The Department of Health and Social Care has been selling the medical data of millions of NHS patients to American and other international drugs companies having misled the public into believing the information would be “anonymous”, according to leading experts in the field.
Senior NHS figures have told the Observer that patient data compiled from GP surgeries and hospitals – and then sold for huge sums for research – can routinely be linked back to individual patients’ medical records via their GP surgeries. They say there is clear evidence this is already being done by companies and organisations that have bought data from the DHSC, having identified individuals whose medical histories are of particular interest.
Concerns that the data is not truly “anonymous” have been raised by senior NHS officials, who believe the public are not being told the full truth. But the DHSC insists it only sells on information after thorough measures have been taken to ensure the complete anonymity and confidentiality of patients’ personal information.
In December, the Observer revealed that the government had raised £10m in 2018 by granting licences to commercial and academic organisations across the world that wanted access to so-called anonymised data. If patients do not want their data to be used for research they have to actively “opt out” of the system at their GP surgery.
Access to NHS data is increasingly sought by researchers and global drugs companies because it is one of the largest and most centralised public organisations of its kind in the world, with unique data resources.
Washington has already made clear it wants unrestricted access to Britain’s 55 million health records – estimated to have a total value of £10bn a year – as part of any post-Brexit trade agreement. Leaked details of meetings between US and UK trade officials late last year showed that the acquisition of as much UK medical data as possible is a top priority for the US drugs industry.
Now the DHSC and the agencies responsible for handling and selling data are increasingly under pressure to tighten up controls, to protect patient privacy and prevent information being misused.
Asked if it was right to say that the patient data was anonymous, as claimed, Professor Eerke Boiten, director of the Cyber Technology Institute at De Montfort University in Leicester, said: “The answer is no, it is not anonymous.
“If it is rich medical data about individuals then the richer that data is, the easier it is for people who are experts to reconstruct it and re-identify individuals.”
Boiten believes more thought should be given to controlling and limiting the sale of data to prevent it potentially being sold on by the initial purchaser to companies with huge information stores and global reach. “If Google, for instance, were to use this data and end up finding a cure for cancer, and then sold the cure back to the NHS for huge sums of money, then I think we could say we had missed a trick,” he said.
The NHS has previously faced claims that medical data from millions of patients has been sold to insurance companies.
Phil Booth, coordinator of medConfidential, which campaigns for the privacy of health data, said the public was being betrayed by claims that the information could not be linked back to individuals. “Removing or obscuring a few obvious identifiers, like someone’s name or NHS number from the data, doesn’t make their medical history anonymous,” he said. “Indeed, the unique combination of medical events that makes individuals’ health data so ripe for exploitation is precisely what makes it so identifiable. Your medical record is like a fingerprint of your whole life.
“Patients must know how their data is used, and by who. Alleging their data is anonymous when it isn’t, then selling it to drugs and tech companies – or, through intermediaries, to heaven knows who – is a gross betrayal of trust. People who are rightly concerned about such guile and lack of respect have every right to opt out, if they want their and their family’s medical information kept confidential and for their own care.”
Licences to buy data are issued by the Clinical Practice Research Datalink (CPRD), part of the Medicines and Healthcare Products Regulatory Agency (MHRA). A spokesman said any information sold had been “anonymised in accordance with the Information Commissioner’s Office (ICO) anonymisation code of practice”.
Until early December, the CPRD said on its website the data it made available for research was “anonymous” but, following the Observer’s story, it changed the wording to say that the data from GPs and hospitals had been ”anonymised” – meaning only that some measures had been taken to de-identify it.
Booth added: “Following the ICO’s code of practice does not mean that data is necessarily anonymous. The law now recognises that one of the most common methods of ‘anonymisation’ – the use of pseudonyms to obscure some bits of information – means that data is still identifiable. Indeed, the information commissioner herself says it must be considered personal data.”
Information disclosed by some of CPRD’s customers clearly suggests they can link the information back to individual patient records via their GP surgeries. The Boston Collaborative Drug Surveillance Program in the US, which uses DHSC data, says on its website: “Anonymized information from the CPRD on demographics, outpatient visits, hospitalizations and prescriptions dispensed is available to [our] researchers. Validation of diagnoses, reports of diagnostic tests and anonymized notes from hospitalizations and referrals can be obtained from the general practitioner upon request.”
If the data were truly anonymous it would be impossible to retrieve an individual patient’s medical notes.Neil Bhatia, a GP who is Information Governance Lead and data protection 0fficer in Hampshire, said: “Truly anonymous data – utterly incapable of being traced back to an individual – is very hard to achieve, given that there is so much information about us in the public domain and held by companies such as Facebookand Google, because so much of our personal data is out there thanks to the massive data breaches over the last few years. In fact, it’s almost impossible for record-level data (where each line of the dataset corresponds to an individual) to be made truly anonymous.”