NHS Digital has avoided regulatory action from the Information Commissioner’s Office over its treatment of patient data.
The ICO announced on 10 February that, after an assessment into NHS Digital and the organisation agreeing to the recommendations, “regulatory action will not be necessary at this stage”.
In April last year, the ICO criticised NHS Digital, then called the Health and Social Care Information Centre, for not honouring the wishes of patients who had opted out of sharing their records beyond direct care.
The ICO published an undertaking requiring NHS Digital to make changes to how it shared patient data. NHS Digital was obliged to honour all these opt-outs, known as “type 2”, by 19 October, 2016.
In a statement, an ICO spokesperson said: “A formal assessment by ICO good practice auditors in December identified a small amount of work to do, but the team was satisfied that the requirements of the undertaking were being met”.
“NHS Digital has agreed to the ICO’s final recommendations and, as a result, the ICO is satisfied that regulatory action will not be necessary at this stage”.
The report recommended that the wording on NHS websites is changed to clarify that NHS Digital was not honouring opt-outs from January 2014 to 29 April 2016. The ICO also said NHS Digital should review educational material for organisations, to place great emphasis on honouring opt-outs.
In an addendum to the report, NHS Digital agreed to meet these two recommendations by 18 April. The wording has already been clarified online at NHS Digital.
An NHS Digital spokeswoman said the organisation was “respecting type 2 opt-outs robustly and consistently across all our disseminations”.
“We have met both the spirit and the letter of the Undertaking, which has now been confirmed by the ICO’s review of our response.”
In its report, the ICO said NHS Digital had contacted patients whose data was affected and established a system to uphold Type 2 objections.
In October last year, two days after the ICO’s deadline, NHS Digital said it was complying with the rules about sharing patient information. A spokeswoman said the organisation had been respecting type 2 opt-outs since 29 April, 2016.
However, a month earlier, Digital Health News reported that some patients had still not had their wishes respected as NHS Digital was chasing up organisations to destroy the data. At this point, NHS Digital had processed more than 2.6 billion records and removed 61.7 million to honour type 2 opt-outs, using a new patient system that cleans files prior to dissemination.
The opt-out was developed in response to privacy concerns about the now-defunct care.data programme, which proposed expanding the amount of patient data collected centrally and shared with third parties.
Patients have been able to use the type 2 opt-out since late 2013, with about 700,000 people requesting their health data not be shared beyond direct care.