Update: June 8th 2021. The original deadline to opt-out was June 23rd. After criticism, it’s now been pushed back until September 1st 2021.
The UK’s NHS plans to import the medical records of 55 million patients into a digital database that will be shared with third parties. Privacy activists have heavily criticized the plan, describing it as “legally problematic.”
Citizens need to opt-out of the plans before September 1st.
The health service’s IT department, NHS Digital, confirmed that it plans to scrape the medical histories of all people in England registered with a GP clinic into a single database that will be shared with commercial and academic third parties for planning and research purposes.
People who are not comfortable with their medical records being shared with third parties have only a few weeks to opt out of the plan.
Digital rights group Foxglove criticized the plan, noting that the NHS is not clear on who would access the data.
“Is it pharma companies? The health arm of Google Deepmind? If you ask patients whether they want details of their fertility treatment or abortion, or results of their colonoscopy shared with [those companies], they’re not going to want that,” said Foxglove’s co-founder Cori Crider.
People have until September 1st to opt out of the plan. The opting out process involves filling a form and taking it to your GP.
After the deadline, the medical records will be permanently transferred to the new database.
NOTE: If you opt out of the plan after the deadline, only your new medical records will not be transferred to the new database.
Here’s how to opt-out:
1. Download this simple form that we’re providing here:
2. Fill out the form.
3. Deliver the completed form to your registered GP. This can be by hand, by mail, or by email.
You can find the contact details for your registered GP here.
The form must be completed and delivered by September 1st 2021 to prevent your data from being uploaded.
Founder of privacy advocacy group MedConfidential Phil Booth expressed concerns over the slim deadline.
“They’re trying to sneak it out, they are giving you six weeks nominally and if you do not act based on web pages on the NHS digital site and some YouTube videos and a few tweets, your entire GP history could have been scraped, never to be deleted,” Booth said.
He added that the NHS is not transparent about its commercial relationship, which would make it hard to know who eventually has access to the medical records.
Per the NHS Digital website, a list of people with access to the data is published monthly, with details of whether the data was anonymized or not. Additionally, data that can directly identify a patient will be replaced with unique codes. However, the NHS will have the keys to reveal the redacted data for use “in certain circumstances, and where there is valid legal reasons.”
Foxglove has sent a legal letter to the Department of Health and Social Care, demanding answers on the legality of the plan under the country’s data protection laws.
In the letter, Foxglove expressed “serious concerns” about the lawfulness of the plan, noting that there was no explicit consent for the data collection and “very few members of the public will be aware that the new processing is imminent, directly affecting their personal medical data.” The group also threatened to sue the department.
NHS Digital insists the plan is legal as the Information Commissioner’s Office, the government agency that regulates data, has not objected, plus, it plans to submit a data protection impact assessment.
In 2013, there was a similar effort to pool all GP records into a single database. The attempt was abandoned three years later due to complaints over privacy and the commercial use of the data.