More than a million patients opted out of NHS data sharing in a single month – a huge setback to plans to consolidate personal records from family doctor practices across England into a centralized database accessible to researchers and non-healthcare companies. Privacy activists have raised serious concerns about NHS Digital’s plans to import the medical histories of more than 55 million patients in England into a new database, including mental and sexual health records, criminal records and more sensitive information.
Following the outcry, NHS Digital has postponed the deadline for deregistration from June 23 to September 1, 2021 to give those affected more time to remove their health records from the database. However, the numbers released exclusively by The Observer have now revealed the sheer number of people who have chosen to opt out before the deadline.
With more than a million expressing dissatisfaction with the plan, it is not surprising that data theft is now threatened. NHS Digital has made a number of concessions to privacy activists in an attempt to save the plan called General Practice Data for Planning and Research.
NHS Digital has given up its September 1, 2021, but no new launch date has been announced. For those concerned about data collection but haven’t had a chance to fill out the paperwork and submit it to their GP … that’s very good news. There is no chance that your medical records will be fed into a central database in the foreseeable future.
To allay fears, NHS Digital will be launching what is known as a “listening exercise” before launching a public information campaign to raise awareness of the plans ahead of the new deadline … whenever that is the case.
Even before the consultation process begins, NHS Digital has offered activists a huge concession – patients can request their data removed at any time. Medical records that have already been entered in the database can be removed at a later point in time if, for example, you have missed the original deadline.
Previously, NHS Digital warned anyone who opted out after the deadline that future health records would be removed from the database. However, all historical data would continue to be available to researchers, academic and commercial partners of the NHS.
NHS Digital is also committed to increasing the security and privacy of the data it stores.
The centralized database will include a number of sensitive health categories, including mental and sexual health data, criminal records, full zip code and date of birth. Earlier this year, NHS Digital confirmed that anything that could be used to identify you from your GP records will be pseudonymized before uploading. However, the code to decrypt the anonymized data is stored by the NHS.
This rang the alarm bells for a number of privacy activists, as it is a very different approach to major tech companies, including Apple and WhatsApp, which do not store digital keys that could decrypt the anonymized data. Because of this, Apple refused to help FBI investigators who were hoping to unlock an iPhone that belonged to one of the terrorist suspects.
According to Apple CEO Tim Cook: “In today’s digital world, the ‘key’ to an encrypted system is information that unlocks the data, and it is only as secure as the protective mechanisms that surround it. Once the information is known, or a way to bypass the code is uncovered, the encryption can be bypassed by anyone with the knowledge. In the physical world, it would be the equivalent of a master key that can open hundreds of millions of locks – from restaurants across Banks to shops and houses. No sane person would find that acceptable. “
NHS Digital will keep the keys to unlock its anonymized data, but says it “will only re-identify the data if there is a legitimate reason to do so and if it is necessary to comply with data protection laws”. In a sample scenario of why medical records are being decrypted to reveal the patient’s identity, NHS Digital adds, “A patient may have consented to participate in a research or clinical trial and has already consented to their data being saved shared with the researchers for this purpose. “
Speaking of the indefinite delay in data collection, an NHS Digital spokesperson said: “Patient data is critical to health planning and research. It is used to develop treatments for cancer, diabetes, long-term Covid, and heart disease, and to plan how NHS services will recover from Covid. Medical research and planning benefits us all, but is only as good as the data on which it is based.
“The better the quantity and quality of the data collected, the more useful it is for researching new treatments or planning good, sustainable NHS services to meet patient needs. Hence, it is important that people make an informed decision about sharing their data, taking our responsibility to protect data very seriously, and it will only ever be used by organizations that have a legal basis and a legitimate need to use it use in health and care planning and research.
“We have listened to feedback on the proposals and will continue to work with patients, clinicians, researchers and charities to put in place additional safety precautions, reduce the red tape for GPs, and increase communications for GPs and the public ahead of the program is implemented. “
