Do the benefits of using patient data outweigh the risks? Could something go wrong, and what would be the impact? 

There are huge benefits when patient data is used responsibly to save lives, improve health and care, and advance medical research. However, it is true that sharing patient data will never be totally risk-free. There must be robust measures in place to reduce the risks as much as possible. We look at the concerns people have and what’s being done to reduce the risks.

Weighing up benefits and risks

We increasingly rely on digital technologies across all areas of our lives, benefiting from access to online services and tailored information when we need it, based on data about us or people like us. At the same time, reports of misuse of data, like Facebook and Cambridge Analytica, have highlighted the implications for privacy.

Some people may be willing to share personal data about themselves widely, for example through social media or store loyalty cards, but others will be more cautious. Individuals are prepared to make different trade-offs, depending on the benefits they receive in return. It may also depend on the type of data, for example whether it relates to finances, health, travel or purchases.

When considering the use of patient data specifically, questions you might want to ask include:

There are huge benefits of using patient data, both for individual care, and to improve health, care and services across the NHS. When patients are treated in the NHS, they benefit from insights based on the data of previous patients like them. Find out more about the benefits.

Sharing patient data will never be totally risk-free, but there must be robust measures in place to reduce any risks as much as possible. At the moment, most of the ‘data breaches’ in the health sector occur when information is accidentally posted, faxed or emailed to the wrong person. Surveys suggest that there are three main things people are concerned about:

You can find out more about each of these issues, and what is being done to protect data, below.

There must be appropriate measures in place to make any risks as low as reasonably possible. Wherever possible, anonymised data will be used. There are audit processes to scrutinise those who are using data, and robust penalties where data is misused. Find out more about how data is kept safe.

The failure to record, link and share data can damage patient care, and waste scarce NHS resource. For example, looking at patterns in data is essential to monitor the long-term safety of drugs and treatments, and to identify adverse side effects as quickly as possible. Without effective use of data, services are not improved and patients will suffer.

This will vary from person to person. People may accept greater risks for their individual care, if they are more likely to benefit. They may not want to take the same risks for other uses of their data. On the other hand, someone with a rare disease may be most at risk of loss of privacy because they could be easily identifiable from data, but they will often be the most keen for data to be used. In the search for a diagnosis or treatment, they are often willing to take more risk.

The NHS and organisations looking after patient data must be transparent about access to data, who makes the decisions and what level of choice individuals have. The national data opt-out, introduced in May 2018, allows patients some choice about the use of their confidential patient information beyond their individual care.

Where individuals do not have a choice, there must be transparency about how data is used so that there are ‘no surprises’. For example, NHS Digital has an independent review process to assess applications to use data and a data release register showing where data is sent and for what purpose. 

Data breaches in the health sector

Most of the evidence comes from data breaches reported to the Information Commissioner’s Office (ICO), the data regulator. Until May 2018, the health sector was the only sector that had to report all breaches.

Graph from the ICO showing the main type of data breach in the health sector in 2017 was data posted or faxed to the wrong recipient.

The graph above is taken from www.ico.org.uk, 18 May 2018.

In financial year 2017-2018, a total of 1,214 breaches were reported to the ICO from the health sector. To put this into context, the NHS deals with over 1 million patients every 36 hours and in 2017, there were over 100 million hospital outpatient appointments across the NHS.  

A data breach occurs when personally identifiable data is “lost, destroyed, altered or disclosed”. For example: a laptop containing personal data is lost or stolen; a letter is sent to the wrong address; someone without proper authorisation accesses data or passes it on; or data is hacked. A breach may be either accidental or deliberate.

The three main types of breaches in the health sector in 2017 were:

  • Data posted or faxed to incorrect recipient
  • Loss / theft of paperwork
  • Data sent by email to incorrect recipient.

This suggests that, in the majority of cases, breaches are occurring as a result of accidental mistakes made during the course of routine care. The NHS is tackling this with increased staff training and investments in robust IT security.

  • Even where there has been a data ‘breach’, there may not be any impact – for example, if a laptop with data is lost, the data may not be found or used in any way. But the possibility that data about them might fall into the wrong hands may cause some people emotional distress.
  • The potential impact of a data breach will depend on your circumstances. For example, someone who has a sensitive medical condition may be much more concerned if part of their medical record was accidentally disclosed, than someone who does not.  People react differently: some people may be very upset, some people may be annoyed, and others may not be at all concerned. 
     
  • The impact will depend on the type of data breach. The majority of breaches in the health sector relate to information being accidentally sent to the wrong person; the impact in these cases is likely to be significantly lower than if data is deliberately misused.

Data protection has always been strongly regulated, but new legislation, in force from 25 May 2018, introduces much stronger sanctions for misuse of data across all sectors. The penalty for organisations breaching the new legislation will be up to £17 million or 4% of global turnover, which should act as a serious deterrent against misuse. There are also new criminal penalties for trying to re-identify someone from anonymised data without permission.

Privacy

One concern is the possibility that someone could find out something about a person’s medical history, and use it against them. Some people are worried about the loss of privacy, damage to their reputation, or discrimination if someone found out about their condition. This may be especially true for anyone with a condition they feel sensitive about. 

  • The only people that have access to your full medical record are the healthcare professionals involved in giving your individual care. The data is held on secure servers, and anyone accessing the data needs a smartcard and password. There is a clear audit trail showing who has accessed the data and when.
     
  • Where data is used beyond your individual care, for example in research, only the minimum amount of information necessary is passed on so your identity is protected. In most cases, your name and contact details would not be shared. Only a series of numbers and codes taken from a record would be seen so it looks something like this:

Example of coded de-personalised patient data. Not based on real people.
Example of coded de-personalised patient data. Not based on real people. 

  • It is a criminal offence to misuse personal data, including trying to re-identify someone without permission.

No. Your employer or an insurance company will never be allowed access to identifiable information from your medical record unless you specifically give permission. Find out more about companies using patient data.

In nearly all cases, when data is used for purposes other than individual care, the data will have identifying details removed so it is anonymised. The Information Commissioner’s Office gives guidance about what details must be removed or masked, and the safeguards that must be followed to anonymise data effectively.  

There are two types of anonymised data – de-personalised and anonymous – which have different risks of re-identification. We explain more about what anonymised means here.

Identifiability spectrum

De-personalised data is data about an individual person and, even though identifiers (such as name and address) are removed, it needs to be handled with care. There is a small risk that it might be possible to re-identify the individual if the data was not adequately protected, for example by combining the data with other information about a person. Because of this, there are strict controls on how de-personalised information can be used. The higher the possibility of re-identifying someone, the greater the level of protection needed. The new data protection legislation introduces penalties for anyone trying to identify a person from anonymised data.

Anonymous data is information from many people combined together, for example the number of people with type 2 diabetes or the number of prescriptions for asthma inhalers, so it would not be possible to identify any individual from the data.

Third party access

Most people trust the NHS, but some are wary about third party organisations outside the NHS accessing health data. Surveys suggest people feel particularly uncomfortable with the idea of companies using patient data. Some people are concerned that other organisations could potentially misuse data, or that there is no control over what happens to data once it is passed outside the NHS.

Find out more about how and why companies access patient data.

There are strict controls on how third parties, whether academic researchers or companies, can use patient data. To protect your confidentiality:

  • Organisations are only allowed access to identifiable data if there is a legal basis, and requests are independently scrutinised to ensure the purpose is to improve health. They must sign contracts setting out what they can and cannot do with the data, including restrictions on passing data to other third parties.
     
  • NHS Digital now audits companies to check how data is being used, stored and deleted.

No. The NHS will never share your personally identifiable data for marketing or insurance purposes, unless you specifically give permission. Find out more about companies using patient data.

There have not been any reports of major data breaches as a result of patient data being transferred from the NHS to third parties for purposes beyond individual care.

We know of four data breaches involving companies using health data that have been reported to the Information Commissioner’s Office between 2014-2017. These are:

  • Pharmacy 2U: in 2015, an online pharmacy was fined £130,000 for selling names and contact details of more than 20,000 customers through an online marketing company. 
     
  • TPP SystmOne: one of the most common GP software systems was found to have a security issue in its enhanced data sharing function that could have allowed healthcare professionals across the NHS to access individual patient records. TPP has since developed new functionality to address these issues, and GPs can now set appropriate access.
     
  • DeepMind and the Royal Free: in 2017, the ICO ruled that the Royal Free NHS Foundation Trust failed to company with the Data Protection Act when it provided data about 1.6 million patients to Google DeepMind as part of a trial to test an alert system for acute kidney injury.
     
  • HCA International Ltd: a private health company was fined £200,000 for failing to keep fertility patients’ personal information secure when records of IVF appointments were sent to a company in India to be transcribed.

The NHS Digital audit team has also picked up some instances where the terms of a data sharing agreement have not been properly met, and they have stopped the transfer of data or worked with the organisation to rectify the problem.

Cybersecurity

Digital technologies can bring many improvements to all aspects of our daily lives. However, as we increasingly rely on computers, hackers are finding new ways to attack IT systems, disrupt computer networks, and steal data. This is not just an issue for the health sector – the number of cyberattacks is rising across all sectors. In the health sector, 37 cyber incidents (for example ransomware attacks) were reported to the Information Commissioner’s Office between April 2017-2018, mainly on a small scale. 

The NHS Chief Information Officer has said that “it is not a question of ‘if’ but ‘when’ the next cyberattack occurs”, and the NHS is trying to reduce vulnerabilities across the health and care system, both through investment in IT and staff training.  

  • The National Data Guardian conducted a review of data security across the NHS. All her recommendations, including those for strong leadership and better training, are now being adopted.
     
  • A new Data Security and Protection Toolkit has been introduced, requiring health and care organisations to meet 10 key standards.
  • The Government has spent £60 million to reduce the risk of cyber-attacks since the Wannacry attack, for example upgrading firewalls and networks at major trauma centres and ambulance Trusts. In April 2018, it was announced that a further £150 million will be invested to improve cybersecurity over the next three years.
  • A new multi-million pound Microsoft security package will ensure all health and care organisations only use the most up-to-date and supported software, with the latest security settings.
  • NHS Digital monitors threats and security incidences, and provides support to health and care organisations to help keep computer systems safe. There is now a programme to assess how prepared NHS Trusts are and identify any IT vulnerabilities, and a new NHS Digital Security Operations Centre will be set up.

In May 2017, the NHS suffered its biggest cyberattack to date. 80 out of 236 hospital trusts across England were affected in some way, and 595 out of 7,454 GP practices. Although Wannacry was not targeted directly at the NHS, nearly 1% of NHS activity was directly affected. No patient data was compromised during the attack, but Wannacry has raised awareness that cybersecurity is essential for patient safety as well as protecting privacy.

In the past, patient records were only stored on paper. These could easily be lost or mislaid; most of the breaches reported to the ICO across all the health sector relate to patient information on paper or to outdated and insecure technologies like faxes. There are too many examples where appointments have been wasted, or even lives lost, because paper records have not been available to the right people at the right time.

Digital records have the potential to be much safer, particularly if the whole care team can access up-to-date information using joined up electronic records. However, increasing use of digital records, and the fact that data may be stored in several places, does mean that the potential impact of a data breach could be greater. Many more people may be affected, for example if a whole database is hacked, or more information could be put at risk.

On the other hand, digital technology can also be used to improve security and reduce the risks. Technology can be used to protect data, for example by restricting access (using passwords or swipe cards to control access to data), or using encryption so the data can only be read with a code. There can also be a robust audit trail showing who has accessed data and when.

Find out more

Information Commissioners Office
Enforcement action 2017

NHS Digital
Keeping patient data safe

Nuffield Council on Bioethics
A Review of Evidence Relating to Harm Resulting from uses of health and biomedical data
Professor Graeme Laurie, University of Edinburgh, Ms Leslie Stevens, University of Edinburgh, Dr Kerina H. Jones, Swansea University, and Dr Christine Dobbs, Swansea University (2014)

Big Brother Watch
NHS Data breaches – 2011-2014