The Health and Social Care Information Centre (HSCIC) has failed to comply with the first principle of the Data Protection Act by taking too long to act on patients’ data-sharing opt-outs, the Information Commissioner’s Office (ICO) has said.
Earlier in 2015, it emerged that at least 700,000 people had opted out of having their identifiable data shared as part of the Care.data programme, before the roll-out was scrapped in 2014. However, the NHS still shared those patients’ data with insurers and other services as the HSCIC did not have the resources to process that number of opt-outs.
In a letter to HSCIC’s chair, Kingsley Manning, which will be presented to the centre’s board meeting on 25 November 2015, the ICO said the organisation had “not complied with the first principle of the Data Protection Act 1998, as it has continued to share patient data with other organisations for purposes other than direct care after patients were offered an opt-out and a significant number of patients objected to their data being used in that way”.
It went on to say that HSCIC must honour the opt-outs by January 2016 and inform those affected.
There are two types of data-sharing objection patients can register. The first – known as a type 1 objection – is specific to Care.data and allows patients to object to their personal data leaving the GP practice at all.
The second – a type 2 objection – allows patients to insist that no identifiable information held by the HSCIC will be shared with any other organisations, other than for the purpose of direct care.
As part of the launch of the Care.data programme, patients were given the two different options for opting out. However, the Care.data programme was subsequently paused, and no data was extracted from GP systems.
During the pause, the Care.data programme board decided that only a type 1 objection would be offered in the future. HSCIC was put in charge of dealing with those type 2 objections that had already been registered.
The ICO said those patients who did opt out “would have reasonable expectation that their personal data would not be included in HSCIC data releases”.
“However, the opt-outs remain on GP practice systems, and details of which patients have opted out have never been sent to HSCIC. This means the opt-outs have not been actioned and those patients’ personal data continues to be released by the HSCIC,” said the ICO.
“We understand that the number of patients affected has been estimated to be around 700,000. We note the difficulties that the HSCIC has experienced, namely that directions have not been issued to HSCIC to extract any of the data, either in relation to the Care.data programme, the type 1 opt-out, or the type 2 opt-out.”
Rather than issuing an enforcement notice, the ICO proposes an undertaking, which means HSCIC must action the opt-outs by January 2016.