Do the benefits of using patient data outweigh the risks? Could something go wrong, and what would be the impact?
There are huge benefits when patient data is used responsibly to save lives, improve health and care, and advance medical research. However, it is true that sharing patient data will never be totally risk-free. There must be robust measures in place to reduce the risks as much as possible. We look at the concerns people have and what’s being done to reduce the risks.
Weighing up benefits and risks
We increasingly rely on digital technologies across all areas of our lives, benefiting from access to online services and tailored information when we need it, based on data about us or people like us. At the same time, reports of misuse of data, like Facebook and Cambridge Analytica and data breaches in the NHS, have highlighted the implications for privacy.
Some people may be willing to share personal data about themselves widely, for example through social media or store loyalty cards, but others will be more cautious. Individuals are prepared to make different trade-offs, depending on the benefits they receive in return. It may also depend on the type of data, for example whether it relates to finances, health, travel or purchases.
When considering the use of patient data specifically, questions you might want to ask include:
What are the benefits?
There are huge benefits of using patient data, both for individual care, improving health and care services, and supporting research. When patients are treated in the NHS, they benefit from insights based on the data of previous patients like them. Find out more about the benefits.
What are the risks?
Sharing patient data will never be totally risk-free, but there must be robust measures in place to reduce any risks as much as possible. Surveys suggest that there are three main things people are concerned about:
- invasion of privacy, or information about medical history being revealed to others;
- loss of control if data is passed outside the NHS;
- the possibility of cyber attacks or hacking.
You can find out more about each of these issues, and what is being done to protect data, below.
Is enough being done to reduce the risks?
There must be appropriate measures in place to reduce the likelihood of any risks as much as reasonably possible. Wherever possible, anonymised data will be used. There are audit processes to scrutinise those who are using data, and robust penalties where data is misused. Find out more about how data is kept safe.
What are the consequences of not sharing the data?
The failure to record, link and share data can negatively impact patient care, and waste scarce resources. For example, looking at patterns in data is essential to monitor the long-term safety of drugs and treatments, and to identify adverse side effects as quickly as possible. Without effective use of data, services are not improved and patients will suffer.
What is the acceptable balance between benefit and risk?
This will vary from person to person. People may accept greater risks for their individual care if they are more likely to benefit. They may not want to take the same risks for other uses of their data. On the other hand, someone with a rare disease may be most at risk of loss of privacy because they could be easily identifiable from data, but they will often be the most keen for data to be used. In the search for a diagnosis or treatment, they are often willing to take more risk. Even the same individual may change their mind on the acceptable balance between benefit and risk over time.
Who decides what happens to data?
The NHS and organisations looking after patient data must be transparent about access to data, who makes the decisions and what level of choice individuals have. The national data opt-out, introduced in May 2018, allows patients some choice about the use of their confidential patient information beyond their individual care.
Where individuals do not have a choice, there must be transparency about how data is used so that there are no surprises.
At a national level, some key organisations hold patient data or have responsibility for oversight about the purposes for which it can be used. They work with others to make decisions about how to safeguard data and set the conditions under which it can be accessed.
Data breaches in the health sector
Most of the evidence on health data breaches comes from incidents reported to the Information Commissioner’s Office (ICO), the data regulator for the UK. Incidents must be reported to the ICO as soon as possible, where feasible within 72 hours of becoming aware of the breach.
The graph above is based on data from the ICO for incidents reported in the years 2019 – 2022.
In the last four years (2019-2022), 6946 incidents in total in the health sector have been reported to the ICO across the UK. 1626 incidents were reported in 2019, 1641 in 2020, 1907 in 2021, and 1772 in 2022.
To put this into context, it is estimated that in England alone the NHS interacts with 1 million patients every 15 hours and in financial year 2021-2022.
What is a data breach?
A data breach occurs when personally identifiable data is lost, destroyed, altered or disclosed. For example: a laptop containing personal data is lost or stolen; a letter is sent to the wrong address; someone without proper authorisation accesses data or passes it on; or data is hacked. A breach may be either accidental or deliberate.
What are the most typical breaches in the health sector?
The most common type of incident listed by the ICO is “other non-cyber incidents”. Out of the incidents that were categorised, the most common causes of breaches were accidental:
- Data posted or faxed to incorrect recipient – 13.36%
- Loss/theft of paperwork or data left in insecure location – 12.29%
- Data emailed to incorrect recipient – 12.05%
It is difficult to know what the cause was behind the incidents categorised as “other non-cyber incidents”, but this suggests that, in many cases, breaches occur as a result of accidental mistakes made during the course of routine care. The NHS is tackling this with increased staff training and investment in robust IT security.
What is the likely impact of a data breach on me?
Even where there has been a data ‘breach’, there may not be any impact – for example, if a laptop with data is lost, the data may not be found or used in any way. But the possibility that personal data might fall into the wrong hands may be upsetting.
The potential impact of a data breach will depend on your circumstances. For example, someone who has a sensitive medical condition may be much more concerned if part of their medical record was accidentally disclosed, than someone who does not. People may also react differently: some people may be very upset, some people may be annoyed, and others may not be at all concerned.
The impact will depend on the type of data breach. The plurality of breaches in the health sector relate to information being accidentally sent to the wrong person; the impact in these cases is likely to be significantly lower than if data is deliberately misused.
What sanctions are there for misuse of data?
The UK General Data Protection Regulation (GDPR) makes provisions for sanctions for misuse of data across all sectors. The fines for serious violations of data protection principles are up to £17.5 million or 4% of global turnover (whichever is higher), which should act as a serious deterrent against misuse. There are also criminal penalties for trying to re-identify someone from anonymised data without permission.
One concern is the possibility that someone could find out something about a person’s medical history, and use it against them. Some people are worried about the loss of privacy, damage to their reputation, or discrimination if someone found out about their condition. This may be especially true for anyone with a condition they feel sensitive about.
What’s being done to reduce the risk?
The only people that have access to your full, identifiable medical record are healthcare professionals, unless you specifically consent to share it. The data is held on secure servers, and anyone accessing the data needs a smartcard and password. There is a clear audit trail showing who has accessed the data and when.
Where data is used beyond your individual care, for example in research, only the minimum amount of information necessary is passed on so your identity is protected as much as possible. In most cases, your name and contact details would not be shared. Only a series of numbers and codes taken from a record would be seen so it looks something like this:
It is a criminal offence to misuse personal data, including trying to re-identify someone without permission. However, it won’t always be possible to know if someone has tried, or succeeded, in doing this.
Could my insurance company or employer have access to patient data about me?
No. Your employer or an insurance company will never be allowed access to identifiable information from your medical record unless you specifically give permission. Find out more about private sector organisations using patient data.
Can I be re-identified from anonymised data?
When data is used for purposes other than individual care, the data will have identifying details removed so it is anonymised. The Information Commissioner’s Office gives guidance about what details must be removed or masked, and the safeguards that must be followed to anonymise data effectively.
There are two types of de-identified data – de-personalised and anonymous – which have different risks of re-identification.
De-personalised data is data about an individual person and, even though identifiers (such as name and address) are removed, it needs to be handled with care. There is a small risk that it might be possible to re-identify the individual if the data was not adequately protected, for example by combining the data with other information about a person. Because of this, there are strict controls on how de-personalised information can be used. The higher the possibility of re-identifying someone, the greater the level of protection needed. Data protection legislation includes penalties for anyone trying to identify a person from anonymised data.
Anonymous data is information from many people combined together, for example the number of people with type 2 diabetes or the number of prescriptions for asthma inhalers, so it would not be possible to identify any individual from the data.
To learn more about de-identifying data, take a look at the guide here.
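The distinction above between de-personalised data (one row per person, direct identifiers removed) and anonymous data (counts with no row about any one person) can be made concrete with a small worked example. The following Python is an added example and not code from the original page or from any NHS organisation; the patient records, names, NHS numbers and postcodes are constructed, and the techniques it uses to illustrate the page's points (a keyed HMAC pseudonym in place of the NHS number, generalising postcode and date of birth, counting how many rows are unique on those fields, and suppressing small counts in the aggregate) are standard de-identification practice rather than anything the page itself specifies.

```python
"""Added example (not from the original page): the difference between
de-personalised and anonymous data, and how a data holder can measure the
re-identification risk before releasing a dataset. Every record below is
constructed sample data; the NHS numbers, names and postcodes are invented."""
import hashlib
import hmac
from collections import Counter

# Constructed sample extract. Direct identifiers (NHS number, name) point at one
# person; quasi-identifiers (postcode, date of birth) do not on their own, but a
# rare combination of them can still single someone out when combined with
# another dataset that holds the same fields.
RECORDS = [
    {"nhs_number": "000 000 0001", "name": "A. Patel", "postcode": "LS1 4AP", "dob": "1961-03-09", "condition": "type 2 diabetes"},
    {"nhs_number": "000 000 0002", "name": "B. Ahmed", "postcode": "LS1 4BQ", "dob": "1961-11-20", "condition": "asthma"},
    {"nhs_number": "000 000 0003", "name": "C. Jones", "postcode": "LS1 4AP", "dob": "1961-07-01", "condition": "type 2 diabetes"},
    {"nhs_number": "000 000 0004", "name": "D. Okafor", "postcode": "LS2 9JT", "dob": "1985-02-14", "condition": "asthma"},
    {"nhs_number": "000 000 0005", "name": "E. Smith", "postcode": "LS2 9JT", "dob": "1985-06-30", "condition": "rare metabolic disorder"},
    {"nhs_number": "000 000 0006", "name": "F. Brown", "postcode": "LS2 9JT", "dob": "1985-06-30", "condition": "asthma"},
]
DIRECT_IDENTIFIERS = {"nhs_number", "name"}
QUASI_IDENTIFIERS = ("postcode", "dob")
# Constructed key for the demo; a real data holder keeps this secret.
KEY = b"constructed-demo-key-not-for-real-use"


def pseudonym(nhs_number: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the NHS number. Without the key nobody can
    recompute or reverse it; with it the data holder can still link records
    belonging to the same patient."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]


def depersonalise(records, key: bytes, generalise: bool = False):
    """Strip direct identifiers and replace the NHS number with a pseudonym.
    With generalise=True the quasi-identifiers are coarsened as well:
    postcode -> outward code (e.g. 'LS1'), date of birth -> year of birth."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = pseudonym(r["nhs_number"], key)
        if generalise:
            row["postcode"] = r["postcode"].split()[0]
            row["dob"] = r["dob"][:4]
        out.append(row)
    return out


def _groups(records, quasi):
    return Counter(tuple(r[q] for q in quasi) for r in records)


def unique_rows(records, quasi=QUASI_IDENTIFIERS) -> int:
    """Number of rows whose quasi-identifier combination appears only once.
    Such a row is the one that could be matched against another dataset
    holding the same fields, so this is the figure to drive down before release."""
    groups = _groups(records, quasi)
    return sum(1 for r in records if groups[tuple(r[q] for q in quasi)] == 1)


def smallest_group(records, quasi=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest quasi-identifier group ('k' in k-anonymity):
    every row is indistinguishable from at least k-1 others."""
    return min(_groups(records, quasi).values())


def aggregate(records, min_count: int = 5):
    """Anonymous data in the page's sense: counts per condition, with no row
    about any one person. Cells below min_count are suppressed (None) because
    a count of 1 for a rare condition still points at a single patient."""
    counts = Counter(r["condition"] for r in records)
    return {cond: (n if n >= min_count else None) for cond, n in counts.items()}


if __name__ == "__main__":
    detailed = depersonalise(RECORDS, KEY)
    coarse = depersonalise(RECORDS, KEY, generalise=True)
    print("unique rows, full quasi-identifiers:", unique_rows(detailed), "k =", smallest_group(detailed))
    print("unique rows, generalised:", unique_rows(coarse), "k =", smallest_group(coarse))
    print("aggregate counts (small cells suppressed):", aggregate(RECORDS, min_count=2))
```

On the constructed data, four of the six de-personalised rows are unique on full postcode and date of birth, so removing names and NHS numbers alone leaves most patients distinguishable; coarsening to outward code and year of birth puts every row in a group of three, and the aggregate table carries no individual rows at all, with the single rare-condition count suppressed. This is the kind of check behind the page's statement that the higher the possibility of re-identifying someone, the greater the level of protection needed.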
Third party access
Most people trust the NHS, but some are wary about third-party organisations outside the NHS – particularly in the private sector – accessing health data. Research shows that most people are comfortable with the private sector having access to patient data when it is used for public benefit, but some people are concerned that other organisations could potentially misuse data, or that the data could be shared onward.
Find out more about private sector organisations accessing patient data.
What’s being done to reduce the risk?
There are strict controls on how third parties, such as academic researchers or companies, can use patient data. To protect your confidentiality, organisations are only allowed access to identifiable data if there is a legal basis. They should sign contracts setting out what they can and cannot do with the data, including restrictions on passing data to other third parties.
Find out more about how your data is protected here.
Can companies use patient data for marketing or insurance?
No. The NHS will never share your personally identifiable data for marketing or insurance purposes, unless you specifically give permission. Find out more about private sector organisations using patient data.
Have there been problems in the past?
There have been instances of data breaches involving companies that had access to health data:
Pharmacy 2U: in 2015, an online pharmacy was fined £130,000 for selling names and contact details of more than 20,000 customers through an online marketing company.
TPP SystmOne: one of the most common GP software systems was found to have a security issue in its enhanced data sharing function that could have allowed healthcare professionals across the NHS to access individual patient records. TPP has since developed new functionality to address these issues, and GPs can now set appropriate access.
DeepMind and the Royal Free: in 2017, the ICO ruled that the Royal Free NHS Foundation Trust failed to comply with the Data Protection Act when it provided data about 1.6 million patients to Google DeepMind as part of a trial to test an alert system for acute kidney injury.
HCA International Ltd: a private health company was fined £200,000 for failing to keep fertility patients’ personal information secure when records of IVF appointments were sent to a company in India to be transcribed.
In 2023, an investigation revealed that 20 NHS Trusts were unwittingly sharing data with Facebook via a website tracking tool. The data included searches and website visits from members of the public who visited pages on content such as self-harm, HIV, and cancer that could reveal personal details if linked to an individual.
If the NHS finds that the terms of a data sharing agreement have not been properly met, it will stop the transfer of data or work with the organisation to rectify the problem.
Digital technologies can bring many improvements to all aspects of our daily lives. However, as we increasingly rely on computers, hackers are finding new ways to attack IT systems, disrupt computer networks, and steal data. This is not just an issue for the health sector – the number of cyber attacks is rising across all sectors. In the health sector, the proportion of incidents reported to the ICO that are cyber-related (for example ransomware attacks) has more than tripled – they made up 3% of incidents in financial year 2017-18 and over 10% in 2022.
What’s being done to reduce the risks?
The NHS is trying to reduce vulnerabilities across the health and care system, both through investment in IT and staff training.
NHS England monitors threats and security incidents, and provides support to health and care organisations to help keep computer systems safe. For instance, the Cyber Security programme works to ensure that measures are actively in place to protect NHS assets and services, and that trusts, integrated care boards and clinical commissioning support units are aware of their accountabilities and responsibilities and undertake cyber security actions. The Data Security Centre manages security threat monitoring and national incident response, and provides information security consultancy, guidance and advice.
What happened with the WannaCry attack?
In May 2017, the NHS suffered its biggest cyber-attack to date. 80 out of 236 hospital trusts across England were affected in some way, as were 595 out of 7,454 GP practices. Although WannaCry was not targeted directly at the NHS, nearly 1% of NHS activity was directly affected. No patient data was compromised during the attack, but WannaCry has raised awareness that cybersecurity is essential for patient safety as well as for protecting privacy.
Which is safer – digital or paper?
In the past, patient records were only stored on paper. These may have been safer from cyber attacks but could easily be lost or mislaid. There are too many examples where appointments have been wasted, or even lives lost, because paper records have not been available to the right people at the right time.
Digital records have the potential to be much safer, particularly if the whole care team can access up-to-date information using joined up electronic records. However, increasing use of digital records, and the fact that data may be stored in several places, does mean that the potential impact of a data breach could be greater. Many more people may be affected, for example if a whole database is hacked, or more information could be put at risk.
On the other hand, digital technology can also be used to improve security and reduce the risks. Technology can be used to protect data, for example by restricting access (using passwords or swipe cards to control access to data), or using encryption so the data can only be read with a code. There can also be a robust audit trail showing who has accessed data and when.
The Government’s Plan for Digital Health and Social Care set a target of all Trusts having electronic patient records by March 2025 (subsequently pushed back to 2026), which includes a requirement for all organisations to have increased cyber security capabilities, resilience, clinical safety and accessibility. This commitment was supported by £2bn in funding to help organisations meet digital standards.
Find out more
Information Commissioner’s Office
Enforcement action and data trends
Keeping patient data safe