NHS opt out: not what it seems

On January 23rd we had a conference call with the NHS Information Centre and a couple of its software suppliers about anonymisation. LBT readers will have followed how your GP records are to uploaded to the new central database care.data for resale unless you opt out. Any previous opt outs from other central systems like SCR will be disregarded (even if you wrote saying you opted out of all central systems), along with opt-outs from regional systems.

We’d been told that if you opted out afresh your data would be uploaded only in anonymised, aggregated form; after all the Prime Minister promised. But I persisted. How will the NHS work out doctors’ bonuses in respect of opted-out patients? Doctors get extra payments for meeting targets, such as ensuring that diabetic patients get eye tests; these used to be claimed by practice managers but are now to be worked out centrally. If the surgery just uploads “We have N patients opted out and their diagnostic codes are R1, R2, R3, …” then officials might have to give doctors the benefit of the doubt in bonus calculations.

It turned out that officials were still dithering. The four PC software vendors met them on January 22nd and asked for the business logic so they could code up the extraction, but officials could not make up their minds whether to respect the Prime Minister’s promise (and human-rights law) or to support the bonus calculation. So here we had a major national programme being rolled out next month, and still without a stable specification!

Now the decision has been taken. If you opt out, all your clinical data will be uploaded as a single record, but with your name, date of birth and postcode removed. The government will simply pretend this is anonymous, even though they well know it is not. This is clearly unlawful. Our advice is to opt out anyway while we lobby ministers to get their officials under control, deliver on Cameron’s promise and obey the law.

28 thoughts on “NHS opt out: not what it seems

  1. THANK YOU all so much for this fantastic work and for what your are undertaking. There are millions of patients without the ability or means to argue their case. Keep up the good work.

  2. I am confused by the recommendation to opt-out. For what reasons should we be against this? For research this will be a fantastic resource. It seems to me that the main objection by the public is the ‘reselling’ of data which belongs to them, with the implication that the government will make money from it. I believe that this is misleading – the prices will be trivial; data is effectively being given out for free with the intention of advancing medical research. Secondly is the ‘loss of privacy’ argument, which makes for sensational headlines but I have not been able to discern the real-life detrimental effects. I am aware of the potential for misuse of this data (by insurance companies etc) but for now such use would be illegal. Efforts should be focused on keeping it so, rather than denying valuable information to scientific advancement.

  3. Andrew, confused? Really?
    Firstly the money; On an individual basis they will be small numbers but multiply that by millions. See the point?

    Now, loss of privacy; Every conversation you have with your Doctor will become ‘public’ knowledge. Every jot and tittle. Oh and the Police will have unfettered access to this information via a convenient back door in the program.

    Valuable Information you say?; For whom? The patients? Not really. The Doctors? No not at all. This information will be of great ‘value’ to the drug companies and the Insurance services will make a killing too. (No pun intended)

  4. Just to clarify about the “bonuses” – this is referring to the Quality and Outcomes Framework and some of the Enhanced Services.
    Data for the former has been uploaded over the past ten years, but always in collated form. It is simply a total for each of the indicators and there is no reason this should not continue.
    The software that calculates these totals is from systems suppliers and is trusted and certified to do the calculation accurately. There is no reason that should continue.
    If that continues into the Enhanced Services then it is likely that it will be more secure than before. PCTs were a little inclined to ask for lists of patients as evidence of payments.

  5. It would be an interesting experiment (maybe someone has done it already?) to take the elements of this scheme, file off the name ‘NHS’ and run it through the various ethics committees usual for medical research. I wonder how many of them would approve it?

  6. Bunnyrunner says “value to drug companies” as if this is a bad thing. This information will undoubtedly be of significant value to researchers in both the public and private sectors, and Cambridge is home to many ‘non-profit’ medical research organisations.

    Now these medical benefits do indeed come at the cost of a loss of privacy, and there are many good arguments for not making the data available. But to claim this data is of no benefit at all is rubbish.

  7. Bunnyrunner, you are correct that the total revenue will be very high, but i do not believe there will be substantial profit made, certainly not compared to the potential value of such data. Maintaining a database and processing requests will doubtlessly also cost a lot of money, and personally I would prefer those requesting to pay than for these costs to be added to the NHS budget.

    In response to your privacy point, I must disagree. Researchers will have access to medically relevant details of consultations, and these will be anonymised unless further criteria are met. The ‘public’ will not under the current rules find out about your medical history. Regarding police access, I agree this would be a sensitive issue, and i was not aware of such a back door. Can the police not already access medical history for an investigation (maybe with a warrant)? Would you mind linking more info on this?

    Finally, echoing Colin, medical research, carried out by drug companies, is first and foremost for the benefit of patients. There is enormous value to the public for such a database. And again, under the current rules insurers are not allowed access to the database, and no one will be able to request an individual’s identifiable information.

  8. It really shouldn’t be that difficult to get to the bottom of all this, but just about everything I’ve read about care.data has, at best, been incomplete and at worst, contradictory.

    So, thanks Ross for the details here. It’s good to get down to the nitty-gritty.

    There are two things that still puzzle me about what you have found out:

    1. You said there was a meeting on 22 January with the four vendors to find out what was needed to code the extraction. Now, I don’t know anything about GP’s software systems (how many different ones are there? Four?), but it’s not just writing the code, it’s all the testing and verification that must surely be required – if it all starts next month, have they really tested it thoroughly?

    2. Where are the optouts actually applied? They are obviously flags set by each GP (I assume there are four differently-named flags for each of the four different systems GPs use, hence four vendors?), but is it the GP’s system that removes names, dob, etc before it is uploaded, or are all the data uploaded then the system at HSCIC applies the optouts there, before further processing?

  9. Andrew says “under current rules, insurers aren’t allow access” – precisely the point. How can we be sure those rules will never be amended in the future? Also, incompetence/corruption might allow a third party access to the data – no “rules” can accommodate those possibilities.

    A further objection is the sneaky way those leaflets were distributed to households and their wording.

  10. Thank you professor Anderson for sharing this.

    As a professional ethical hacker with experience of getting onto systems that are supposed to be secure, I must say that putting such personal identifiable information (PII) into a centralized system is a very bad idea (in the long history of bad ideas).

    Do not believe the hype: “Oh, it will be secure.”.

    Data does get into the hands of people it should not be seen by.
    Look at the number of large data breeches that have happened.

    Also,.we may believe we have a benign government today but just imagine if through some accident of future history we were governed by a malevolent dictator. Would we really be comfortable to be ruled by someone with the ability to search out a centralized database of citizens? What could possibly go wrong?
    Imagine if Hitler and the Nazis has such power.

    To my way of thinking, this is a very good reason NOT to centralize such PII data.

    Proponents of the benefits of “mining big data” will have to make do with zero-PII.

  11. According to a caredata adviser once the codes are added at your GP surgery they 100 guarantee that your data will be blocked and none of your data will leave your GP surgery! I find this difficult to believe.

    I find the whole concept of the caredata system horrendous and it should not have been allowed to happen. Once patients realise that nothing they say to their GP is confidential any more they will stop telling them important medical information and it will negatively impact on their health.

    This is the slippery slope. Using patients as guinea pigs in this way is not ethical and not right. No should mean no and any system that wants to use patient data in this way should require patients to opt in and not to opt out.

    The NHS does not understand anonymised any more than it understands confidentiality and the caredata system will be the biggest medical data disaster in history.

  12. http://www.england.nhs.uk/2014/01/15/geraint-lewis/

    Ive got a grave concern over a comment on the above link posted by ‘Xanthe’ from NHS England, in response to the opt-out codes. On the 11th of Feb (ysterday) she has stated:

    If you object to your data being shared you are objecting to ‘red’ data leaving your GP practice and/or ‘red’ data leaving the HSCIC.
    Flows of ‘green’ and ‘amber’ data are not covered by this objection as aata which are anonymised are not considered to be personal data for the terms of the DPA. Such data are not subject to a duty of confidentiality because they do not allow the individual to be identified.
    Xanthe, NHS England”

    So there you go – direct from NHS England. Amber (pseudonymised) data will go regardless.

    See here for a great article on how this is re-identified back to the individual.


    Complain, shout, write to your GP, write to your MP, make a fuss. We don’t have long to stop this.

  13. Holly,
    Thanks for copying that reply from Xanthe – it is now missing from the comments on Geraint’s piece.

    I see Stephen Duckworth asked Xanthe on 11 Feb to “review her answer” on red data, re the use of the 9Nu0 flag.

    I also see in a Pulse article that NHS England stated ‘ If people do not want their data to be shared, they can speak to their GP and information will not leave the surgery.’ This is misleading.

    I am looking for answers. But it would seem that NHS England is still dithering. It is very unfair that the GP could be the one legally in the firing line if confidential data has to be uploaded against the patient’s express wishes.

  14. OK. So I see Geraint is tweeting that ” If you make a Type 1 objection (9Nu0) then no red, amber, or green data will flow for #caredata”
    But how many people are going to see that!

  15. Long, useful blog post on 14th Feb from Eerke Boiten (NHS data sharing: taking stock) includes this:

    In the meantime, another worry appeared: that the data of people who had opted out would still be uploaded onto the system. This has been authoritatively debunked this week by Geraint Lewis; there is a sense that this is a (helpful!) change of policy rather than a clarification. (Ross Anderson’s comments suggest care.data would be used for NHS to pay bonuses to GPs, which would lead to an inconsistency: without the data of opters-out, the information would not be there. GP Neil Bhatia of medconfidential.org says care.data is not intended for this anyway, and GPs get paid via QoF/CQRS and other submissions which are nearly all anonymised/aggregated.)

  16. Hilarious discussion on what steps people might take for the protection of their health data starts at minute 14 of the BBC 4 Friday Comedy News Quiz series 9 episode 1 broadcast on Friday night 14 Feb 2014. Phil Jupitus’s vision for “World of Healthcraft” is a ripper.

    Link is here; http://www.bbc.co.uk/programmes/b03ttmf0
    (good for 6 more days)

  17. The ‘Better information means better care’ pamphlet that has been sent (it is claimed) to all households is somewhat ambiguous when it comes to who will have access to our information and privacy. Three weeks ago I tried to discover what it all meant by ring the NHS patient information number given at the bottom of the pamphlet. What I particularly wanted to know was what the following two paragraphs meant:

    1) We sometimes release confidential information to approved researchers, if this is allowed by law and meets the strict rules that are in place to protect your privacy.

    2) Information that we publish will never identify a particular person.

    The person on the NHS patient information line knew nothing about how the data would be used and I soon learned that I was talking to an outsoursed call centre. I was informed that my inquiry would be forwarded to a manager in the HSCIC who would contact me in five days. I heard nothing and got back to them a week later. The supervisor apologised and again assured me that the HSCIC would contact me within a week. Again nothing, so I rang the HSCIC who also knew nothing about the use of the data and said I had to contact the NHS patient information line. With great self-control I politely asked to speak to a manager. I was rung back by a Mr Mathew West, Caredata Team Leader, who preceded to assured me that the HSCIC will ‘never’ publish identifiable data. ‘But what about type 2 and 3 data which, according to the HSCIC website, are identifiable’, I asked. They, he explained, were not published because these types of data will be ‘released’ to customers for an ’administration fee‘, they will not be ’sold’ to the customers so the HSCIC are not publishing the data.

    So there you are, if you charge an ’administration fee’ for information to restricted customers you are not ‘publishing’ it. Mathew has a point. Trying to make a distinction between administration fee and selling is silly, but it could be argued that the sale of information to a restricted group is not publishing. On the other hand there is the established process of “restricted distribution publishing” which would cover the publication of type 2 and 3 data to restricted customers. Para 1 (above) gives the impression that the HSCIC will very sparingly release confidential information to researchers, not that it is now going to be marketed and published on an industrial scale.

    I think that the HSCIC should issue another pamphlet that fully explains their publishing policy and release a press statement apologising for not doing so earlier. I am sure the HSCIC will dismiss this suggestion out of hand because, as they put it in their Privacy Impact Assessment, ‘Some people may believe that any use of patient identifiable data without explicit patient consent is unacceptable. These people are unlikely to be supportive of the HSCIC’s functions whatever the potential benefits’. I do accept that in some exceptional circumstances identifiable data should be used without explicit patient consent (this has always been the case when trying to control epidemics etc.), but I am sure I will be dismissed as being one of ’these people’ because I object to the marketing, sale and publication of identifiable data.

  18. Just heard on BBC radio 4 PM that the upload is to be delayed for six months. If about half the 65% (YouGov poll) opt out much of the data will be useless.

  19. It turns out that NHS England caved after a lawyers’ letter from medconfidential.org. Well done Phil and Terri!

    But we cannot rest on our laurels. The most recent minutes show that the NHS Confidentiality Advisory Group approved the supply of almost all our GP and hospital records, in fully identifiable form, to suppliers of risk stratification services (whatever that turns out to mean) despite serious misgivings about confidentiality. They nonetheless gave permission for six months and expect to get some sort of reassurance about how patient opt-outs will be managed (see pages 31–34). Yeah, right.

  20. “… medical research, carried out by drug companies, is first and foremost for the benefit of patients.”

    Sure about that? Not, first and foremost for the benefit of their shareholders? I am really very distantly related to an expert when it comes to PLCs, or whatever they’re called these days, but I’d got the impression that the welfare of their shareholders was one of their most significant responsibilities. I could be really cynical and talk about giving priority to drugs that manage symptoms over those that actually cure, etc, but as Big Pharma saved my life, I’m hardly one to criticise…

    Anyway. Well done folks. Without doubt you have, collectively, raised the general visibility of this issue. If my octogenarian mother talks to me about it, you must’ve done something right… 🙂

    And if you’re doing a head count – yes, I got a leaflet. Yes, it was buried among the pizza flyers, just underneath the free paper. How do you do a thumbs-up emoticon? 🙂

  21. We found out that, as usual, the Department of Health have been lying; they have been selling bulk NHS data in identifiable form to insurance companies, despite their claims this would be illegal. The smoking gun was a document from the Staple Inn Actuarial Society which describes how they “purchased” HES data, and linked it up with data from credit reference agencies. We passed this evidence to the Telegraph; see also the Mail and the Guardian.

  22. “2. Andrew | February 8th, 2014 at 15:38 UTC

    I am confused by the recommendation to opt-out. For what reasons should we be against this? For research this will be a fantastic resource.

    It seems to me that the main objection by the public is the ‘reselling’ of data which belongs to them, with the implication that the government will make money from it.

    I believe that this is misleading – the prices will be trivial; data is effectively being given out for free with the intention of advancing medical research.

    Secondly is the ‘loss of privacy’ argument, which makes for sensational headlines but I have not been able to discern the real-life detrimental effects.”

    your assumption that “I believe that this is misleading – the prices will be trivial; ” is wrong see the still currently public domain and available pdf

    care of NotGruntled
    03 March 2014 11:07pm


    grab that public public domain PDF before it disappears

    “One document that has not reached those parts that the government would rather not is the following from the Health and Social Care Information Centre – “Data Linkage and Extract Service Service Charges 2013/14” which sets out the charges for our data being sold.

    In particular data that has all personal information as a bespoke service.


    “…Other fees that may be applied include:

    DVD production and delivery £300 [per dvd],
    Our standard practice is to dispatch data using a Secure Electronic File Transfer system. If there are legitimate reasons why data should be loaded onto a DVD, this fee will be charged covering the production process and secure delivery.”

    and if there were any doubt that the Health and Social Care Information Centre and its affiliates are taking you’re personal and private data and turning it in to a “product(s)” for commercial profit then the PDF at the end states quite clearly
    “You will be notified in advance if any such fees apply to the product(s) you request.”

    “the ‘loss of privacy’ argument, which makes for sensational headlines but I have not been able to discern the real-life detrimental effects.”

    you require a real life example, then take any of the prior PHORM STORM examples such as the massive effect that the worlds credit reference agencies http://www.experian.co.uk/creditreference‎ etc adding this data to their commercial database and running derivative works of your private and personal data for commercial profit , that’s illegal under piracy for commercial profit etc, and yet was put forward as an option to commercialize UK data for profiteers

  23. “paul said: …Would we really be comfortable to be ruled by someone with the ability to search out a centralized database of citizens? What could possibly go wrong?
    Imagine if Hitler and the Nazis has such power….”

    they did , in fact that’s exactly how they calculated that there where far more Jews in Germany than they first estimated…

    those that fail to remember history are doomed to repeat it.

    the US already banned several Canadian people from crossing into the american colonies at the border due to accessing the medical records of their personal and private Canadian mental health records for instance, so its not an isolated case, US Eugenics programs where also a direct result of the prior Business relations between IBM and the Hitler regime etc…

  24. “13 holly
    someone else said:Flows of ‘green’ and ‘amber’ data are not covered by this objection as aata which are anonymised are not considered to be personal data for the terms of the DPA.”

    their wrong, on the contrary, it my understanding that any “aata which are anonymised ” is in fact a “derivative work” of your personal and private data property and so under common law is required to have a written contract with the owner of that personal data I.E you, its not the doctors/NHS property, you have just allowed they the convenience of storing it for you…

    its been a while since i looked in to this since the Phorm Storm stuff as regards all things “derivative work” but perhaps Ross etc can clarify more…

Leave a Reply

Your email address will not be published. Required fields are marked *