8 June 2018 — MedConfidential
The UK’s new Data Protection Act, which implements the EU-wide General Data Protection Regulation, came into force on 25th May. Significant changes are underway, but how much will change in the NHS?
What just happened?
The day before GDPR came into effect, staff at NHS Digital were ordered not to release any “anonymised” patient data. Data releases were resumed the following day, but NHS Digital is still discussing what it terms “operational issues” (i.e. what patient information can now be considered “anonymous”) with the Information Commissioner’s Office.
What both GDPR and the ICO make clear is that your medical records can no longer be sold in ‘pseudonymised’ form. So what NHS Digital calls ‘Hospital Episode Statistics’ is now, in law, identifiable and therefore personal data, under both EU and UK law. We expect NHS officials will catch up with reality at some point later this year, unless they find another interpretation to hide behind.
While GDPR does permit the processing of personal data for legitimate “public tasks”, it recognises health data as a special category – and the new National Data Opt-out (also launched on the 25th May) recognises a clear distinction between the provision of individual care or treatment and the use of patients’ identifiable data for purposes beyond their direct care.
The list of public tasks for identifiable data to which the National Data Opt-out doesn’t apply (e.g. public health emergencies) is very short, and has been the subject of agreement for years. We would hope officials don’t try to unpick this just days after it came into effect.
What’s about to happen?
medConfidential understood the NHS would begin sending letters to patients who have made a Type-2 objection from Monday 4th June. This does not appear to have happened, and – despite being asked – NHS Digital appears reluctant to confirm exactly when the letters will be sent, or even if the process has already begun.
If you have previously opted out, it may take up to 4 weeks for your letter to come; the intention is that the letters will be sent out in batches.
Despite undertakings in the aftermath of the care.data debacle, no-one who has not already opted out will be sent a letter informing them of their right to do so. And, from recent draft text medConfidential has seen, and given that NHS Digital is apparently still selling patients’ data that by GDPR’s definition is identifiable, we are not confident that the letters that are sent will be accurate.
N.B. A Type-2 objection is the opt-out that tells NHS Digital not to pass on your information for purposes beyond your direct care; Type-1 objections, which inform your GP (not) to do the same thing, are unaffected. For now.
What can you do?
If you did opt out previously, making a Type-2 objection, and you receive a letter about the new National Data Opt-Out we would very much like to hear when you got it. Please let us know via firstname.lastname@example.org
Though it refuses to send letters to everyone who will be affected, NHS England is once again mounting a ‘communications campaign’ along the lines of what was done for care.data – it has dropped the junk mail leaflets this time, but is running some radio and TV ads (have you seen them? we’d like a copy) and providing posters and flyers for GP practices, hospitals and other places people receive care.
If you’re making a choice for your children, the process advocated by NHS England requires you to send 4 forms of ID and documentation to an NHS office to opt out. If it’s just for you, and you haven’t previously registered a Type-2 objection, you can use that process to opt-out if you choose. medConfidential’s opt-out form (available since late 2013), which we have updated in light of the recent changes, still works for everyone – and can cover your GP data as well.
With all that is and will be changing, we strongly recommend you get yourself a Patient Online account if you don’t already have one, so you can see the information your GP already makes available to you. We provide more information about this on the ‘For patients’ section of our website.
Though it will still be some time until you can see how all of your data has been used, by which organisations and for what purposes, a Patient Online login to your GP’s system should already allow you to see how your GP data is being used.
Phil Booth & Sam Smith
8th June 2018
P.S. We shall, of course, send future Bulletins as matters become clearer, with practical actions you, your loved ones and (in some cases) patients can take. We are very grateful for your continued support – for your donations and regular subscriptions, and for the tremendous job you do in spreading the word.