• Data from opt out patients included in two thirds of NHS Digital releases
  • NHS Digital argues releases do not pose patient confidentiality risk and comply with ICO rules
  • Lobby group says releases do not comply with rules and “go directly against what patients think is happening” to their data
  • ICO set to make key ruling on issue which could have huge implications for patient data sharing

Over two thirds of NHS Digital data releases between April and August included information about the 1.2 million patients who have asked for their records not shared for purposes beyond direct care.

Patient opt outs were not applied to 1,877 of the 2,571 data releases during the five month period, NHS Digital’s latest data release register reveals. The data was sent to NHS, research and private organisations.

It is the first time the register has explicitly said whether or not patient opt outs were applied.

Whether or not the opt outs should apply to these releases – which includes the hospital episodes statistics dataset – is the subject of a contentious debate that could have substantial ramifications in terms of how and what data is shared.

NHS Digital argued that even where it had not applied the opt outs it was acting legally, responsibly and in the best interest of patients. A spokeswoman told HSJ there was minimal risk of confidentiality issues arising from the type of data being released, which it said was anonymised in line with the Information Commissioner’s Office’s code of practice, and therefore did not contain confidential information.

The spokeswoman said where data was identifiable, patient consent had been given.

However, MedConfidential said the register “shows opt outs are not being respected” and that this was “going directly against what patients think is happening when they opt out of their data being shared for reasons beyond direct care”.

The news comes with both sides awaiting a key Information Commissioner’s Office’s ruling on the anonymisation status of the hospital episodes statistics data – which makes up around half of requests in the latest register.

NHS Digital’s latest data release classifies HES data, which contains information from acute, primary care and mental health trusts, as “anonymised – ICO code compliant”.

MedConfidential argues HES does not meet anonymisation standards and patients could be identified from the data in these releases, and says HES data from the 1.2 million patients who have asked their data not be shared should not be released.

The ICO confirmed to HSJ it is investigating the group’s argument but no date has been set for when it will make its announcement.

Academic researchers have raised serious concerns to HSJ that they will not be able to get hold of whole data sets should the ICO rule against NHS Digital and this could have major ramifications on the quality of medical research.

But MedConfidential told HSJ researchers would still be able to obtain whole data sets when necessary, and “if the correct protocols are followed”. Coordinator Phil Booth said: “There are perfectly good reasons why some researchers may sometimes require an entire data set, including those who have opted out. Researchers who have a legitimate reason to obtain the full data set can do this by getting permission from the confidential advisory group.”

The vast majority of releases are made to NHS organisations, councils and academic researchers. However, the releases that have raised the most concern are those to private firms.

Just over 10 per cent of the 1,877 releases made without opt outs being actioned were to around 20 private firms such as Capita, Harvey Walsh, McKinsey and Dr Foster – in nearly two-thirds of these cases HES data was shared.

Mr Booth said: “After the Care.data debacle, this will only make people further question whether or not the NHS can be trusted with patients’ confidential and sensitive data.”

A NHS Digital spokeswoman said: “Our public register details all data releases shared under agreement with organisations, the vast majority of whom are NHS, university or charity bodies.

“The register includes a very significant number of releases that are anonymised in line with the ICO code of practice, which means the type two opt out is not required given the data is not confidential patient information.

“We are absolutely committed to upholding patient opt-outs and continue to do so in line with legislation and working closely with bodies like the ICO and the [national data guardian]. We are also committed to making details of what we do public, which is why we added the application of opt outs to the register.”