Patient data leaves NHS - officials answer our questions

Nearly 300 million confidential medical records have transferred officially from the government to an academic organisation outside the NHS, Computer Weekly has learned.

The transferred records contain patient-identifiable information on nearly every stay by patients in hospitals in England, and visits to an accident and emergency department. Also within the transferred records are 215 million confidential files on visits to outpatient departments.

The downloaded files contain dates of birth of patients, their postcodes, NHS numbers and local hospital numbers.

Since 2007 the patient-identifiable records have been downloaded, with official approval, from the Secondary Uses Services, a central database of medical records which is run by BT under the NHS’s £12.7bn National Programme for IT [NPfIT]. 

The disclosure about the transfer of confidential medical files outside the NHS exposes what the British Medical Association and lawyers say is a lack of public debate about the use of patient data in medical research. 

For several months the transfer of patient-identifiable information from the Secondary Uses Service [SUS] has been investigated by the BBC Panorama programme. Since its investigation began the Department of Health has launched a consultation into the wider uses of patient information in health research and managing and planning care.

Computer Weekly has learned that BT has amassed on the SUS about one billion medical records dating back to 1996, most of which are identifiable. Every day NHS trusts send about one million records to be uploaded onto the SUS. Patients whose details are stored in the SUS database may have several records depending on how often they use the NHS.

With official approval, confidential information has passed from the SUS, and its smaller predecessor system the NHS-wide Clearing Service, to an academic organisation, the Dr Foster Unit, which is partly funded by a private company.

The Dr Foster Unit has received for research purposes 500 million health records, which includes 180 million inpatient and day cases. The unit has 285 million files which include patient-identifiable information.

Research based on SUS data is essential, for example to improve treatments – for example by identifying abnormally high numbers of deaths in certain areas. But the British Medical Association is concerned that patients have not given their specific consent for their confidential information to be uploaded to the Secondary Uses Service. 

Grant Ingrams, chairman of the British Medical Association’s GP IT committee, told Computer Weekly that the Department of Health should not keep a “farm of data for people to go fishing in”. He said: “As a country we have not thought about this enough.. the majority of the public may not be comfortable with the mass extraction of their data for research.” 

He said information from SUS should ideally be made anonymous before it leaves the NHS.

“There has not been any true debate about the rights and wishes of patients with regard to their private information,” he said.

Some experts have questioned whether there is a solid legal basis for the SUS.

Mark Watts, head of IT and data protection at legal firm Bristows, says the law is complex, involving both the data protection act, medical confidentiality and a patient’s right to privacy.

“There are various question marks regarding [the Department of Health’s] compliance with these. It isn’t clear what, if any, information has been provided to patients about the use and sharing of their patient data within the NHS, nor is it entirely clear on what legal basis certain secondary uses of patient data are taking place.” He added:

“It’s important that all uses and sharing of patient information collected by the NHS not only comply with the law, but clearly comply with the law. Otherwise, patient confidence in the handling of their information may be undermined and, moreover, important medical research may be impeded by uncertainty in the minds of researchers that their activities are lawful.”

At their regular meetings, members of the Patient Information Advisory Group a statutory body, have expressed various concerns about the uses for wider research of patient-identifiable information.

At a meeting last year, the group’s members said there would be a benefit for the Department of Health in “regulations being laid before Parliament” which subject the department’s plans to the “democratic process and enable proper public debate and scrutiny.”

The group added: “This would then reduce the likelihood of legal challenge as the Secondary Uses Service would then have a solid legal grounding for obtaining, holding and processing identifiable data in order to produce [anonymised] data extracts…for analysis”.

Asked whether the work of the SUS has a firm legal basis, a spokesperson for the Department of Health said: “The lack of a clear legal basis does not mean that an activity is unlawful as there are various obligations on the Secretary of State and issues of public interest in maintaining the NHS that would need to be considered.”

A spokesman for NHS Connecting for Health, which runs parts of the national programme, said that if patients wish to stop uploads of their files onto SUS they should apply under the Data Protection Act – though they may need to show that having their uploaded will cause them distress.

Connecting for Health says that the only organisation outside the NHS which receives patient-identifiable records from the SUS database is the Dr Foster Unit, an academic unit within the Division of Epidemiology Public Health and Primary Care at Imperial College, London. 

Dr Foster Unit receives several grants for its research. It is funded mainly by a grant from Dr Foster Intelligence, which is a joint venture between the NHS Information Centre and a private company Dr Foster.

The Dr Foster Unit is not an NHS organisation, says Connecting for Health. The Unit operates in a secure area which can be accessed only by swipe card and has diskless workstations. Only named individuals with special clearance have access to the unit which has a secure private network with no internet or public network connections.

Electronic transfers of patient-identifiable information from SUS to the Dr Foster unit have been approved by the Patient Information Advisory Group and by Connecting for Health. The Advisory Group approves or rejects requests for the use of confidential medical data where it is considered impractical to obtain the consent of patients.

The Dr Foster Unit holds about 10 years of inpatient records. It removes identifying information from the records it holds – a process known as “pseudonymisation” –  before it passes the anonymous files to Dr Foster Intelligence. The Dr Foster Unit emphasises that it passes no patient-identifiable information to Dr Foster Intelligence.

The Dr Foster Unit also emphasises that there has never been a breach of confidentiality of its records. Monthly extracts from the SUS are encrypted to a 256 bit Advanced Encryption Standard, are put on a DVD and sent by secure courier to the Dr Foster Unit where the package can be signed for only by named individuals within the unit. Passwords are given to the unit separately.

The files are kept in a secure server room with swipe card access by named individuals. Staff at Dr Foster Unit access the data by password-protected dumb terminals which are not linked to the internet. The data is cleaned, stripped of NHS numbers, dates of birth and postcodes, and passed in anonymous form to Dr Foster Intelligence.

Tim Kelsey, chair of the Executive Board of Dr Foster Intelligence, said:

“Dr Foster Intelligence is a joint venture half owned by the NHS which was set up to improve the quality of patient care. It provides, for example, the NHS and the general public with analysis of death rates in order that hospitals can improve clinical outcomes.

“Some hospitals have been able to dramatically reduce the number of avoidable deaths because of the availability of this information. Dr Foster uses a number of data sources to power these analyses – key is its partnership with Imperial College, which is both an NHS hospital Foundation Trust and a leading university and has been a world leader in the analysis of patient data to improve health services for many years.

“Neither Dr Foster Intelligence nor any Dr Foster company has ever used – or had access to – confidential patient data in its work. Anonymised data is essential to helping the NHS – as with all public services – understand how it can improve the quality of its provision.”


Panorama: “You Can Run” will be broadcast at 8.30pm, 27 October on BBC One. Simon Boazman investigates how much information is held on him, whether it is secure and if he can reduce his data trail.

The SUS – and officials answer our questions

What is the SUS?

The Secondary Uses Service is a database of all medical care in England paid for by the NHS. Professor Ross Anderson of Cambridge University says the database contains details of diagnosis, treatment codes, operations and what drugs were prescribed. The SUS is run by BT as part of a scheme to modernise the NHS, the National Programme for IT [NPfIT]  which was launched by the government in 2002 .

How much information is passed from SUS to the Dr Foster Unit?

Extracts from the SUS database to the Dr Foster Unit – which are approved by a statutory body the Patient Information Advisory Group – include most NHS inpatient and outpatient records, totalling about 50 million a year.

NHS trusts provide a million updates to SUS records every day. SUS holds about one billion medical records, often several for each patient. Data submissions by NHS trusts for uploading to SUS are for the most part mandatory.  The Dr Foster Unit says it holds about 180 million inpatient and day case administrative electronic records dating from 1996/7 and 320 million administrative outpatient records dating from 2003/4 in total. “About 70 million of the inpatient records and 215 million of the outpatient records (records since financial year 2005/6) include patient identifiable data,” says the Dr Foster Unit. The Unit does not pass any patient identifiable information to Dr Foster Intelligence.  

Some benefits of giving researchers patient data?

• Research into prevention and treatment of diseases
• Highlighting anomalies in numbers of deaths in particular localities or hospitals
• Reducing risks through a greater understanding of HIV prevention, and the relationship between smoking and lung cancer.
• Informs the development of new treatments and health policies

Can patients opt out of having their confidential medical data going onto the SUS database?

Yes, but with difficulty. Jeremy Thorp of NHS Connecting for Health said in a statement to Computer Weekly: “Patients can say they do not want to have their records on SUS – this would involve them making a formal request, under the Data Protection Act, for identifiable data to be removed on the grounds that its presence there causes distress, and we would, of course, act on such a request.”

Does SUS have a clear legal footing?

No. A statutory body, the Patient Information Advisory Group, said in 2007: “The Advisory Group agreed that there would be benefit for the applicant in regulations being laid before Parliament in order to subject this to the democratic process and enable proper public debate and scrutiny.

“This would then reduce the likelihood of legal challenge as the Secondary Uses Service would then have a solid legal grounding for obtaining, holding and processing identifiable data in order to produce effectively pseudonymised data extracts but which met the utility requirements for analysis.”

A few months before, the Advisory Group said: “Much of the current NHS activity involving access to and use of patient identifiable data has no clear or secure basis in law …”

We asked Connecting for Health whether the sharing of patient-identifiable information with people who are not directly involved in the care and treatment of the patient is a legal grey area. Karen Thompson of the Patient Information Advisory Group said in a statement to Computer Weekly:

“The common law duty of confidentiality in relation to confidential patient information is largely untested in this country. What we do know is that the information must be confidential in nature and that often the relationship in which it is imparted will give rise to a duty of confidentiality.

“It must also not be trivial in nature or otherwise in the public domain. The duty of confidentiality is not absolute. There is a need to balance both the private interests of an individual and the public interest in maintaining trust in a confidential service with the public interest in disclosure.

“No-one would dispute that NHS clinical staff owe patients a duty of confidentiality. Given that clinical care is usually delivered by teams rather than individual clinicians, it is reasonable for consent to be implied for information to be shared within that clinical care team and with other teams to support the care of the patient e.g. when a GP refers a patient to a hospital care team.

“The difficulty is that the NHS needs to use patient information for a range of secondary uses, of which patients are largely unaware. In some instances, anonymised data will suffice but sometimes identifiers are needed (fully identified data is not generally required) to be able to link and de-duplicate records about the same patient from different sources so that they are not counted twice.

“It is, the fact that patients are largely unaware of how their data are used by the NHS for these secondary uses, which means that there is no basis for implying consent for disclosure to staff outside the clinical care team.

“The question then arises whether there is sufficient public interest to warrant disclosure. DH policy is that there must be a substantial public interest sufficient to warrant disclosure. The powers under S251 were created so that essential NHS activities and medical research could continue where identifiable data was necessary and where consent was not practicable. The scrutiny by PIAG providing a counterbalance e.g. the additional safeguards required through conditions of approval.”

Are there attempts to wind up PIAG, the Patient Information Advisory Group, which considers requests for the use of patient-identifiable information in research, and is widely regarded as independent of government, and replace it with an organisation that will be more amenable to government requests for patient-identifiable information to be shared widely? Karen Thompson of PIAG replied:

“The Health and Social Care Act 2008, which received royal assent at the end of July creates powers to establish a National Information Governance Board. The NIGB will replace PIAG as the statutory body with responsibility for advising the Secretary of State on the use of patient information and use of Section 251 powers. It has additionally been given new powers. PIAG will therefore be abolished as a statutory body, this is expected to occur by the end 2008.

“The NIGB membership comprises of a majority of independently appointed members (the same as PIAG) and the remaining members are representatives from some of the key stakeholder bodies.

“The interim NIGB has formally invited PIAG members (and the majority have agreed) to form a committee of the NIGB, which will deal with the approvals process for use of S251 powers and advise the NIGB on confidentiality and other ethical issues.

“That a majority of NIGB members are independently appointed and that the experience and knowledge of the current PIAG membership will be retained has provided assurance in relation to the concerns previously expessed by PIAG members.”

What are government plans for the SUS?

The Patient Information Advisory Group noted in its minutes dated 25 June 2008 that there are plans to make extracts from the Secondary Uses Service database available to external agencies and commercial organisations once the data has been made anonymous, a process known as pseudonymisation.

Can police, social services and other agencies view identifiable patient data on SUS?

Yes, in certain circumstances, for example:
– where there is a legal duty to give information about people
– when the public good is deemed to be of greater importance than confidentiality


Concern as patient records leave the NHS – Computer Weekly

Panorama’s “You can run” – BBC website’s short summary of the broadcast tonight (27 October 2008)

The SUS – Connecting for Health’s website  

Catholic Bishops warn over the SUS – E-Health Insider

The SUS – evidence to Health Committee of the House of Commons

Sharing patient records – Whitehall consults – Computer Weekly