The health data of 150,000 patients has been wrongly shared for up to three years, after opt-out requests were not sent to NHS Digital following a GP system supplier “coding error”.
In a written statement to MPs today (2 July), Jackie Doyle-Price, parliamentary under secretary of State for Health, said that NHS Digital had “recently identified a supplier defect”.
This meant that the preferences of 150,000 patients who wanted the Type 2 opt-out (where individuals do not want NHS Digital to share confidential patient information it had collected from across the health and care service for purposes other than the individuals care) were not sent to NHS Digital.
The error occurred over a three-year period between March 2015 and June 2018, in GP practices running TPP’s SystmOne.
As a result, Doyle-Price said their health data was “used in clinical audit and research”, adding that the error had “now been rectified”.
She also told MPs that “there is not, and has never been, any risk to patient care as a result of this error”.
The error is particularly embarrassing as it comes in the midst of a new national NHS campaign, informing patients of their right to set preferences over who can access their personal NHS data.
NHS Digital, the responsible NHS agency, said it would be writing to all TPP GP practices to ensure they were aware of the issue.
In a written statement, Nic Fox, director of primary and social care technology at NHS Digital, apologised “unreservedly” for what happened, confirming it had been “caused by a coding error by a GP system supplier (TPP)”.
He added: “We worked swiftly to put this right and the problem has been resolved for any future data disseminations.
“We take seriously our responsibility to honour citizen’s wishes and we are doing everything we can to put this right. No patient’s personal care and treatment has been affected but we will be contacting affected individuals.”
Fox also claimed the issue would not have been able to occur using the National Data Opt-Out, which was launched on 25 May.
NHS Digital has also contacted the Information Commissioner’s Office (ICO) and the National Data Guardian for Health and Care about the issue.
The organisation also said it was “not aware of any other objections that have not been honoured and believe this to be a standalone issue”.
John Parry, clinical director at TPP, said: “TPP and NHS Digital have worked together to resolve this problem swiftly. The privacy of patient data is a key priority for TPP, and we continually make improvements to our system to ensure that patients have optimum control over information.
“In light of this, TPP apologises unreservedly for its role in this issue.”
TPP added that it would continue to work with NHS Digital to ensure “that testing and assurance of patient data extracts is enhanced to ensure that errors of this nature do not occur again” and to “make sure that patient wishes are always treated with the utmost importance”.
6 July 2018 @ 08:15
The ICO recently investigated TPP around their model for data sharing between clinical services. I can’t help but think that they missed the elephant in the room that is SystmOne’s functionality in handling data sharing with 3rd parties. The use of a simple Read code to indicate consent/dissent without any means other that accessing the patient record of understanding what was being discussed at the time simply isn’t up to the job. I can’t see how the system can meet current rules in terms of being able to give granular consent to data sharing.
5 July 2018 @ 20:06
Perhaps the sharing of data should be done on a consensual basis. Then perhaps a bit more care would be taken to correctly code the consents, as otherwise data wouldn’t be received by NHS Digital.
And if this wasn’t realised for 3 years, who knows what data is being shared at the moment which might (or might not) come to light in the future?
5 July 2018 @ 12:58
Remind me again how Primary Care systems and their suppliers are so much better than those used elsewhere in the NHS 🙂
3 July 2018 @ 16:24
I love being proven right. There’s nothing good about this company.
3 July 2018 @ 14:01
Do we know the scope of this? Was it all practices or only a given region? Was it all extracts or only a specific one? How do I know if my patients were impacted?
3 July 2018 @ 14:12
The extract is done via GPES so it will potentially affect every practice but it might only be a very specific set of conditions where the error occurs, so if you never met those conditions you wouldn’t have any issues but there’s a potential for EVERY TPP practice to have the error. Does that make sense?
3 July 2018 @ 15:25
It is reported, by Pulse Today, that the patients affected are those who registered their Type 2 Opt out between March 2015 and June 2018. Data from the records of these patients has been processed in disregard of their Type 2 Opt-out from April 2016 – June 2018. Given the length of time that this has been going on, it seems probable that all patients in this cohort have been affected. NHS Digital is distributing patient data all of the time. It certainly did not pause when Care.data was (supposedly) scrapped – when many patients probably thought that this meant that the abuse had stopped. That of course was the whole idea. Nothing is ever what we are supposed to believe it is.
3 July 2018 @ 15:47
But why has the error occurred? Were those opt outs just not being collected, was it every patient or a subset?
3 July 2018 @ 16:14
It affected all TPP practices
EMIS practices (the majority) were unaffected, as such patients have already started receiving the NHS DIgital National Data Opt Out letter (whereas TPP patients with a Type 2 objection wouldn’t have)
3 July 2018 @ 17:58
I don’t entirely follow your logic, Dr Bhatia. You seem to be implying that the conversion of a Type 2 Opt-out to a National Data Opt-out triggers a letter notifying the patient of this. So far, so good. You also seem to be implying that the process of conversion from Type 2 Opt-out to National Data Opt-out has not yet got as far as any TPP practices. OK. But all that follows from that is that no patient with a TPP practice can have any way of knowing whether their Type 2 Opt-out has been transmitted to NHS Digital or not. It may be true that all TPP practices are affected, but this does not follow from what you say about conversion of Type 2 to National Data Opt-outs. Perhaps I have missed your point?
While it is quite right that this latest technical bungling by TPP and/or NHS Digital is an absolute disgrace, and TPP is being shielded by the DHSC and the ICO, which is a further disgrace, what really worries me is that this incident grabs the headlines, and they can then proudly announce that the problem is fixed, and everyone will say, ‘That’s alright then’. Meanwhile the real, much bigger problem is conveniently obscured by the convenient smokescreen of ‘TPP bungles again!’.
The real problem is that technical bungling is just one of numerous ways in which all opt-outs fail to be implemented, in most cases intentionally, by being ignored, illegally overruled, or illegally circumvented using the lie that the data being shared is anonymous and unidentifiable. This is not true, and if it were true, the data being collected would not serve the key purpose for which it is being collected. This is the declared purpose of Care.data and remains the current policy, declared, but not too loudly lest patients might hear. This is the policy of creating complete linked records for every citizen in England. Nobody can link genuinely anonymous unidentifiable data with other data relating to the same patient. The biggest lie of all is the one about “sufficient anonymisation”. If data can be linked it is not anonymous or unidentifiable. If data is anonymous it cannot be linked and that doesn’t serve the government’s policy. See Lord Mitchell’s letter to the Financial Times, 5 March 2018, about the “treasure trove” of longitudinal data owned by the NHS. Lord Mitchell is concerned that they will not get the best price for it. All these big tech companies in the USA are loaded with cash, they must be made to pay up! So much for the professions of TPP and NHS Digital to have a deep concern for confidentiality. They do not give a toss about confidentiality. They are not going to fix anything but the technical glitches, which are but a drop in the ocean of corruption.
4 July 2018 @ 09:44
All those with a Type 2 opt-out recorded by NHS Digital will have (or will shortly) receive a letter (like this http://s691044752.websitehome.co.uk/NHSD_letter.pdf ).
TPP patients would not have had their Type 2 opt-out at their GP surgery transmitted to NHS Digital, so wouldn’t receive the letter.
Once this is sorted, they will, plus or within the letter of apology. I don’t know when the TPP Type 2 op-touts will be uploaded to NHSD – maybe they have already been now.
6 July 2018 @ 10:59
There seem to be two possible explanations: either *all* TPP practices used a CTV3 Code not recognised for upload to NHS Digital (and TPP did not think a total lack of Type 2 opt-outs needed investigation) *or* the practices Coded correctly but TPP, for some reason (inadvertently or deliberately) having the correct Codes from the practices failed to notify NHS Digital – as they were required to do.
I’m not sure which makes me more uneasy – especially as I am registered with a TPP practice & have both Type 1 *&* type 2 opt-outs recorded – I hope!
6 July 2018 @ 13:36
I am not sure which makes me more disturbed: the technical bungling that led to a very serious breach of the confidentiality of 150,000 payttients’ records over a period of three years; or the ludicrous comments by a Government Minister and by TPP that “no patient’s care has been affected”. Are they out of their minds? It has always been clear that TPP are a commercial IT company with no understanding of the concept of confidentiality, but a minister from the Department of Health might reasonably be expected to understand that confidentiality is a crucial part of healthcare. Of course the care of 150,000 patients has been seriously affected. In fact, insofar as this incident has undermined the trust of any patient who is aware of it, the care of the majority of the patient population of England has been seriously affected – unless they had zero trust in the NHS anyway, which probably applies to a good many by now.
3 July 2018 @ 09:33
Last year TPP appeared on the front of the Daily Telegraph with a data infraction. Sanction from NHS-D? Nothing.
Likely sanction from NHS-D over this infraction, anyone?
Likelihood Frank Hestor receives a knighthood for services to UK (no – wait, England) Healthcare?
3 July 2018 @ 15:44
But why has the error occurred? Were those opt outs just not being collected, was it every patient or a subset?
3 July 2018 @ 05:02
This cannot ever be “put right”. If your family silver is stolen there is at least a possibility of retrieving it. If data is misappropriated, once it is out there it can never be retrieved. That TPP have a contract signed by the Secretary of State for Health, which gives them access to patient data is an absolute outrage. This is not the first time TPP have given half the world and his wife access to patient records. Just don’t anyone EVER ask me to entrust my personal data to SystmOne or to NHS Digital. This has gone too far. If my GP cannot protect the confidentiality of my medical records by placing them out of reach of TPP and of NHS Digital, then I cannot access primary care, or any healthcare. Not even private healthcare is now safe from the predatory NHS. Saying that patient care has not been affected is ludicrous. If the confidentiality of my medical records has been violated for three or more years and I have been lied to about what has been done with my confidential information, then, ipso facto, my care has been affected. This is not my idea of “do no harm”.
3 July 2018 @ 09:26
Bertl- your confidential information has not been violated and patient care has not been affected. Any audits that have been undertaken where your health data has been used, all identifiable information is anonymised. Your data has not been taken or shared externally, so hasn’t been misappropriated. The TPP system SystmOne is used in a vast majority of GP practices around the UK as their standard patient record system and NHS digital manage a lot of the data. In order for your information to not be handled by either of these companies you would have to move to a different country- where they will have their own digital processes and companies that have your data.
3 July 2018 @ 16:27
But if I have opted out of my data being shared, you do not have permission to process my data in this way… as a data subject.
3 July 2018 @ 15:32
It does seem like TPP have some kind of Whitehall angel looking after them.
2 July 2018 @ 16:27
The wonderful GPES investment pays off once again!
3 July 2018 @ 09:23
Bertl- your confidential information has not been violated and patient care has not been affected. Any audits that have been undertaken where your health data has been used, all identifiable information is anonymised. Your data has not been taken or shared externally, so hasn’t been misappropriated. The TPP system SystmOne is used in a vast majority of GP practices around the UK as their standard patient record system and NHS digital manage a lot of the data. In order for your information to not be handled by either of these companies you would have to move to a different country- where they will have their own digital processes and companies that have your data.
3 July 2018 @ 11:10
that’s not true.
the type 2 opt out is there to prevent identifiable data being shared/disseminated/sold by NHS Digital.
Identifiable data has been extracted from Bertl’s GP record (unless, sensibly, a Type 1 opt out is in force), provided to NHS Digital, and disseminated at NHSD’s whim.
more information about the Type 2 opt out at http://www.yourNHSdatamatters.info
if you’re interested
3 July 2018 @ 15:30
“The TPP system SystmOne is used in a vast majority of GP practices around the UK as their standard patient record system and NHS digital manage a lot of the data.”
Not true. EMIS have far and away the largest share of practices. TPP is a poor number 2
5 July 2018 @ 18:18
It is also not true that the majority of practices use SystmOne. Currently EMIS (who are not as far as we know affected) are the biggest supplier with about 4,500 of the 7,500 practices in England.
Of course no one should have to change practice to protect their data.
5 July 2018 @ 19:29
Changing practice will not protect anyone’s data. It is too late with regards to the system failure under discussion here, and besides, the far greater threat to everyone’s data is what NHS Digital are doing with it, regardless of any opt out. The opt outs are all a sham. TPp might be more likely to continue to bungle, but bungling is not the main threat.
3 July 2018 @ 12:38
I am well aware of the roles of NHS Digital and TPP but, as Dr Bhatia says, those whose Type 2 opt-outs have not been implemented, have had the confidentiality of their records violated in anyone’s terms. I have “sensibly” had both a Type 1 and a Type 2 opt-out registered since 2014. I don’t believe that anyone’s Type 2 opt out has ever been implemented, certainly not before 2016, and even then, only when NHS Digital decide not to override it. Frankly all opt-outs offered to NHS patients are fraudulent. Their function is to appear to give us a choice without actually doing so because they are ruthlessly determined to misappropriate all health data. Opt-outs are either always either ignored, or overruled on the grounds of a statutory obligation to process the data (at the behest of the Secretary of State or NHS England), or they are circumvented by using pseudonymised or so called “sufficiently anonymised” data or using the “Patient Identity – Identity Withheld Structure” (the terminology is deliberately opaque). As experts in clinical informatics admit, none of these types of data are either anonymous or unidentifiable. The whole system is riddled with duplicity and what NHS Digital are doing contravenes the GDPR.
Opt-outs are worthless because they are only implemented if nobody wants the data. The real point about the events reported in this article is not primarily to do with opt-outs, it is to do with the coercive appropriation or disclosure of personal confidential data to organisations that consistently demonstrate that they can be trusted in nothing and that manifestly don’t give a toss about confidentiality. If NHS Digital get their hands on any of my data, other than the minimum required for NHS registration, to which I have implied my consent by using the NHS, the confidentiality of my records has thereby been violated – before they even distribute or sell the data to Uncle Tom Cobley and all. The DHSC, NHS England and NHS Digital need to stop lying about everything. TPP are simply beneath contempt. I will not have them processing my records. If I have to forego healthcare to prevent this, so be it.