Privacy fears grow over £50m NHS care.data project

An internal risk assessment carried out by the NHS has echoed concerns raised by privacy groups about the care.data project, which is due to kick off in March.

The controversial system will see GPs share patient information, including diagnosis, medication, weight and blood pressure. All UK households will automatically have their details included in the 50 million centralised database, but will have the chance to opt-out by informing their GP.

Records will be partially anonymised. The system will not list names, but it will use date of birth, full postcode, NHS Number and gender details.

The Royal College of General Practitioners has confirmed the NHS will not be selling patient information to insurance companies. However, data will be made available to researchers and other private companies - including pharmaceutical firms and government contractors - if they can prove they will benefit patient care or enable further scientific advances.

"We have been informed by NHS England that the Health and Social Care Information Centre does not make a profit from providing data to other organisations; that data will not be sold to insurance companies for the purposes of insurance and that confidential data can only be disclosed where allowed by the law," said Professor Nigel Mathers, RCGP honorary secretary.

Despite the NHS insisting the database will improve patient care, privacy groups have voiced their concerns about security. The NHS reportedly loses 2,000 patient records on a daily basis and centralising information will make it a prime target for hackers. An internal NHS risk assessment report, obtained by The Telegraph, has revealed possible problems the system may cause.

"While there is a privacy risk that the analysts granted access to these pseudonymised flows could potentially re-identify patients maliciously by combining the pseudonymised data with other available datasets (a technique known as a jigsaw attack) such an attack would be illegal and would be subject to sanction by the Information Commissioner's Office," it was noted in the report.

There are also fears patients may withhold important information about their health for fear this will no longer be kept confidential.

"The extraction of personal confidential data from providers without consent carries the risk that patients may lose trust in the confidential nature of the health service," it continues.

"This risk is two-fold; firstly, patients will not receive optimal healthcare if they withhold information from the clinicians that are treating them; and secondly, that this loss of trust degrades the quality of data."

With six weeks to go before rollout, the Royal College of General Practitioners claims the NHS has not done enough to make the public aware of the initiative.

"We urgently need a renewed national push by the authorities to ensure that patients are fully informed, in clear terms, about the benefits of the scheme, what their rights are, and what their rights to opt out are," Mathers added.