The Health and Care Bill and private companies’ access to patients’ health and care data

Introduction 

There’s been a pause in the government’s attempts to extract information from individuals’ GP records and store it centrally. The pause is largely in response to public outcry. However, among other fears, the Health and Care Bill currently in process through Parliament raises renewed concerns about intrusion into patient privacy by providing new powers to allow increasing access to our personal health and social care data. This may include access by private companies.

NHS Digitalisation

NHS and social care services are already undergoing rapid digitalisation with, for example, the use of electronic patient records, the introduction of digital tools for patients to manage their own health conditions, and the automation of history taking and diagnosis.

 While digitalisation may offer benefits for some patients, and may increase the efficiency of some services, it allows new opportunities for the private sector, including potential access to the NHS’s hugely valuable stores of data, claimed to be worth around $10 billion per annum. Already large multinational technology companies such as Google and Microsoft are taking significant new roles in the digitalised NHS, with the boundary between public and private services becoming increasingly blurred and even normalised.

The NHS Long Term Plan, published in 2019 by NHS England (NHSE), places huge emphasis on digitalising health services. It describes how digitally-enabled care will  ‘go mainstream’ across the NHS and transform how services are delivered: for example, clinicians, as well as patients ‘managing their own health’, will be relying on digital tools (see 5.8). In addition, ‘population health management’ (PHM) will be integral to local health systems (ICSs) in identifying specific groups of patients for targeting, and planning NHS services accordingly (5.26).

Notably, PHM is based on the analysis of vast data sets and reliant on new, expensive infrastructure and services that only the private sector has the resources to provide.  ICSs are dependent on support from NHSE’s Health Systems Support Framework(HSSF), which

provides a quick and easy route to access support services from innovative third party suppliers at the leading edge of health and care system reform, including analytics, population health management, digital and services transformation.

The Framework lists around 200 NHSE-accredited organisations that are mostly private companies and often US-owned.

As the LTP argues, one of the priorities driving the digitalisation of the NHS is to “encourage a world leading health IT industry in England with a supportive environment for software developers and innovators.” (p.92) In other words, NHS data is being transformed from a resource for the public good into a source of private profit.

Patient data

The LTP describes the protection of patients’ privacy and patients’ control over their data as a key priority driving digital transformation.  However, this claim has been rather undermined by a couple of sneaky attempts to obtain data from patients’ records on the Q.T., first through the care.data initiative in 2016 and later with the ‘GPdataGrab’ (officially, the GP Data for Planning and Research Directive) announced in April 2021.

The GPdataGrab, for example, aimed to collect patients’ entire GP records without consent, unless patients became aware of the initiative and so had a chance to ‘opt out’. The data was to be stored in a centralised database from which it could not only be accessed by third parties, including private companies (for a fee), but potentially copied and stored on an external site.

NHS Digital (the national provider of information, data and IT systems for those working in the field of health and social care) has a dubious history in the business of releasing information about patients. Clearly patient data, if released under strict regulations, is invaluable for academic research, service planning and policy making. But since 2016, over 40 companies from pharmaceutical corporations to global management consultancies (e.g. AstraZeneca and McKinsey and Company) have had access to years of sensitive medical records from hospitals across England. And a look at just one month’s figures from NHS Digital’s Data Release Register shows that, in 88% of cases where patient data had been released, opt-outs had been ignored.

With GPdataGrab, the public was assured that extracted data would be anonymised in that it would not include patients’ names, NHS numbers or postcodes. However, it could still contain details about their sex, ethnicity, sexual orientation, diagnoses, immunisations, referrals, appointments, test results, plus information about mental and sexual health, and which members of staff had provided treatment. The assurances of anonymity have been described as ‘worthless’ due to the ease with which many individuals could be identified from the details that remained available.

Despite the lack of fanfare about the data grab by NHS Digital there was huge public outcry about the scheme. This, together with doubts about the legality of sharing data without patients’ consent, led to a pause – or so we thought. It now appears that the Health and Care Bill will provide alternative ways for the government and others to gain access to our health records.

The Health and Care Bill

The Bill does not deal with digitalisation per se, only data, under the heading of ‘information’. As the Bill’s Explanatory Notes(ENs) clarify, taken as a whole, the Bill’s data provisions aim to enable increased sharing and ‘more effective’ use of data across the health and adult social care system. (EN 64)

The Notes also mention how the government’s response to Covid 19 has been key in showing how data can be used to improve services and the operation of the health and care system (EN 65). However, they fail to mention that the Secretary of State for Health and Social Care, in response to the pandemic, made special arrangements to allow health bodies, local authorities and ‘others’, including private companies such as Palantir, to access and process confidential patient information without consent.

The Bill’s provisions on data concern information standards, increased sharing of information, the Health and Social Care Information Centre, and regulations for medicine information systems.

  • Information standards

Provisions in Part 2 of the Bill will enable the Department of Health and Social Care (DHSC), as well as NHSE, to use delegated powers to publish mandatory (and so far unspecified) standards for the processing of information, including how data held by service providers can be shared across the health and care system.  These powers will also

  • enable ”a person publishing an information standard” to waive the requirement to comply, and
  • enable the Secretary of State to make regulations that create exceptions to the power for public bodies concerned with health and care to require information from each other or from private providers (our emphasis).

It’s worth noting that the Bill’s inclusion of powers for delegated legislation has raised considerable concern. There are in all 138 delegated powers in the Bill, seven of which allow for a Minister to amend or repeal primary legislation (‘Henry VIII powers’). Concerns about delegated powers include that these can be broadly defined and then used in ways that go beyond the apparent intention of the legislation, and that the legislation may avoid parliamentary scrutiny.

In the case of the Bill’s proposed information standards, it seems that the Secretary of State will have a free hand, should he or she wish it, to both ease the private sector’s access to NHS data, and exempt the private sector from supplying information.

As the same time, it remains unclear whether information standards will be sufficiently rigorous to maintain confidentiality, to deny the use of personal data by companies for private gain, or even to overrule private companies’ ability to claim ‘commercial confidentiality’.

  • Improved sharing of information 

The Bill’s Explanatory Notes (70 to 75) state that there needs to be more certainty among health and care organisations about what information they can share and when.  With that in mind, it seeks to amend the Health and Social Care Act (HSCA) of 2012 by introducing a power to allow an (unspecified) health or social care body to require another health or social care body to share information relevant to the provision of health and care services in England (Chapter 1B, 251D, Subsection 1). This is to exclude personal data (i.e. information relating to an identifiable individual), which is currently subject to UK data protection legislation. However, with growing digitalisation, making personal data anonymous (for instance, stripping it of details such as age, gender or NHS number) is becoming increasingly difficult – notably, when anonymised data is combined with other data sets, as with PHM.

This new power is to complement an existing duty on health or adult social care providers or commissioners to share information “with certain persons” about individuals, where this “in the individual’s best interests”(section 251B of the HSCA 2012).  As The Bill’s Explanatory Notes say, “the intention is to require organisations to share anonymous information they hold” if required to do so by a relevant organisation” (EN 74). The Explanatory Note goes on to say “organisations are not required to undertake any process of anonymisation for the purpose of complying with the requirement”. However, looking at the Bill itself, this puts things rather differently, stating that “Subsection 1 does not require a person to process information so as to render it into a form in which it must be provided” (251D Subsection 4), leaving open the question of whether the data has already been anonymised or whether non-anonymised data can be transferred.

On top of which, EN 79 states that, in relation to the collection of information about adult social care, whether care is publicly or privately provided, “[t]he Government considers that data showing details relating to care received by individuals is more useful than aggregate data“ (i.e. data obtained by combining information from different individuals) (our emphasis). Among other purposes, this data on individuals will enable the monitoring of people’s journeys across the whole care system. We found no indication that the consent of individuals will be sought prior to their data being shared.

Collecting personal data on an individual’s care would seem to breach patient privacy – unless the Bill is relying on changes to the UK GDPR. A less rigorous approach fits with the 2021 findings of the Government Taskforce on Innovation, Growth and Regulatory Reform. The Taskforce argues that the UK GDPR has led to people being bombarded with complex requests for consent, such as agreement to cookies on every visit to a website, and suggests a ”more proportionate” framework instead. Granted, constant consent requests are tiresome, but the proposed framework is less concerned with personal inconvenience than the needs of business. It aims to allow people’s data to flow more freely and “drive growth across healthcare, public services and the digital economy” in what will become “a cutting edge business landscape”.

  • The Health and Social Care Information Centre/NHS Digital

The Health and Social Care Information Centre (HSCIC) (trading as NHS Digital) was set up to collect and store data and information about health and social care users (primarily in England). NHS Digital’s data sets contain information from care records and health and care organisations, including primary, secondary and emergency care. Data is available to be shared not just with local authorities, hospital trusts, and universities, but also with private companies. It’s claimed that information is never passed to marketing or insurance companies without consent (but whose consent is required, or how it is obtained, is not specified).

Under the heading of ‘General duties of the HSCIC etc.’, Clause 81 of the Bill aims to amend the HSCA (2012) to

put beyond doubt NHS Digital’s power to share data in connection with health care or adult social care. This could include for example, commissioning, planning, policy analysis and development, population health management, assessment of the quality of services and individual’s experiences of them, workforce planning, research for purposes which benefit or are relevant to the provision of health or adult social care and developing innovative approaches to the delivery of health and adult social care. (EN 700)

A considerable number of these functions will be carried out by organisations listed on the Health System Support Framework, many of which, as noted above, are private companies.

  • Medicine information systems

The Bill will amend the Medicines and Medical Devices Act (MAMD) 2021 to introduce a delegated power for the ‘appropriate’ authority (in the case of England, Scotland and Wales, this will be the Secretary of State) to make regulations governing how the HSCIC/NHS Digital will establish and operate systems of information relating to the safety, quality and efficiency of medicines (Inserted Chapter 1A, 7A, subsection 1). The power will allow the Secretary of State to specify the provisions included in the regulations, in other words, the power is open-ended, ostensibly to allow prompt response to emerging risks as they develop.

Currently, companies and other legal entities that have the authority to market a medicine (known as Marketing Authorisation Holders or MAHs) cannot oblige healthcare providers to share data with them, and healthcare providers seem reluctant to do so. This reluctance has been explained by a lack of trust on trust on the part of clinicians and patients, and partly because of the additional burden of data entry on healthcare providers. This has resulted in insufficient information being made available to MAHs for them to meet their objectives (EN 198).

Rather than dealing with why there is a lack of trust on the part of clinicians and patients, the Bill amends the MAMD Act of 2021. According to the Bill’s Explanatory Notes, the Bill will create powers through which one or more medicines information systems can be set up and operated to allow the creation of centrally-held UK-wide medicine registries. These will be based on existing, routinely collected data, which will be supplemented by ‘bespoke’ data extracts, ostensibly introduced to reduce the burden of data entry on healthcare professionals (EN 199). Details on the nature of “bespoke data’, who will undertake such extraction and the safeguards governing this process are not given.

With regards to the routine collected data, new regulations referred to in amendments to the MAMD Act potentially allow the HSCIC/NHS Digital to determine which information relating to human medicines “may or must” be entered or retained in an information system (Inserted Chapter 1A, 7A, subsection 2a). They also allow for the potential inclusion of information about individuals (ibid, subsection 3c and d), and for the use or disclosure of information held in an information system (ibid, Subsection 2c). One concern is that the Bill will provide a flexibility to adapt the regulations in future (without primary legislation), possibly in anticipation of the ‘personalised care’ flagged up in the LTP that may require the sharing of personal information.

Overall

The government has been forced to pause plans for the extraction of data from patients’ GP records. However, it appears that if the Health and Care Bill is passed, the protections currently safeguarding personal data may be undermined by unspecified regulations or diktat from the Secretary of State.  The Bill will change how health and social care data will be collected and shared. It raises concerns that our privacy may be about to be disregarded in the interests of the health and care system – and, increasingly, in the interests of private companies.

The Health and Care Bill will have long-term and worrying implications for the NHS and its patients, not least for our personal privacy.  The response has to be total opposition to the Bill. For more information about what you can do, visit our Scrap the Health and Care Bill page.