Data breaches ongoing as NHS Digital pushes opt-outs
- 26 September 2016
Some patients who opted out of sharing their data beyond direct care have not yet had their wishes respected, as NHS Digital chases up organisations slow to destroy data.
The Information Commissioner’s Office gave the organisation till 19 October to honour the “type 2” opt-outs, claiming its failure to do so years after opt-outs were introduced was “unfair”.
Since April, NHS Digital has been processing type 2 opt-outs centrally and removing them from datasets, but some opt-outs at the fringe are still not being honoured.
A report to the NHS Digital board earlier this month showed that some research bodies and other organisations that have received data from opt-out patients have yet to destroy it.
NHS Digital has contacted 151 customers, which have received data since 2014 on patients that have since exercised a type 2 opt-out, to request they destroy this data. As of 23 August, 58 organisations had yet to respond.
It also showed 54 GP practices had not yet told NHS Digital whether their patients had requested a type 2 opt-out, and some data flows had been stopped until patients’ wishes could be respected.
So far, NHS Digital has processed more than 2.6 billion records and removed 61.7 million to honour type 2 opt-outs, using a new patient object system that cleans files prior to dissemination.
The opt-out was developed in response to privacy concerns about the now-defunct care.data programme, which proposed expanding the amount of patient data collected centrally and shared with third parties.
Patients have been able to use the type 2 opt-out since late 2013, with about 700,000 people requesting their health data not be shared beyond direct care.
In a statement, an NHS Digital spokeswoman said: “We take seriously our responsibilities to uphold patients’ choices about how their data is used… We remain on schedule to complete this work within the timescales outlined.”
The board paper stated that “work is progressing well but there remain a few risks which are highlighted”.
These included “slow progress” on embedding type 2 opt-outs into data provided to Public Health England. Progress on implementing type 2 opt-outs in Data Services for Commissioners Regional Offices had been better but the timetable was still tight.
“There is a significant amount of work to do in a short period of time and there is little room for anything to go wrong.”
The process NHS Digital uses to de-identify patient data is also facing a challenge that could further complicate the opt-outs. MedConfidential has complained to the ICO about the dissemination of de-identified Hospital Episode Statistics data, which have not thus far been subject to the opt-out.
The ongoing attempt to honour historical opt-outs also comes as the government tries to develop a new opt-out system based on the National Data Guardian Dame Fiona Caldicott’s third review of data security and patient opt-outs, released in June.
The report recommends either a two-option opt-out, where patients could opt out of sharing beyond direct care and/or for research, or a single opt-out covering both.
The recommendations are the subject of ongoing consultation, with a series of public meetings being held in September and October.