Is selling our medical data to insurers a crime – or not? By Jane Fae

26 February 2014 — OurNHS   

As more revelations emerge about the sale of our hospital data to the insurance industry, misleading claims that a massive expansion in data collection is totally safe, are failing to convince.

As NHS England continues to pour out new claims over what may lawfully be done with patient data, the result is not so much clarity as more confusion. NHS England’s senior managers are not helping – apparently by-passing governance structures and providing knee-jerk responses in their efforts to defuse public concern.

Suspicions were first raised by an NHS information governance assessment released in August 2013, which stated:

“In the eyes of the law, a government department, a university researcher, a pharmaceutical company, or an insurance company is as entitled to request and receive de-identified data for limited access as a clinical commissioning group…”.

care.data’s most trenchant critics used this to warn that patient data could potentially be sold for commercial and insurance purposes.

In response, NHS England’s data organisation the Health and Social Care Information Centre (HSCIC) added the following carefully worded denial to their website:

“HSCIC and NHS England are clear that the use of care.data for insurance purposes is, and will remain, strictly illegal. This document was commissioned by the Independent Advisory Group in order to help their deliberations and has no formal status”.

So HSCIC are ignoring their own advisors.

Patient data boss Tim Kelsey told Radio 4 last week that use of patient data by insurance companies to improve their business was “unlawful”. He went on: “it would be a criminal offence. It is currently a criminal offence to do”.

Some three weeks ago, we asked HSCIC where they were taking legal advice from.

No answer.

We put to them our own understanding of the existing law, that the Secretary of State for Health could legitimise such use of data where he “considers it to be in the interests of the health service in England or of the recipients or providers of adult social care in England for the direction to be given”, under Schedule 254 to the Health and Social Care Act 2012.

One might argue that directing the HSCIC to hand over data to an insurance company is not obviously “in the interests of the health service” (or patients). But could it be considered so by a Secretary of State minded to expose the NHS to market forces and endless “fundamental change”? Stranger things have happened.

Was HSISC now stating that the Secretary of State did not have these powers? Again, no answer.

Yesterday, more revelations. The Telegraph reported that the hospital records of every patient in the country had already been sold to an actuarial consultancy and used to benefit the insurance industry.

The Department of Health’s first response was to claim “the rules changed last year so this would no longer be allowed”.

Later in the day the official statement from HSCIC stating that “greater scrutiny should have been applied”. Which suggests they do not believe that the rules have changed in respect of this data release.

Throughout yesterday, we continued to press the Department of Health, NHS England and HSCIC for answers. Where in the law as it currently stands, does it make clear that sharing information with insurance companies is not allowed – as Tim Kelsey claims?

NHS England ducked the question, merely re-iterating it “would be unlawful for person level data to be used for anything other than benefits to patients”. They went on: “No data will be made available for the purposes of selling or administering any kind of insurance”.

HSCIC helpfully added: “the use of care.data for insurance purposes… is, and will remain, strictly prohibited”. Furthermore, “any organisation receiving identifiable or pseudonymised data” will be required “to sign a data sharing contract and a data sharing agreement”.

The last couple of admissions are interesting. In law, a criminal offence is one that may be subject to state enforcement. Contractual obligations are not criminal matters. “Prohibited” is not quite the same as “criminal”.

Does this matter? Almost certainly yes.

As medical writer Ben Goldacre put it clearly in the Guardian and on Twitter, what is happening now is a tragedy caused directly by the ‘bungled implementation’ of care.data. Addressing Tim Kelsey directly, he claimed: “Until that is recognised, and fixed, care.data is inflicting demonstrable harm on public consent for health data collection, daily”.

Trust and communication also play a part. Last week we reported a minor piece of misinformation: Tim Kelsey’s claim that NHS England had contracted directly with the Royal Mail to doordrop 100% of English households. In fact, neither of these claims were precisely true.

Yesterday Ben Goldacre highlighted a presentation by independent company i4Health to “clean, normalise, update and maintain” data sets. Tim Kelsey tweeted that he didn’t know i4health but they wouldn’t get care.data. Superficially, this may be re-assuring. In fact, it appears to be yet another instance of NHS England increasingly prepared to circumvent its own governance procedures.

The lesson not yet learnt is that a series of assertions by high profile figures, without back-up detail, has exactly the opposite effect desired. Far from inspiring confidence it promotes further concern. As one senior media figure argued yesterday, the strategy may work with the usual suspects – non-techy liberal critics of the scheme – but is nowhere near adequate for dealing with the technical geek tendency that now has care.data in its sights.

If release of data for insurance purposes is a criminal offence, it should not be too hard to explain why, in law. For now, however, we have the continuing claim that it would be unlawful – and a complete absence of detail to back that up.

About the author

Jane Fae is journalist and campaigner on IT, the law and sexuality. She writes extensively on  individual privacy in the face of creeping state intrusion, for Register (the leading IT industry website), the Guardian and the Independent.

This article is published under a Creative Commons Attribution-NonCommercial 3.0 licence. If you have any queries about republishing please contact us. Please check individual images for licensing details.                                                 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.