Opt-outs have been honoured – NHS Digital
- 21 October 2016
NHS Digital says it is now complying with rules about sharing patient information, after the deadline imposed by the ICO passed on Wednesday.
Last month, Digital Health News reported that some patients who had opted out of sharing their data beyond direct care, known as a type-2 opt-out, had not yet had their wishes respected.
In an undertaking agreed in April, the Information Commissioner’s Office had given NHS Digital till 19 October this year to honour the opt-outs. The failure to do so years after patients requested their information not be shared was “unfair”, the ICO said.
On Thursday, an NHS Digital spokeswoman said the organisation was “now respecting type 2 opt-outs robustly and consistently across all our disseminations” and had been doing so since 29 April.
“We are confident that we have met both the spirit and the letter of the undertaking, and we await the ICO’s review of our response.”
NHS Digital has been processing type-2 opt-outs centrally and removing them from datasets but until recently some opt-outs at the fringes were still not being honoured.
A report to NHS Digital in September showed that some research bodies and other organisations that have received data from opt-out patients had yet to destroy it.
NHS Digital had contacted 151 customers, which have received data since 2014 on patients that have since exercised a type 2 opt-out, to request they destroy this data. As of 23 August, 58 organisations had yet to respond.
However, on Thursday an NHS Digital spokeswoman said all organisations covered by the ICO undertaking that had held personal data about type-2 opt-out patients had now confirmed this data has been deleted.
The ICO spokeswoman said the ICO acknowledged “the progress NHS Digital has made to ensure patients’ wishes to opt out of data sharing”.
“While we understand there is still a small amount of work to do, at this stage we are satisfied that the requirements of the undertaking are being met.”
A formal assessment will be carried out later this year.
The task of weeding out records of patients who have opted out of sharing their data has been a big one, with NHS Digital sifting through 2.6 billion records and removing 61.7 million so far.
The opt-outs, both type-1 and type-2, were developed in response to privacy concerns about the now-defunct care.data programme, a scheme that proposed expanding the amount of patient data collected centrally and shared with third parties.
Patients have been able to use the type 2 opt-out since late 2013, with about 700,000 people requesting their health data not be shared beyond direct care.
The future of existing opt-out schemes is also unclear, with a new regime likely in the wake of the National Data Guardian Dame Fiona Caldicott’s third review of data security and patient opt-outs in July.
The report recommends either a two-option opt-out, where patients could opt out of use beyond direct care and/or for research, or a single opt-out covering both.
But Dame Fiona has previously said, if accepted, her scheme would have “challenging” implications for the 50 existing NHS opt-out schemes.
A government response to her report is expected within the next few months, and NHS Digital will be tasked with embedding the new opt-out scheme into national data collection and sharing programmes.