The government’s plans to combine NHS patients medical records into a single database face a challenge in the courts.
Campaigners from five groups are demanding the Department of Health and Social Care (DHSC) extend its opt-out deadline of June 23rd or face being sued.
On May 12th, health secretary Matt Hancock directed NHS Digital to collect sensitive health data in records from GP practices in England from July 1st, with citizens given until June 23rd to opt out.
The move, which updates existing practices, may make sensitive data saleable to commercial companies and other third parties, as is already possible with hospital data.
Lawyers acting for five campaigning groups plus Conservative MP David Davis have announced said they will challenge the DHSC on this decision, arguing the measure is being pushed through without proper consultation or informed consent, contrary to data protection regulations. They are seeking an injunction to stop the plans from going ahead on July 1st.
While health data such as that in GP records is inarguably valuable for academic research, campaigners say the terms of the data sharing agreements published by NHS Digital are vague.
In May, NHS Digital said: “We only seek to recover costs associated with providing data to meet approved data applications. We do not operate on a profit-making basis. Data will only be used for the benefit of health and care.”
ever, there is no published list of commercial organisations to which the data might be sold, leading to worries that private health insurance companies could be in the queue.
Diarmaid McDonnell of Just Treatment, one of the groups bringing the action, said: “For many patients this is not just about their data – it’s about the future of the NHS. We’re sleepwalking into a health system where profits are prioritised over patients, with big tech and pharma corporations at the helm, shaping every decision about the care NHS patients receive.”
Campaigners also take issue with the psudonymisation of the data, pointing out that while names, postcodes and other identifiable data may be obscured, the NHS holds the decryption key that and says that individuals can be re-identified “in certain circumstances, and where there is a valid legal reason”.
Under the terms of the GDPR, which UK data protection law still follows, psuedonymised personal data still counts as personal data and cannot be shared without consent, as there is always a risk of reidentification.
Campaigners have described the new proposals as a ‘data grab’. Among the details to be uploaded to the new database are information about diagnoses, physical / mental health, sex life / sexual orientation, lifestyle, social cirumstances, religion, ethnicity, patient demographics, test results, medications, referrals and appointments.
NHS patients in England who opt out after June 23rd can prevent any new information being uploaded from their GP record, but not data that existed in tehir records before this time.
Dr Rosie Shire, a GP at Doctors’ Association UK told the FT. “Patients need to give informed consent to their data being used. We can’t see why the government won’t do this in a less rushed and more transparent way.”
MP David Davis said: “My constituents don’t expect when they sit down with their family GP that their sensitive health data is going to be able to be accessed by all and sundry. I support a future-fit NHS but it’s got to be done in a way everyone can trust.”
The case is being brought by openDemocracy, Just Treatment, Doctors’ Association UK, The Citizens, the National Pensioners Convention and David Davis MP through the legal firm Foxglove.
Read the original article here