For now, you must use the NHS Digital process for you and your children separately to cover some data online, and the paper form for your whole family to protect your GP data. Yes, this is a mess…

---

A National Data Opt-out launched on 25 May. As a result, you may have to take several steps to make a consent decision for yourself, and extra steps for your dependent children.

It has been announced that, from October 2018, you should be able to easily view how data about you has been used, so you can verify the effects of your consent choices. We await delivery of this promise. [Dec 2018: we’re still waiting]

People who have already opted out of the use of their data for purposes beyond their direct care were written to personally during the summer of 2018, but there was no commitment to directly inform those who have not opted out. In other words, unless you happened to see a poster or hear a radio ad, you and a very large number of NHS patients were likely kept in the dark.

Until you can see how data about you is actually used, in detail, the Government expects you to base your decision solely upon the various statements and assertions that are made about it. We provide links to evidence below of ways in which some of these statements and ‘guidance’ are breached in practice.

In the absence of evidence that reassures you, medConfidential’s advice is (as it always has been) to follow the precautionary principle – opting out now is safer, as you can change your mind at any time. Once your data has been copied or released, however, it cannot be recovered.

As new information or actions you can take become available, we inform our mailing list:

---

Re-use of your records beyond your direct medical care:
Choices available to you

None of these choices will affect your medical care, or the data that is available for your care.

GP data: As your ‘front door’ to the NHS, your GP holds the lifetime history of your GP care – your prescriptions, your ailments, your tests and referrals, and the context for them all. You have the choice whether information from your GP record is copied outside of your GP practice for purposes other than your direct medical care. (This choice was created in 2010, and is only between you and your GP.) Your GP treats you; other parts of the NHS treat a condition.

Other data: The National Data Opt-out covers your data leaving all other care providers, and NHS Digital, for purposes beyond your direct care. This choice will, in time, cover all hospitals, etc. and can be set either via NHS Digital or (for now) your GP. The National Data Opt-out also covers all data leaving bodies such as Public Health England, which runs the database of every patient who has ever had cancer, and other databases.

For GP data You can express your wishes about the use of only your non-GP data online, or both your GP and non-GP data by filling in and giving this form to your GP:

If you have children, see this page.

 Just you: give this form to your GP [PDF] and do it online for other NHS data.

If you have have children under 13, NHS Digital’s new online service excludes them. See this page for the process of those with children.

---

Re-use of your records beyond your direct medical care:
Choices not available to you

Exercising the opt-out choices above will protect you from some risks – certainly more risks than if you do not expressing those choices. Both opt-outs do precisely what the Department of Health claims they do, but they do not protect you as they could.

These choices do not, for example:

• • Prevent the sale of your hospital history to companies

• • Prevent the use of prescribing data by pharmaceutical marketers to influence your doctors

• • Prevent public bodies doing work with the data they have for commercial companies (such as tobacco companies)

• • Prevent mistakes by those who have copies of your medical information from the above (Partridge Review recommendations)

• Prevent the non-clinical body NHS England insisting that you opt out all over again if it creates a new project

Compliance with the 2018 Data Protection Act (which implements the General Data Protection Regulation in UK law) has not yet been assessed.

And, in many ways, the safeguards promised in 2014 are still entirely missing:

• • The commercial re-use loophole remains open

• • No ‘single-strike’ penalties are in place

• • No significant contractual sanctions have been applied, despite serious breaches

• • No Regulations have been laid to guide the Confidentiality Advisory Group

• • NHS Digital is still releasing huge volumes of linked, individual-level patient histories rather than using safe settings

• The sole independent advisory group on collecting GP data – GPES IAG, the group that first raised concerns about care.data – was abolished without a full replacement

The best way to have confidence in how your wishes will be respected, and in how your data will be used next month, is to see how your data was used last month. This, for reasons we list above, remains impossible.