A £63m plan to exploit NHS medical records has been criticised for failing to offer patients a choice over whether their personal health data is shared with hundreds of researchers.
More than 1.1 million people in the Lothians, Borders and Fife could see their medical records analysed by researchers for the benefit of private firms as part of a project dubbed the ‘Data Loch’.
Although the project – which is managed by the University of Edinburgh and NHS Lothian and funded as part of the South East Scotland City Region Deal – is not set to become fully operational until late 2022, The Ferret has established that Data Loch already combines different data sets about patients.
The stored information includes data on visits to hospitals and primary care facilities, as well as records from some local GP surgeries in the area. NHS Scotland data on prescriptions, mental health treatment and Covid-19 Shielding status are also available through the project.
Critics have demanded more transparency over how the data is used and a patient opt-out. They also highlighted the cybersecurity risks of assembling “massive datasets loaded with personal information”.
NHS Lothian insisted it would “never act to compromise patient data”. But even though the business plan for the project names huge pharmaceutical firms as potential industry collaborators – and boasts that it will attract £138m in research income – the health board says patients should not be given a choice about whether their health data is added to the “loch” of information.
The Data Loch website says in its frequently asked questions section: “There is no patient opt-out, and this is in line with the legal basis for processing.”
It goes on to use an argument made by an unnamed former chief medical officer (CMO) to justify why the project does not allow people an opt-out.
“Offering consent opt-outs on data processing, essential for delivering high quality care and…is disruptive, costly and can reduce quality and equity of care,” the CMO is quoted as saying.
According to a spokesperson for the University of Edinburgh: “Any personal data collected will be anonymised.”
But a detailed description of the information held by the project obtained by The Ferret shows that patient information in the Data Loch is pseudonymised. This means it may not be completely anonymised, and it could be possible to ‘re-identify’ individuals by matching one set of data with another one.
As a result, claimed Phil Booth of MedConfidential, the Data Loch may be in breach of UK data protection rules set out in the General Data Protection Regulation (GDPR).
After reviewing the way data is used in the Data Loch, he argued that recent GDPR guidance from privacy watchdog the Information Commissioner still applies. The guidance explains: “Pseudonymous data is… still personal data and data protection law applies.”
Booth added: “The Scottish Government’s Chief Medical Officer can ‘argue’ all he likes, but he cannot ignore or override the law. The Data Loch is processing what GDPR says is patients’ personal data, so they have a right to be told what is being done with their sensitive medical information – and a right to opt out.”
The University of Edinburgh press office did not confirm how many people had already accessed medical records held in the Data Loch. But the project website claims it has “already supported a number of important projects investigating COVID-19”.
GP patient data
Individual GP practices were invited by NHS Lothian to share their patients’ medical data with the project in 2020. But NHS Lothian has declined to name the GP practices that have chosen to share their patients’ data with the project.
The health board did not say how many of the GP practices that did opt in to the project told patients that data from their medical records would be shared with Data Loch.
Lothians MSP Alex Cole Hamilton said: “No one who goes to hospital or to their GP seeking medical treatment is expecting their data to be farmed out to researchers.
“At a minimum there should be a clear statement setting out who will be able to access this data and a mechanism for people to opt out if they don’t want their data shared.
“In the past SNP ministers have been keen to use NHS records as a basis for storing personal data about everyone in Scotland. Alongside privacy campaigners, Scottish Liberal Democrats have defeated previous attempts to assemble massive datasets loaded with private personal information.
“In an era in which cybercrime and exploitation of personal information is rampant there are clearly serious risks attached to projects such as this.”
Scottish Greens health spokesperson Gillian Mackay MSP echoed these concerns and said: “NHS Scotland collects some of the best data in the world and it is vital this is turned into public health intelligence.
“However, this is normally anonymised and it would be unacceptable for anyone’s personal data to be used unknowingly for commercial purposes. GDPR laws must be upheld to maintain people’s trust in services.”
Concerns over the Data Loch have emerged as UK Government proposals to centralise health data from GP records in England, dubbed the General Practice Data for Planning and Research, have caused controversy south of the border.
A coalition of campaign groups threatened to take the UK Government Department of Health and Social Care to court unless a patient opt-out was provided and proper public consultation undertaken. In response to the legal threat, the UK Government has put the process on pause.
A similar but little known project dubbed SPIRE is already operational in Scotland. It allows GP practices to share data with NHS Scotland and provides a national database that may be accessed by researchers from outwith the NHS.
Unlike the Data Loch, patients can opt out of this data sharing project by contacting their GP or by using a form on the SPIRE website.
However, there have been concerns raised in Scotland about the security of NHS data. In April an investigation by The Ferret found data laws to protect patients’ personal information were breached at least 1395 times in two years. Dozens of NHS staff have been disciplined.
Our requests for information on NHS data breaches were prompted by the case of a radiographer who accessed the personal records of more than 200 female patients before stalking them.
£138m in research income
Business plans describing the long-term aspirations for Data Loch show that backers are keen to expand the project to cover more than just the South East Scotland city region deal area.
The document notes that although Scotland has “a single healthcare provider and world-leading linked healthcare data assets… the current approach acts as a barrier to research and innovation at scale in the region”.
It adds: “There are aspirations to scale the Data Loch and relevant activities but the immediate focus is deploying a successful solution across the City Region.”
As part of a wider ‘data driven innovation’ programme, the Data Loch is part of a plan that hopes to attract £138m in research income, start or grow 49 new businesses and ‘interact’ with 280 companies.
The plan names several companies with which the University of Edinburgh has existing relationships and which may be possible customers. Likely industry collaborators are listed as Pfizer, Bristol-Myers Squibb, AstraZeneca, and GlaxoSmithKline, as well as medical devices firms Abbott Laboratories, Siemens Healthineers, and LumiraDx.
“Through the Data Loch there is a large potential market to evaluate the impact of new diagnostic equipment and testing on health service delivery and outcomes,” the plan adds.
Dr Tracey Gillies, medical director of NHS Lothian, said: “Every day, medical research and innovation is carried out by researchers across the UK using data that has been recorded during a patient’s treatment and is processed to ensure their identities are not revealed.
“This practice, which analyses symptoms, treatments and outcomes has allowed great strides and advances to be made in developing lifesaving treatments in many specialties, including cardiac care and also Covid-19. Without this research, breakthrough treatments and vaccines would be impossible.”
Gillies added: “Data Loch’s purpose is to enable these data-driven health and social care innovations to improve the health and lives of the region’s population. These activities are entirely in the public interest. Patient data is not being sold to private organisations, nor is it leaving the control of the NHS.
“Access to extracts of data is provided to NHS service managers and medical researchers, approved by the NHS Lothian’s Caldicott Guardian and under strict controls. The data has identifying information removed and sits in a secure IT environment.
“NHS Lothian takes patient confidentiality extremely seriously and has a well-deserved reputation for robust governance processes. We would never act to compromise patient data.”
However, the health board reiterated that it has no plans to offer patients the opportunity to opt out.
A spokesperson for the University of Edinburgh said: “Personal information gathered by Data Loch will not be sold to private organisations for commercial gain. Any personal data collected will be anonymised and used for important research to help improve future understanding, treatments and health outcomes for patients.”
A Scottish Government spokesperson said: “Patient data is confidential – and any suggestion it is for sale in Scotland or is being used for commercial purposes is categorically untrue.
“We take patient confidentiality extremely seriously and expect all processing of personal data to be fair, lawful and secure.”
They said the aim of the “not-for-profit” Data Loch project was to “further medical and NHS research to help deliver better services”.
“Any data provided by GPs as part of the project has identifying information removed in line with GDPR law so it cannot be associated with any individual and is subject to rigorous scrutiny to ensure that the data is used fairly, lawfully and securely,” the spokesperson added.