Response to Guardian story “NHS patient data to be made available for sale”

NHS England’s Chief Data Officer Dr Geraint Lewis said: “NHS England and the Health and Social Care Information Centre (HSCIC) welcome the increase in public awareness and debate about NHS data usage following the nationwide distribution of the leaflet ‘Better Information Means Better Care’.

“It is vital, however, that this debate is based on facts, and that the complexities of how we handle different types of data are properly understood. Patients and their carers should know that no data will be made available for the purposes of selling or administering any kind of insurance and that the NHS and the HSCIC never profit from providing data to outside organisations.”

For a detailed explanation of how the NHS uses patient data, please take a look at Dr Lewis’s blog here.


  1. disabled-dave says:

    Quote from above: “no data will be made available for the purposes of selling or administering any kind of insurance and that the NHS and the HSCIC never profit from providing data to outside organisations”

    and yet 47 million records have ALREADY been sold to insurance companies:

    So is the Chief Data Officer completely incompetent or deliberately lying?

    When I was in hospital I did NOT give permission for my data to be sold on, so I’m trying to establish if this is a criminal offence under the Data Protection Act.

  2. Anne Williams says:

    This shocking experiment was carried out in Iceland some years ago. The Icelandic government took medical records, including historical ones going back several centuries, from their entire but very small popuation of less than 300,000, and sold the lot to a commercial firm called deCode Genetics. The firm was specifically looking for rare genetic conditions, so you can guess how easy it would be to identify individuals. deCode then contracted to sell the results of its research to Hoffaman Karoche. deCode later went bankrupt and has since been sold to Amgen, so God only knows who has access to the data now.

    Now multiply the prospective outcome by the size of the British population.

  3. J Kirk says:

    So. you quote below “Unfortunately, technicalities of the Data Protection Act mean that NHS England cannot capture and record people’s objections at a national level…” In that case, how and why does the DPA allow you to capture and record (and SELL!) people’s medical records without their specific and informed consent then?

    You are also mis-representing this – there is indeed a scheme to share data with hospitals, but this is NOT the same as the scheme, the latter being a scheme to SELL not share data!

    Bona fide researchers can already apply for access to the UK Biobank scheme, which includes people who have voluntarily agreed to share their medical data with NOT FOR PROFIT organisations. So there is no need for this scheme really is there?

  4. Yvonne Singer says:

    Read Ross Anderson on line
    NHS opt out: not what it seems.

    Geraint Lewis uses words cleverly when be talks about how people can try to combine data sets in order to re identify. The implication is that they can’t succeed. They can.

  5. Ian Claydon says:

    Any transfer of private personal data from the NHS to a private organisation without prior consent is disgusting, wrong. Never mind telling us who won’t get the data. Tell us who will and why. Outrageous and vile act which horrifies and destabilises the trust and security of many, who may not understand the gravity of what you are doing. You should be ashamed and hang your heads.

  6. Alan Potts says:

    It’s all very well to say that our medical records will not be shared by third parties however, as we have only just seen in the press, a very serious security blunder by Barclays bank has led to thousands of personel details being made available to anyone who wishes to buy them.

    It isn’t only insurance companies that would seek to use our data but it seems that anyone who is willing pay for such data would have access.

    I have very serious doubts as to whether our medical records can be securely held given that a security system such as Barclays was so easily compromised.

  7. Holly Boyle says:

    How will you track that the contract you release Amber data under has been adhered to?

    If a patient suspects that Amber data about them has been released, cross referenced with other commercial datasets, and that they have been re-identified and their data used for the purposes of selling (or withholding) products or services, to whom can they complain?

    Who will investigate this complaint, and how will the released data be re-captured, deleted from 3rd/4th/5th/xth party owned datasets, and re-secured as private and confidential data?

    Who will be punished and how, for what types of data breach?

  8. Helena cermakova says:

    Still no leaflets! Didn’t know we lived in a communist state, thought my father fought hard for freedom!

  9. shaun rogers says:

    What annoys me is that I have no idea what information is in my medical records and I will have to pay a fee to find out.
    Hence I’m probably going to opt-out and may opt-in later once I’ve satisfied myself that the information is correct (if I bother).
    It’s not as though you can opt-out later, is it?

  10. Jared says:

    My private data is confidential and not yours to disclose to anyone. Do so and I will sue, and I will win!

  11. PeterC says:

    My medical data is NOT yours to sell yet you presume my consent to such a behavior. This is so wrong.

    Once I work out how to do so I will be opting OUT. I will also be encouraging those I know and care for to do the same.

    Surely the Data Protection Act requires a specific consent prior to you selling my data, are you above the law?


    • david peach says:

      I agree they should get permission from patients to access their Data none of this OPT/OUT nonsense (Totally Undemocratic )

  12. Michael Rigg says:

    This is another government cock up.
    1: it should be an opt in NOT opt out scheme
    2: this scheme makes the individual easily identifiable. It should have been devised in a manner that made it totally anonymous then most reasonable people would have been agreeable.
    As it is the information WILL be used by unscrupulous commercial interests.

  13. Mike perham says:

    Yes, but how can I be SURE ……that my data will not be sold ?

  14. Alex says:

    As a researcher, I can see the advantage of the proposed scheme; the huge quantities of information could open up the possibilities of improvements of understanding and care for a range of conditions.

    However, I think the implementation of this scheme represents a huge own-goal. I don’t find it surprising that people are becoming irritated when the first they hear about the sharing of their own very sensitive information is through a news paper and NOT the NHS.

    Would a TV or radio commercial be too much to ask?

    I understand that NHS budgets are tight, but one wonders why it could not have been arranged as a special one-off or by other means. The apparent lack of transparency, whether accidental or not, only serves to add fuel to the fires of sensationalism.

  15. kim says:

    why do you need to know my NHS number? this is identifiable data.

    i am also sure that if you have my DOB sex and my postcode there wont be anyone else who matches….. this is identifiable.

    if it is for research purposes the none identifiable data will suffice.

    you will not be having my data or my families for any reason and my GP has a code of confidentiality which mean he can not share what i discuss or results with anyone other than me or whom i say he can.

    this should not be an opt out situation but an opt in!!

    i am also discusted that it is the 1st feb 2014 and i still dont have my leaflet in the post and this is ment to go live in MARCH – cutting if fine arent we!

  16. Andrew Taggart says:

    Presumed consent is an cynical phrase used by a government that presumes ownership of its citizens rather than, radical as it might be, that we the citizens own the government, and you should spend your time making our lives better. You should stop simply governing for large corporations that will profit handsomely from all this data, fashioning new symptom controlling drugs and contacting us directly to sell them.

  17. NHS England says:

    Many thanks for all your comments – here’s some further information in response to some of the issues raised:

    If you wish to object to your GP data being used for purposes beyond your direct care, you should let your GP know. Occasionally they might ask you to fill in their own form. You don’t have to fill in a national one. Unfortunately, technicalities of the Data Protection Act mean that NHS England cannot capture and record people’s objections at a national level – your GP has the legal duty to do this under the Act. We are doing all we can to support GPs in this duty however, and if you have any questions or concerns then you can call the national patient information line on 0300 456 3531

    This blog: includes further details about the different ways information is shared and the safeguards in place to protect your privacy. For example, a robust data sharing agreement must be in place before any amber (pseudonymised) or red (identifiable) data is shared. Within this agreement, there are civil and criminal penalties which if the person receiving the data shares it with anyone other than those named on the agreement (including people within their own organisations), tries in any way to re-identify patients from amber data, or uses any data for any purpose other than that stated in the agreement.

    The Health and Social Care Information Centre has confirmed that it will publish quarterly reports detailing who has received patient data and the grounds on which it has been shared, so that you can see how your information is used.

    NHS England

  18. Harry Keogh says:

    The NHS and government organisations have an abysmal track record in (mis)managing the data it collects. I’ve lost count of the number of times ‘confidential’ data has been reported as found in the public domain by accident.

    It may very well be that the NHS will not make any profit out of this data but I don’t believe private health care, insurers, Uncle Tom Cobley and all won’t find a way to use it for their profit.

    As someone who in a previous life was responsible for receiving, cleansing and producing datasets on a huge scale, I know just how difficult it is to keep data anonymous and secure. The NHS is far too big to be able to do so successfully.

  19. Ann Lowe says:

    shame that too many people are accessing this site at 9.50am today – not very impressed with the information that was given when I rang 0300 456 3531 – a call centre that was unable to answer anything other than basic questions and that one is unable to complain to a named person or address. I was unaware that data is already being collected centrally as I opted out previously – so may or may not be used? Vague use of terms – information rather than data… what is being collected exactly? The dedicated patient information line was unable to answer what I thought were fairly simple questions (as they were not on a web site!). I am intrigued to know how the data protection act is ensuring that people should agree to data being collected rather than no action means that one has universally agreed to ALL NHS services uploading fairly personal data – I am sure that links of dob, postcode, gender would be quite identifiable with let’s say my bank records! Hopefully more media interest in this will ensure that more people are aware of the JUNK like leaflet that landed on our doorsteps really means that they know exactly what data is to be centralised and the organisations that will be able to access it. Again the call centre were only able to answer with a vague – organisations who are legally allowed to. The legal aspects, again they were unable to answer where I could look at these even though I have now found that there is a published constitution – but no list of authorised organisations who will be accessing the data. Very concerned at the method of trying to introduce this data collection.

  20. In Cognito says:

    I want to withdraw my consent for my records to be shared with anyone … It’s my information and no one elses.

    Expect law suits

  21. Steve says:

    You can find an opt-out form at

  22. Chris Cowsley says:

    This database does not meet professional integrity or secufity standards;
    Data subjects cannot see, validate & correct if necessary fhe data held on them. There is no turn-around validation.
    It can be passed on to unknown and uncontactable data controllers in Red form on the say-so of a Secretary of State.
    I do not trust the data controllers it may be passed to to use it only for the purposes for which it was originally collected before the HSC Act which legalises its transfer to
    I do not believe the Secretary of State is able to ensure conditions he imposes will be observed..

  23. Tim Turner says:

    When asked what might stop the insurance companies from reusing the data, Dr Lewis could only point to what the Information Commissioner might do. The IC is a separate regulator with little track record of going after the private sector for Data Protection breaches, but even if they did take action, it would be too late. This could have been an opt-in exercise, and then the NHS reassurances would really have been tested. As it is, many will not even receive the leaflet (I haven’t), and won’t get to exercise a real choice.

  24. H says:

    What a ridiculous retort. I would gladly give away Dr Lewis’ house for free. Is it ok if I do that because I don’t make any profit from it?
    Also, “selling or administrating any kind of insurance” is only one concern. I’d still rather it remained entirely confidential.

  25. Tom L says:

    It should be opt-out by default. More details of what constitutes ‘amber data’, along with specific details of the pseudonymisation process, should be published before people are automatically opted in without consent.

    Information on how to opt out here:

    38 degrees petition here:

    Further information here:

    Epetitions (official govt site) petition here:

  26. Erica Killoh says:

    There should be a form included with this leaflet for anyone who wishes to opt out. I will certainly not allow my details to be shared

  27. James Wright says:

    This statement goes no way to alleviating my concerns about how my data could be used.

    Once insurance companies have the data are you really trying to tell me they wont use it to help work out premiums?

    Next you’ll be telling us they’re as trustworthy as the banks!