NHS England plans to sell your personal confidential data – here’s how you can stop them from grabbing it

Patients only have until the end of February to opt out from having their personal confidential medical data extracted from GPs’ computers on a monthly basis, without their consent, and sent to a new national database called care.data.

Starting from March 2014, the Health & Social Care Act 2012 requires GPs to send each patient’s Personal Confidential Data (PCD) data to the care.data system without any prior consent – unless patients specifically opt out. It’s simple to opt out, as outlined below.

The care.data system is run by the Health and Social Care Information Centre (HSCIC), using software and services procured from ATOS, a private company.

Reasons for opting out of care.data

Once the data has been extracted, the GP practice is no longer the data controller for that information, and cannot control or protect in any way how that information is used, shared or who has access to it.

The HSCIC will be the data controller for your uploaded personal confidential data and will have total control over it.

The Care.data database will link patients’ GP medical records with personal confidential data that HSCIC also collects from from other health and social care organisations where you receive care, such as hospitals and community care.

The NHS England leaflet ‘Better Information means better care’, which households in Calderdale should receive shortly by junk mail delivery, says that the care.data database is being created in order to help Clinical Commissioning Groups make better decisions about what health services to commission, and for research.

But it doesn’t include an opt-out form.

And the NHS England leaflet doesn’t say that NHS England is selling your medical records to American drug companies and others, through the MedRed BT Health Cloud. Data in the MedRed BT Health Cloud include clinical data, demographics, education and income from 50 million de-identified patient records in the UK.

The NHS England leaflet isn’t very forthcoming about the fact that your PCD held by care.data will be easily identifiable as yours. Although patient records in care.data will be de-identified, or anonymised, by removing patients’ names and addresses, they still include post codes and dates of birth. This makes it easy for  people’s identities to be revealed, as a Royal Society report on Science as an Open Enterprise concluded:

“… a substantial body of work in computer science has now demonstrated that the security of personal records in databases cannot be guaranteed through anonymisation procedures where identities are actively sought.”

Care.data information will be extracted from the GP practice in a form that can identify you, and will include your NHS number, date of birth, postcode, gender and ethnicity, together with your medical diagnoses (including cancer and mental health), their complications, referrals to specialists, your prescriptions, your family history, details of your vaccinations and screening tests, your blood test results, your body mass index, and your smoking/alcohol habits.

The GP magazine Pulse has found that identifiable confidential patient data is already being regularly approved for release by the NHS.

Ross Anderson, who works in Security Research in the Computer Laboratory at Cambridge University, writes,

“If you don’t opt out in the next few weeks your data will be uploaded to central systems and you will not be able to get it deleted, ever. If you don’t opt out your kids in the next few weeks the same will happen to their data, and they will not be able to get their data deleted even if they decide they prefer privacy once they come of age. If you opted out of the Summary Care Record in 2009, that doesn’t count; despite a ministerial assurance to the contrary, you now need to opt out all over again.”

What care.data Personal Confidential Data transfers can you opt out of?

Opting out of care.data is simple:

  • You can prevent your PCD from leaving the GP practice, so that  your PCD doesn’t go into the care.data system  run by HSCIC with Atos software and services. If this is what you want to do, you need to tell your GP practice to add to your record the code for ‘Dissent from secondary use of GP patient identifiable data’. (The code is Read v2: 9Nu0 or CVT3: XaZ89, depending on what system the GP Practice uses.)
  • You can also prevent other PCD of yours that the HSCIC has collected from other places where you receive care, such as hospitals and community services, from leaving the HSCIC. If this is what you want to do, you need to tell your GP practice to add to your medical record the code for ‘Dissent from disclosure of personal confidential data by Health and Social Care Information Centre’ (The code is Read v2: 9Nu4 or CTV3: XaaVL.)

You can opt out either or both of these transfers of your personal confidential data.

If you change your mind later, you can opt back in.

How to tell your GP practice you are opting  out of care.data

This advice is from Dr Neil Bhatia’s care.data opt-out  webpage. Dr Neil Bhatia is a GP and Caldicott Guardian for the Oaklands Practice in Yateley. (A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing. Each NHS organisation is required to have a Caldicott Guardian.)

If you have decided to opt out of care.data then it’s very easy to do so.

First, download an opt-out form or opt-out letter

    • Here is a .pdf leaflet, which can be printed double-sided and folded
    • An opt-out form available in .pdf, .doc or .rtf format is also available from medConfidential, as well as a care.data opt-out letter in doc format, or rtf and .pdf versions of the letter that you can print out and hand in, post or fax to your GP.
    • Your GP surgery may have its own opt-out form to download from its website, or an online opt-out form you can fill in online (but none of the Upper Calder Valley GP health centres does.)

There is no “official” or mandatory opt-out form that you are obliged to use, whether
produced by the HSCIC or anyone else.

It doesn’t matter which form you use.

So, fill a form in, and hand it into, post it, or fax it to your GP surgery.

That’s it. Simple.

Unless you specify otherwise, the two opt-codes (9Nu0 and 9Nu4) will then be added by your surgery, no questions asked. And your data will be protected.

Ask the GP practice for written confirmation that they have recorded your refusal of consent.

If you only want to opt out of one transfer of your PCD, specify which one:

  • to prevent your personal confidential identifiable information being uploaded from the GP practice and sent to the care.data system: opt out code v2:9Nu0 or CVT3: XaZ89
  • to stop the Health and Social Care Information Centre from passing on any identifiable data it gathers from any other care context, e.g. hospital records, clinics or social care organisations: opt out code v2: 9Nu4 or CTV3: XaaVL

Don’t forget to opt-out your children, or those for whom you have parental responsibility,
as well.

Alternatively, if you prefer not to use the downloadable form or letter, you can write your own letter to the GP health centre:

  • State that you wish to opt-out of care.data
  • Request that both the 9Nu0 and 9Nu4 codes are added to your GP records, if this is what you want
  • Remember to include full names and DOBs (and your address if you are happy to)

If you want to opt out, you don’t need to do any of these things:

  • make an appointment with your GP
  • arrange to see your GP surgery’s Practice Manager
  • ring your GP or GP surgery

If you opt-out now you can opt-in at any time in the future – if you are happy to, when
you are happy to, and at a time of your choosing. It’s your data, you should be in
control.

Help family, friends and colleagues to opt out

You can print off copies of an opt out form and give them to your family, friends and colleagues, or email it to them, send them the link to this site (or to medConfidential or www.care-data.info), or share this information on social media sites.

It should be as easy as possible for everyone who wishes to opt-out of care.data to do so.
This opt-out info is reproduced with permission from a non-commercial website and represents the personal views of Dr Neil Bhatia, GP and Caldicott Guardian for the Oaklands Practice in Yateley.

Detailed information about care.data can be found at www.care-data.info

You can also ask to have access to your own medical records at your GP centre.

NHS England care.data leaflet does not include an opt-out form

The NHS England care.data leaflet entitled Better information means better care that all households are receiving by junk mail deliberately does not include an opt-out form.

Upper Calder Valley GP Practices

So far, none of the UCV GP practice websites seem to have much information about
care.data and how to opt out. The GP Health Centre I went to to drop off my opt out form
also had no posters, leaflets or other information on display about this.

But maybe this will change, before it’s too late.

Hebden Bridge Group Practice seems to have no information on its website about care.data. Misleadingly, its downloadable booklet says

“Occasionally, GPs are contacted by outside agencies for access to medical records; no information is ever released without prior consent from the patient.”

This needs updating, because the care.data system requires GPs to release patients’ personal confidential data by default, without seeking prior consent from patients. The only way GPs can prevent patients’ personal confidential data from being extracted by the Health and Social Care Information Centre for the care.data system is if patients opt out.

Sowerby Bridge: Station Road Surgery, tel :0844 4778916 or 01422 410433. Info about care.data here.

Sowerby Bridge: Meadowdale Group Practice 01422 834 463 This VirginCare-owned GP practice has no information on its website that I can see about care.data

Todmorden Group Practice Tel 01706 811100 doesn’t seem to have any info about care.data on its website

Todmorden Health Centre Tel 01706 811 123 . This Locala- run walk in Health Centre seems to have no info about care.data on its website

Controlling other uses of your personal and confidential data

See how your GP can help you control a range of of your personal and confidential medical information – not just care.data PCD.

More on the NHS data grab

You can read  more here from Ross Anderson, who works in Security Research in the Computer Laboratory at Cambridge University.

Posted from here.

6 thoughts on “NHS England plans to sell your personal confidential data – here’s how you can stop them from grabbing it

  1. Pingback: Care.data update – can we now trust the health and care system with our confidential personal medical data? | Calderdale and Kirklees 999 Call for the NHS

  2. Just to further clarify, ironically the care.data is by default including your info, but the sharing between clinicians is by default not sharing until you give your consent. This is why it is important to ensure your know the options.

  3. I don’t want my data to be sold either. There are a few sharing data options, one of which is care.date which will be extracted and used centrally (or sold), which is what the article is focusing on.
    Another is when your GP asks if your want to share your medical record with, say, a physiotherapist at the local hospital. Or the physio asks if they can share your physio record with the GP. This is very different. Please don’t confuse the two, ensure you know what you are agreeing or disagreeing to.

  4. When people work in the NHS they should be working for you! The population of GB, where have all the advocates gone! Do any of the Caldicutt;s take there job seriously?

    • To be fair, I found out about the whole caredata shambles from Dr Neil Bhatia’s tweets, he’s a GP, Caldecott Guardian for his GP practice & the guy who created all the opt out info on the website linked to in this article. But maybe we should find out who the Caldecott Guardians are for UCV GP Practices and what they’re doing? And also contact the Caldecott Guardian for Calderdale CCG and ask what he’s doing?