The UK’s data protection watchdog has said it will not take regulatory action against NHS Digital after certain patient opt-outs were not properly honoured.
NHS Digital has implemented the necessary changes to meet the ICO’s approval on patient data protection – Photo credit: Flickr, Medill DC, CC BY 2.0
NHS Digital – formerly the Health and Social Care Information Centre – first came under scrutiny last year after it emerged that it had not honoured around 700,000 patients’ requests that their data was not shared with third parties for anything other than direct care.
In April 2016, the NHS body signed an undertaking to comply with the Data Protection Act after the Information Commissioner’s Office ruled that patients had been offered the opportunity to opt out of data sharing, but that these opt outs weren’t implemented.
This set out a series of steps that the body agreed to carry out to remedy the situation, by both making sure future opt outs were honoured and that patients were informed that their data may have been shared for reasons other than direct care.
In a new report published on 10 February, the ICO said that, after a follow-up assessment carried out on 16 December, it was satisfied that NHS Digital had taken the appropriate steps to address the requirements of the undertaking.
“A formal assessment by ICO good practice auditors in December identified a small amount of work to do, but the team was satisfied that the requirements of the undertaking were being met,” a spokesperson said in a statement.
“NHS Digital has agreed to the ICO’s final recommendations and, as a result, the ICO is satisfied that regulatory action will not be necessary at this stage.”
Related content
NHS Digital to change how it collects and publishes health stats
NHS England closes controversial patient data sharing programme
Health and social care integration about leadership as well as tech, say local government and NHS bodies
The December review showed that NHS Digital has created a system to process and uphold the specific opt out in question – known as Type 2 objections – and had created internal systems to receive, record and manage these objections through a central Patient Objections System.
It also found that NHS Digital had contacted any recipients of datasets in the three months where the information might relate to a patient who had asked to opt out.
Among the areas of work that needed to be done after the December visit was to alert people whose data might have been shared against their wishes. The ICO found that the initial wording used on the websites lacked clarity and needed to be revised.
This originally stated that “the HSCIC has started to uphold type 2 objections from 29 April 2016”, which the ICO said did not make clear that some data had been shared before this date.
NHS Digital has now updated this wording to read: “It was not possible for NHS Digital to honour type 2 opt-outs made before this date [29 April 2016]. This means that information may have been shared without respecting these opt-outs between January 2014 and April 2016. NHS Digital publishes registers of approved data releases showing where data has been released.”
The ICO added that NHS Digital has updated the information on both its website and on the NHS Choices site to offer more information on how the opt out systems work at the moment.
However, it is possible the opt out process will change following the government’s response to the National Data Guardian’s review into patient consent and use of data, which is expected soon.
The review proposed a new, simplified model for consent and opt-out for patients, as well as separating out opt-out systems for data that could be used to run the NHS, and data that could be used to support research.
