Latest plans announced by the UK’s Health and Social Care Information Centre (HSCIC) have resulted in a flurry of media controversy condemning NHS England (NHS) for advocating the sale of patient data to third parties for profitable gain.

HSCIC, together with the NHS, has pioneered a new scheme, known as the ‘care.data’. From March 2014, patient data from GP practices will be extracted, anonymised and aggregated in a central database for sale to third parties such as drug and insurance companies. Such data will include information about every hospital admission since 1980, family history, vaccination records, medical diagnoses, referrals, health metrics such as BMI and blood pressure, as well as all NHS prescriptions. This information will be combined with other confidential patient data, such as date of birth, postcode, gender, and NHS number, to allow the NHS to assess patient care. The NHS then intends to sell such pseudonymised information to any organisation which can meet certain questionable criteria for conditions of release. These include broad circumstances such as for health intelligence, health improvement, audit, health service research and service planning. Critics have condemned such moves as highly controversial, considering that most patients believe any information shared with their GPs is given in the strictest confidence; yet this will be shared automatically as part of the care.data scheme unless patients explicitly opt-out.

The British Medical Associations supports the initiative, which advocates the secondary use of patient data. Interestingly, the scheme has also received approval from the ICO, on the grounds that the Health and Social Care Act 2012 permits the NHS to extract patient data under the care.data scheme, which provides a lawful basis for processing data for the purposes of the Data Protection Act 1998. The NHS insists that the data will only be used for the benefit of the health and care system to improve the quality of care delivered to patients.

In spite of these reassurances, privacy critics fear that the scheme will result in patients losing track of their data, with no information about whom their information has been shared with, and for what purposes it may be used. Mark Davies, Public Assurance Director of the HSCIC, has also raised concerns by commenting that there is a small risk that patients could be re-identified, given the potential for third parties to match the pseudonymised patient data against their own records.

To ease anxiety, the NHS is in the process of sending out leaflets titled ‘Better Information Means Better Care’ to 26 million households as part of an awareness campaign about the scheme. Critics have similarly condemned this campaign, for failing to clearly explain the privacy risks to patients and inadequately highlighting the right to opt out of the scheme. Ultimately the scheme opens up a chasm of uncertainty about the confidentiality of patient data entrusted to the NHS in its capacity as a data controller.