NHS patient data in England is set to be shared with third parties for research and planning purposes, sparking privacy and security concerns from the public and cybersecurity experts alike.
NHS Digital will gather the data of 55 million patients into a database containing sensitive information on mental and sexual health and criminal records, and will then share this database with both academic and commercial third parties involved in research and planning, although no details on the organisations that will have access have been provided.
The idea for the database was first set out in April by UK Health Secretary Matt Hancock, who emphasized that patients would not be directly identified in the data set.
The initiative follows a report published earlier in the year by the House of Commons Science and Technology Committee, which stated that the UK’s response to the pandemic was delayed partially as a result of a lack of data sharing and access.
Patients will need to fill in a form and take it to their GP to opt out of the database by the 23rd of June, or their records will become an irreversible part of the data set. Opting out after this date will mean that only future records will not be shared.
The scheme has sparked backlash from privacy advocates and cybersecurity experts.
The Department of Health and Social Care received a letter from Foxglove, a campaign group for digital rights, questioning the legality of the proposals under current data protection legislation. The letter states: “very few members of the public will be aware that the new processing is imminent, directly affecting their personal medical data.”
Cybersecurity experts have warned that the database will become a target for cyber-criminals, and this is not only an NHS issue, as data will need to be securely handled by third parties and suppliers.
“It is not surprising that the NHS is facing backlash in response to this move. Sharing medical data with third parties is very risky as there is no way to be sure they will have the proper security tools in place to keep the data safe. While it looks like the NHS has plans to anonymize patient data, this is not a 100% guarantee of security protection,” said cybersecurity expert George Papamargaritis, MSS director at Obrela Security Industries.
This is not the first time the NHS has attempted to create a database of this kind; a previous project called Care.data was set to be created in 2013, but was abandoned after Google pulled out of the deal due to privacy concerns.