In the NHS of the future, will the public be left in the dark about their data?

New figures show that a very small minority of us have opted-out of the NHS confidential data sharing system – but most of us don't know what happens to our data

By Bethan John
January 11, 2019
A doctor shows a patient information on a computer screen
Almost 8 in 10 do not feel sufficiently informed about rights concerning their medical data

The NHS - which carries the dubious honour of being the ‘World’s Biggest Buyer of Fax Machines’ – is finally joining the digital revolution. The Government unveiled its long-term plan for the NHS on January 7, in which digital technology and artificial intelligence promise to lead the forward march of progress. In fact, some have even tapped the NHS’ next title to be ‘World Leader in AI’ – if only it could harness the immense value of its patient data.

But how do the people behind the data feel about this? How informed are we about the choices made with our confidential information and where it ends up?

NHS Digital poster 'Your Data Matters'
Image by North Road Suite GP surgery

One clue is to look at the number of people who have ‘opted out’ of sharing their confidential medical data outside their own care and treatment. The introduction of the General Data Protection Regulation (GDPR) across Europe last year introduced stricter rules to protect the public’s data.

The GDPR functions with an ‘opt-in’ approach – companies and organisations probably flooded you with emails asking if they could stay in touch last May. However, the NHS was able to maintain an ‘opt-out’ approach: the information gathered was deemed too vital to maintaining a high level of services, and the details of each data-transfer “difficult for the experts to understand, let alone the patients and service users.”

As such, the opt-out method was chosen; and those individuals who were too concerned about their data being used could simply choose to opt-out.

The year drew to an end, and the NHS’ provider of information, data and IT systems, known as NHS Digital, released the number of patients who have opted out of sharing their data: 1,637,560. These individuals feel that the NHS shouldn't use their personal data outside of their own treatment.

NHS Data opt-out rate, England (2018)
Click on the areas!

Opt-out rate

0% to 3%
3% to 6%
6% to 9%
9% to 11%

According to the data, the area with the lowest opt-out rate is Bradford City, in West Yorkshire, at just 3 in 100.

Bradford City also ranks first on the English Indices for Multiple Deprivation 2015 (IMD)– in other words, its residents face the harshest poverty levels in the country. Could lack of access to resources explain the low opt-out figures?

IMD by Clinical Commissioning Group, England (2015)
Click on the areas!

IMD ranked by CCG


It doesn’t appear so. Cannock Chase, near Birmingham, has the second lowest opt-out rate – it ranks 116th out of 209 on the IMD.

The highest rate of opt-outs is in Oldham, Greater Manchester, where over 1 in 10 have decided to halt the sharing their data. It ranks 34th on the IMD and is a mere 45 minute bus-ride away from Bradford City.

Blackpool has the second highest opt-out rate – almost 1 in 10. It ranks third on the IMD. Areas like Westminster and Camden in London also had a high drop-out rate. These boroughs face some of the highest levels of income inequality in the world, with super-rich rubbing shoulders with people facing dire economic circumstances. They rank 67th and 69th on the IMD, respectively.

So wealth and poverty don’t appear to be the driving force behind the numbers. What about age and gender?

NHS data opt-out rates, by age and gender

A study conducted by IPSOS Mori in 2018 showed that women were more likely than men to consider that the NHS treats patient’s medical records as confidential ‘very important’, perhaps causing the wariest among them to opt-out completely. Women are also more likely to have trust issues with the medical community due to experiences of sexism and racism, which could explain the higher incidences of opt-outs.

Part of the reason that children and teenagers have the lowest opt-out rate is because it is reliant on their parents filling out additional documents: a paper form of 7 pages, with several photocopies of official documents.

Older men, particularly those over 90, are most likely to opt-out. Frances Morley, a retired teacher, observed: “Perhaps people of an older age don’t quite understand where their data is going,” Morley said. “They might be worried of being refused travel insurance or getting their driving license revoked.”

Overall, the amount of people who have decided to allow their confidential information to be used for research is extremely high, and demographics don’t appear to be a strong factor driving the opt out rate.

Are you aware that you have to opt-out of the NHS' General Data Protection Regulation (GDPR) system if you don't want them to share your medical data beyond your own care and treatment?

Polls conducted by the author

Cybersecurity remains a huge issue, particularly after the WannaCry ransomware attack of 2017 which reportedly cost the NHS £92 million. Although the government has pledged to bring all NHS organisations in compliance with mandated cyber security standards by 2021, the lack of funding and the resignation of its first cyber security chief after just three months does not instil confidence.

Do you trust the NHS to protect your data?

Still, the public trusts the NHS more than any other institution with their data. However, they would generally like to be informed as to how it will be used.

Time and again, recommendations have been made by members of the medical community that in order for NHS data sharing to be a success, the institution must raise awareness and engage the public. Yet most people are in the dark, and there is a gulf between how people think the NHS is likely to use patient data and reality.

Do you feel like you have been sufficiently informed about rights concerning your medical data?

Firstly, most people aren’t aware of either the GDPR (7 in 10 haven't hear of it), or the NHS opt-out system. Whilst this remains also, to an extent, up to the individual patient, it is NHS Digital and NHS England’s duty to provide clear and comprehensive information, and a simple opt-out process.

The question of anonymisation is routinely posed by experts, as the idea that a patient cannot be identified from a set of anonymised data has been debunked several times. Yet the website continues to provide no extra assurances or guidances, and all ‘anonymised’ can be shared, even if the patient has opted out.

Concerns have also been raised about the ease of the opt-out process, which, if the patient struggles with digital skills, involves a long form and several photocopies of official documents.

Lack of clarity and access simply leads to public outrage and confusion, as the recent DeepMind Health controversy has shown.

Campaigners raised fears after it was announced that Google was taking over an app used in NHS hospitals by hospitals and nurses in November. Dr Julia Powles is a a legal researcher at the University of Cambridge and an expert on data sharing, artificial intelligence and healthcare. She is one of the fiercest critics of this move.

“We now have a situation, where without any public engagement, a global company has got access to the heart of one of the most prized, socialized healthcare systems in the world,” she said, speaking at the BBC’s Tech Tent.

The DeepMind statement is clear to say: “Patient data remains under our partners’ strict control, and all decisions about its use will continue to lie with them.” But many are skeptical, and polls show that only 6% of the public report high levels of trust in tech companies to use data appropriately.

DeepMind has been owned by Google since 2014, prompting some to say that Google has always owned the data, and it would be fooling ourselves to pretend otherwise.

“What really worries people, and ethics professors, and privacy lawyers, is the fact that it’s Google that’s going to be processing all of this data,” said Madhumita Murgia, a tech correspondent from the Financial Times. “They already hold and process a load of personal data about us – it’s scary. It’s a scary thought.”

Increasingly, it seems that this is not a question of ‘how’ but ‘when’ – the DeepMind case demonstrates that it is already happening.

According to a recently published report by REFORM, entitled Making NHS Data Work For Everyone, the top recommendation for the NHS is to engage with the public. There are currently no frameworks that allow patients to participate in the conversation about what fair exchange with the private sector might be when it comes to their data.

The NHS will have to navigate these choppy waters if it wishes to succeed in becoming a world leader in digital technology. The private sector is calling for increasing cooperation, and the Government has just laid out an ambitious Long-Term Plan – which includes wearable technology, virtual clinics, and expanding the genomics programme. Without real engagement and awareness from the public with regards to how personal data is being used, the NHS risks irrevocably damaging its reputation, and missing its chance to use our medical data to ethically and legally improve care and treatment.

Want to have your say? Let people know what you think on social media: