Helen Salisbury: Is presumed consent enough for sharing medical data?

Medicine is usually an activity that involves consenting adults, or adults consenting on behalf of their children. Before surgical procedures, especially if the patient will be unconscious, we ask for written consent, but in most other situations verbal consent is enough. Sometimes it’s sought informally (“Shall I examine you now?”), and sometimes consent is implied (for instance, by the patient climbing on a couch or rolling up a sleeve for a blood test). In these situations consent is presumed and, crucially, the patient can withdraw that consent at any time to stop the procedure.

Just how formal we need consent to be depends on the situation; asking for written consent before every interaction would be cumbersome and impractical. But whether it’s written, verbal, or implied, for consent to be valid it needs to be informed. Patients must understand what they’re agreeing to, although the depth of the explanation required will vary. If I arrange to take a blood test, I’ll paraphrase what I’m looking for: “I’m going to check that you’re not anaemic and that your liver and kidneys are working normally” is probably enough for most patients. But my surgical colleagues, embarking on something more serious and irrevocable, need to be formal and detailed in their discussions, so that the patient understands the risks and benefits before going under an anaesthetic and the knife.

So, how will we explain the latest plans for secondary use of GP held patient data? The rationale recently given in parliament by Matt Hancock, the then secretary of state for health, mixed up the use of data for direct patient care—which is not what this project is about—and its use for research.1 He hailed the discovery of dexamethasone’s efficacy in treating covid-19 as a triumph of big data, when it was in fact the product of a rigorous, consented, randomised controlled trial.2 He was either misleading us or misunderstanding the proposals.

As data controllers, GPs must be sure that patients have given valid consent for their data to be processed by NHS Digital before we can hand it over, at a date currently scheduled for 1 September 2021. As it remains unclear what safeguards will be in place to guarantee the security of personal medical information, we’re not yet in a position to explain to patients the risks and benefits of sharing their data.

It’s time to return to that old NHS mantra: nothing about me, without me.3 After three years of planning this may seem a shame, but NHS Digital needs to go back to the drawing board and find a better plan for data security. It needs to produce accurate and accessible information that reaches every patient, as well as easy methods by which people can indicate whether they’re willing to share their data for research and planning. Patients also need the right to withdraw their consent at any time and to remove their data from any central store.