The lesson from the NHS Care.data row: You can't keep privacy issues private any more

Editor in chief

The rumbling, growing row over the NHS England Care.data service has become an instruction manual for how not to handle data privacy in the digital age.

For anyone not aware of the issue, Care.data is the new service that will upload all GP patient records in England to a central database, to be used for medical research by both the NHS and private companies such as pharmaceutical firms.

A similar service already exists for hospital records, but this is the first time it has been extended to basic GP records – effectively, all of our medical histories.

The likely benefits of the service are immense. The ability to mine that information and use modern big data analytics promises to lead to important new insights into patterns of health and ultimately to better treatment regimens and more effective drug development.

The downsides are obvious to anyone who has followed the growing awareness of data privacy in the age of mass data collection on the internet.

Perceived risks

The perceived risks of people’s most sensitive personal information being misused, hacked into, leaked, abused or sold for use by insurance companies are genuine and heartfelt by many.

Initially, the backlash against Care.data came only from knowledgeable privacy campaigners such as Phil Booth and Helen Wilkinson, who set up MedConfidential.org to spread awareness and challenge NHS England.

But as we have come nearer to the first upload of GP data to the service, the issue has broken onto the front pages of national newspapers. Evidence is mounting that the so-called publicity campaign by the NHS – sending leaflets as junk mail to every home in England – has failed to adequately inform the public about the implications and their rights.

Executives at NHS England insist they are aware of the risks, and maintain that the service has been designed to protect patient privacy. But their actions in a digital world fail to match their words.

Anonymity and opt-outs

At the heart of the matter are two issues: the ease or otherwise of being able to use supposedly anonymised patient records to identify individuals; and the right to opt out of the scheme entirely.

The NHS argues that it will be too difficult to re-identify someone from an anonymous personal record within many millions of records – a justification that might hold true for the vast majority of situations today. But anyone with knowledge of the speed of development in big data will tell you that we are not far away from readily available, highly advanced tools that can easily analyse and mine huge haystacks of information for very small needles.

In the digital age, a process of anonymisation that does not take into account rapid developments in analytics and cross-database data matching is clearly open to potential future abuses.

Opting out of the scheme is easy, says the NHS. Just tell your GP. Let’s put aside for the moment the number of stories of patients asking their GP surgery, and being told they don’t know what they’re talking about. The real problem here is that the opt-out is a once and only opportunity.

Once Care.data is live, with your medical records included, there is no going back. You cannot subsequently change your mind and withdraw your data. If you approve of your children’s records being included in Care.data, then when they are old enough to decide for themselves (and living in an even more technology enabled world) they will have no right to opt out.

In a digital age, offering any service that uses personal data without a perpetual opt out – ideally, easily available online – is increasingly unacceptable.

Throughout the process, it seems the NHS England approach has been to emphasise the benefits of Care.data – which are considerable – and attempt to play down the privacy concerns as acceptable and manageable. This has led critics to accuse the NHS of trying to sweep privacy issues under the carpet, and hide the very real concerns from the public.

Lead on privacy

For me, the biggest lesson learned from the growing row is that in this digital age, the NHS strategy was completely the wrong way round.

Any public sector body – or any business dealing with large amounts of personal data – needs to put data privacy issues front and centre of their argument.

Lead with privacy. Go beyond what the law dictates; beyond what data protection rules and watchdogs mandate. Be as openly paranoid about data privacy as the biggest conspiracy theorists. Offer affected individuals as much opportunity to change their minds and opt out as you possibly can.

Then, and only then, will people genuinely listen to and understand the reasons you need their data. And chances are, they will be happy to hand it over.

It seems likely that NHS England will continue to bulldozer Care.data through, and as a result the privacy arguments are only going to get fiercer. There will be more bad headlines, there may even be legal action. Medical bodies such as the Royal College of General Practitioners, which has already expressed its concerns about the process while supporting the aims of the service, will raise their voices and pressure on NHS England will increase.

It will become a test of resilience for the Care.data champions, not a test of the benefits delivered.

For the record, I intend to opt in to Care.data – by which I mean I won’t exercise my one-off right to opt out and will accept being automatically opted in (click here if you want to know how to opt out).

For my personal circumstances, the benefits of the service are worth it, as I have nothing (yet) in my medical history that I would be cautious about sharing in public. Moreover, with someone very close to me suffering from a rare form of cancer, anything that helps medical researchers learn about that condition and come up with more effective treatments becomes a priority.

But even then, I would be so much happier if I had the ability to opt out in future should my health situation change and I had something I wanted to keep completely private between my GP and me. And for a lot of people, that worry may be enough to want to opt out now – if only they fully understood that they had to.

The risks to Care.data of future scandal are very real. But it could all have been so different. It may be too late to change in this case, or maybe change will subsequently be forced on the NHS through circumstance or law.

But for any other organisation wishing to gain the benefits of big data analysis from their customers’ personal data, the launch of Care.data remains an example of how not to go about it.

Update: 19 February 2014

By absolute coincidence or dumb luck (much as I would like to pretend it was prescience), a few hours after this article was published, NHS England announced that Care.data roll-out was being delayed by six months to address concerns about the use of data and patients’ right to opt out. That’s a welcome and sensible move.

But it’s now an opportunity to move away from the analogue thinking around data privacy that has led to this delay. The messaging to patients needs to stop taking the line, “This will be great – trust us, we know what we’re d oing”, and change to “Please can we use your data, and this is why we want it”.

It’s no longer enough for the NHS – or any part of government – to assume a patrician approach to people’s personal data. It’s our data, they need to convince us why they want to use it, and make sure we remain in control of how it is used. It is worth NHS England making the argument, because the benefits of Care.data, when introduced properly, will be worth it.