You don't need to be an 'investor' to invest in Singletrack: 6 days left: 95% of target - Find out more
Anyone weigh in on this? Anyone here opted out? If not, you have until 25 Aug (thanks to an extension)
patients were given just over a month to be made aware of the project and opt out if they wished to do so. NHS Digital released the plans on 12 May this year and gave a deadline of 23 June for people to omit data from the GPDPR, which has since been pushed back to 25 August following pressure from the Doctors’ Association UK (DAUK). If patients do not opt out by this time, they will not be able to do so in future.
The information set to be included in the database includes data about: sex, ethnicity, sexual orientation, diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments, including information about physical, mental and sexual health. Notably, it includes details about which staff have treated patients.
https://www.medicaldevice-network.com/features/nhs-data-grab-gpdpr/
Opted out.
Yep, opted out of both bits. Think I might have been one of the first at my practice as they didn't seem to know what the firm's were about.
Thought I'd missed the deadline for this, will get myself opted out ASAP!
england only so no need to opt out
Slightly playing devil’s advocate, if the data is anonymised, then what is the issue, it will make a very powerful dataset to inform decision making making on how to deliver future healthcare.
Can someone point me to the evidence that shows it’s a really bad idea for me, or the country?
If the data was staying with the NHS and I was confident that the NHS would remain a public body for the long term, then yes, use my data to improve the system.
It's the bit about them saying They'll not "sell" your data but will recover costs from 3rd parties.
The Tories tried this in the past, and fortunately failed. If it's so legitimate, why try and sneak it through quietly during a pandemic
When the NHS is finally sold off and the insurance companies refuse or hike your premium for where you live think back to this.
At some point, the frogs need to realise the water is getting warmer.
The data is not properly anonymised. Its quite easy to unravel it and work out who is being referred to is my understanding. the parts of the data that make people identifiable will not be removed - but replaced with a code which can be reversed - there is even a clause that allows commercial companies to reverse this. If it was properly anonymized then there would be no way to reverse engineer the anonymization - instead a clear pathway to do so has been deliberately left in
Note exempting it from GDPR =- that means they intend and expect that personally identifiable information will be sold
NHS data has always been available for proper research. this is to sell it to commercial concerns like insurance companies who will dig down into the data to at best use it to disadvantage certain groups ie if they work out that people is ( for example) a particular postcode in conventry are more likely to do certain develop certain illness then they will use that to alter the way they offer insurance - which will have the effect of disadvantaging particular ethnic groups.
The data is so granular that identifying individuals will be possible from it as well as identifying individuals from reverse engineering the anonymisation
We (my company - we run drug trials for pharma and biotech) buy data like this from the US insurance providers.
We use it to identify doctors/clinics that treat a large number of the types of patient that we are looking for to be enrolled one of our trials, eg: have been diagnosed with disease x within the last 12 months, and are currently being treated with drug Y or Z. We can then approach that doctor to see if he wants to be an investigator in our trial. My understanding is that you can tweak the sensitivity to hone-in on a reasonably small subset of patients - but we would never be interested in actually identifying those patients (we are prohibited from doing so anyway).
The commercial side of pharma might use the data to identify potential prescribers of their new product, in order to focus their sales efforts I suppose - but there is no particular impact on the individual.
In the UK you are pretty well protected against the evil pharma empires by the national regulations, pharma codes of conduct and the NHS. As always, its the US constantly plumbing the depths of commercial shit****ery that tends to set precedents for this kind of stuff, particularly in the context of their dumpsterfire of a healthcare industry.
I am pretty relaxed about this.
Edit: who knew that shit****ery wasn't in the swear filter? Edited-out in consideration of the sensitivities of small children, the elderly and infirm.
We use it to identify doctors/clinics that treat a large number of the types of patient that we are looking for to be enrolled one of our trials,
My understanding is that you can tweak the sensitivity to hone-in on a reasonably small subset of patients – but we would never be interested in actually identifying those patients (we are prohibited from doing so anyway).
exactly the sort of use of the data that would be illegal under EU law and GDPR and this data grab removes those prohibitions
And does anyone really believe that a " code of conduct" will prevent this? Its insurance companies that are the real worry not pharma. If they can identify individuals and its in their commercial interest to do so then of course they will
And does anyone really believe that a ” code of conduct” will prevent this?
I wrote:
In the UK you are pretty well protected against the evil pharma empires by the national regulations, pharma codes of conduct and the NHS
The threats of massive fines are certainly effective in driving compliance in my industry.
No idea about the US insurance industry
Can someone point me to the evidence that shows it’s a really bad idea for me, or the country?
Never any I’ve been convinced by just some saying it might be. I’ve not opted out.
Link to NHS Digital pages on this
The data isn't sold for profit - there is cost recovery for providing the data, and these costs are really modest compared with what it cold be sold for commercially
The same system/processes have already been in place for hospital data for years - it's being extended to GP data as this is now extracted from GP systems and held centrally.
There is a massive public good in this dataset being available for research which needs to be balanced against the risk of misuse or data breach. If you aren't happy then opt out
I am pretty relaxed about this.
+1
Companies (pharma and healthcare logistics) I've worked for use to buy data plus sell theirs, it's one of the reasons modern medicines work so well.
Do you really think there will not be creep on who has access to the data? its obviously being set up to do so by the removal of safeguards and exemption from GDPR
Obviously the use of nhs data for research can be good. Its also obvious that this goes well beyond that and the lack of proper anonymization shows this
if it was just for research it would be properly anonymized. FFS there is even clause to allow removal of the psuedoanonymisation
Once your data has been put into this scheme when there is further creep in scope in the future you will not be able to remove your data from it.
the government have also done the bare minimum to tell people about the use of this data and to tell people of their rights to opt out
The same system/processes have already been in place for hospital data for years – it’s being extended to GP data as this is now extracted from GP systems and held centrally.
the hospital data is anonymised properly and has safeguards built in . This data grab does not.
This is definitely just for English NHS data? I'm liking the idea of sharing the data, but it would have to be fully anonymised and not able to be identifiable. I've no real concerns of people knowing that A person or persons have had a twisted low energy lightbulb removed from a body cavity, but I'd have real concerns if they could identify me as one of the people who has had to have said low energy twisted lightbulb removed (and even more so if it reported the number of times it had to be removed).
I'm slightly concerned but not enough to do something yet as it seems to be English NHS data only...if/when it comes to rest of the UK, then I suspect I'll be opting out.
This is definitely just for English NHS data?
Yes
IIRC Scotland has a system to to share data for research but with much better protections. Certainly I have heard no protests about scottish NHS data and that vocal minority of SNP / Sturgeon haters would be all over it if they could.
I've opted out along with my NHS wife nurse
FFS there is even clause to allow removal of the psuedoanonymisation
Of course it does, how else do you think it will manage allowing people who've consented to take part in a research project to share their data? Or for approved research projects to find volunteers for projects?
They've made pretty strong statements about what they're not going to do with the data. If that changes, I'll reconsider my options, as it stands at the minute, I'm content for my data to be collected.
Research does not need people to be personally identifiable. The "medical research" bit is anyway a cover for selling this data to commercial firms. How on earth do you think they can do research now with properly anonymised data? Note its going to be GDPR exempt.
Once it changes and it will - and the words given are very different to what the bill allows - it too late - you cannot get your data back.
Their fine words contain safeguards but the bill does not.
there is no way on earth a company should be allowed to trawl the data, find individuals and ask them to join a research project. Thats reversal of consent and goes totally against all the principles of confidentiality.
They’ve made pretty strong statements about what they’re not going to do with the data. If that changes,
But given these laws, codes of conduct and statements have worked for the last few decades you've got to realise they're going to suddenly be ignored surely? After all, the government wears blue ties and, especially under the guidance of someone with so little desire for their own beatification as Boris, is absolutely dead set on the political and career seppuku that would be the dismantling of the NHS.
, I’ll reconsider my options, as it stands at the minute, I’m content for my data to be collected.
You cannot do this. Once your data is shared thats it. You cannot withdraw the consent.
there is no way on earth a company should be allowed to trawl the data, find individuals and ask them to join a research project. Thats reversal of consent and goes totally against all the principles of confidentiality.
Is that going to happen?
As I explained, we’re not allowed to do that now - it’s literally against the law, and nothing to do with gdpr
Thats what Nickc thinks is going to happen and its allowed for in the bill. The pseudoanonymised data contains a code for the personally identifiable information that can be decoded on request and of course can be reverse engineered.
Nickc seems to think its needed for research
If they have no intention of doing so why build the capability into it?
The circumstances where pseudonymisation can be reversed is covered in the NHS Digital Q&A I provided a link to above
Either you accept what NHS Digital say or you don't and can opt out
Thats what Nickc thinks...
Nickc seems to think
No disparagement of Nickc intended, but if this was a conversation about vaccine take-up you'd be less than complimentary about an argument based on "but I read on social media".
I didn't say nickc was right. My comment batfink quoted ( brilliant name BTW) was to point out the issues with what Nickc was stating.
there is no way on earth a company should be allowed to trawl the data, find individuals and ask them to join a research project. Thats reversal of consent and goes totally against all the principles of confidentiality.
Company x are looking at a vaccine/drug to cure disease Y. They ask NHS digital for data on GPs with patients who have disease Y and ask them to take part in a trial. Patient of the GP give consent to company x and with consent as proof, are given reversed data on patients. No one is having to trawl through personalised data
You cannot do this. Once your data is shared thats it. You cannot withdraw the consent.
If they make such huge changes to the scope of the data use, than they will have to ask again to make sure people are still content. If that's not the case and they don't, I'll probably make this face
And get on with my day,
Please tell me that's an actual photo of you nick
If they make such huge changes to the scope of the data use, than they will have to ask again to make sure people are still content. If that’s not the case and they don’t, I’ll probably make this face
there is no way of doing this. Once your data is included then it cannot be removed
Its not a huge change - its in there now that this can be done. why build in the capability if not to use it?
I feel it's my civic duty to take part.
The benefits of large data sets and the new super-computing tools to analyse that data are only going to improve the standards of healthcare and drugs for society as a whole.
That far outweighs the risks. It's like giving blood or getting a vaccination, there are risks and my data may get leaked or I may suffer some sort of medical issue, but there are societal benefits and to me the risks are worth it.
The reality is the vast majority of the most effective drugs are and have been developed by private organisations. There may be risks sharing data (and it is highly anonymised) but they are worth it.
I'll put my hard hat on.
But given these laws, codes of conduct and statements have worked for the last few decades you’ve got to realise they’re going to suddenly be ignored surely?
It'll be those last few decades where we were part of the EU and had a strong set of principles that governed the EU - now we have left the EU, we don't have so much principle - hence this sort of thing being done. I suspect this has been getting worked on since the start of Brexit murmurings.
And as much as I hate being the saddo that waves Brexit about, it has had a massive impact on this - if we hadn't left the EU, we wouldn't be discussing this as it wouldn't be happening. This is about maximising profit from things that were previously not available to be profiteered in such an open way. If it wasn't, then it would be entirely anonymised.
Please tell me that’s an actual photo of you nick
Obviously 🙂
and it is highly anonymised
This is the point. It is not anonymised. Itsd pseudoanonymised, the pseudo anonymisation can be reverse engineered and there is a route to remove the anonymisation actually in the legislation - and its allowed to breach GDPR
If it was properly anonymised it would be impossible to trace individuals from the data set. If yo can trace individuals then its not anonymous
You cannot do this. Once your data is shared thats it. You cannot withdraw the consent.
They have caved in on this now and said that it will offer patients the option to opt out at any stage, with historic data being deleted even if it had been uploaded.
But it sounds a bit like trying to put a genie back into a bottle.
The data is held centrally for 'users' to run queries against rather than get copies of the entire dataset, but in practice there is nothing to stop you running a query that can extract the entire contents and can be done very easily and I'm guessing often. I'd like to know how this type of behaviour will be monitored.
how do you withdraw your consent?
I feel it’s my civic duty to take part.
..said the lemming to his lemming friends. Jump he said, and they did.
Thankyou Teej, but I think you’ve made a slight error according to what I’ve read. You CAN opt out in future, but all the information they’ve already collected belongs to them, they just won’t be allowed to collect any more.*
Not much help then really is it?
Anyone who thinks this is for the good of anyone, other than the American insurance and pharmaceutical companies waiting to hoover-up the NHS, is in my opinion, a fool.
*Edit, I stand corrected.
This is the point. It is not anonymised. Itsd pseudoanonymised
Your NHS number, date of birth and Postcode are coded, and can be un-coded. (pseudorandomised) the rest of the data is anonymised (name address etc) and is only shared by consent
Company x are looking at a vaccine/drug to cure disease Y. They ask NHS digital for data on GPs with patients who have disease Y and ask them to take part in a trial. Patient of the GP give consent to company x and with consent as proof, are given reversed data on patients.
It would only work this way if it was a non-interventional/retrospective study or some sort of treatment registry. Usually these are done by the NHS or various research foundations to understand how patients with a disease are actually treated in the real world. They are of very limited use commercially.
Commercial research tends to be interventional/prospective in nature - you are usually testing a new drug. When you consent to take part in that study, you are agreeing for the trial sponsor (pharma company), it’s agents (me) and a whole raft of other people: auditors, regulators etc, to have full access to your entire medical record. Any data that is collected has personal identifiers removed. A link still exists between the patients unique trial subject number and their actual name… but that’s limited to a single piece of paper that’s retained by the doctor. We check that they are recording the names, but we don’t ever collect them.
In fact we have rafts of policies and procedures for how to deal with doctors who inadvertently send us the names of their patients - it’s like that scene out of monsters inc when they find the sock on the monsters back
They have caved in on this now and said that it will offer patients the option to opt out at any stage, with historic data being deleted even if it had been uploaded.
I had not ;picked that up but its still half assed - how are they going to extract that data from the data sets that have already been given out?
how are they going to extract that data from the data sets that have already been given out?
Same way they would under gdpr, a nice letter followed by considering whose pockets are deeper, followed by a strongly worded letter and forgetting all about it. At least this time they're being honest about their unwillingness/inability to enforce it.
They don't always sell data, didn't they give some of it away to Amazon recently? I assume that was because Amazon couldn't afford it and said pretty please.
They don’t always sell data, didn’t they give some of it away to Amazon recently?
No.
They don’t always sell data, didn’t they give some of it away to [S] Amazon [/S] the next person who happened to use the bus stop recently?
FTFY
Dispiriting thread. The way this has been pitched ain't exactly great (bmj editorial here) , at a time when we really don't want to undermine trust in the NHS, but you won't find many researchers (uni or industry based) who think opting out is somehow a good idea. You're really not socking it to the man by doing this. All you're doing is skewing the data a bit and making vital research more difficult to do.
the problem is not medical research - I have no issue with this. Its that it seems more likely that all sorts of other folk can get their hands on personally identifiable data from this as the tories will want to monetarise it and its set up for them to do so
they make a big fuss about the medical research side - but refuse to say insurance companies for example will be banned from getting it
Its also the fact that its not properly anonymized as it should be.
Im opted out on the simple basis that I don’t trust Boris further than I can throw him. Based on his current form if he says something can’t or won’t be done then it’sa racing certainty it will be. After 13 years in the NHS I have no confidence in the senior management to do anything except what their political matters tell them
Amazon was given access to NHS data under a shady deal. NOt patient data but everything else.
the contract will also allow the company access to information on symptoms, causes and definitions of conditions, and “all related copyrightable content and data and other materials”.
the contract will also allow the company access to information on symptoms, causes and definitions of conditions, and “all related copyrightable content and data and other materials”.
So the sort of thing that might come in handy for saying "alexa, my child has a cough and a temperature, what's wrong with them" that sort of thing?
Its also the fact that its not properly anonymized as it should be.
This is untrue, for the third time....
that sort of thing?
yes, exactly that sort of thing.
Nickc - its simply is true. If it can be de anonymised then its not done properly
this is one of the major criticisms with it. the data can be tracked back to individuals - indeed the bill actually has a built in method to do so and also it can be done without permission using modern data mining techniques.
check the BMJ for this.
You really need to read up and understand this.
check the BMJ for this.
yes, do
From Angela Coulters ed https://www.bmj.com/content/373/bmj.n1413 her view is that:
This is indeed a sensitive issue but opting out may not be the best response
matty handjob being **** or whatever, johnson being a massive shit, is not going to be cured by anyone opting out. Though clearly (again from the editorial):
For too long arguments about who should have access to their data have raged above patients’ heads or behind their backs. Opting out is an unsatisfactory solution. It is time to make more strenuous efforts to involve the public in designing and implementing secure systems for extracting benefit from this important resource.
Distracting irrelevancies about amazon aside, for sure folks don't trust our pols - does this mean they should opt out of organ donation? Donating data is similarly contributing to the common good.
the best response is for the government to put proper anonymization in place and proper legal safeguards in place including no exemption from GDPR
As they refuse to do this and its 100% clear that the data can be traced back to individuals and can me misused then opting out is the only way a citizen can be sure their personal data is safe
Once again - its not the medical research that is the issue - its all the other ways the data can be used to the detriment of individuals and groups
there is a lot of criticism in the BMJ over this
If your data is safe why exempt it from GDPR
Are you really happy with the use of it for marketing? for insurance ?
wrote so0mething deleted it, I'm not going to engage/spend any more energy arguing with you about it.
For Scotland TJ is right, all the PII can be brought back
Nickc - you have shown that you do not understand the differnce between anonyonised and pseudo anonymized and they way you desribed data being used for research is as batfink pionted out currently illegal and unethical
I ask again - are you happy that insuance companies and marketing companies will be able to access individuals personal and sensitive data with the individuals identified- because under this proposal they can
its not the medical research that is the issue – its all the other ways the data can be used to the detriment of individuals and groups there is a lot of criticism in the BMJ over this
link please
TJ - I think we do understand it (anonymised data).
Just because an encryption key exists to reverse the anonymisation does not mean it is not anonymised.
When the data is given the key is not.
Credit card data works in exactly the same way. Details are encrypted but without the key, it's impossible to decipher, much like the anonymisation.
There may be occasions where it is necessary to identify a source (say someone with some mutant gene that threatens humanity). In this case, the key might be requested by the data user.
Whether that is available to the user will be up to the quango.
Just because that function exists for extreme circumstances is not the same as saying the data is not anonymised.
And anyway, the receptionist at the GP will likely have far more juicy access to personal info than any pharma org, which I'd be far more worried about!
Just because an encryption key exists to reverse the anonymisation does not mean it is not anonymised.
CSI: Edingburgh will crack the code.
you have shown that you do not understand the differnce between anonyonised and pseudo anonymized
I absolutely do understand it, it's literally part of my job. I get that you're anti technology, I get that you constantly need the affirmation of sticking it to the man. Crack on. Go you. It's absolutely not worth my time or effort to get into this with you as experience as told me, you're not interested in discussion, you're interested only in seeing the world your way, so there's the end of it.
They are very welcome to my data, if there is even the slightest hint that it will make even the tiniest difference in making another human beings life better then that's enough for me.
I realise to most that that might seem like a naive and trusting approach but what's the worst that could happen to me? Those nasty Tories run off with £50 notes overflowing from their swag bag, or maybe, maybe, one day an insurance company charges me an extra £10 because I once had haemorrhoids.
I'm also on the organ donor list, perhaps I should cancel that in case Boris tries to cash it in early and I wake up in a bath full of ice cubes. He's bound to you know, he's done it before, my aunty Joan told me.
I just know people will be trying (and succeeding) to use this data to screw people over, and I fully expect one day they'd be successful against me. Specifically that I'd be made to pay/contribute more towards some healthcare provision, within whatever form the healthcare industry system will look like in 20 years.
No nickc - you neither understand my motivations, nor want to understand them nor do you understand the issues here
Its not about sticking it to the man, its about understanding the real harm that misuse of the data can cause
You want to be willfully blind to the potential harm - then keep on sticking your head in the sand
its not about medical research. its about the other companies such ass insurers or marketing that can get this data
its about the total refusal of the government to put in simple safeguards to protect the data
if its as benign as you think why will they not anonymize it properly?
if its only totally ethical medical researchers then whey will the government not limit it to them?
Answer me that. If its as benign as yo claim then why is there no legal method to ensure its benign?
if the data was to be properly controlled, anonymized and not personally identifiable then I would have no issue
so why does the government refuse to do this?
You are so determined I have nothing of value to say that yo will not listen not will you even attempt to understand how this data with so minimal legal protections could be used for massive harm. any alternative point of view you have to shout down because you do not and do not want to think about the implications
I say again - its not about medical research. I trust them in general. Its about the lack of controls on who gets the data and what they can do with it
It would be very easy for the government to ensure the safety of the data and to ensure privacy but they refuse to do so. why?
@batfink IQVIA, Parexel or covance?
Or are you at one of the smaller ones?
I started a similar thread before they extended the deadline, i have opted out. I disagree with the pseudo anonymised data, plus i fail to see why they are not using the existing process of data access which is actually controlled.
Fwiw i work as a clinical trial auditor and we would be shut down if we tried some of the stuff that could be possible with this data.
GDPR doesn't apply to scientific research (look at the exclusions), but secondary use of data is a potential minefield.
My concern isn't medical use, more the other potential usages
Thank you graham - showing I am not a paranoid loony on this but actually understand the implications of the lack of controls
The worst that can happen? Well Mr non smoking fit as **** individual due to previous health outcomes and social/geographical conditions we have decided to cancel your life policy....
Not £10 for your piles.... thats the best that could happen.
Risk management is all about known risks which are formed into a risk model/algorithm, this data allows a risk model that will drive up profits and reduce loss.
On more basic note, why do you think the Tories want to sell it? For the greater good?
As someone who works in this area...
OPT THE **** OUT.
Risk management is all about known risks which are formed into a risk model/algorithm, this data allows a risk model that will drive up profits and reduce loss.
Let me elaborate a bit about this for anyone who's interested. There is an entire industry of companies, with thousands of people (statisticians, programmers) working with data to produce risk models for all kinds of insurable risks (weather, fire, health... dozens). All those people working away at this, and getting good money for it. They use terms like "management of loss cost" when talking about death in service cover. When talking about health/life, they use terms like "longevity risk" (you living longer than the insurer hoped) and refer to "mortality improvement" (advancements in medicine) as if it was a problem (which for them, it is). Whether you're health as a nut (Garmin data please?) or the opposite (Clubcard data please), they're hungry for data and it won't be used for your benefit. It doesn't even matter if it's not data about you specifically; they'll match you to a cohort based on what they think you're like.
This is at the direction of the government, yeah? I'm out.
There's a lot I want to say about this, it is part of my day job, but it's gone 2am so I'll just drop two things.
1) "Pseudo-anonymised" is bullshit. It's either anonymous or it isn't. If data can be used to identify an individual or, crucially, if it is anonymous data which could be combined with other data to personally identify an individual, then it falls under GDPR.
2) Remember the early Track & Trace debacle where the government originally wanted to create their own central-database oriented system rather than use globally recognised and developed API-based systems? In isolation I likely wouldn't care about this and regular readers will know that I'm not one to reach for the tinfoil, but that's a coincidence too far for my liking and I'm deeply concerned about their motivations here.
And point 3 out of 2,
Of course, this has all been well publicised and everyone is well aware of it.
Oh.
On a technical point, UKGDPR absolutely does apply to scientific research if personal data is processed. There are exemptions for some types of research from certain data subject rights if a number of safeguards are applied, so lots of qualifiers. That's a dangerous misunderstanding to say it doesn't apply across the board d so just to clear that up.
Apologies, the specific area gdpr does not apply to is the right to be forgotten and opt out after entry into a clinical trial or data usage where it could affect regulated data, i can see how they would take that item to apply to medical data but it would be a very poor interpretation of the rules.
I realised after the edit window had closed
“Pseudo-anonymised” is bullshit. It’s either anonymous or it isn’t.
Not quite. My understanding is the data elements that can identify a person will be tokenised e.g. changing my NHS number of 1234 to WXYZ using some clever hashing algo, after all the 3rd party consumers have to have some kind of unique identifier to piece together events for a patient over time. In theory the 'good side' will have access to the token management system for things like adding/deleting data records and the 'dark side' will have access to a meaningless token that still allows them to uniquely identify a set of related events. My worry is that the token management system will be abused in the future.
That and the data is so granular that data mining could certainly get down to very small groups and in some cases individuals.
If the anonymisation can be undone then its not anoymous