• NHS Digital now able to “respect each individual’s wishes about whether their data can be shared”
• Data from confidential medical records is still being disseminated without patients’ knowledge
• Information Commissioner’s Office yet to formally decide if NHS Digital has met its undertakings

NHS Digital says it has “met the terms of the undertakings” agreed with the Information Commissioner’s Office to remedy serious data breaches involving the medical records of 1.2 million patients.

The ICO issued undertakings in April after data was shared against patients’ wishes.

The deadline for these to be met was 19 October, though the regulator will make a formal judgment later this year on whether it views the NHS data centre as compliant with the undertakings.

A key condition was for NHS Digital to contact all recipients of data from the 1.2 million patients who raised a “type two opt-out”, which should have prevented their information from being shared. Recipients – third parties such as research and commercial organisations – were told to delete this data where possible.

An NHS Digital spokeswoman said: “We have contacted all organisations who have received data which may have contained information about those people who had raised a type two opt-out, asking them to determine if they are able to destroy the data if they have not already done so, which is in line with the undertaking.”

NHS Digital said it had received responses from all companies and organisations. Those that were in a position to delete the data had done so.

However, the spokeswoman acknowledged that some companies have already processed the data and used it as part of business intelligence information or for research. This data could not be destroyed or deleted.

She added that the 1.2 million patients whose data may have been used in this way, against their wishes, have now been made aware that their personal data has been shared with third parties.

NHS Digital informed patients by sending information to their GPs, sharing information with patient groups, and posting information in GP practices and on NHS websites.

A new system has been in place since April to meet the ICO undertaking to ensure that patients who wish to opt out have their wishes processed and upheld.

“We are confident that we have met both the spirit and the letter of the undertaking, but we will await official guidance from the ICO, which will be reviewing our response later in the year,” the NHS Digital spokeswoman said.

NHS Digital agreed to seven undertakings to remedy the breaches.

The ICO took action following complaints by privacy campaigners about the way in which NHS Digital shared patient data for purposes other than direct care.

Last month HSJ reported that more than a third of the organisations that had received unauthorised NHS data had failed to respond to NHS Digital’s request to destroy it.

An ICO spokeswoman said: “We acknowledge the progress NHS Digital has made to ensure patients’ wishes to opt out of data sharing are implemented as set out in the undertaking signed in April.

“While we understand there is still a small amount of work to do, at this stage we are satisfied that the requirements of the undertaking are being met. There will be a formal assessment later in the year.”