You do still have choices about what’s done with your data, but the Government has still not committed to directly telling everyone what it plans to do with NHS patients’ data – nor how everyone can exercise their own choices.
If you want to wait and see, you can do that – and you can join our mailing list to know exactly what is happening when we do. The data grab paused in 2021 may restart, but the Government has not said that you will hear anything from anyone directly about its plans, nor what (if anything) will have changed from past failures. As a result, we cannot guarantee that you will have any more information then than you do now.
If you have concerns and wish to opt out now, the process is this:
Choices available to you:
None of the choices below will affect your medical care, or the data that is available for your care.
If you live in England and want to stop your GP data leaving your GP practice for purposes other than your direct care, you can do so by filling in and giving or posting the form in step 1 to your GP:
1) Protect your GP data: fill in and give this ‘Type 1’ form to your GP practice [PDF] [or MS Word version] – this one page form allows you to include details for your children and dependants as well. This is the most important step; the Type 1 opt-out is the only opt-out that will stop NHS Digital extracting your GP data.
2) If you want to stop your non-GP data, such as hospital or clinic treatments, being used/sold for purposes other than your direct care – e.g. for “research and planning“ – you must use this process:
- If it’s just for yourself, use NHS Digital’s online National Data Opt-out process – this process only works for individuals aged 13 and over.
- If you have children under 13, you need to fill in this form [PDF] and e-mail or post it back to NHS Digital – this form works for both you and your children.
- If you have an adult dependant for whom you have legal responsibility, you must use this form [PDF] and send it back to NHS Digital on their behalf.
There is no deadline for step 2, the National Data Opt-out (i.e. your non-GP data), but the sooner you do it, the sooner it takes effect. The National Data Opt-out will not stop your GP data being copied from your GP practice.
N.B. If you opted out of care.data in 2014, then you shouldn’t need to do anything now. As most people did both a Type 1 opt-out and what is now a National Data Opt-out, you can check your NHS Digital opt-out status online at NHS Digital and your opt-out status at your GP will probably match the opt-out status shown there – although if you’re not sure, giving a a Type 1 form to your GP Practice now doesn’t have any risk.
If you don’t have a printer
NHS Digital used to post forms to people, but no longer seems to (but isn’t clear what it does, besides seemingly ignore requests for forms without telling anyone).
As a result, you can e-mail printer@medConfidential.org with your postal address, stating how many adults and/or children under 13 you need forms for, and we will post you copies of the GP paper forms, for free, no questions asked. (Please do tell us if you have children under 13, or the online hospital data service hasn’t worked for you, and so you need the hospital data form as well as the GP data form).
This service is offered as a result of others who have made donations to allow us to help you. We will, of course, only use your details to send you the forms you want and we will delete them as soon as we have done that. (medConfidential is registered with the ICO to process personal data in this way.)
As new information or actions that you can take become available, we inform people via our mailing list:
GP data: As your ‘front door’ to the NHS, your GP holds the lifetime history of your GP care; all of your prescriptions, your diagnoses, your ailments, your tests and referrals – and the context for them all as well. You have the choice whether information from your GP record is copied outside of your GP practice for purposes other than your direct medical care. (This choice was created in 2010, and is between you and your GP only.) Your GP treats you; other parts of the NHS tend to treat ‘a condition’.
Other data: The National Data Opt-out is intended to cover your data being copied from all other care providers, and NHS Digital, for purposes beyond your direct care. This choice will in time cover all hospitals, etc. but can at present only be set via NHS Digital, the option to do so via your GP having been withdrawn in 2018. (N.B. The National Data Opt-out does also cover your data leaving bodies such as Public Health England, which used to run the database of every patient who has ever had cancer, as well as other databases.)
Opting out: While in 2014 you could opt out of secondary uses (i.e. non-care uses) of your NHS data with a single form, now you must use at least two different processes – three, if you have children or dependents.
Out of hours care or other choices: If the GP receptionist you speak to tells you something about ‘out of hours care’, or that they don’t have to accept opt-out forms any more – largely because Government and NHS communications on this programme have been so bad they don’t know what it is – then point them at the link on the bottom of our letter / form, which points to NHS Digital’s own statement:
If you don’t want your identifiable patient data to be shared for purposes except for your own care, you can opt-out by registering a Type 1 Opt-out or a National Data Opt-out, or both. These opt-outs are different and they are explained in more detail below. Your individual care will not be affected if you opt-out using either option.
Re-use of your records beyond your direct medical care:
Choices not available to you
Exercising the opt-out choices linked above will protect you from some risks – certainly more risks than if you do not express those choices. Both opt-outs do precisely what the Department of Health claims they do, but they do not protect you as they could.
These choices do not, for example, currently:
- Prevent the sale of your hospital history to companies;
- Prevent the use of prescribing data by pharmaceutical marketers to influence your doctors;
- Prevent public bodies doing work with the data they have for commercial companies, such as tobacco companies;
- Prevent mistakes by those who have copies of your medical information from the above, cf. the Partridge Review recommendations.
- Prevent the non-clinical body NHS England insisting that you opt out all over again if it decides to create a new project…
As of 2021, some NHS bodies’ actions are still not compliant with the 2018 Data Protection Act, which implemented the General Data Protection Regulation (GDPR) into UK law. And several of the important safeguards promised in 2014 are still entirely missing:
- The commercial re-use loophole remains open;
- No ‘single-strike’ penalties are in place;
- No significant contractual sanctions have been applied, despite serious breaches;
- No Regulations have been laid to guide the Confidentiality Advisory Group;
- NHS Digital is still releasing huge volumes of linked, individual-level patient histories rather than using safe settings;
- The sole independent advisory group on collecting GP data – GPES IAG, the group that first raised concerns about care.data – was abolished without a full replacement.