Government confirms national opt-out for patient data
- 12 July 2017
The government has confirmed that patients will be able to opt-out for sharing their data beyond direct care.
The promise was made in the government’s response to Dame Fiona Caldicott’s, the national data guardian review into data protection, and says that the national opt-out will be implemented from March 2018.
Published 12 July by Department of Health, the report says there will be an opt-out option for patients who do not want to share their data beyond direct care, which will be applied across the health and social care system.
This comes as last week the Information Commissioner’s Office found a data transfer between the Royal Free NHS Foundation Trust and Google’s DeepMind did not comply with the Data Protection Act.
Helen Stokes-Lampard, chair of the Royal College of GPs, said: “What is essential is that the NHS is beyond reproach when it comes to the use of patient data for any purpose, that patients have trust in the way their data is being used, and that they are confident it will be kept secure.”
The report describes the opt-out as a “significant step forward”, and says “it will provide a single and simple mechanism for individuals to opt-out of their data being shared beyond their direct care”.
Dame Fiona’s report recommended ten data security standards, and the government has accepted the recommendations from the NDG’s report.
By March 2020, patients will be able to use an online service to see how their data collected by NHS Digital has been used for purposes other than their direct care.
Phil Booth, co-ordinator at privacy campaign group medConfidential, said in a statement, that he welcomes the clear commitment that patients will know how their medical records have been used, both for direct care and beyond.
“This commitment means that patients will have an evidence base to reassure them that their wishes have been honoured”, Booth said.
“Some of the details remain to be worked out, but there is a clear commitment from the Secretary of State.”
The report says that the NDG review found that patients believed their data was already being shared for direct care, and that in general patients were content with anonymised data being shared for purposes beyond direct care.
The report says NHS England and NHS Digital will be commissioned to develop a framework, agreed with Dame Fiona, Department of Health and the ICO, to support the system in sharing data for direct care and safeguarding children and adults by July 2017.
The government response says that by December 2018, patients will be able to see who has accessed their summary care record.
The report says the government will adopt the recommendations from the Care Quality Commission in its review, Safe Data, Safe Care. The CQC will now also have to inspect for data protection standards, and this will be supported by the redesigned information governance toolkit.
Existing opt-outs, so called Type 1 opt-outs, will be protected until 2020 and then there will be further consultations on any changes.
Keith McNeil, chief clinical information officer at NHS England, said: “If we can endow health and care data with relevance and purpose through intelligent analysis and interrogation, we can then feedback relevant information to clinicians on the front line to better inform the care of their patients.”
However, he said that to realise these benefits, patients and the wider community need to have confidence that their confidential data will only be used appropriately. “Only for the purpose of improving their healthcare, the care of their family and friends, and the care of future generations.”
The report also stated that NHS Digital will develop and implement a mechanism to de-identify data on collection from GP practices by September 2019.
There will also be UK data protection legislation implemented in May 2018 which will provide a framework to protect personal data and impose severe penalties for data breaches and “reckless or deliberate misuse of information”.
12 Comments
Closing the stable door…. I was one such victim of carelessness and blatant negligence. Instead of pursuing a complaint as supported by my MP and Dame Fiona, I decided to try to take on the many headed hydra and get closure by a less draconian measure, knowing I’d never eat lunch in this town again if taking on the NHS. Quelle erreur. After 18 months of obfuscation, every attempt has been blocked, websites have disappeared, an entire GP practice has dissolved, whole depts in the Trust hospital HQ likewise… Not one body can confirm the record is “shut off” as however thoroughly it is logically deleted, it will pop up even at an optician appt. During these 18 months of perpetual distressing limbo and weight loss, NHS Digital, quangos, franchises, CAPITA (who he?), HSCIC, Public Health, CQC, CCG, IG, and sundry other South East, Southern, Central authorities have sent the SAR application despite my having sent Passport & DL a squillions times. Silly moi. This only served to identify me as the thorn in their side. This is a Breach of Data Protection and FOI matter. I need to know who accessed my record and when, whilst unknowingly opted in without permission, whether they still are able to, and if services like opticians, dentists and pharmacists will see it in future on their terminals. This is the County Summary automatically accessed in the area by such services. Needless to say this is the tip of the iceberg as it is inextricably linked to a cover up and blatant attempt at discrediting me following two poor surgical outcomes. But I have tenaciously clung to the naive belief that the truth will out. Silly moi.
IS THERE AN AUDIT TRAIL for the patient or not? We must be told.. CCG says see GP. GP says see CCG OR FILE A COMPLAINT. Web page of services who can access went down soon after I started asking the question.
Until I have full and unrestricted access to my data I’m opting out.
Besides how many times can the likes of the Royal Free get away with flogging data off to google before people start to lose trust in the system.
The fact it is opt out is disappointing at best, but that’s what you get when you have a state enforced healthcare system and no choice.
That said GDPR requires consent be explicit and informed and if you don’t already have proper consent you cannot just assume it.
So I would imagine that come May 2018 if you haven’t been explicitly informed and given the option to opt out you can only be amused to have opted out.
With all the confusion that seems to be around with data sharing lets give the patient records back to the patients as it is their information. If they require treatment and want the care professional to see their data then this should be made available by the patient at the point of care with an electronic chip and pin card. Banks do this and so should health and social care. Part of the investment required could come from the freeing up of onsite and offsite storage costs. The TPP System one issue is not just relevant to TPP it is possible to share records across other providers with other GP records and no consent model is within the system from a patients perspective. Access to GP records is created through a legitimate relationship when the patient registers at the practice and there is no consent to share model in some of the systems from a patients perspective. The only way to tackle this is to ask every time can I view your record? Lets stop complicating this and get on and deal with it.
this is the right approach but those who work in health and social care need to be honest about the quality of health data up and down the country, very varied, however that should not stop people making a start and trying to level off NH IT Services, there really is no reason, just excuses, integrate health data nationally
It should be the Patient, the last two times I’ve changed gp practice my record has been shared without my consent (I have no problems with this tough) BUT bizarrely I lost access to my records each time it was ‘transferred’ (it wasn’t transferred, my records remained on the same computer system just the consents altered).
There are a number of problems with the government response as far as patient opt-outs and use of patient data goes.
1. one of the major changes was that all GP records would be uploaded to NHS Digital (a statutory safe haven) unlike the current Type 1 opt-out where the information never leaves the GP surgery/record.
2. consent/opt-out only applied to two very broad categories – use for running NHS and “research and health improvement”.
I note the lack of detail in the Implementation Plan (Annex G) on how the consultation, public information and implementation of the changes from Type 1 and 2 opt-outs and the new model are to be managed.. apart from further consultations…
this must be “done” @ the national level (bit like the integration of care … DATA) I just hope … there is enough apprpriately skilled resource who can “do” @ the nationwl level?
I thought all the opt-outs had already been guaranteed about four years ago? Or is it just more wool-pulling, and come 2020 they’ll just allow data to be shared regardless of patients’ wishes?
I read this IGA paper and was surprised that not a single mention was made of the EU-GDPR and the repeal of the DP Act. The impact of changes in the law in Articles 7 and 9.2 (a-j) for legitimising the processing of special category data should have a significant impact on this discussion.
Also the lack of clarity as to whether an opt out under “A” is a withdrawal of explicit consent 9.2 (a) or an objection to processing Article 21. The IGA may not acknowledge the GDPR but it will become law in May 2018 just as all these opt outs are coming on-line.
Presumably all patients are going to be able to:
1. See the data, before they make an informed decision on wether to share or not
2. Decide who they want to share their data with e.g. the NHS, Kings Fund etc
3. Which data they are prepared to share e.g. data from a hip pathway, data from a child abuse pathway etc.
… surely, if the above requirements aren’t met, any patient in their right mind could only really put a big X (no) in the appropriate boX ?
Let’s all get practical eh ?
Will patient level data be available for commissioning of primary care services?
Comments are closed.