What actually happened with care.data? (2013 – 2016, in brief)

The story of what happened up until 2013 is here, as is what happened after 2016.

This brief summary covers what happened with the care.data programme, from its inception in 2013 to its cancellation in 2016.

The Roadmap

The goal was to take patients’ GP data, link it to the rest of their data from across the NHS, and to make it available to any organisation that wanted to use it – this having been more or less standard practice for patients’ hospital data since the late 1990s.

Posters in GP’s surgeries

The original plan, first mooted in summer 2013, was that a poster in a GP surgery would be sufficient to tell patients of the pending extraction of their entire medical history.

In practice, this worked out about as well as any reasonable person would expect and had to be rethought when the Information Commissioner said this would not meet fair processing.

Junk mail leaflets

Following the failure of its poster plan, NHS England decided that rather than following the precedent of the Summary Care Record, and writing to each patient, it would send an unaddressed leaflet to every house.

The Government claimed these leaflets would go to every house, but it did not invoke the special protocols it has with the Royal Mail to deliver public communications to every household, and so the leaflet was only sent to those who had not opted out of junk mail.

The leaflets were often delivered folded into pizza leaflets; some were not delivered at all.  Polling after the leaflets should all have been delivered suggested only 30% of the public had any idea the scheme existed.

Press coverage

When the leaflets were being posted out, there was some press coverage of the project. This led to scrutiny, discussion, and the problems of the project became self-evident.

Continued press coverage was extensive; it was accurate, and it was also scathing.

Today Programme

After initial press coverage and Parliamentary Questions, the BBC Today Programme picked up the question with a head-to-head interview between NHS England and medConfidential. The defence given by the Director of Patient Information at NHS England was, “There have been no data losses in over 25 years.”

Scrutiny continued in the press, with various statements in the leaflets sent to patients being shown to be inconsistent. Freedom of Information requests revealed major data losses in each year for which information was held.


48 hours after the public were given assurances that GP data would be ‘as safe as existing hospital data’ and that it would never be used by insurers, a report was published by insurers that had used data from HSCIC’s predecessor body.

The public, Parliamentary, and professional backlash was significant and, facing growing opposition, care.data was suspended.

Sir Nick Partridge, a non-executive Director of the HSCIC, was tasked with overseeing a review of releases. It was published a few months later.


Shortly before the final deadline for amendments, the Government added a ‘restriction’ to the Care Act 2014 that required NHS patients’ data be used for the “provision of” care or “the promotion of health”.

It is still unclear what “promotion of health” means in practice, though the continued provision of data to firms that provide market access and market insights to commercial organisations suggests it includes such forms of marketing.

The Health Select Committee was highly critical of many aspects of what had transpired, and proposed changes into the future.

care.data Advisory Group (CDAG)

Reflecting the broad base of concerns about the care.data programme, an “advisory group” was constituted, chaired by a member of the NHS England Board. It met monthly and had a free and frank discussion amongst a wide range of expert members, reflecting a diverse base of views.

Data Release Register

Following the Partridge Review, the HSCIC publishes an irregular register of data releases on a discretionary basis.

Safe settings

After a discussion at the Health Select Committee, the Health and Social Care Information Centre began work on examining and constructing a network of “Safe Settings”, so that HSCIC could retain management and audit trails of data usage, but users could still perform their analyses.

‘Pathfinder’ announcement

NHS England pre-announced it would write to all of the CCGs in England and ask them if they wished to become a ‘pathfinder’ for the care.data programme. This did not happen.

Instead, NHS England selected / dragooned four areas for this “honour”, which were:

  • Leeds – a large city, home to HSCIC and NHS England
  • West Hampshire – which has terrible data processes and needed support
  • Somerset – home of the care.data programme’s SRO
  • Blackburn with Darwen – (we never worked out why they were picked)

National Data Guardian (NDG)

Reacting to ongoing public concern, the Secretary of State appointed a National Data Guardian to oversee data use in Health and Adult Social Care in November 2014.

Promised to be a statutory body “at the earliest opportunity”, Dame Fiona Caldicott was appointed as the first National Data Guardian.

Letters and Booklets

The care.data programme continued its communications and public engagement work, holding various public events to show the booklet that would accompany a letter and opt-out form that would go to every patient registered with a GP.

The opt-out shown to the public covered both their GP data and all their other NHS data as well.

Opt-Out Implementation

In the Summer of 2015, the Senior Responsible Owner of the programme at NHS England told the care.data Advisory Group that the promise to patients that “opting out will not affect the care you receive” had been “vetoed”.  It transpired this was false.

The care.data Advisory Group was abolished in October 2015, to be replaced by a “Strategic Oversight Board” which met only once, with no privacy organisations participating, before it too was abolished.

Caldicott Review

Announced in September 2015, two days after the care.data pathfinders were due to commence, and initially intended to report in January 2016, the Caldicott Review of Consent was finally published in July 2016 and went on to a public consultation.

High-level Resignation

The “visionary” of care.data and its Senior Responsible Owner resigned in October 2015 and left NHS England in December, moving to Australia a few weeks later. He did not and has not apologised for his part in the fiasco.

The Ambition Never Dies

While the care.data programme was finally cancelled in July 2016, the desire for data and the powers to require it be provided all remained.

See here for more detail on care.data’s successor, GPDPR.