Patient data sent to global drug companies ‘may not be anonymous’
- 11 February 2020
The data of millions of NHS patients’ sent to international drugs companies may not be anonymous, experts in the field have claimed.
Privacy campaigners have labelled it a “gross betrayal of trust”, arguing that simply following the Information Commissioner’s Office (ICO) anonymisation code of conduct does not mean a patient’s identity is protected.
Senior NHS figures have claimed that data taken from GP surgeries and hospitals and sold on for research can routinely be linked back to a patient’s medical records through their GP surgery, the Observer has reported.
Patients whose medical information is of particular interest to international companies have already been identified, they added.
The Department of Health and Social Care said it only sells on information after thorough anonymisation measures have been taken.
Licences to buy data are issued by the Clinical Practice Research Datalink (CPRD), run by the Medicines and Healthcare Products Regulatory Agency (MHRA).
The CPRD anonymises data in accordance with the ICOs anonymisation code of practice, a spokesperson said.
Furthermore, patients are unable to access information on whether their data has been sold, campaigners said.
Phil Booth, coordinator of privacy group medConfidential, told Digital Health News: “If a patient is concerned, they have no way to find out whether their data is sold within CPRD.
“When a patient asks their practice, there is no public information for GPs to give them, even if the GP fully believes in the ideals of what CPRD is doing.”
Booth said the public was being betrayed in the sale of their data.
“Following the ICO’s code of practice does not mean that data is necessarily anonymous. The law now recognises that one of the most common methods of ‘anonymisation’ – the use of pseudonyms to obscure some bits of information – means that data is still identifiable,” he said.
“Removing or obscuring a few obvious identifiers, like someone’s name or NHS number from the data, doesn’t make their medical history anonymous.
“Indeed, the unique combination of medical events that makes individuals’ health data so ripe for exploitation is precisely what makes it so identifiable. Your medical record is like a fingerprint of your whole life.
“Patients must know how their data is used, and by who. Alleging their data is anonymous when it isn’t, then selling it to drugs and tech companies – or, through intermediaries, to heaven knows who – is a gross betrayal of trust.”
Professor Eerke Boiten, director of the Cyber Technology Institute at De Montfort University in Leicester, echoed similar concerns in the Observer.
“If it is rich medical data about individuals then the richer that data is, the easier it is for people who are experts to reconstruct it and re-identify individuals,” he said.
A spokesperson for the MHRA “strongly refutes” the allegations patient data is de-anonymised.
“CPRD is a not-for-profit government research organisation which follows strict rules on protecting patient data and is fully compliant with ethical, information governance, legal and regulatory requirements and has rigorous processes in place to protect patients’ data,” they said.
“Ethically conducted research using CPRD patient datasets has brought enormous benefits to patient care, including providing evidence for the National Institute of Health and Care Excellence blood pressure targets for patients with diabetes, as well as working with universities, regulators and the pharmaceutical industry who research the safety of their medicines.”
Access to NHS patient data is becoming increasingly sought by researchers and drugs companies due to the centralised, substantive nature of the data.
Representatives from NHSX, NHS England and Improvement and NHS Digital have previously met with big pharma and tech companies, including Mircosoft and Amazon, to discuss potential uses for patients’ personal records.
Papers from a meeting held in October 2019 revealed plans for a “single, standardised, event-based, longitudinal patient record” containing the data of 65 million patients, pulled together from GPs, hospitals, mental health professionals, demographics registers, prescription records as well as information from the private health sector.
It estimated the patient data could be valued at up to £10 billion a year.
NHS England chairman, Lord David Prior, chief executive Simon Stevens and NHSX chief executive, Matthew Gould attended the meetings.
Following revelations of the meetings, concerns the NHS was risking a repeat of care.data if it’s not transparent with the public were raised.
Professor Joe McDonald, director of the Great North Care Record, said “secretive” meetings with big companies to discuss how to monetarise patient data risked jeopardising patient trust.
DHSC has been contacted for further comment.
2 Comments
Of course there is substance to these allegations. The lie about anonymization of patient data has been peddled by the DHSC and the NHS ever since Care.data. Anyone who trusts this bunch of predators is insane. Cheap attempts to discredit Phil Booth, who at least has the courage to keep on telling the truth about this outrage, is not an argument. The really frightening thing is that everyone who should be defending the rights of patients is in the Government’s pocket. The medical profession are either willing to abuse their patients or contractually bound to doing so. There is nobody to appeal to: not the ICO, not the Parliamentary and Health Service Ombudsman, who simply endorses the ICO’s rulings, and there is no access, for most people, to any Judicial remedy although this is a legal right. There is no Legal Aid for this type of case, the Ministry of Justice refers you to the DHSC, who refers you to your local Citizens Advice Bureau! I am not joking. You could not make up a travesty of justice on this scale but, make no mistake, it has been happening for a long time and there is no reason to think anything will change. The predators know that they can get away with this industrial scale abuse, because they have ensured that nobody has any way of defending themselves. This is how the abuse of power always works.
Whether there is substance to these allegations or not, it is damaging at a time when full focus is on developing patient trust for a digital first strategy. Care.data all over again, which left a scar for years
Comments are closed.