This site is intended for health professionals only

NHS data extraction programme poses ‘enormous threat’ to privacy

Prominent Conservative MPs have questioned the legality of the Government’s data extraction programme, saying it poses an ‘enormous threat’ to patient privacy and trust in the health service.

Former shadow home secretary and Conservative party leadership contender David Davis, MP for Haltemprice and Howden, said the extraction would present a ‘honeypot of data’ to hackers.

NHS England’s programme will share confidential information from GP records with commissioners, research organisations and private companies in de-identified and identifiable forms. NHS England wrote to all GP practice in England in the last two months informing them they must make patients aware of the extracts, and their right to opt out of having data shared.

The Information Commissioners Office has previously told Pulse that if GPs do not take reasonable steps to make patients aware then they could face legal action under the Data Protection Act (DPA).

Speaking at the Conservative party conference in Manchester, Mr Davis said the duty to share data set out in the Health and Social Care Act did not necessarily override the DPA.

He said: ‘Unless the Health and Social Care Act overrides the Data Protection Act, then it’s not an exemption to it. It wouldn’t be the first time the Information Commissioners Office had got it wrong, got poor legal advice.

He added: ‘If you put records on the internet you put the DH in a position where they have a honeypot of data. If hackers can take on Microsoft, how long until they get to the DH - a department which has never had a successful IT project?

‘There are big gains to be won here in research and access, but an enormous threat to privacy and patient trust. We need stratification, anonymisation and proper accountability. If you steal my data it’s a step down from blackmail. If you steal my data you should go to prison.’

Health Select Committee member, former GP and MP for Totnes Dr Sarah Wollaston echoed concerns.

She said: ‘The point is, there is an issue of potential legality, whether or not GPs will be in breach of data protection. My issue is that people of capacity should have the ability to opt in, but this absolutely should be an opt-in system.

She urged patients to access their medical records and correct any errors. Medical records will be full of other people’s notes, mistakes’ and ‘perjorative remarks’, she said.

She added: ‘A model of sharing records in Torbay meant you didn’t have to repeat your story to lots of different profession. It’s important because sometimes patients were discharged and there was a change to their drug regime and I didn’t know about it until two or three weeks later.

‘But this should be done with the proviso that you have the right to opt out. These are your records, not the health secretary’s.’