Many people are uncomfortable with the idea of private sector organisations accessing health data. Find out why private sector organisations might need to use data, how the NHS works in partnership with them, and the safeguards that are in place to protect your privacy.
By private sector organisations, we mean organisations that are not part of the state or voluntary sector. They are for-profit but can work with the public sector in public-private partnerships.
Note that in Northern Ireland, Health and Social Care (HSC) is the publicly funded healthcare system, rather than the NHS. In this guide we use the term ‘NHS’ to generally cover the overall national health service in the UK.
- Private sector organisations are involved in many ways in the delivery of care and research across the NHS, but there are strict controls on how they can use patient data to protect your privacy.
- Most of the time, private sector organisations can only access anonymised or pseudonymised data for the purposes of helping deliver an NHS service or to undertake approved research projects. For more information on identifiability, please see our guide to large datasets.
- Personally identifiable patient data can only be used if there is a clear health benefit.
- The NHS will never share your personally identifiable data for marketing or insurance purposes (unless you specifically say that it is OK).
What types of private sector organisations access patient data?
Many different types of private sector organisations may be allowed to use patient data, under strict conditions, for a range of purposes. These include:
- Software providers
- Pharmaceutical companies
- Analytics services
- Digital developers and tech companies
- Private healthcare providers (such as private hospitals)
- Insurance companies
To find out more about why these companies may access data, see the examples below.
What about marketing and targeted advertising?
The NHS will never share your name or contact details with companies to use for marketing purposes, unless you explicitly give consent. Pharmaceutical companies have to follow strict rules about marketing, and they are not allowed to advertise prescription medicines to patients in the UK.
You may see adverts targeted to you online, for example for non-prescription treatment or devices like hearing aids. This would be possible because of your internet searches, not because your patient data has been shared with a company. With 7% of Google searches now health-related, targeted advertising is increasingly common.
Can insurance companies access patient data?
Only with your permission. Evidence shows that people are particularly concerned about insurance companies using patient data, but there are strict controls on this use. There are two reasons insurance companies might want to use patient data:
- Individual applications for insurance
If you are applying for life insurance cover, an insurance company will want to know information about your medical history. The insurer will usually ask you questions about your lifestyle and relevant family history, but may also want to see your medical records. This is only possible with your permission: only if you agree will your GP then provide the relevant information to the insurer. There is currently a ban on insurers using genetic information.
If you are applying for private health insurance, the insurance company will also want to know information about your medical history and health. How much information you will be asked to share depends on what type of underwriting is chosen.
- Moratorium underwriting is the most common form of health insurance underwriting. With this option, you do not need to disclose your medical history or share any data. Instead, it is agreed that all pre-existing conditions from the past five years are excluded from coverage until you have been free from treatment, diagnosis or advice for a set amount of time.
- You can also opt for full medical underwriting, where you provide more details from your medical history and your insurer can decide whether to include them in your coverage.
When making a claim, your insurance provider may require information from your medical records. For instance, if you have a moratorium policy and make a claim, your insurance provider may ask your GP to provide information to confirm that this is not a pre-existing condition from the past five years. Your GP will then only provide the specific information required in order to process the claim.
- Setting insurance premiums
Insurance companies may also want to use data about health and lifestyle to help understand and predict risk, in order to work out how much insurance cover will cost. Insurers are only allowed to use aggregated anonymous data about large groups of people, and they would not be able to identify any individuals from this information.
Using anonymous patient data in this way may lead to higher or lower premiums, depending on an individual’s situation. In some cases, if insurers have access to accurate information it may actually lead to lower premiums – for example by helping them understand more about living with cystic fibrosis, or when setting travel insurance premiums for people with a cancer diagnosis. In other instances, insurers may link health data with other information, for example about different regions or age groups, to set risk calculations which could lead to some groups of people having higher premiums.
Does the NHS sell patient data?
NHS England is not allowed to sell data for profit but operates on a cost recovery basis. It is allowed to charge for the cost of processing and delivering the service, but not for data itself. The charge depends on the type of application, amount of data requested, and the amount of work that the NHS will need to do.
Individual NHS Trusts will enter into different arrangements when working in partnership with companies, depending on their requirements and the services that are offered.
As new digital technologies develop, we are beginning to understand more about the value of data. While people may feel uncomfortable with the idea of the NHS ‘selling’ data, there would also be concerns if valuable data is given away to companies for free as this would redirect time, effort and money away from frontline services.
There needs to be much more discussion about how the NHS and patients can benefit from the unique resource of NHS data. NHS England have recently published their new Value Sharing Framework for NHS data partnerships that sets out the NHS’s thinking on these issues in more detail. According to the Framework, the NHS should seek a share of commercial value arising from the use of NHS data, proportional to the NHS’s contribution to the project. However, more detail is needed about how this will work in practice.
Should private sector organisations be able to make a profit from patient data?
Private sector organisations are involved in the delivery of care and research across the NHS in many ways. The NHS does not have the expertise or resource to make sense of all the large and complex datasets, or to develop new drugs in-house, and so they need to partner with companies to provide these services. While companies may make a profit, for example from developing a new treatment, they should only be allowed access to data if there is a health benefit. There are strict controls on how companies can use patient data, to protect privacy.
“A lot of people worry about data going to companies that are going to use it for making drugs, but that’s good, because they’re making drugs to improve treatment.”
Nicole Larkin, patient advocate, useMYdata
How is my privacy protected?
Data privacy is protected by strict regulations in the UK, including both broad legislation like the Data Protection Act, Human Rights Act and UK General Data Protection Regulation (GDPR), and specific regulation such as Section 251 of the NHS Act and statutory guidance for NHS England’s protection of patient data. The Information Commissioner’s Office is the UK’s regulator for data protection, and various other organisations such as the NHS Health Research Authority and General Medical Council also have regulatory responsibilities.
Whoever the user, there are strict rules regarding access to patient data. Companies have to sign contracts that set out what they can and cannot do with the data, including limits on passing data to third parties. Data must be stored securely, with controlled access and robust IT systems to keep data safe, and there are strong sanctions if data is misused.
Further safeguards are being put in place. For example, the NHS is planning a move away from a system of data sharing (in which data is transferred to third parties) to a system of data access, where NHS data is stored in a Secure Data Environment (SDE) that can be accessed by approved users but the data cannot leave the platform. This is thought to further improve the security of data and minimise the risk of data getting into the wrong hands or being used for the wrong purposes. Surveys have shown that the general public are more comfortable with this model of data access.
There are also similar data environments (referred to as Trusted Research Environments, Data Havens, Databanks and so on) that hold health data for research in each nation of the UK.
Can private sector organisations pass data to other organisations?
Any private sector organisation accessing patient data should sign a legal contract before data can be transferred. This will usually state that data cannot be passed to any third parties, unless explicitly approved in the application. Some analytics companies work with a number of different clients and may want to use the same data with different organisations, but they are only allowed to do this if it has been specifically agreed, and the purpose must be approved. The use of Secure Data Environments (SDEs), where data cannot leave the NHS’s platform, is thought to reduce the risk of companies transferring data to other users.
How does the public feel about private sector organisations’ access to patient data?
Research shows that most people are comfortable with the private sector having access to patient data if a few conditions are met, with the most important factor being that the activity should have a clear public benefit. However, awareness is low, with our research showing that 63% of the public are unaware that the NHS grants access to data to private sector organisations.
Private sector organisations are involved in many ways in the delivery of care and research across the NHS. Below are some examples - more can be found in our case studies.
At the GP
When you visit your GP, you’ll have seen them typing information on a computer. Companies provide the software that GPs use to keep electronic patient records. The company stores the full records but the GP is the ‘data controller’ and decides who can access the information. Companies also provide the services that allow you to access your patient records, book appointments online and order repeat prescriptions. This may mean processing some identifiable data.
All GP software must include robust IT systems to keep data safe, including controls around who can access the data and audit trails to record who has viewed it.
The data can be stored in the cloud (software and services that run on the internet) or in on-premise data centres, both of which may be provided by private sector organisations.
At the hospital
NHS hospital trusts work with analysis companies to help them understand and interpret large and complex data. This can help identify differences in the treatment provided (for example in outcomes after a heart attack, or in surgery success rates), giving the hospital the information it needs to deliver services more effectively – providing better care and saving NHS money. To do this, they may use data analysis and data visualisation tools from the private sector.
Analysis companies can also help provide insights for teams who plan NHS services, to compare performance between different hospitals.
Companies will only be given access to the minimum amount of identifiable data. Usually data will be de-personalised, and coded so it looks something like this:
At the pharmacy
Your local pharmacy (or chemist) is also a commercial organisation. Pharmacists have to meet strict standards of confidentiality as part of their professional registration.
A pharmacist may need information from your patient record to be able to provide you with the medicines that your doctor has prescribed and to check that there would not be any reaction with other medication you are taking. To do this effectively, they may need access to your Summary Care Record – they will ask for your consent first.
Pharmacies also use patient data to ensure an appropriate supply of medicines. For example, by looking at anonymous data about the numbers of people with a particular condition in an area, they can ensure they have enough medicine in stock to treat everyone.
Pharmacists may also want to target services to some patients, for example to encourage smoking cessation or to offer a review of medicines. You will only be contacted in this way if you say it’s OK.
Developing new diagnostics and treatments
For diagnosis: Technology companies are developing software tools that support clinical decision-making to help provide a diagnosis more quickly. For example, new software could be used to analyse a patient’s MRI scan, and identify any cancerous tissues more effectively than a person can.
To develop new drugs: Pharmaceutical companies need to use patient data at all stages of the drug development process – from understanding more about a disease to identifying potential drug targets, from recruiting people for clinical trials to demonstrating whether a new treatment is effective and monitoring the safety of drugs.