Another week, another data privacy controversy involving the NHS. This time, Open Democracy has alleged that hundreds of hospitals have been directed to share confidential medical records with Palantir Technologies. Trusts have reportedly been given until the end of March to upload pseudonymised patient data – including dates of birth, postcodes, and medical histories – to a new Palantir database called Faster Data Flows.
It comes after campaign groups acting on behalf of doctors and patients threatened legal action over NHS England’s procurement of another £480 million data platform, arguing that questions about data protection have not been answered.
Then there’s the public perception that this is a bad idea. There’s a lack of trust in government to deliver without corruption or cronyism when it comes to health; a lack of trust in the ability of technology companies to keep that data safe; and a lack of trust in organisations that are motivated by profit to not use that information for another, less altruistic, purpose.
Two previous attempts to create a centralised database of primary care in the UK had to be abandoned following public and media criticism. The most recent proposal, for a GP Data for Planning and Research (GPDPR) programme, was paused in 2021 after it descended into a PR battle as much as an infrastructure project. Millions of people opted out before the benefits could be explained.
In Spain, electronic health records were introduced more than 20 years ago, improving communication between patients and healthcare providers, and raising clinical outcomes. And, in Estonia, an e-ambulance system detects the position of someone calling for help in less than 30 seconds, and provides paramedics with access to their medical information on their way to the emergency.
Leaders have to be transparent about what type of patient data is being collected, who it is shared with, and what it is being used for. People need to be assured that their data is safe, that they can opt out of certain uses of their data, and that it won’t be sold to companies in the pursuit of profit – anywhere along the supply chain. Much of this, of course, is already covered by the UK GDPR.
It’s not an easy conversation to have. Particularly because the NHS has form here. Google ended up in the High Court over its use of confidential medical records of 1.6 million Brits shared by the NHS without their knowledge or consent. And last year, the personal information of tens of thousands of people was leaked in a massive data breach involving a firm that managed the printing of sensitive patient letters for NHS organisations.
There isn’t a quick fix to this problem. Trust takes time. But, as a first step, the NHS needs to show it’s committed to building a culture of privacy compliance throughout the organisation. After all, the future of health care in this country will not be powered by GPs diligently locking filing cabinets filled with patient records. We need a digital health care system, built with privacy at its heart.
Nigel Jones is the co-founder of The Privacy Compliance Hub, a no-nonsense platform created by two ex-Google lawyers that makes compliance easy for everyone to understand and commit to.