Patient data sent to global drug companies ‘may not be anonymous’

The data of millions of NHS patients’ sent to international drugs companies may not be anonymous, experts in the field have claimed.

Privacy campaigners have labelled it a “gross betrayal of trust”, arguing that simply following the Information Commissioner’s Office (ICO) anonymisation code of conduct does not mean a patient’s identity is protected.

Senior NHS figures have claimed that data taken from GP surgeries and hospitals and sold on for research can routinely be linked back to a patient’s medical records through their GP surgery, the Observer has reported.

Patients whose medical information is of particular interest to international companies have already been identified, they added.

The Department of Health and Social Care said it only sells on information after thorough anonymisation measures have been taken.

Licences to buy data are issued by the Clinical Practice Research Datalink (CPRD), run by the Medicines and Healthcare Products Regulatory Agency (MHRA).

The CPRD anonymises data in accordance with the ICOs anonymisation code of practice, a spokesperson said.

Furthermore, patients are unable to access information on whether their data has been sold, campaigners said.

Phil Booth, coordinator of privacy group medConfidential, told Digital Health News: “If a patient is concerned, they have no way to find out whether their data is sold within CPRD.

“When a patient asks their practice, there is no public information for GPs to give them, even if the GP fully believes in the ideals of what CPRD is doing.”

Booth said the public was being betrayed in the sale of their data.

“Following the ICO’s code of practice does not mean that data is necessarily anonymous. The law now recognises that one of the most common methods of ‘anonymisation’ – the use of pseudonyms to obscure some bits of information – means that data is still identifiable,” he said.

“Removing or obscuring a few obvious identifiers, like someone’s name or NHS number from the data, doesn’t make their medical history anonymous.

“Indeed, the unique combination of medical events that makes individuals’ health data so ripe for exploitation is precisely what makes it so identifiable. Your medical record is like a fingerprint of your whole life.

“Patients must know how their data is used, and by who. Alleging their data is anonymous when it isn’t, then selling it to drugs and tech companies – or, through intermediaries, to heaven knows who – is a gross betrayal of trust.”

Professor Eerke Boiten, director of the Cyber Technology Institute at De Montfort University in Leicester, echoed similar concerns in the Observer.

“If it is rich medical data about individuals then the richer that data is, the easier it is for people who are experts to reconstruct it and re-identify individuals,” he said.

A spokesperson for the MHRA “strongly refutes” the allegations patient data is de-anonymised.

“CPRD is a not-for-profit government research organisation which follows strict rules on protecting patient data and is fully compliant with ethical, information governance, legal and regulatory requirements and has rigorous processes in place to protect patients’ data,” they said.

“Ethically conducted research using CPRD patient datasets has brought enormous benefits to patient care, including providing evidence for the National Institute of Health and Care Excellence blood pressure targets for patients with diabetes, as well as working with universities, regulators and the pharmaceutical industry who research the safety of their medicines.”

Access to NHS patient data is becoming increasingly sought by researchers and drugs companies due to the centralised, substantive nature of the data.

Representatives from NHSX, NHS England and Improvement and NHS Digital have previously met with big pharma and tech companies, including Mircosoft and Amazon, to discuss potential uses for patients’ personal records.

Papers from a meeting held in October 2019 revealed plans for a “single, standardised, event-based, longitudinal patient record” containing the data of 65 million patients, pulled together from GPs, hospitals, mental health professionals, demographics registers, prescription records as well as information from the private health sector.

It estimated the patient data could be valued at up to £10 billion a year.

NHS England chairman, Lord David Prior, chief executive Simon Stevens and NHSX chief executive, Matthew Gould attended the meetings.

Following revelations of the meetings, concerns the NHS was risking a repeat of care.data if it’s not transparent with the public were raised.

Professor Joe McDonald, director of the Great North Care Record, said “secretive” meetings with big companies to discuss how to monetarise patient data risked jeopardising patient trust.

DHSC has been contacted for further comment.