Is the government telling us the truth about GDPR and our NHS medical data?

Campaigns Democracy Health Law

First appeared in  on 25 June 2018

If you want to make sure your medical data isn’t shared with third parties for unknown purposes, you may need to take action now. Here’s why – and how.

Image: Yuri Samoilov/Flickr, CCBY licence.

If you happen to visit your doctor in the next few weeks, you may (or may not) spot a new poster or leaflet; they are NHS blue, with a yellow stripe at the bottom, headlined “Your Data Matters to the NHS”. Like all those e-mails you’ve been receiving asking you to opt in to receiving marketing, the poster and leaflet has been prompted by GDPR – but it’s about something rather different, and the choice you are being offered is an opt out, not an opt in.

Simply put, if you have concerns about what’s being done with your medical records – who is getting access to them, and how are they being used – you have the right to opt out of uses of your own health information for purposes beyond your individual care.

This ‘new’ National Data Opt-out that you may (or may not) hear of is in fact based on one of the old opt-outs, formerly known to doctors and Government as a ‘Type 2’, renamed so that – by 2020, we are told – care providers all across the NHS and care system will be able to see and honour your consent choice about what happens to your medical data.

Great, in theory. But in practice?

If you do see the poster, and follow the link – it’s – you’re told you can exercise your right to choose using a new ‘digital’ opt out process. Unfortunately, NHS Digital’s new process ignores the reality of many patients’ lives and – despite Government digital guidelines – fails to serve families, or the most vulnerable. So much for bridging the digital divide, and reaching the ‘furthest first’…

Notably, too, if your family has children under the age of 13, or if you look after a dependent older relative, then things are even more complicated. Rather than giving a simple instruction to your doctor, those who would prefer their children’s data wasn’t sold to third parties for unknown purposes, will be required to send to NHS Digital, by post, four pieces of ID and documentation along with a seven-page form. So much for Jeremy Hunt’s much-vaunted commitment to a ‘paperless’ NHS

So much for the process – what then happens to your information?

The poster and leaflet go on to say:

In May 2018, the strict rules about how this data can and cannot be used were strengthened. The NHS is committed to keeping patient information safe and always being clear about how it is used.”

You only have to look at (our slightly more readable version of) NHS Digital’s Data Release Register at to see that little substantive has changed in practice.

NHS patients’ data is still being sold to a variety of customers – including for-profit ‘information intermediaries’ which continue to serve commercial customers of their own, including pharmaceutical marketers and private providers.

The law, however, has changed.

As of May 23rd, the UK has a new Data Protection Act 2018 – replacing the expired 1998 Act and bringing the provisions of GDPR into UK law.

NHS Digital, however, holds itself to the Information Commissioner’s old, pre-GDPR, non-statutory Code of Practice on Anonymisation – claiming this allows it to continue to ignore 1.4 million patients’ opt-outs, as it carries on selling ‘Hospital Episode Statistics’ data.

This approach has passed its sell by date; GDPR provides a wider definition of what is ‘identifiable’ data – i.e. data that can be used, including by combining it with other sources of data, to identify individuals, even if supposedly anonymised. UK law agrees with this wider definition, at least in theory – and both GDPR and our new Data Protection Act agree that any information about a person’s physical or mental health is sensitive personal data, and requires additional protections.

Given that ‘Hospital Episode Statistics’ (HES) consists of ‘patient-level’ lifelong medical histories – each row in the data referring to a single person, with every individually-dated hospital event they experienced linked together using a ‘pseudonym’, and containing many other items of data that can act as ‘identifiers’ – it can count as ‘identifiable’ data under the new law and therefore also sensitive personal data, as medConfidential and others have been saying for years – although confusion over the new laws seems to have stretched to the top of NHS Digital, and discussions are ongoing.

Why does this matter? Your medical history is like a fingerprint – unique to you, and identifiable by almost trivial means: a mother with two children is over 99% likely to be identifiable from their children’s birth dates alone, and a single news report could provide the information required to identify the unfortunate subject’s entire hospital history. A single breach of HES could expose millions of patients’ hospital histories, a disaster orders of magnitude greater than the loss of the HMRC Child Benefit discs in 2009.

This also means that, as of May 25th, any customer of NHS Digital receiving full copies of HES is now handling identifiable, sensitive personal data – so if any patient’s opt-out is not being honoured (i.e. if their row of data is not being removed from HES) then, once again, NHS patients are being lied to. You can check for yourself the lists of organisations with projects that ignored opt outs, and those that honoured them, at

Aside from the posters and leaflets, some patients are being written to directly. But only those who already opted out – clearly NHS England is content, as it was in 2014, for large parts of the rest of the population to remain in the dark. (While NHS Digital must write to those patients who opted out already, it is NHS England’s responsibility to communicate with everyone else.)

Is what patients are told true? The opt-out should apply to all identifiable data; is that what NHS Digital is doing?

NHS England is looking to “empower the patient” by giving already empowered patients marginally more, while ensuring it remains accountable to no-one. For example, aside from “research and planning” uses, how does NHS England itself use data? And can a patient see the list?

medConfidential works to ensure every use of patients’ data is consensual, safe, and transparent. Unlike NHS Digital, NHS England has largely avoided writing down who does what with patients’ data and why, and because of that has accumulated a massive transparency backlog. Though they go beyond research and planning, NHS England’s current uses are likely (almost) all legal – but it can’t explain how, and some of its proposed future uses are still obscure.

medConfidential believes there need be no conflict between good research, good ethics and good medical care; indeed we are enthusiasts of lawful, ethical medical research. By and large, the standards researchers have to meet mean their use of NHS patients’ data already meet GDPR requirements – the paperwork they have to fill in has helped in that.

Commercial deals

Many people have concerns about private companies doing data processing for the NHS; cases such as the illegal deal between Google DeepMind and the Royal Free Hospital suggest some caution is justified. The most toxic problem, however, remains commercial reuse by ‘information intermediaries’ – some of which appear in the list of organisations that have breached not only their contracts with NHS, but existing data protection law.

Promises about the NHS “always being clear about how [patient information] is used” (that poster again…) ring somewhat hollow, while for-profit companies continue using contractual agreements with the NHS as a figleaf to do work for commercial customers such as Pharma marketers who – despite promises elsewhere that patient information won’t be used for “marketing purposes” – use the information to market to doctors.

Patients should know how their information is used if they are to make an informed choice. ‘Your NHS Data Matters’ provides some information about this, but omits some of the more unpalatable truths about what is happening – undermining the important promises it makes.

If after checking what the NHS says and what it does, you do have concerns, medConfidential suggests you opt out now. Opting out will not affect your individual care, and you can always opt in later – e.g. when you are satisfied proper protections are in place.

If you use medConfidential’s opt-out form, your GP data will be covered as well as your hospital data.

About the author

Phil Booth co-ordinates medConfidential – campaigning for medical data privacy. For more on how the changes will affect your medical records, visit medConfidential’s ongoing ‘masterclass’ blog series.