Caring, sharing: what should the NHS be allowed to do with our data?

NHS England (NHSE) recently postponed their controversial scheme to share GP data with organisations outside the NHS, just weeks before the intended implementation date.

The scheme, known as care.data, was subject to mounting criticism from campaigners, journalists and lawyers in relation to the adequacy of the public information campaign and the lack of detail about the final particulars of the scheme.

The ethical and legal implications of care.data are complex. Most people would probably agree that in the right hands medical data has the power to do good, but that transparency about the purpose of the scheme and the ability of patients to “opt out” out of it, are essential.

Leigh Day is instructed by medConfidential (a campaign for confidentiality and consent in health care) in relation to the lawfulness of the care.data programme. At the centre of medConfidential’s campaign is the safety of the patient; most patients believe that their GP records are private, but the scheme in its present form threatens to destroy that vital relationship of confidence between patient and GP.

A lot of people might be surprised to know that NHSE doesn’t need patient consent to share data where it will be used for “medical purposes” (a wide and ill-defined phrase). However, the Secretary of State gave a policy commitment that patient objections would be respected through an “opt out” and by doing so (probably inadvertently) created a legal duty to ensure that all patients in England are properly informed about its operation.

The public information campaign so far has not effectively communicated who will be given access to patient data and for what purpose – nor has it accurately described a patient’s ability to extract their data from the scheme if they change their mind after the initial upload.

Public mistrust in the scheme may prevent patients from discussing sensitive health issues with their GP in fear that a private company (for example, Bupa) or even a government department (such as the DWP) may obtain this information and use it for improper purposes. Public information is therefore essential to maintain trust between patient and GP. 

I think most people, including myself, would agree that medical data has the huge power to do good. However, once it is shared, it cannot be unshared, and when the public lose trust in their GPs, it cannot be easily regained. It is therefore vital that NHSE use this time to rethink the mechanism and purpose of care.data, and to properly inform the public so they may choose whether they want to be part of the scheme.

Interestingly, developments in EU privacy law might require explicit consent to be provided by patients for this kind of data processing in the future. The simultaneous development of both NHSE’s plans for care.data and EU privacy law will be an interesting relationship to observe over the next six months.  

Kate Egerton is a solicitor at Leigh Day 

You might also be interested in…