Cookie policy notice

By continuing to use this site you agree to our cookies policy below:
Since 26 May 2011, the law now states that cookies on websites can ony be used with your specific consent. Cookies allow us to ensure that you enjoy the best browsing experience.

This site is intended for health professionals only

At the heart of general practice since 1960

Patient records handed out to 56 private sector organisations data controller reveals

Medical record information has been released by the Health and Social Care Information Centre on more than 450 occasions, to recipients including 56 private sector organisations, according to a new register published in response to transparency concerns.

The HSCIC’s first audit of data disclosures since being established in April 2013 shows that private healthcare providers - including Bupa, BMI and Care UK - and management consultants, like McKinsey, PwC, Ernst & Young and GE Finnamore, have received patient data.

In total 160 organisations have been given data, with 104 classified as health and social care organisations – including universities and charities.

The audit of data disclosures was published to demonstrate the NHS is working to improve ‘transparency’ in the way patient data is used, after NHS England’s controversial GP data sharing scheme was delayed because of lack of public awareness.

It found that data was released 347 times in ‘pseudonymised’ form - with key identifiers removed – but identifiable data has been released on 75 occasions. The majority of records were Health Episode Statistics collected from hospitals.

The HSCIC states that all data releases were done with a strict legal basis, such as patient consent or with a section 251 exemption, where identifiable data can be released without consent if approved by an independent advisory group.

It does not profit from the selling of data and only charges the cost of recovery for creating data sets.

The reasons for disclosures varied from disease research to annual outcomes censuses.

A spokesperson for BUPA said: ‘Bupa has a dedicated company in the UK, Bupa Health Dialog, that provides analytics services for the NHS and we use the NHS data to allow us to do this work. The data is anonymised and we cannot identify any individual patient. This work helps the NHS to use its resources efficiently and benefits the UK taxpayer. The data is ringfenced by law and only specific named individuals can see or access it.’

A spokesperson for E&Y, one of the consultancies that received data, said: ‘This data helps inform statistical research on the links between quality and cost, to help NHS trusts deliver high quality safe services efficiently. It will not be resold to any organisation, and is used solely for work with our NHS clients. Data is made available under the UK Government Licensing Framework and release is compliant with the Data Protection Act 1998.’

HSCIC chair Kingsley Manning said: ‘By placing this register before the public the HSCIC is taking an important step towards the full transparency needed to help the public gain confidence in the services we provide.’

‘We are absolutely committed to encouraging scrutiny of our work and we welcome feedback on today’s register, which is important towards informing the structure and clarity of future publications and indeed to the organisation as it develops.’

‘This is about ensuring citizens and patients are clear about how data is used to improve the health and social care received by them directly and by communities as a whole.’

However, patient privacy group medConfidential claims that the HSCIC had failed to disclose particularly sensitive examples of data releases.

Phil Booth coordinator of medConfidential said: ‘Despite saying it has turned a new leaf, HSCIC is deliberately concealing releases of data that might cause itself, or ministers or other officials, embarrassment or political damage.’

‘The Information Centre’s lack of transparency is clearly not as “innocent” as its Chair has claimed.’

The HSCIC denies these allegations, saying: ’ The Health and Social Care Information Centre (HSCIC) strongly refutes any allegations that information has been omitted from this register.

Adding: ‘We are confident that the register covers all releases that were within the publicly defined scope of the document,’.

Readers' comments (4)

  • Vinci Ho

    (1) One can see this is the knee jerk action to 'prove' everybody involved in this selling of data is 'innocent'.
    (2) What are the criteria to qualify an organisation to buy data from HSCIC?
    (3) ....only specific named individuals(hence more than one) can see or access it...... So who are they?
    (4) ....it will not be resold to any organisation ....OK, understood . But do you know data and files are shared legally and illegally everyday in all kinds of websites on Internet everyday. That's why many people do not buy CD records anymore.Share the data with your 'mate' organisation , who knows ?
    (5)What about industrial espionage ? It may be very 'safe' when a data is still inside HSCIC but what if it is not anymore?
    (6)We had history where drug companies managed to manipulate with trial data to cover up potentially fatal side effect of a new drug. Credibility and honesty are always questionable out there in the wild world.

    Overall , does one believe this publication of HSCIC had substantially increased people's TRUST on how the government/DoH/NHSE et al will handle this massive amount of patients' data.
    Remember , we are talking about TRUST not merely transparency.........

    Unsuitable or offensive? Report this comment

  • Kingsley Manning was on a charm offfensive yesterday R4 5 oclock news .stressing over and over that no breach of confidence is possible.admitting the mistakes made have been serious but cannot be replicated and did in no way admit what this article reveals - trust them now?! .there is no 100% confidentiality possible when 'only specific named individuals can access it' confidentiality has already been breached unless persons have given consent. Smooth talking won't do it

    Unsuitable or offensive? Report this comment

  • This comment has been moderated

  • Yes but you are ignoring the government body (MHRA as CPRRD) who sell the data on to whom ever they wish which is not recorded in this document (and includes the ONS =sensitive data) ....

    The HSCIC doc says :
    CPRD seeks to enhance the research capability and value of its primary care database by adding details of relevant (matched) secondary care events from the HSCICs HES database. The new enhanced data will be made available to CPRD customers for use in academic research, pharmacovigilance, drug monitoring, and health outcomes analysis. CPRD operates within the MRHA, a UK Trading Fund organisation.

    Unsuitable or offensive? Report this comment

  • Don't trust the NHS, obtain a false identity to protect yourself and your data.

    Unsuitable or offensive? Report this comment

Have your say

IMPORTANT: On Wednesday 7 December 2016, we implemented a new log in system, and if you have not updated your details you may experience difficulties logging in. Update your details here. Only GMC-registered doctors are able to comment on this site.