JJ'Studio - Fotolia

NHS Care.data: The security concerns

As NHS England restarts its Care.data programme, we look at how it is intended to work, the legislative background and the data security concerns

The Care.data programme commissioned by NHS England has prompted widespread discussion, with concerns voiced over the use and security of personal data.

The NHS has collected data from hospitals – known as hospital episode statistics or HES – since the 1980s. The purpose of Care.data is to extract data from GP practices and link it with HES to show how patients have been treated by both their GP and while in hospital.

Care.data was intended to be rolled out in April 2014, but was postponed to raise public awareness and to allow for further discussion of the risks and benefits. NHS England has recently announced the start of four pathfinder trials, from June 2015, which will seek to address some of the issues raised. However, restarting the project with the pathfinder trials is itself proving controversial. 

This article looks at how Care.data is intended to work, the legislative background and the data security concerns.

The data and the law

The Health and Social Care Act 2012 allows NHS England to direct the Health and Social Care Information Centre (HSCIC) to collect patient information from GP practices. As disclosure of this data is required by law, patient consent, which would otherwise be required under the Data Protection Act (DPA) 1998, is not needed, and neither GPs nor patients have a legal right to opt out of disclosing the information. Nevertheless, Care.data does give patients the right to opt out.

The NHS number, postcode, date of birth and gender of each patient would be extracted so data can be accurately linked with HES. Coded medical records, including medical history, would also be extracted.

The fair processing obligation that arises under the DPA applies to data collected under the 2012 Act, ensuring that the individuals are informed about how their data will be handled and why. NHS England, along with the GP practices (in effect, the data controllers) and the British Medical Association, has been providing the public with such information using leaflets and posters.

Anticipated benefits

The benefits cited in favour of Care.data are numerous. They include:

  • Identifying patterns in disease;
  • Reviewing how medical conditions respond to different treatments;
  • Helping with fair and effective allocation of NHS resources.

There has been concern about profit to be derived by the NHS from commercial exploitation of data extracted. However, although HSCIC will charge a fee to access the data, it will operate on the basis of cost recovery rather than profit.

How it would work

GPs record patient information in clinical systems. Coded clinical data of patients would be automatically extracted from those clinical systems using the General Practice Extraction Service (GPES). 

GPES is managed for the NHS by HSCIC and consists of two systems:

  • GPET-Q, which requests and receives data from the clinical systems;
  • GPET-E, an extraction system integrated with the clinical systems and run by suppliers of the clinical systems.

How secure is the data likely to be, and what are the safeguards to mitigate the risks of a security breach?


NHS England has consulted with relevant bodies to ensure that the minimum amount of personal identifiable information necessary is extracted. Only coded clinical data is extracted, leaving free-text records on GP clinical systems alone. Records considered particularly sensitive, such as those relating to HIV and termination of pregnancy, will not be extracted.

Data would be extracted once a month, so any data security risks during the extraction process are limited to this once a month occurrence.

Processing and storing

Records would be linked using an automated system with minimal human checks subject to strict rules. For example, HSCIC staff may access either the identifiers or clinical information, but not both.

Once the data has been linked, a new record would be created that does not include the identifying information and uses only a pseudonym. 

The linked data would be retained in a secure environment provided by HSCIC, which it claims “operates to the very highest technical and security standards”, before it is deleted and overwritten by the the next month’s data.


Data would be disseminated by HSCIC in three formats:

  • Anonymous or aggregated data, giving average values for large numbers of people without identifying them and not including data on small numbers of patients suffering from rare conditions due to the risk that such patients could be identified. This data may be published by HSCIC.
  • Pseudonymised data on an individual level that has had identifying details stripped out and replaced by pseudonyms. NHS England acknowledges there is a risk of patients being re-identified from this data through a “jigsaw attack”, and has accordingly placed strict controls on its release – it will be disclosed only to approved organisations for approved purposes, with penalties for misuse.
  • Identifiable data, consisting of personal, confidential data that is strictly controlled and made available only where there is a legal basis for doing so – for example, the patient gives consent or there is a public health emergency, such as an epidemic.


Systems are in place to ensure the protection of personal data under Care.data and the potential benefits appear to be significant. NHS England is not alone in its desire to create a health database; the French government is considering plans that go even further in terms of the data to be collected and its anticipated use.

So why is Care.data controversial? This is no doubt down to a number of factors: the poor reputation of UK public sector IT projects, a general fear of large ‘Big Brother’ holdings of personal data, and fear of commercialisation of the NHS. Specific to the programme itself is that there have been some inadequacies in raising public awareness, and disagreements with the way the opt-out has been worded (and even whether it is possible to manage the levels of opt-out being requested by patients).

How data obtained for one use can be applied in a different context is clearly a matter of importance to the public. Some commentators believe this to be a generational issue, with the ‘millennials’ who have grown up with digital technology being less averse to data issues than their elders. 

Clearly, however, there are still significant public perception issues with programmes that involve the digitisation of data across groups of companies (eg a single customer view for a financial institution) that will need to be balanced with the perceived benefits of achieving this data re-use. 

It remains to be seen if the pathfinder trials will address the concerns that have been raised. However, right now no one knows how the trials might result in changes to the programme.

Mike Pierides is a partner and Sarah Atkinson an associate at law firm Pillsbury Winthrop Shaw Pittman.

Read more about Care.data

Read more on Privacy and data protection