The Department of Health has amassed a central database of one billion confidential records on patient visits to hospitals and is transferring extracts to an academic organisation outside the NHS.
Computer Weekly has learned that the central database, called the Secondary Uses Service, contains over one billion records and is expanding rapidly. NHS trusts are submitting new records for uploading onto the database at a rate of one million a day.
The data is used for important medical research, aimed at improving NHS treatments and healthcare.
But experts are concerned the data is being used without patients giving specific consent for their private medical information to be uploaded to the Secondary Uses Service. Grant Ingrams, chair of the British Medical Association GP IT committee, says patient-identifiable information in the Secondary Uses Service should be made anonymous before it is transferred to any other organisation.
Computer Weekly has also learned that the government's own advisers question whether there is a solid legal basis for the Secondary Uses Service database. One of the legal issues is whether the government should amass private, identifiable data on patients for purposes not directly connected to their care or treatment.
Although lawyers, doctors and IT specialists recognise the benefits of medical research based on patient data, they say that people may be losing control of their medical information which has traditionally resided in GP practices or the IT systems of local hospitals.
The Secondary Uses Service is run by BT for NHS Connecting for Health as part of the £12.7bn NHS National Programme for IT.
It contains records on nearly all patients in England who have stayed in hospital, visited outpatients, or attended A&E. It includes patient-identifiable information such as postcode, date of birth and NHS number. It also has coded medical information on diagnoses, and any treatment given, whether a hysterectomy or a heart operation.
For every patient on the system - tens of millions are on it - there are usually multiple records.
With official approval, patient-identifiable records from the database are downloaded monthly onto a DVD encrypted to the 256-bit Advanced Encryption Standard and despatched by secure courier to the Dr Foster Unit, an academic organisation which is said by Connecting for Health to be outside the NHS.
The unit is part of the Faculty of Medicine at Imperial College, London, and is the only organisation outside the NHS to receive patient-identifiable information from the Secondary Uses Service. It keeps the data in secure offices, on diskless workstations which have no links to the internet. It has received nearly 300 million records, which include patient-identifiable records from the Secondary Uses Service.
The Dr Foster Unit is funded by various grants. Its primary funding is from a separate organisation, Dr Foster Intelligence - a joint venture between the NHS Information Centre for Health and Social Care - and a private company, Dr Foster, which provides healthcare information. The Dr Foster Unit passes only anonymous records to Dr Foster Intelligence. Dr Foster Intelligence provides the NHS and the general public with analysis of death rates in order that hospitals can improve clinical outcomes.
The use of patient data for medical research is seen by experts as a necessity, for example to analyse whether people living near electricity pylons or phone masts have more health problems than those who do not.
But the government's own advisers, the Patient Information Advisory Group, which is a statutory body, has questioned whether the government has a solid legal grounding for obtaining, holding and processing identifiable patient data to produce anonymous data extracts for analysis.
Whitehall officials, however, say lack of a clear legal status for the Secondary Uses Service does not make the database unlawful.
Computer Weekly has further learned the Department of Health plans to make wider use of the Secondary Uses Service by making extracts available to commercial organisations, after removing data from records which identifies the patient, such as date of birth, NHS number and postcode.
A spokesman for the Dr Foster Unit said that it carries out research into why healthcare outcomes can vary, for example between different hospitals, to improve patient care and treatments. That is why it needs to hold large amounts of data.
He said that stringent measures safeguard the confidentiality of patient information and there has never been a breach of confidentiality. The unit does not pass any identifiable data to Dr Foster Intelligence, he said.
For several months the transfer of patient-identifiable information from the Secondary Uses Service has been investigated by the BBC Panorama programme. Since its investigation began the Department of Health has launched a consultation into the wider uses of patient information in health research and managing and planning care.
Panorama: "You Can Run" will be broadcast at 8.30pm, 27 October on BBC One.
Dr Foster Intelligence
Dr Foster Intelligence is a joint venture, half-owned by the NHS, set up to improve the quality of patient care. It provides, for example, the NHS and the general public with analysis of death rates, so hospitals can improve clinical outcomes.
"Some hospitals have been able to dramatically reduce the number of avoidable deaths because of the availability of this information. Dr Foster uses a number of data sources to power these analyses. Key is its partnership with Imperial College, which is both an NHS hospital Foundation Trust and a leading university," said Tim Kelsey, chair of the executive board of Dr Foster Intelligence.
He said that neither Dr Foster Intelligence nor any Dr Foster company has ever used, or had access to, confidential patient data in its work. "Anonymised data is essential to helping the NHS - as with all public services - understand how it can improve the quality of its provision."
Read more on Tony Collins's IT projects blog >>