Government health data sharing may break EU law

News by Tim Ring

Imminent moves to gather all English health data together may breach planned new EU data protection regulations

A Government plan to collect the health data on every person in England on a single database – and then share the information among health professionals - is being threatened by data privacy fears and the likelihood that it will break the upcoming new European-wide data protection law.

The NHS is leafleting all 22 million households in England this month to explain that from April, under the ‘' programme, electronic patient records from every GP practice in the country will be centrally gathered and shared with researchers from academia and pharmaceutical companies.

Under the plan, the Government's Health & Social Care Information Centre (HSCIC) will merge this new swathe of GP data with existing hospital information, and more data from social care and community services. Each person's record will be anonymised, using their date of birth, postcode, NHS number and gender to identify them, rather than their name.

The scheme will allow people to opt out of sharing their data - but campaigners point out that the planned EU data protection law currently insists that individuals must have the right to directly ‘opt in' to data sharing.

The proposal has pitted medical charities, who insist the NHS data sharing will save lives, against privacy reformers, who support the right of people to actively choose to share their data.

Charities and medical research organisations including Arthritis Research UK, Cancer Research UK, Diabetes UK, the British Heart Foundation and the Wellcome Trust last week launched a joint advertising campaign urging people not to opt out.

And in a press statement, Dr Jeremy Farrar, Director of the Wellcome Trust, said: “Patient records will provide a rich source of important data that can help researchers develop much-needed treatments and interventions that can improve and even save people's lives."

But in an emailed statement to, Nick Pickles, director of Big Brother Watch, criticised the fact that “some research organisations seem to think patient choice and consent is an annoyance, rather than an issue of respecting people's right to decide what happens with their private medical records”.

He added: “As ever, there seems to be a deliberate effort to exaggerate the implications of a proposal to undermine its objective, namely ensuring people have the right to decide what happens to sensitive information about them. Given the growing evidence that supposedly anonymous research data can be re-identified, a risk that is only going to increase, this seems an entirely reasonable position that respects and protects our privacy.”

Another concern is that data may not be anonymised in all cases. HSCIC will be able to share identifiable information about people with researchers providing they are “approved organisations for approved purposes, and there must be a legal contract in place with penalties for any misuse of the information”.

Permission to share must be granted by the Secretary of State for Health or the Health Research Authority (HRA), on the basis that the research is in the public interest and it is not possible to use anonymous information nor to ask the individual's permission (for example if there are extremely large numbers of patients involved).

HSCIC is trying to calm people's fears over this. A spokesperson told “Readers should be reassured to know that the HSCIC Board last week agreed that a report detailing who we give data to and the grounds on which it has been released, will be made public on the website every quarter.

“We are absolutely committed to the public understanding what is being done with their information as well as to people realising they have a right to object, if they feel uncomfortable with the process.”

NHS England's Chief Data Officer Dr Geraint Lewis has also insisted that the data will not be for sale, saying: “Patients and their carers should know that no data will be made available for the purposes of selling or administering any kind of insurance and that the NHS and the HSCIC never profit from providing data to outside organisations.”

But for those people still worried, the guidance explains: “If you do not want information that identifies you from being shared outside your GP practice, inform a member of staff at your practice. They will make a note of this in your medical record. This will prevent your information being used other than where necessary by law, such as in case of a public health emergency.”

Meanwhile, the UK Government was already trying to water down the draft EU data privacy law - and this threat to its flagship medical data sharing programme has only increased those efforts.

The Ministry of Justice has been negotiating for the EU legislation to be less prescriptive and to balance the needs of civil liberties while allowing for economic growth - on the grounds that in its current form it will cost UK businesses up to £360 million a year.

Now the fear that could infringe the law been raised by Department of Health officials, according to a 21 January report in The Daily Telegraph. A DoH spokesperson confirmed to “We are fully aware of the negative impact this (law) would have on both and UK research and we are working with the Ministry of Justice to negotiate changes.”

The programme has already been implemented in a small number of GP surgeries who have been piloting the scheme since June 2013.

The Government said national rollout has now started across all GP practices in England. They are currently being sent an information pack containing guidance and materials so they can begin the process of engagement with patients - and allow time to raise patient awareness so that any objections can be recorded.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews