For anyone (like me) who is no longer resident in England, you can find your NHS number with [1], then use it (plus a UK VPN) to opt out here [2].
As I understand it, [2] covers hospital data etc, but not GP data, which is the recent data grab and the subject of the article. I have written to the GP I was last registered at to see if they still hold any data on me, and whether they were intending to share it without my consent. I attached the opt-out form [4] anyway.
[3] says on "Minimum length of retention of GP records" that "Electronic patient records (EPRs) must not be destroyed, or deleted, for the foreseeable future.", and paper ones are kept until 10 years after death.
I made a point of emailing them about this (and suggest you do so too) - I'm not sure it is legal to prevent me from managing my data, despite living outside the UK. I understand they want to prevent foreign actors from misusing the service, but this is not it.
As if making it opt-out isn't bad enough, for some, they can't even opt-out. What a s*t show this entire process has been.
What's the betting that this data is being sold for 'research' to raise a few more pounds to combat the coming economic crash?
The National Opt-out [2] does not prevent NHS Digital from accumulating your records in a central database (in pseudonymous form - not anonymous). It only prevents them from sharing your record with others - for now...
The type 1 opt-out with your GP should prevent your records from even being sent to NHS Digital at all. The difficulty with this one is that it's a paper form only and has to be handed to the GP by the 23rd, there is no web service to opt out of this.
NHS Digital have also hinted that they will be trying to remove the type 1 at some point in the future.
As someone who works in HealthTech in the UK, I can see why NHS Digital sees a need for this.
We really should be enjoying the benefits of a centralised National Health Service in this country, but the divide and conquer management strategy gives individual GP practices and Hospitals (run by NHS Trusts) a lot of independence. That independence extends to IT systems, meaning you have various patient record systems in use around the country and a set of standards and APIs mandated to allow them to communicate.
I would personally prefer those patient records to be on software provided and administered by a technical organisation with the expertise to understand the security risks involved and working full time on that problem. Hospitals and GPs could then get on with treating patients rather than having to employ their staff to figure out the tech side. So why isn't NHS Digital doing that instead?
I expect most people actually believe the NHS already have their medical records, and in a sense they do, it just has many different custodians all around the system.
Yeah, this is a pre-privatisation setup; rather than run the whole thing as a national enterprise, have a set of separate "playing at shops" organisations engaged in a pseudo-market of buying services from each other.
> I would personally prefer those patient records to be on software provided and administered by a technical organisation with the expertise to understand the security risks involved and working full time on that problem.
So would I, but it is not clear that any such software or technical organisation exist yet. NHS Digital might be trying to move in that direction with things like the TRE for working with COVID data, and that is commendable. However, it was not long ago that another proposed response to COVID was installing an unnecessarily privacy-invasive app on everyone's phones, so evidently we are still a long way from the non-clinical people with power and influence over these huge systems also understanding and respecting their implications.
The only sure way we know to prevent inappropriate disclosure and use of sensitive personal data is not to hold that data in the first place. Obviously that is impractical with medical records, so for now, the next safest thing remains to have the data held by and accessible to as few people as possible instead of creating one huge target and a single point of failure. That might be unfortunate for those with a legitimate interest in working with larger data sets for good reasons, and it might slow down or even prevent beneficial advances in medical knowledge, and I expect we'd all agree that these are not desirable outcomes. We have to balance those losses against the enormous risk to the whole population if confidentiality and ultimately trust between doctor and patient is compromised, because that could be what is at stake here.
You're right, of course, and that is why the situation is how it is. NHS Digital also seem reluctant to become custodians of the data and only administer services that have to be done centrally, such as HSCN and NHSMail, and those services tend to involve a lot of external contractors - so the in-house talent may well be missing. But by siloing the data, we're just trusting doctors and hospitals to know what is best and that can't be a good idea either. The WannaCry attack a few years ago was good evidence of that.
On a side note, I can't imagine how hard it must be for the NHS to do anything when essentially an internal transfer of data within the organisation is labeled as "Your medical records are about to be given away" by the media. They seem almost to be victims of how open they are about these data transfers and I sense an exasperation between the lines when reading their response [https://digital.nhs.uk/data-and-information/data-collections...].
I agree that there are serious problems with non-experts administering these systems at local levels as well. There's no good answer right now, IMHO, only less bad ones. But there is a huge difference between the two main policies here in the scale of damage that could be caused by a catastrophic failure.
For the same reason, I have limited sympathy for the idea that this is just another internal data transfer and people are getting worked up without cause. The NHS isn't really a single organisation, the people pushing for this aren't really clinical staff, and there has been a long and undignified history of screw-ups when it comes to patient confidentiality and larger data sharing schemes. Caution does seem to be in order here.
Especially with the fact that very recently 10% of vaccinated individuals were secretly location tracked to see if it changed their behaviour it would be difficult to put trust in a central authority that they wouldn't abuse this data.
Not sure if NHS has this concept, but in other health systems, the NHS equivalent (an economy that operates a health system o.b.o a government) is a set of service providers, with data custodians at the edges. Custodians hold accountability for health information privacy, where service providers are accountable to a custodian. It all rolls up into these entities. Health admins tend to forget that the relationship they are scaling is between physicians and patients, and it is not the government managing the veterinary system for a person farm. This health system as proxy for public policy issue is dangerous.
If you see my previous comment on this thread about objections to data collection, an opposing view of another health tech and policy expert would be really valuable to the discussion.
That's more or less how it ends up working in the NHS, and I guess it's Conway's Law playing out again rather than being intentional.
Health is particularly difficult because it's both data that needs to be accessible by a large number of different people/organisations and also about as sensitive as you can get. Any attempt to make the data more secure necessarily slows access, but making the data more accessible also makes it less secure.
Having seen the quality of some of the systems holding this data on the edges, I would rather see a central database and a lot of funding go into the technology of that system. Why? Because I agree with your other post, that technical controls are the only solution. Controls that could make it impossible for the data to be misused or leaked, or at least make access auditable. That's where the research and funds should be spent.
Ideally, that could be done by every data custodian at the edge, but I just don't think that will happen. It's easier to solve the problem in one place than in 10s or 100s or 1000s of places.
In the UK, there are lots of central data repositories holding pretty sensitive information. I think it's fair to say that the government wouldn't have much problem finding your health data, along with detailed census/tax/internet/phone/travel data, if they decided they wanted to.
This is more or less how it works in Israel. The EMR is owned and controlled by the state. Four private HMOs compete (in the literal sense) to provide services as efficiently and high quality as possible, according to their government licenses.
It marries the public sector ability to build giant-ass systems for its citizens, with the private sector's ability to compete. Moving here from Canada I'm beyond shocked how much more efficient, higher quality, and cheaper this system is. I could never go back now.
For example: the second I get a prescription it's available in 100% of the pharmacies in the country (that carry my drug). All I have to do is walk in to the one I want, swipe my card, and ya'ala done. I can even check on an app what pharmacies have said drug in stock, and plot a route there.
1. 4 HMOs total, not hundreds. That's a big difference, it's still pretty centralized.
2. The HMOs actually compete on very little, mostly customer service. They are heavily regulated and have to provide services to a spec that's spelled out by the government, including pricing.
3. These 4 HMOs are mostly historic in origin; starting a new one would probably need to be initiated by the government.
4. For example, your example of (digital) prescriptions being filled by any pharmacy: that's a regulation codified in law. And while 100% of pharmacies can fill it, only those with an arrangement with your HMO will give you the subsidized price.
I'd argue that all I really want them to compete on is customer service. All in all this sounds pretty perfect to me. We get quality care, but some element of competition. I've lived under three different types of systems - this seems by far the best.
If this was 30 years ago, there would be no corporations involved directly, but the entire analysis of these records would be done in government institutions or academic hospitals.
Corporations would only be there to provide the hardware and basic software such as OSes.
Can we please get a law that any crowdsourced data and all derivative works belongs to the public?
And can corporations please go back to their role of building products that aid in research, such as computer hardware and software? Combining "building software and hardware" and "needing to look at data" is a source of trouble. Your software can look at the data, but not you. We'll run the software.
The fact that GPs are acting as some kind of custodians for this data isn't it also the same problem? This data should belong to their owners: the patients.
There are quite a few problems with that in the case of medical records.
Some of this information may be urgently needed at a time when the patient is not capable of giving informed consent for its disclosure or does not have it immediately available.
Some of the information may be vital to the future healthcare of the patient and would cause serious harm to them if it were lost.
And in more of a morally grey area, some information might be harmful to the patient if they had it. For example, consider the implications of bluntly disclosing various mental health diagnoses to someone who doesn't fully understand what they mean and whose condition means they won't necessarily respond rationally or beneficially to the information.
In this case, having the records kept locally by exactly one organisation that is run by medical professionals who are bound by strong professional ethics seems like a reasonable policy.
This creates strawpeople of ideal government and an ideal medical industry, and gives all power and trust to them.
We need to find solutions within the realities of government and industry power and effectiveness.
Also, there is no reason people can't make this decision for themselves. Who are you to tell me what I must do with my personal medical records? I may decide those risks are worthwhile.
I don't think the NHS actually has the right to keep information from you simply on the "might be harmful" rationale, but I don't think that particular data protection fight has happened yet.
My instinct has always said that transparency should prevail on this kind of issue. However, as it happens, I have previously discussed this exact subject with multiple friends who work in clinical healthcare roles, and I have to acknowledge that they have almost invariably disagreed with my instinct. Given that I'm fairly sure some of them have personally treated people with serious mental health problems, I tend to defer to their expertise on this one.
I don't know what the law actually is (and perhaps none of us do since as you say the issue doesn't seem to have been tested yet) but if the medical experts are almost universally of the same opinion then I probably know what the law should be.
The keeping information private one is interesting, and more complex than it looks. I know of a case of someone who was having problems with NHS, requested her records, found some very nasty comments, complained, had her care switched to another team, and did so much better.
1) preauthorization directive
2) encrypted backups
3) no. The real reason is doctors are really scared of opening medical records and the multitude of clerical errors in them
Copy pasting in the US is so rampant one has to wonder how much liability is dormant in the different EMRs
I think transparency is the answer. In Estonia, if someone's medical record is viewed, it is recorded irrevocably. If there is suspicion that this access was not authorised or out of reach, the state itself will prosecute if you don't want to.
> There are quite a few problems with that in the case of medical records.
Only if you have a paternalistic view
> Some of this information may be urgently needed at a time when the patient is not capable of giving informed consent for its disclosure or does not have it immediately available.
What if I accept the risk I may die due to bad luck/odd circumstances to still refuse the information being handled out by anyone but me?
> Some of the information may be vital to the future healthcare of the patient and would cause serious harm to them if it were lost.
Likewise, what if I accept future risks? I have more skin in the game from losing my records than a hospital losing them anyway.
> And in more of a morally grey area, some information might be harmful to the patient if they had it.
Then what about I refuse having the information, in exchange of the information also being unavailable to anyone else?
Many people here seem to have the view "more information is good" but not collecting it in the first place seems better to me.
Hence I do no healthcare in the US, only in SE Asia where most services are available in English and Chinese anyway.
Note that if you haven't previously opted out from similar plans for data sharing, you'll probably need to opt out of two separate systems this time, one for sharing your GP records and one for sharing records from other sources like hospitals.
The deadline for notifying your GP surgery to avoid data starting to leak appears to be 23 June.
Also note that in some situations, for example if you want to opt young children or vulnerable adults you care for out of these systems as well, you may be in print-and-post territory even if you could opt yourself out using an online system.
Australia had similar with https://www.myhealthrecord.gov.au/ a few years ago. At the time you had to opt out iirc. At least apparently you can opt out at any time and your records will be permanently deleted.
Firstly, to be strictly accurate, the data here will not be anonymous, only pseudonymous.
But in any case, we are talking about a long list of often very specific observations for almost everyone included in the data set. The chances of even supposedly anonymised data with that much detail being subject to reidentification are quite high, and there are plenty of organisations that might be able to infer enough to do it, by comparing against other data sets they already hold.
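The pseudonymous-versus-anonymous point made in the comment above, as an added example that is not part of the original thread: a release-side risk check that counts how many records stay unique on their quasi-identifiers after the direct identifier is replaced by a keyed pseudonym, then applies generalisation and suppression. The field names, the key and the six sample records are constructed for illustration and do not reflect any real NHS schema.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real data, not a real schema).
RECORDS = [
    {"nhs_number": "9990000001", "dob": "1984-03-12", "sex": "F", "postcode": "XX1 2AB", "code": "asthma"},
    {"nhs_number": "9990000002", "dob": "1984-11-02", "sex": "F", "postcode": "XX1 3QT", "code": "migraine"},
    {"nhs_number": "9990000003", "dob": "1984-07-30", "sex": "M", "postcode": "XX1 2AB", "code": "eczema"},
    {"nhs_number": "9990000004", "dob": "1984-01-19", "sex": "M", "postcode": "XX1 1PF", "code": "asthma"},
    {"nhs_number": "9990000005", "dob": "1984-09-05", "sex": "F", "postcode": "XX1 2AB", "code": "diabetes"},
    {"nhs_number": "9990000006", "dob": "1931-05-21", "sex": "M", "postcode": "XX1 3QT", "code": "hypertension"},
]

# Attributes an outside party could plausibly already hold about a person.
QUASI_IDENTIFIERS = ("dob", "sex", "postcode")

DEMO_KEY = b"constructed-demo-key"  # assumption: custodian-held secret


def pseudonymise(record, key=DEMO_KEY):
    """Replace the direct identifier with a keyed pseudonym; nothing else changes."""
    out = {k: v for k, v in record.items() if k != "nhs_number"}
    digest = hmac.new(key, record["nhs_number"].encode(), hashlib.sha256)
    out["pid"] = digest.hexdigest()[:16]
    return out


def _qi_key(row, qi):
    return tuple(row[q] for q in qi)


def class_sizes(rows, qi=QUASI_IDENTIFIERS):
    """Size of each equivalence class: rows sharing the same quasi-identifier values."""
    return Counter(_qi_key(r, qi) for r in rows)


def k_anonymity(rows, qi=QUASI_IDENTIFIERS):
    """Smallest equivalence class; k == 1 means someone is unique in the release."""
    sizes = class_sizes(rows, qi)
    return min(sizes.values()) if sizes else 0


def unique_count(rows, qi=QUASI_IDENTIFIERS):
    """Number of rows that are the only member of their equivalence class."""
    sizes = class_sizes(rows, qi)
    return sum(1 for r in rows if sizes[_qi_key(r, qi)] == 1)


def generalise(row):
    """Coarsen quasi-identifiers: year of birth only, outward postcode only."""
    out = dict(row)
    out["dob"] = row["dob"][:4]
    out["postcode"] = row["postcode"].split()[0]
    return out


def suppress(rows, k, qi=QUASI_IDENTIFIERS):
    """Drop rows whose equivalence class is still smaller than k."""
    sizes = class_sizes(rows, qi)
    return [r for r in rows if sizes[_qi_key(r, qi)] >= k]


if __name__ == "__main__":
    pseudo = [pseudonymise(r) for r in RECORDS]
    print("pseudonymised: k =", k_anonymity(pseudo), "unique =", unique_count(pseudo))

    coarse = [generalise(r) for r in pseudo]
    print("generalised:   k =", k_anonymity(coarse), "unique =", unique_count(coarse))

    released = suppress(coarse, k=2)
    print("suppressed:    k =", k_anonymity(released), "rows kept =", len(released))
```

Pseudonymising alone leaves every constructed record unique on date of birth, sex and postcode; generalisation still leaves the one outlier exposed until it is suppressed, and the clinical codes themselves are untouched by any of these steps.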
There is no way to know, because it's impossible to quantify either the expected costs or the expected benefits.
On the benefit side, there is simply no way to know what good things could come from giving the right person easier access to this data. Maybe the only thing between us and a cure for ten different types of cancer is a one-week number crunching exercise by the right university research group. Maybe we'll go twenty years and no big advances will result that wouldn't have happened anyway.
On the cost side, as ever with privacy, most of the real damage in the event of a breach isn't likely to be directly financial. What is the cost to a 20-year-old struggling with their identity if information about their sexual health leaks and betrays their situation to their friends and family before they want to be open about it?
How many jobs might be lost by women in their 30s or 40s because someone at the potential employer discovered they'd been having treatments that could be related to pregnancy or fertility in recent years and took steps to avoid hiring someone who might need maternity leave soon?
What might happen to your ability to get health or travel insurance ten or twenty years from now if you ask your doctor today about a symptom that is probably nothing but could be a sign of a serious condition? Or to your children's ability to get insurance in the future, if you ask about a symptom that could relate to a hereditary condition?
How many people, fearing the answer to these kinds of questions if their health records are shared, might not ask the doctor about something potentially important at all? How often will that conversation that never happens prove to have devastating consequences because a serious condition then went undiagnosed and untreated? A chilling effect on doctor consultations alone could easily cost many thousands of lives. Just look at the big drop in the number of urgent referrals for people with potential cancer symptoms since the COVID restrictions have meant relatively few people are seeing their GP in person.
The only thing we really know is that this is probably a one-way trip. Once Pandora's box is open, it is unlikely it will ever be closed again. And we're being asked (or not, apparently) to take that trip based on vague, hypothetical future benefits, without any reference to the potential dangers, even though there have been quite a few examples of confidentiality breaches arising from sharing this kind of data in the past.
I suppose a cynic might say the actual cost/benefit right now is therefore infinite, because in the absence of better arguments and data about the benefits, it's prudent to assume a division by zero.
I’m guessing the primary use of this data will be for US pharmaceutical companies to find out exactly how much the UK market is worth so they know how much they can pay lobbyists to put pressure on UK-US trade negotiations.
That seems rather uncharitable. The primary use of the data almost certainly will be what it's claimed to be, helping various legitimate research groups to do their research and helping various legitimate organisations within or supporting the NHS to make sensible plans.
The real problem is the inherent risk that other uses will also be made of the data, legally or otherwise. Compliance with the rules for using this sort of data properly and securely has not historically been 100%, and this is Pandora's box. If anything ever seriously breaches, that's game over for the privacy of tens of millions of people, for life.
It's also being done very quickly, very quietly, potentially illegally, and on an opt-out basis, which should be reason enough for us to be extremely sceptical about the whole process even without the doctors here raising questions about the medical ethics involved from a professional perspective.
No as they can already get that from drug sales figures via the distribution suppliers like https://www.alliance-healthcare.co.uk/pharmacy-solutions/who... and few other players in the market who do all the logistics of supplying drugs to hospitals and pharmacies.
I worked at Unichem (now alliance-healthcare) upon the system that would produce that data that other companies would buy. No patient specific - just volume of drugs for areas and with that, still happens today.
I'm not convinced opting out is the thing that protects people. More information going to the folks that can use it to help people is the option with the most protection for folks. Having health care that is responsive in the right ways helps people. Better medicine is better for everyone.
Folks like you - the ones with strong opinions - can opt out. It is like this because more people participate, much like organ donor programs get more folks by a "yes by default" policy. And like organ donation, more is better in this case.
If you have trust issues with the government or don't trust the safety of the rollout, perhaps elect a better government.
> So please, take a default that protects people first.
Their argument is that having high-quality data to plan healthcare is protecting people.
If people want the state to manage and pay for your healthcare, the state needs information to plan that for everyone. You can already 'opt out' entirely by purchasing your own healthcare if you aren't prepared to contribute.
The state has been planning national healthcare in the UK since shortly after WW2 without needing this before. So far, I have yet to see any argument from any medical professional that the proposed centralisation of fully detailed individual patient records is reasonable or necessary for the proper commissioning of personal healthcare within the NHS system. Evidently the doctors objecting in the linked piece don't buy that argument, and although it's not explicitly stated, it's quite likely that some of those GPs are also involved with their area's CCG.
Similarly, it is already possible for research groups to contact patients with certain conditions indirectly (via the clinical professionals treating them) and invite them to participate in research programmes that they might be able to help. Again, there is no need to create the most risky personal data lake in the history of the UK to achieve this.
the first link predates the movie and isn't really the same thing. IIRC they don't edit babies in the movie.
(you're arguing with a biologist who worked in this field, I'm making the point that the movie has not fundamentally come true, even if there are some details at the edges that resemble it).
Everything is in place for Gattaca to come true. With more centralized control of health care expenditures, the incentives of bureaucrats will be lined up and full tracking of one's genetic makeup, life choices, and current conditions, the sky is the limit.
> So far, I have yet to see any argument from any medical professional that the proposed centralisation of fully detailed individual patient records is reasonable or necessary for the proper commissioning of personal healthcare within the NHS system.
The health service itself is arguing for it.
> it is already possible for research groups to contact patients with certain conditions indirectly
As the health service describes, an issue with this is that asking people to opt-in creates health planning assumptions that are biased, harming some groups.
Branding aside, there is no single health service in England. The NHS is made up of many organisations and they cooperate to provide each individual's healthcare. To be clear, it is NHS England and the DHSC who are apparently pushing for this, and neither of those organisations has a direct clinical role.
> If people want the state to manage and pay for your healthcare, the state needs information to plan that for everyone. You can already 'opt out' entirely by purchasing your own healthcare if you aren't prepared to contribute.
This is literally going against the underlying principles of the NHS. There is no 'transaction' going on here. I already contribute to the NHS through my taxes.
> This is literally going against the underlying principles of the NHS.
Bizarre claim. The underlying principle of the NHS is socialised healthcare. Opting out of contributing to allow the NHS to plan for everyone's healthcare is the opposite of being social.
> There is no 'transaction' going on here. I already contribute to the NHS through my taxes.
If you swap out private insurance companies for NHS (due to differences in funding), this is similar to the path the US is on right now. Within the next 1-3 years private insurance companies will know even more about your health than any single provider, and will use this more detailed insight to improve how they model, risk, and determine benefits for you in their favor. The people in charge of the funding fueling healthcare want to use data to improve their control of the money.
Is this possible because of Brexit or is it just more unlawful data collection in the UK? If I (in Denmark) switch GP my new GP can't see my journals without me filling out a form to allow it and hospitals definitely can't access them no matter what as it is two independent systems.
It's surely on shaky ground. The GDPR rules are still the main ones that will apply at present, and those require stronger protections by default for sensitive types of personal data such as health data. A massive data lake like this with such a generic purpose and an opt-out permission scheme is obviously not in the spirit of those protections. For it to be permitted by the letter of the law, the government will have to rely on one or more of the specific provisions relating to public health or the like, and given that even those still have quite a lot of specific compliance requirements, it's not immediately obvious to me which one(s) would allow something as broad as this.
Obviously under our political system the government can legally do whatever it wants if it can get a law through Parliament to say so, but to achieve that they'd have to be open about what they're doing and convince enough MPs and Lords that it's justified.
I had a check and it looks like the law was passed in 2012[1]. They say that gave them a legal responsibility to hold clinical information, combined with instruction from government that should be enough for this to fall under another basis in GDPR without consent being required. Not saying it's right, especially with the risk of the data being shared further once they hold it, but it'd probably be difficult to challenge.
Yes, that is probably the relevant national law for NHS Digital itself.
Then presumably they're relying on GDPR points 9(2)(h) and 9(2)(i) with reference to that national law to argue that the default prohibition on processing health data in paragraph 9(1) doesn't apply.
And then they've got public interest/official authority under 6(1)(e), or perhaps compliance with a legal obligation under 6(1)(c), as a lawful basis.
But all of that just means the processing wasn't automatically prohibited under the GDPR. All the normal rules including the principles set out in Article 5 still apply as well, and those principles include purpose limitation, data minimisation, storage limitation, and integrity and confidentiality. There are also some specific obligations around professional secrecy under Article 9 because it's health data.
Given the extremely broad scope of the intended data lake here, the ambiguity about who might end up with access to it, and the extremely sensitive nature of the data, I don't think I'd want to be the one defending NHS Digital when the seemingly inevitable ICO investigation comes.
Well, it was meant as a question but I can see it came out as an accusation but after having read about the unlawful GCHQ data collection court case the other day and then this article saying that this is "unwarranted, unparalleled in its scale and implications and quite possibly unlawful" I arrived at unlawful. Especially as this seems to go back quite some years in different forms and I'm quite positive that the EU (GDPR etc.) would not like this. But I'm neither a lawyer or live in the UK (though I do have family in England so I follow the happenings more than most foreigners I guess).
In England when you move GP records are sent to the new GP without any action from the patient (although in practice this doesn’t always work). If you move to another part of the UK this doesn’t work because the devolved nations manage their own health systems.
Apparently, there is no retroactive opting out. If you opt out after the 23 June, only new data after your opt out date will be excluded. Everything before can and will be sold, shared, etc
The point of this move is to remove a burden from GPs. They'll no longer have to worry about securely handing over data to third parties. Each GP does it in a different way with different levels of skill. This thing will make NHS Digital the first point of contact for third parties to get to the data rather than GPs. The article seems to stress that your data will now be up for sale to corporations but this is already happening to GPs.
My perception of the NHS is that it is currently swamped in paperwork. I'm not sure why we are paying highly qualified doctors to spend huge amounts of time filling in endless documents in triplicate. Does anyone know if this digitization will have any effect?
If you want to look at the bigger picture, possibly the most fundamental problem we have in England is that there aren't enough doctors. Despite the capacity problems and delays at GP surgeries that most of us have experienced at some point, there has been a downward trend in the full-time-equivalent GPs per capita in England over the past decade or so.
It's also likely that the decreasing availability of GP appointments is causing an increase in people turning up at major A&E centres instead, where it may cost far more to treat them for a non-urgent condition that a GP could have dealt with instead if one had been available within a reasonable period.
Just to add to the pressure, we also have a population that is living longer, so GPs may increasingly be helping the elderly to manage multiple conditions as well.
Reducing non-clinical overheads for doctors that take time away from patient care is certainly important, but the bottom line is that our society needs more doctors or the quality of healthcare will continue to decline.
My issue with it is central data repositories create a kind of secret surveillance para-bureaucracy with no individual accountability.
What is frustrating is efforts like this are trying to squeeze the toothpaste out of the tube, and I suspect before current techs we have today like differential privacy and tokenization make anonymous sharing and analysis viable. Medical researchers are people like anyone, they aren't some kind of priesthood, and they are going to leak and share the data and use it for political purposes as their opportunities and incentives change.
The technical controls researchers actively resist are basic corporate controls as simple as identifying everyone who logs in to view the datasets with their real names, background checks on people with admin credentials on personal health databases, probabilistic watermarking and dating cuts of datasets shared with researchers so that any leaks can be traced back to specific accountable people to contain it, and requiring a public record and accounting of the research and projects they were using the data for, using synthesized data in technical test environments and not real health information. These are basic corporate controls that aren't part of the research culture. Some places may have them, but I wouldn't be surprised if the organizations conspire to neglect their processes.
The benefits they say are for using ML for research and it will cure all manner of diseases and detect others early. This sounds great, but what is missing are legal consequences for exploiting people via their data. People aren't managed livestock, so the prestige of a few researchers needs to be balanced with the quality of the society these new data powers create. If your worst political enemy is an exception to the principle of the confidentiality of this data, then you aren't suited to access it, and to be allowed to do so compromises the whole system for everyone.
A test people could use for privacy is whether you would be ok with the activist groups operating in universities, communist party of china, and their federal police force having secret legal access to health records, and if they aren't, what rules do we need to compensate?
Inadmissibility of data in any of these data sets in legal proceedings seems like one useful control. Personal penalties for abuse and leaking of this data would be another. Licensing and professional regulation of individuals who administer systems that process personal information that has been obtained without explicit consent of individual data subjects seems complex, but I could see some version of it happening in the next 20 years.
Without these additional controls, it's just a data grab, and these GPs are right and in fact brave to resist it.
[1] https://www.nhs.uk/nhs-services/online-services/find-nhs-num...
[2] https://your-data-matters.service.nhs.uk/
[3] https://www.bma.org.uk/advice-and-support/ethics/confidentia...
[4] https://medconfidential.org/how-to-opt-out/