Many people are uncomfortable with the idea of companies accessing health information. Find out why commercial organisations might need to use data, how the NHS works in partnership with companies, and the safeguards that are in place to protect your privacy.
- Companies are involved in many ways in the delivery of care and research across the NHS, but there are strict controls on how companies can use patient data, to protect your privacy.
- Personally identifiable patient data can only be used if there is a health benefit.
- The NHS will never share your personally identifiable data for marketing or insurance purposes (unless you specifically say that it is OK).
What companies access patient data?
Many different types of company may be allowed to use patient data, under strict conditions, for a range of purposes. These include:
- Software providers
- Pharmaceutical companies
- Analytics services
- Chemists / pharmacies
- Digital developers and tech companies
- Private healthcare providers
- Insurance companies
To find out more about why these companies may access data, see the examples below.
What about marketing?
The NHS will never share your name or contact details with companies to use for marketing purposes, unless you give consent. Pharmaceutical companies have to follow strict rules about marketing, and they are not allowed to advertise prescription medicines to patients in the UK.
It’s worth noting that you may see adverts targeted to you online, for example for non-prescription treatment or devices like hearing aids. This would be possible because of your internet searches, not because your patient data has been shared with a company. With 1 in 20 Google searches now health-related, targeted advertising is increasingly common.
Can insurance companies access patient data?
Only with your permission. All the evidence shows that people are particularly concerned about insurance companies using patient data, but there are strict controls on this use. There are two reasons insurance companies might want to use patient data:
- Individual applications for insurance
If you are applying for life insurance cover, an insurance company will want to know information about your medical history. The insurer will usually ask you questions about your lifestyle and relevant family history, but may also want to see your medical records. This is only possible with your permission. If you agree, your GP will then provide the relevant information to the insurer. There is currently a ban on insurers using genetic information.
- Setting insurance premiums
Insurance companies may also want to use data about health and lifestyle to help understand and predict risk, in order to work out how much insurance cover will cost. Insurers are only allowed to use anonymous data about large groups of people, and they would not be able to identify any individuals from this information.
Using anonymous patient data in this way may lead to higher or lower premiums, depending on an individual’s situation. In some cases, if insurers have access to accurate information it may actually lead to lower premiums – for example by helping them understand more about living with cystic fibrosis, or when setting travel insurance premiums for people with a cancer diagnosis. In other instances, insurers may link health data with other information, for example about different regions or age groups, to set risk calculations which could lead to some groups of people having higher premiums.
Does the NHS sell patient data?
NHS Digital, the central repository of NHS information, is not allowed to sell data for profit but operates on a cost recovery basis. It is allowed to charge for the cost of processing and delivering the service, but not for data itself. The charge depends on the type of application, amount of data requested, and the amount of work that NHS Digital will need to do.
Individual NHS Trusts will enter into different arrangements when working in partnership with companies, depending on their requirements and the services that are offered.
As new digital technologies develop, we are beginning to understand more about the value of data. While people may feel uncomfortable with the idea of the NHS ‘selling’ data, there would also be concerns if valuable data is given away to companies for free. There needs to be much more discussion about how the NHS and patients can benefit from the unique resource of NHS data. For example, if patient data is used to develop a new algorithm, should the NHS get access to that service at a reduced rate? Should the NHS be able to make a profit from commercial access to data?
Should companies be able to make a profit from patient data?
Companies are involved in the delivery of care and research across the NHS in many ways. The NHS does not have the expertise or resource to make sense of all the large and complex datasets, or to develop new drugs in-house, and so they need to partner with companies to provide these services. While companies may make a profit, for example from developing a new treatment, they should only be allowed access to data if there is a health benefit. There are strict controls on how companies can use patient data, to protect privacy.
“A lot of people worry about data going to companies that are going to use it for making drugs, but that’s good, because they’re making drugs to improve treatment.”
Nicole Larkin, patient advocate, useMYdata
How is my privacy protected?
Whoever the user, there are strict rules regarding access to patient data. Companies have to sign contracts setting out what they can and cannot do with the data, including limits on passing data to third parties. Data must be stored securely, with controlled access and robust IT systems to keep data safe, and there are strong sanctions if data is misused.
The NHS will never share your personally identifiable data with companies for marketing or insurance purposes, unless you specifically give permission.
Can companies pass data to other organisations?
Any company accessing patient data must sign a legal contract before data can be transferred. This will usually state that data cannot be passed to any third parties, unless explicitly approved in the application. Some analytics companies work with a number of different clients and may want to use the same data with different organisations, but they are only allowed to do this if it has been specifically agreed, and the purpose must be approved.
Find out more about what is being done to reduce the risks and protect data here.
Companies are involved in many ways in the delivery of care and research across the NHS. Below are some examples and more can be found in our case studies.
At the GP
When you visit your GP, you’ll have seen them typing information on a computer. Companies provide the software that GPs use to keep electronic patient records. The company stores the full records but the GP is the ‘data controller’ and decides who can access the information. Companies also provide the services that allow you to access your patient records, book appointments online and order repeat prescriptions. This may mean processing some identifiable data.
All GP software must include robust IT systems to keep data safe, including controls around who can access the data and audit trails to record who has viewed it.
At the hospital
NHS hospital trusts work with analysis companies to help them understand and interpret large and complex data. This can help identify differences in the treatment provided (for example after a heart attack or surgery success rates), giving the hospital the information it needs to deliver services more effectively – providing better care and saving NHS money.
Analysis companies can also help provide insights for commissioners who plan NHS services, to compare performance between different hospitals.
Companies will only be given access to the minimum amount of identifiable data. Usually data will be de-personalised, and coded so it looks something like this:
At the pharmacy
Your local pharmacy (or chemist) is also a commercial company. Pharmacists have to meet strict standards of confidentiality as part of their professional registration.
A pharmacist may need information from your patient record to be able to provide you with the medicines that your doctor has prescribed and to check that there would not be any reaction with other medication you are taking. To do this effectively, they may need access to your Summary Care Record – they will ask for your consent first.
Pharmacies also use patient data to ensure an appropriate supply of medicines. For example, by looking at anonymous data about the numbers of people with a particular condition in an area, they can ensure they have enough medicine in stock to treat everyone.
Pharmacists may also want to target services to some patients, for example to encourage smoking cessation or to offer a review of medicines. You will only be contacted in this way if you say it’s OK.
Developing new diagnostics and treatments
For diagnosis: Technology companies are developing software tools that support clinical decision-making to help provide a diagnosis more quickly. For example, new software could be used to analyse a patient’s MRI scan, and identify any cancerous tissues more effectively than a person can.
To develop new drugs: Pharmaceutical companies need to use patient data at all stages of the drug development process – from understanding more about a disease to identifying potential drug targets, from recruiting people for clinical trials to demonstrating whether a new treatment is effective and monitoring the safety of drugs.