What are the risks around patient data?

There are huge benefits of using patient data, both for individual care, improving health and care services, and supporting research. When patients are treated in the NHS, they benefit from insights based on the data of previous patients like them. Find out more about the benefits.

Sharing patient data will never be totally risk-free, but there must be robust measures in place to reduce any risks as much as possible. Surveys suggest that there are three main things people are concerned about:

• invasion of privacy, or information about medical history being revealed to others;
• loss of control if data is passed outside the NHS;
• the possibility of cyber attacks or hacking.

You can find out more about each of these issues, and what is being done to protect data, below.

There must be appropriate measures in place to reduce the likelihood of any risks as much as reasonably possible. Wherever possible, anonymised data will be used. There are audit processes to scrutinise those who are using data, and robust penalties where data is misused. Find out more about how data is kept safe.

The failure to record, link and share data can negatively impact patient care, and waste scarce resources. For example, looking at patterns in data is essential to monitor the long-term safety of drugs and treatments, and to identify adverse side effects as quickly as possible. Without effective use of data, services are not improved and patients will suffer.

This will vary from person to person. People may accept greater risks for their individual care if they are more likely to benefit. They may not want to take the same risks for other uses of their data. On the other hand, someone with a rare disease may be most at risk of loss of privacy because they could be easily identifiable from data, but they will often be the most keen for data to be used. In the search for a diagnosis or treatment, they are often willing to take more risk. Even the same individual may change their mind on the acceptable balance between benefit and risk over time.

The NHS and organisations looking after patient data must be transparent about access to data, who makes the decisions and what level of choice individuals have. The national data opt-out, introduced in May 2018, allows patients some choice about the use of their confidential patient information beyond their individual care.

Where individuals do not have a choice, there must be transparency about how data is used so that there are no surprises.

At a national level, some key organisations hold patient data or have responsibility for oversight about the purposes for which it can be used. They work with others to make decisions about how to safeguard data and set the conditions under which it can be accessed.   

Find out more about how decisions are made on who can access and use patient data, and what choices you have. 

A data breach occurs when personally identifiable data is lost, destroyed, altered or disclosed. For example: a laptop containing personal data is lost or stolen; a letter is sent to the wrong address; someone without proper authorisation accesses data or passes it on; or data is hacked. A breach may be either accidental or deliberate.

The most common type of incident listed by the ICO is “other non-cyber incidents”. Out of the incidents that were categorised, two out of three most common causes of breaches were accidental:

• Data posted or faxed to incorrect recipient – 12.98%
• Unauthorised access - 12.79%
• Data emailed to incorrect recipient – 12.41%

It is difficult to know what cause behind the incidents categorised as “other non-cyber incidents”, but this suggests that, in many cases, breaches are occurring as a result of accidental mistakes made during the course of routine care. The NHS is tackling this with increased staff training and investments in robust IT security.

However, it is important to note an uptick in reported incidents of unauthorised data access and for organisations to ensure staff are aware that accessing health records without cause is a criminal offence.

Even where there has been a data ‘breach’, there may not be any impact – for example, if a laptop with data is lost, the data may not be found or used in any way. But the possibility that personal data might fall into the wrong hands may be upsetting.

The potential impact of a data breach will depend on your circumstances. For example, someone who has a sensitive medical condition may be much more concerned if part of their medical record was accidentally disclosed, than someone who does not.  People may also react differently: some people may be very upset, some people may be annoyed, and others may not be at all concerned. 

The impact will depend on the type of data breach. The plurality of breaches in the health sector relate to information being accidentally sent to the wrong person; the impact in these cases is likely to be significantly lower than if data is deliberately misused.

The UK General Data Protection Regulation (GDPR) makes provisions for sanctions for misuse of data across all sectors. The fines for serious violations of data protection principles is up to £17.5 million or 4% of global turnover (whichever is higher), which should act as a serious deterrent against misuse. There are also criminal penalties for trying to re-identify someone from anonymised data without permission.

The only people that have access to your full, identifiable medical record are healthcare professionals, unless you specifically consent to share it. The data is held on secure servers, and anyone accessing the data needs a smartcard and password. There is a clear audit trail showing who has accessed the data and when.

Where data is used beyond your individual care, for example in research, only the minimum amount of information necessary is passed on so your identity is protected as much as possible. In most cases, your name and contact details would not be shared. Only a series of numbers and codes taken from a record would be seen so it looks something like this:

It is a criminal offence to misuse personal data, including trying to re-identify someone without permission. However, it won’t always be possible to know if someone has tried, or succeeded, in doing this.

No. Your employer or an insurance company will never be allowed access to identifiable information from your medical record unless you specifically give permission. Find out more about private sector organisations using patient data.

When data is used for purposes other than individual care, the data will have identifying details removed so it is anonymised. The Information Commissioner’s Office gives guidance about what details must be removed or masked, and the safeguards that must be followed to anonymise data effectively.  

There are two types of de-identified data – de-personalised and anonymous – which have different risks of re-identification.

De-personalised data is data about an individual person and, even though identifiers (such as name and address) are removed, it needs to be handled with care. There is a small risk that it might be possible to re-identify the individual if the data was not adequately protected, for example by combining the data with other information about a person. Because of this, there are strict controls on how de-personalised information can be used. The higher the possibility of re-identifying someone, the greater the level of protection needed. Data protection legislation includes penalties for anyone trying to identify a person from anonymised data.

Anonymous data is information from many people combined together, for example the number of people with type 2 diabetes or the number of prescriptions for asthma inhalers, so it would not be possible to identify any individual from the data.

To learn more about de-identifying data, take a look at the guide here.

There are strict controls on how third parties, such as academic researchers or companies, can use patient data. To protect your confidentiality, organisations are only allowed access to identifiable data if there is a legal basis. They should sign contracts setting out what they can and cannot do with the data, including restrictions on passing data to other third parties.

Find out more about how your data is protected here.

No. The NHS will never share your personally identifiable data for marketing or insurance purposes, unless you specifically give permission. Find out more about private sector organisations using patient data.

There have been instances of data breaches affecting companies having access to health:

Pharmacy 2U: in 2015, an online pharmacy was fined £130,000 for selling names and contact details of more than 20,000 customers through an online marketing company. 

TPP SystmOne: one of the most common GP software systems was found to have a security issue in its enhanced data sharing function that could have allowed healthcare professionals across the NHS to access individual patient records. TPP has since developed new functionality to address these issues, and GPs can now set appropriate access.

DeepMind and the Royal Free: in 2017, the ICO ruled that the Royal Free NHS Foundation Trust failed to comply with the Data Protection Act when it provided data about 1.6 million patients to Google DeepMind as part of a trial to test an alert system for acute kidney injury.

HCA International Ltd: a private health company was fined £200,000 for failing to keep fertility patients’ personal information secure when records of IVF appointments were sent to a company in India to be transcribed.

In 2023, an investigation revealed that 20 NHS Trusts were unwittingly sharing data with Facebook via a website tracking tool. The data included searches and website visits from members of the public who visited pages on content such as self-harm, HIV, and cancer that could reveal personal details if linked to an individual.

If NHS finds that the terms of a data sharing agreement have not been properly met, they will stop the transfer of data or work with the organisation to rectify the problem.

The NHS is trying to reduce vulnerabilities across the health and care system, both through investment in IT and staff training.

NHS England monitors threats and security incidences, and provides support to health and care organisations to help keep computer systems safe. For instance, the Cyber Security programme works to ensure that measures are actively in place to protect NHS assets and services and ensure that trusts, integrated care boards and clinical commissioning support units are aware of their accountabilities and responsibilities and undertake cyber security actions. The Data Security centre manages security threat monitoring, national incident response and provides information security consultancy, guidance and advice.

In May 2017, the NHS suffered its biggest cyber-attack to date. 80 out of 236 hospital trusts across England were affected in some way, and 595 out of 7,454 GP practices. Although Wannacry was not targeted directly at the NHS, nearly 1% of NHS activity was directly affected. No patient data was compromised during the attack, but Wannacry has raised awareness that cybersecurity is essential for patient safety as well as protecting privacy.

In the past, patient records were only stored on paper. These may have been safer from cyber attacks but could easily be lost or mislaid. There are too many examples where appointments have been wasted, or even lives lost, because paper records have not been available to the right people at the right time.

Digital records have the potential to be much safer, particularly if the whole care team can access up-to-date information using joined up electronic records. However, increasing use of digital records, and the fact that data may be stored in several places, does mean that the potential impact of a data breach could be greater. Many more people may be affected, for example if a whole database is hacked, or more information could be put at risk.

On the other hand, digital technology can also be used to improve security and reduce the risks. Technology can be used to protect data, for example by restricting access (using passwords or swipe cards to control access to data), or using encryption so the data can only be read with a code. There can also be a robust audit trail showing who has accessed data and when.

The Government’s Plan for Digital Health and Social Care set a target of all Trusts having electronic patient records by March 2025 (subsequently pushed back to 2026), which includes a requirement for all organisations to have increased cyber security capabilities, resilience, clinical safety and accessibility. This commitment was supported by £2bn in funding to support organisations meet digital standards.