Named: 102 GP practices shared patient information with Data Loch project

Hundreds of doctors have shared their patients’ medical records with researchers through a controversial project called ‘Data Loch’.

The UK privacy watchdog is to probe NHS Lothian, the University of Edinburgh and local medical practices after new documents obtained by The Ferret named more than 100 GP practices that added patients’ medical records into a giant research database.

Information shared by GPs includes records containing the age of patients, their sex and ethnicity, diagnoses, treatments, frequency of visits and referrals to other services.

Documents show that even doctors’ full written notes will be uploaded to the database and analysed with computer software. 

The £63m ‘data loch’ project is a partnership between NHS Lothian and the University of Edinburgh, funded by taxpayers as part of the South East Scotland city region deal.

At the heart of the project is a sophisticated database that allows researchers to access information on hundreds of thousands of people’s health.

In addition to local GP records, the database also includes information on hospital visits, prescriptions, mental health and Covid-19 status. 

GPs could not have considered a data protection impact assessment (DPIA) for the project when they signed up to participate, because the university researchers managing the Data Loch on behalf of NHS Lothian admitted this document still has not been finalised.

Guidance from the regulator, the Information Commissioner’s Office, says: “The ICO also requires you to do a DPIA if you plan to… profile individuals on a large scale.”

Campaigners from MedConfidential say data protection laws require doctors to consider the impact of any new patient data sharing initiative, and they should have been provided with the correct documentation.

The group has called for more scrutiny of the project from politicians and regulators while claiming that NHS Lothian “appear to have thrown a decade of best practice on patient data management away, with this project.” 

In response NHS Lothian insisted it would never “compromise patient data.”

In total, 102 of the 120 GP practices eligible to join the project opted to share patient data.

A full list of participating medical practices that shared patient data is published below.

Private sector access

Whilst the project is not yet fully operational, dozens of researchers have already used the database to conduct 11 different research projects, using an additional £127,000 worth of research funding. 

The Ferret found no evidence that participating GP practices updated their privacy policies to reference the Data Loch, or informed patients that medical records would be shared with researchers outside the NHS.

Fears about the project have been raised by local politicians and campaigners. They are concerned over cyber security risks associated with putting together such large databases of sensitive personal information, and a lack of clarity over how the data could be used in future. 

The business plan for the project suggests that private firms could benefit from the dataset. As part of a wider "data driven innovation" programme, those behind the Data Loch project say they will attract £138m in research income, start or grow 49 new businesses and "interact" with 280 companies. 

The Data Loch website says: “DataLoch is currently considering the governance requirements for allowing access to de-identified extracts of data by private sector organisations.”

Campaigners have raised concerns over plans to share de-identified data, because this is not the same as fully anonymised data. Researchers have shown it may be possible for third-party organisations supplied with medical data to re-identify individual people from pseudonymised or de-identified data.

The business plan names medical firms Abbott Laboratories, Siemens Healthineers, and LumiraDx as possible industry collaborators. The Ferret has since learned that Professor Nick Mills, project lead for the Data Loch at the University of Edinburgh, has received payments for speaking at events or consultancy with all three of these firms.

The University said: “None of these relate to the DataLoch project and none of the companies are engaged in projects with the DataLoch data repository.” 

No dedicated Data Protection Impact Assessment

An earlier version of the Data Loch website apparently acknowledged that a dedicated DPIA for the programme would be required. It said: “a Data Protection Impact Assessment has been drafted and will be modified as the programme progresses in consultation with data controllers.” 

The University confirmed in a Freedom of Information request that a draft DPIA specific to the Data Loch "is not complete."

But since The Ferret began investigating the project, reference to this draft DPIA has been removed from the Data Loch website and project operators now insist the project can operate under the auspices of an existing NHS Lothian DPIA document. 

Phil Booth of MedConfidential reviewed the latest documents and said he was concerned that data protection laws may have been broken. 

In his view, NHS Lothian should have shared a Data Protection Impact Assessment (DPIA) specific to the Data Loch with GP practices when they were asked to sign up to the scheme.

This DPIA should have been completed and published before any research was undertaken using the Data Loch, he argued. 

Booth continued: "By law any GP signing up to this scheme should have been provided with a DPIA from NHS Lothian before providing any data, a document that has not even been finalised yet."

“By grabbing so much data from GPs and failing to offer even rudimentary information to patients or a means to opt-out this risks undermining hard earned trust, just when it is needed most."

Booth said far more scrutiny from local politicians and the Information Commissioner, which regulates data protection law across the UK, was urgently needed.

He also pointed out that a plan to force GPs in England to share data in a similar fashion has been repeatedly delayed after concerns were raised in Westminster.

“In many respects it seems that this project is worse than the GP data grab in England that has caused a great deal of controversy among the medical profession and sparked debate in Westminster.”

Following our earlier report into concerns surrounding Data Loch, an Information Commissioner’s Office (ICO) spokesperson told The Ferret they were now “aware of concerns” over the project. They said the commissioner would be “engaging” with NHS Lothian and other data controllers involved to “discuss their data protection compliance.”

The ICO spokesperson said: “Data protection law enables organisations to share data safely and, when it comes to using health information there are particular safeguards that must be put in place to protect people’s privacy. This includes ensuring that people’s data isn’t used or shared in ways they wouldn’t expect.

“There is a statutory obligation to carry out a Data Protection Impact Assessment before embarking on certain types of processing including the processing of health data on a large scale. By carrying out a DPIA an organisation can comprehensively analyse the proposed processing and identify and minimise data protection risks.”

“Ultimately,” they added, “the success of any project will rely on people trusting and having confidence in how their personal data will be used.”

Alex Cole-Hamilton MSP, leadership candidate for the Scottish Liberal Democrats, previously said he was worried about “serious risks” associated with the project. 

“In an era in which cybercrime and exploitation of personal information is rampant there are clearly serious risks attached to projects such as this,” he told The Ferret.


Ian Murray, Labour MP for Edinburgh South, said public trust is at risk and patients should have the “option of opting out.”

He added: “We are rightly incredibly proud of the world-leading medical research which takes place in Edinburgh, funded by being part of the UK. I have seen for myself the incredible work that researchers in the city carry out.

“But as with all medical research, appropriate safeguards need to be in place. If patient data is being shared outside the NHS then it needs to be completely anonymised or patients should have the option of opting out - and at the very least should be informed.

“If that isn’t happening, it risks eroding public trust.”

In response a spokesperson for the University of Edinburgh said: “DataLoch is a partnership between the University and NHS Lothian which will see a secure repository of health and social care data developed for the Edinburgh and South East Scotland region to help find solutions to the major health and social care challenges we all face.

“We are building from existing systems to offer a more efficient, safe approach to store, define, link, and improve quality and usability of data from across the region to inform research and service improvements. We have and will continue to comply with legal requirements for the use of this data.”

NHS Lothian declined to respond. In an earlier statement, Dr Tracey Gillies, Medical Director, NHS Lothian said: “NHS Lothian takes patient confidentiality extremely seriously and has a well-deserved reputation for robust governance processes. We would never act to compromise patient data.”

The Lothian Local Medical Committee, an organisation that represents GP practices in the area, did not respond to our request for comment. 

According to NHS Lothian 102 out of 120 medical practices invited to participate in the Data Loch project agreed to share their patient data. At the time of writing, The Ferret could not identify any practices that referenced the Data Loch project in their online privacy statements. 


2 comments
  1. Once again, Ally Tibbitt has misunderstood Data Protection Law. Their last article about DataLoch conveniently overlooked whole articles of the Data Protection Act (Articles 6 and 9 specifically). This time they have taken a complete non-issue and blown it out of proportion.

    Patient data collected by General Practitioners belongs to the GPs. They are perfectly within their rights to share this data, in line with the Data Access Framework. They share data because the research it supports materially changes the evidence base on which their practice rests.

    The National Health Service (Scotland) Act 1978 requires that the NHS “may conduct, or assist by grants or otherwise any person to conduct, research into any matters relating to the causation, prevention, diagnosis or treatment of illness”. The NHS has a statutory duty to support research. In the current climate it is important that any research it supports be as cost effective and efficient as possible in terms of data collection.

    Twenty years ago none of the important and life-saving research that uses this data would be possible. It took far too long, and this meant it was simply too expensive to manually collect the information from consenting patients directly. The health data research being conducted in Scotland today is some of the most cost effective anywhere. The information governance procedures in place are robust, exhaustive, and led by competent experts. The work being done right now is simply world-leading.

    I’m so tired of seeing people like Tibbitt try to drag the state of Scottish medical research back to the 1990s.

  2. “Tired” has offered a decent defence of the position, but fails to embrace the concerns of patients in all of this. The whole affair smacks rather of a degree of disrespect for people’s sensitive information.
    It may well be true that GPs can do whatever they like with patient data without the patient’s permission (and surely it must be time for this to be reviewed), but, as is being demonstrated in the robust debate at Westminster, this should not be accepted without scrutiny. Data breaches/hacking are all too common and it seems that lessons are never learned.
    It would be interesting to know how many patients from these 102 practices that have signed up might have objections now that they are aware.
