Editor's Choice

The red flag patient data breaches of a wannabe global data superpower

BMJ 2022; 377 doi: https://doi.org/10.1136/bmj.o1174 (Published 12 May 2022) Cite this as: BMJ 2022;377:o1174
Kamran Abbasi, editor in chief, The BMJ (kabbasi{at}bmj.com; Twitter @KamranAbbasi)

The design of economies, argues Gerry McCartney, is too important to leave to economists (doi:10.1136/bmj.o1075) [1]. The World Health Organization’s Council on the Economics of Health for All is intruding on a conversation dominated by the International Monetary Fund and others to put the case for “wellbeing economics.” Similarly, is the oversight of patient data too important to be left to data specialists?

A new investigation by The BMJ finds that drug companies, NHS commissioners, and universities have “repeatedly violated data sharing agreements” (doi:10.1136/bmj.o1126, doi:10.1136/bmj.o1187) [2,3], underscoring the fears that many people hold about data privacy. It is an open secret that health data are seen as a commercial goldmine. Ben Goldacre, in a government commissioned review of the opportunity that routinely collected health data offer, advised that frank public discourse was required about the challenges posed by commercial exploitation of personal health data (doi:10.1136/bmj.o1018, doi:10.1136/bmj.o927) [4,5]. That conversation now seems even more urgent.

At an international conference before the covid-19 pandemic, I asked an executive responsible for personal data at a multibillion dollar global corporation about its policies on data privacy and permissions, and it was clear that even the world’s leading, and richest, companies are playing fast and loose with patient data. Our investigation found that every single one of the 33 organisations audited by NHS Digital in the past year had breached data sharing agreements. Since audits began in 2015, inspections have revealed hundreds more breaches.

The point of monitoring and regulation is to identify data breaches and take appropriate action. A data breach means that data are being handled outside agreed data contracts, and confidentiality might be compromised. As well as the breaches being extensive, we found little or no evidence of “enforcement action” by NHS Digital. Clearly, NHS Digital must act and be seen to act to prevent future breaches, but greater government control is not the answer. NHS Digital’s statutory independence needs to be reinforced if the public is to regain confidence in safeguarding personal data. One option for England’s Department of Health and Social Care is to abolish NHS Digital and seize further control of patient data through NHS England. That’s likely to make matters worse. In the meantime, NHS Digital plans to set up a “trusted research environment” for organisations seeking to access health and social care data.

The business opportunity of building the world’s most comprehensive datasets with health data at their core runs into billions of pounds, according to a report by management consultancy Ernst and Young. This causes acute alarm and requires immediate scrutiny. The UK government is perfectly aware of this commercial potential, as it seeks to become a global data superpower. This is a government that glibly enriched friends, associates, and corporations during a pandemic that resulted in over 100K excess deaths. It is a shoulder shrugging bystander as oil and gas companies increase their already immense profits, while the poorest in society choose between paying for food or their energy bills (doi:10.1136/bmj.o947, doi:10.1136/bmj.o938, doi:10.1136/bmj.o606) [6,7,8]. Pound signs, it seems, trump the red flags of lapses in principle.

The design of economies, you might say, is too important to be left to economists and ruling parties.

References