medConfidential statement on continued sale of hospital records

During the failed Care.Data project, NHS England and the Department of Health said “patients have a choice” about how their data is used – they could opt out if they wished.

NHS Digital, the bit of the Department of Health that sells data to companies, has gone back on the Secretary of State’s word on a critical detail, and Jeremy Hunt has given up. To the Information Commissioner, they now say: there is no choice about whether your hospital data is sold. NHS Digital admit and demonstrate that it continues to be sold.

The opt out was the gift of the Secretary of State, and he has taken part of it away again. Merry Christmas everyone.

On that basis, other legal options remain open to patients. This is not the end, but it is the end of the beginning.

The opt out has begun to be implemented – it does do some things – but the main purpose of opting out of your hospital data being sold, is that your hospital data doesn’t get sold. That is the part that continues to happen in spite of the NHS promise to you as a patient.

We are obviously disappointed that Jeremy Hunt has chosen to go back on his word, and continue selling the nation’s private hospital history to anyone who fills in a form correctly, after he offered patients a choice to opt out of that.

The ICO has ruled that it was the Secretary of State’s choice, and he was entitled to make it. This does not affect rights available to patients under the Data Protection Act.

If patients are concerned, we suggest they join our newsletter at, and we will provide a detailed update shortly – it is likely to involve a trip to the post box.

We will have a more detailed analysis of the contradictory parts of the ICO response in due course.


Notes to Editors

    1. was the extension of GP data to link it with Hospital data, and continue the practices used in ongoing releases of hospital data. The Government was very clear that if patients didn’t want their hospital data used, they could opt out:
      NHS England: 
    2. NHS Digital’s convoluted policy statement is the 5th bullet point here: 
    3. For alternate approaches, we note s10 of the Data Protection Act allows a person to dissent from processing, and purposes beyond direct care are subject to legal dissent. The opt out was supposed to be the convenient way of expressing dissent; it is not the only way. 
    4. This decision is about data flows as they exist today. Looking forwards to future changes, NHS Digital argue that this implementation is entirely consistent with the future Caldicott Consent Choice under review by the Government following a public consultation. That is in the hands of the Government. 
    5. The NHS Digital Privacy Impact Assessment for the Hospital Episode Statistics shows that reidentification from this data could happen:
    6. The recipients of data releases, which includes releases containing data on patients who had opted out, can be seen here:
    7. For what patients can do about this change, see: