More information

medConfidential brings together individuals and organisations from all sections of the community, seeking to ensure that the case for confidentiality and consent in health and social care is strongly represented in the media, in the corridors of power and across the country.

We provide briefings for patients, medics, service users, care professionals and anyone concerned with care – as well as for the media, and in Westminster and Whitehall. If your organisation would like a briefing, please contact coordinator@medconfidential.org


The below briefings were the state of play when care.data was suspended in 2014. Later briefings and work are covered on our news page. Specific issues, such as AI, have separate pages and non-time sensitive proposals are covered elsewhere.


2014 Briefings and reports

2014 Parliamentary briefings and amendments:

2014 Complaint to the Information Commissioner’s Office:

2014 Other documents and reports:

Notes to the British Medical Association’s Local Medical Committees conference and Annual Representatives Meeting:

Our original public briefing, ‘A new threat to your medical privacy’, relating to plans for the NHS in England is available to download here:

Given the Department of Health’s announcement in February (493 KB PDF file) that it intends to create “electronic child health records” designed to track every child across health, education and local authorities using their NHS number as a ‘unique identifier’, we provide a copy of ‘Protecting the virtual child’ – a study commissioned by The Nuffield Foundation that examines the law and practice around children’s consent to sharing information:


2013 Protect your medical privacy FAQ (2013)

Originally written for the intended roll-out of care.data in 2013, these FAQs will be superseded when details of the new scheme become available later in 2014. For now we have added comments to clarify which of the information is still valid. Most of it is.

So what has changed?

The government has passed legislation and the NHS Constitution has been rewritten so that confidential information will be extracted from your GP-held record in identifiable form, and no longer be under the control of the doctor you shared it with.

Until recently the default position was that your medical notes were confidential and remained within your GP’s surgery systems. This is no longer true. The new default is that, on the direction of NHS England, excerpts from your records will be uploaded to the new Health and Social Care Information Centre (HSCIC) unless you say otherwise.

– ALL STILL CORRECT

When is this happening?

Pilots of the new scheme – called ‘care.data’ – took place in around 75 GP practices in England. The original plan was to begin extracting data in the Autumn of 2013, but after pressure from GP leaders, medConfidential and others, NHS England bowed to confidentiality concerns around care.data, agreed to mount a publicity campaign and delayed the first extractions until Spring 2014.

HSCIC will start extracting information from GP practices in England – not Scotland, Wales or Northern Ireland – in March 2014. We are led to believe that the first extraction will be around 1% of the population, the second extraction in April will be 10% and the third in May will extract information from 100% of the population. Data is expected to flow to HSCIC ‘customers’ a couple of months later.

– EXTRACTION NOW DELAYED UNTIL AUTUMN 2014

What information will be taken from my medical records?

Every month, details of your diagnoses, referrals, health conditions and treatments plus ‘lifestyle’ information such as smoking / drinking habits and whether you are obese will be extracted. They will be uploaded to HSCIC together with your NHS number, date of birth, postcode, gender and ethnicity.

– ALL STILL CORRECT

But they say my data will be ‘anonymised’…

First of all, the information will not be anonymised when it leaves your GP’s surgery; it will be extracted with your personal details still attached. HSCIC will then determine which parts of your information it will share with others and requests for identifiable data will be passed on to another body, the Confidentiality Advisory Group based in the Health Research Authority. Don’t be fooled by the word ‘research’ in the name, though – NHS England, for example, has already been granted a legal exemption to pass identifiable data about patients between various commissioning bodies.

Even if your information is passed on or published without identifying details, your anonymity can never be guaranteed. Re-identification of apparently ‘anonymous’ data can be surprisingly easy, and the way HSCIC will treat the data is specifically designed to allow it to link and match records at patient level.

– ALL STILL CORRECT

How will my information be used?

Aside from the de-identified data that HSCIC intends to publish, your information may also be shared with or sold to researchers and private companies; registered ‘customers’ pay extra if they receive data in identifiable form. This will be done without your knowledge and you will have no control over who receives it.

Identifiable data will also be passed to regional processing centres, local Clinical Commissioning Groups and the units that support them – which include private companies. These commissioning bodies will use your information for a number of administrative purposes, including audit and monitoring, service planning and targeting, validating invoices and to provide evidence about the effectiveness of services.

– ALL STILL CORRECT

Is it just my GP-held records that will be treated this way?

No. Extracting GP records is only the first step in a far bigger programme. Hospitals have been uploading patient records for years, and social services have been told they will have to begin from 2015 – this is, after all, the ‘Health and Social Care Information Centre’. Ultimately information about all of the medical and social care you receive will be collected and stored on the HSCIC system.

– ALL STILL CORRECT

Will I be asked for permission?

No, and they’re not intending to tell you directly either. In fact – though it finally conceded to run a junk mail door drop – NHS England initially ruled out running any sort of national publicity campaign. Instead they tried getting GPs to put up posters in their receptions or notices in newsletters.

– THE JUNK MAIL LEAFLET WAS SENT, BUT NO OPT OUT FORM

What can I do?

The good news is that you can opt out. But if you don’t want your confidential information collected or passed on by HSCIC, the onus is on you to tell your GP. Under the new legislation, GPs will not be able to stop your information being released to HSCIC unless you specifically tell them not to upload it and to make an official note of this in your record.

We provide a letter on our website that you can download, fill in and send to your GP or use as a framework for writing your own letter:

www.medconfidential.org/how-to-opt-out/

If you do have any particular concerns, we recommend you talk to your GP about them.

– ALL STILL CORRECT

Will opting out affect my care in any way?

No. Opting out of these ‘secondary uses’ of your data will not affect your direct medical care. Nor should it affect the way your GP is paid for providing you with care; that is done with aggregate, non-identifiable data.

– ALL STILL CORRECT

Why are there two opt out codes in the letter?

As we said, extracting GP records is only the first step in a much wider programme. Information about you may be collected by HSCIC from sources other than your GP, e.g. from hospitals or clinics. This information will also be identifiable, and may be linked to other data it holds or passed to other agencies and third parties.

If you want to stop HSCIC from passing on your confidential information in identifiable form to any other bodies, including private companies, you have to tell your GP to add that opt out code to your record as well.

– STILL CORRECT, BUT OPT OUT MECHANISM MAY NOW BE ‘SIMPLIFIED’

Isn’t this the same as the Summary Care Record (SCR)?

No, but it does cover some of the same data, e.g. your prescriptions. The SCR was a far more limited collection, whereas this new scheme –known as ‘care.data’ – involves a wholesale, monthly extraction of identifiable information about every patient in England.

– ALL STILL CORRECT

I’ve already opted out of SCR. Do I need to do anything?

Yes, you must opt out all over again. Though the Secretary of State for Health, Jeremy Hunt, originally stated that existing opt outs “would be respected”, there has since been a U-turn and opt outs for SCR will not be carried over to this new scheme.

– ALL STILL CORRECT

What about my data being used for medical research?

In December 2011, the Prime Minister promised an opt out for those who specifically didn’t want their information to be used for medical research . This has not happened. Your only option at this point is therefore to opt out altogether from uploads to and passing on from HSCIC or accept that your information will be used for a wide range of purposes, only some of which are to do with medical research.

– ALL STILL CORRECT

29 thoughts on “More information

  1. Adrian Bridge

    Please add me to your mailing list, if you have one.

    How about creating a proforma letter to send to ones doctor opting out of any data sharing scheme?

    Reply
    1. Phil Post author

      Hi Adrian,

      We’ll be launching a newsletter shortly. I’ll make sure to add you when it goes live.

      And, yes, we are working (hard!) towards a mechanism that will enable people to opt out simply and straightforwardly but unfortunately, as reported in the press today, under the new NHS Constitution there is no such opt out:

      http://www.dailymail.co.uk/news/article-2300824/NHS-patients-set-lose-important-controls-private-medical-records.html

      http://www.telegraph.co.uk/health/healthnews/9960728/Secret-NHS-plan-to-share-personal-records.html

      I fear there is much work still to do…

      Reply
  2. Trevor Mendham

    Hi Phil. I’m guessing the HSCIC plans are NHS England only and not relevant to those of us in sunny Scotland? Yes or no, the scope could do with being made clear on the website and in the briefing document.

    Reply
    1. Phil Post author

      Hi Trevor, great to hear from you 🙂

      The plans afoot are indeed for England, though we understand that the NHS in Scotland is considering some seperate but not entirely unrelated initiatives. And, of course, Scotland’s NHS IT runs on platforms from some of the same providers, so there may be a degree of ‘function creep’.

      You are right, though. I’ll update the site and briefing as soon as I have a moment.

      Reply
  3. Pingback: I would like to propose a SHA committee on the use of GP data in the NHS - Socialist Health Association

  4. Pingback: Patient data for sale | HEALTH ALERT!

    1. Phil Post author

      Hi Gwen,

      To opt out on behalf of your children, simply inform your GP in the same way as you would for yourself – you can fill in one of our form letters for each child or add their information on the bottom of your own form making it clear that you want your doctor to add the Read Codes to everyone’s record.

      Reply
  5. Richard Budd

    Great Jeremy,
    Since youve decided not to respect the 93C3 codes already in place (which quite clearly indicate these same people will also not want their data sharing with HSCIC either), would you perhaps care to let us (Primary Care) know what the opt out codes are then?
    Ive just read the patient information that we are now supposed to give to patients and it suggests patients should ask their practice if they have any concerns. When exactly is someone going to bother to explain to us the practice what this data sharing actually involves, and better still what the opt out codes are?
    I am extremely concerned Jeremy Hunt has decided not to respect the existing 93C3 opt outs already in place, especially since the information leaflet states this HSCIC is going live in Autumn. Its now Nearly November and its been agreed not to actively inform patients with a proper mailing campaign (as was the legal requirement for the SCR) but to instead deflect the responsibility to practices and tell them to stick a few posters up and put some opt out forms on reception?
    Unless a patient happens to have an appointment in the next few weeks AND actually notices the posters/leaflets displayed the vast majority of patients wont even be aware of the HSCIC data sharing.
    This is no doubt exactly why it was decided not to respect the existing opt out codes in place, because they dont wont the 1% of the national population that enforced their legal right not to have their personal shared via SCR doing so again.
    This implementation is underhand and quite possibly unlawful.

    Reply
  6. Stephanie

    Hi to all,
    Im finding this topic very worrying that our information can be ‘out there’ for anyone, especially the corporate institutions. I also find it insulting that our information will be’for sale’.
    I see that gaining personal/sensative information of an individual is a money making scheme but none of that money will go to whose information they access. I also feel this is will lead to sinister means, for instants, compulsary chipping (FRID) of the population.
    My questions are :-
    1) How will I know when I opt out that my information isnt given under the carpet.
    2) Will I be able to sue if my information is leaked.
    I think this corporation HSCIC oops mean goverment body is crossing the lines of our basic human rights and should be taken to task.

    Reply
    1. Phil Post author

      Hi Stephanie,

      In answer to your questions:

      1) If the opt out does not work as promised, then NHS England and HSCIC would be facing the biggest lawsuit in British history! Bad enough they’ve decided not tell people properly what is being done with their medical records. Breaking an NHS Constitutional promise to respect every patient’s right to opt out would bring the whole scheme tumbling down.

      2) You might be able to sue… if you find out! And therein lies the problem; NHS England / HSCIC say that individuals won’t be able to be identified in the data they pass to third parties – so who is liable when data leaks or is hacked or misused and people ARE re-identified? If the third party misuses the data, they’ll be breaching their contract with HSCIC – but will HSCIC constantly be sending auditors to all of its ‘customers’ to check they’re not doing something dodgy? I somehow doubt it. If there’s a data breach then apparently the Information Commissioner will have to step in – but the ICO’s powers are limited, its fines are capped at £500k (peanuts to a pharmaceutical company or insurance firm) and again the ICO will be in no position to go auditing all these companies that have our data. All of this will be cold comfort – and far too late – for those people whose medical information will by that point be on the black market FOR EVER.

      I agree that HSCIC and NHS England are playing dangerous games with our fundamental human right to privacy; the scheme remains open to challenge and may yet be deemed illegal – http://www.telegraph.co.uk/health/healthnews/10585305/EU-proposals-could-outlaw-giant-NHS-database.html – under the upcoming EU Data Protection Regulation.

      Reply
  7. Stephanie

    Hi Phil,
    Firstly thank you for your responce.
    I do believe that even if you do opt out of this very dangerous and sinister HSCIC our details will be given to this unethic panel of officals.
    What surprises me is that Doctors have not gone in force to fight this data collection of the population and say no to the HSCIC to upload these records from the surgeries without a full awareness campaign to the general public.
    Yet after reading how Doctors are groomed by pharmacutical as soon as they start thier careers as F1 ect, by giving them expensive gift/holidays they are lead like sheep under the umbrella of these black coroporations.
    I do feel there is an agenda for the mass populas and its not to help us (seen as the medical profession cant get access to this data!) more to make us unemployable if we have certain medical dispostions like depression your future employer can access your record. Also are the pharams there to find more drugs to make us unhealthy like the cancer ethic of, cut it out, burn it out or radiate it? As we all know thats a billion pound business knowing that canabaloids cure cancer but no money in that!!
    Sorry for ranting on but the whole system makes me angry and gives me no faith in all the Elites, ooops i mean goverment systems for the human race.

    Reply
  8. Thea

    If information is currently held across multiple GP surgery’s as a result of moving from one to the other, will we need to opt out with all of them? I ask as my new GP has no access to my old GP’s records for me.

    Reply
    1. Phil Post author

      Hi Thea,

      GPs who work with us tell me that the data should only be uploaded from the practice at which you are currently registered, but they cannot be 100% certain. What I’d suggest is that you opt out with your current GP and send an e-mail to the only people who’ll know for sure where they’re sucking our data up from (i.e. the Health and Social Care Information Centre) to ask them exactly what you’ve asked us.

      We’d really appreciate you letting us know what they say, as other patients may find themselves in a similar position.

      HSCIC e-mail: enquiries@hscic.gov.uk
      Postal address: 1 Trevelyan Square, Boar Lane, Leeds LS1 6AE

      Reply
  9. Tom

    What about children who are born after the deadline passes to opt out in March – will they (or their parents, on their behalf) have any chance to opt out ever?

    Reply
    1. Phil Post author

      Data only flows once you are registered with a GP so as long as you opt your baby out as soon as he or she is registered with the GP, his or her data should not be extracted. Bit of an imposition on new parents, don’t you think?

      Reply
      1. Tom

        Thanks – my wife and I have both opted out but we have a baby due later this year so will need to remember that when the little one arrives!

        Presumably GPs are under an obligation to inform parents when they register a child about data-sharing and care.data – is there any evidence of how this is happening (if it is)? It also seems incredibly harsh that there is no way to delete data once it’s uploaded, particularly for children where parents may not be aware or who may disagree later in life with decisions their parents made for them when young.

        Reply
    1. Phil Post author

      This is happening in England only. As far as we are aware there is nothing in the pipeline like this for Scotland, Wales or Northern Ireland – but if anyone knows of anything, please let us know.

      Reply
  10. Peter

    Phil,

    The whole thing seems quite incredible.

    Could you confirm that the only method available to try and ensure that identifiable information held within the NHS, and in particular within hospitals and other facilities, is not passed on to the HSCIC, is to opt-out with your GP’s surgery, including both the codes: (Read v2: 9Nu0 or CVT3: XaZ89) and importantly code (Read v2: 9Nu4 or CTV3: XaaVL)?

    It would appear that if this is correct then it becomes the responsibility of the GP to advise the hospitals etc., where such records are held, or would it be advisable to inform the hospitals directly quoting your hospital number in the process.

    Many thanks for your helpful web-site.

    Peter

    Reply
    1. Phil Post author

      Peter,

      Glad to be of help.

      The 9Nu4 code can’t stop identifiable data going to HSCIC – they are sucking it up from hospitals, clinics, etc. already. What it does (or should do) is stop HSCIC passing any of your identifiable data to anywhere else once it has arrived. The GP has effectively been made responsible for administering an HSCIC opt out, when GPs won’t even be a data controller for the data that HSCIC has extracted!

      9Nu0 should block data leaving your GP practice – there should be an announcement on this soon. So, if you want to stop data being extracted from your GP practice, you need to do the 9Nu0 opt out and if you don’t want your information gathered from anywhere else to be passed on by HSCIC, you need to do the 9Nu4 one.

      Hpope that’s clearer,

      Phil

      Reply
  11. Ian

    I’ve not been registered with a GP for 10 years, but I have attended A&E on a couple of occasions since. How do I control the upload of those hospital records? And earlier hospital and GP records?

    Reply
    1. Phil Post author

      Under the care.data scheme, information is extracted from records held by the GP practice with which you are currently registered. So you probably won’t be affected by that extraction.

      Hospital records are a different matter. As Tim Kelsey is fond of pointing out, they have been collecting hospital data for years. In theory, you should be able to use the second opt out code (which tells HSCIC not to pass on any of your confidential information once it arrives on their databases) to prevent flow of data OUT of HSCIC – but if you are not registered with a GP, it becomes rather more complicated as GPs are the ones being forced to administer both codes.

      I suggest you write to / call HSCIC direct and ask them what someone in your situation is supposed to do: enquiries@hscic.gov.uk or 0845 300 6016.

      Please do let us know how you get on.

      Reply
  12. valerie long

    My Mother & Father, in law, have recently found out about the Nhs summary care records. They were very concerned about this, & took their opt out forms to the gp, immediately. They are now receiving letters from insurance companies, & drug companies, which know about their specific health complaints.It seems their records have been uploaded already. These companies could only know this , if they have seen their Nhs records. this is very worrying!!. surely we should have been asked to opt in, by signing up, not opt out, when most people knew nothing about this. There must be a way to sue, if our records are uploaded without consent, as they are private & confidential, unless some law has been passed , to say they belong to all & sundry.

    Reply
    1. Phil Post author

      To our knowledge, at this point no data has been uploaded from GP practices under the care.data scheme. And we are watching pretty closely. It is the case that patient data has been uploaded from hospitals and other ‘secondary care’ bodies for quite some time. But to receive letters direct from drug and insurance companies about specific complaints is quite extraordinary – and we can understand how very worrying this would be. Please get in touch via coordinator@medconfidential.org and we’ll see what we can do to investigate further.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *