• NHS Digital suspends release of patient data amid confusion over 11th hour GDPR guidance
  • Releases resume but “operational issues” with anonymising patient data being discussed with Information Commissioner’s Office
  • Comes on the day NHS England launches a public campaign to promote data sharing in the NHS

The release of millions of patients’ anonymous data was temporarily suspended last night, amid concerns that it may fall foul of new data regulations, HSJ has learned.

Emails seen by HSJ show on Thursday night, the day before new EU-wide general data protection regulations came into effect, staff at NHS Digital were ordered not to release any “anonymised” patient data.

The direction came from NHS Digital’s medical director, Martin Severs, who was concerned that GDPR guidance released at a late stage by the Information Commissioner’s Office could mean this patient data was no longer legally deemed anonymous.

In another email, sent around midday today, Professor Severs said the data sharing could resume.

“After this morning’s pause and detailed discussions with senior managers and subject matter experts we should continue the normal practice of disseminating data anonymised,” he said.

However, the email also suggested questions remained about what patient information is now considered anonymous and could therefore be shared without compromising a patient’s privacy.

“There are some operational issues which the ICO document raises, which we are working through with the ICO and will inform everybody when we have reached an agreement with them,” it said.

NHS Digital is the designated national “safe haven” for NHS patient data, and holds confidential information about millions of patients.

Much of this information, such as Hospital Episode Statistics data, is shared regularly with hundreds of outside organisations in an “anonymous” form, theoretically making it impossible to identify any patients.

The information is used by researchers and commercial companies but also the NHS to plan health services and track public health.

NHS Digital anonymisation practices have been challenged before, by privacy group MedConfidential in 2016, but the ICO did not uphold the complaint, finding they were in-line with its own code of anonymisation.

Confusion has now arisen because the ICO code is based on the previous UK law that, as of today, has been superseded by the Data Protection Act 2018, introduced to bring the UK into line with GDPR.

Among many other changes to data regulations, under GDPR a broader range of information is now deemed personal and identifiable and therefore subject to new protections and penalties if misused.

In theory, this means information that was previously deemed anonymous may now be deemed identifiable.

On Thursday night, the ICO updated some GDPR guidance that made it clearer a tougher standard will apply on what information will need to be removed to mask a patient’s identity. However, it has yet to update its code of anonymisation to reflect the law change.

The confusion comes on the same day NHS England launched a new six-week publicity campaign to re-build the public’s trust in the NHS’s ability to handle and share their data securely in the wake of the failed Care.data scheme.

NHS chief clinical information officer Simon Eccles said: “This campaign will highlight to the public how the health and care system uses their data, safely and securely, to improve the care they receive, plan services and research new treatments and to tell the public ‘their data matters to the NHS’.”

To coincide with new tougher fines and transparency requirements under GDPR, the NHS has also launched a new national patient opt-out today.

This will allow patients to opt-out of sharing their identifiable health data beyond individual care, such as for NHS planning or research, in most instances.

NHS Digital will start applying the opt-out to national data collections from today, with other health and care organisation expected to honour patients’ preferences by March 2020.