharing, according to Whittle. In an age where data is increasingly utilized to inform policy decisions in areas like health, it is critical to ensure people are not put off from sharing it for research purposes going forward. “The more data breaches there are, the less people have confidence in sharing their information, which this can have a wider impact – there’s obvious benefits of researchers having access to people’s health information,” he outlined.
The plans to enable the sharing of patient data in England with third parties are on the one hand very understandable – the benefits this information can have for planning and research purposes could be vast, particularly in light of the COVID-19 pandemic. However, it is important this initiative is undertaken in accordance with the UK GDPR, with explicit consent offered and stringent security controls put in place to protect individual identities and the data that is shared. If these areas are not addressed properly, the ramifications could be severe – in the form of litigation claims, to the health of vulnerable patients and perhaps even society at large. It is important the two-month delay to the scheme is used to ensure these kinds of measures in place, reassuring patients that they will suffer no blowback from allowing their data to be shared in this way.