ICO rules out regulatory action over NHS Digital data opt out concerns
Data regulator has concluded organisation has taken sufficient steps to address and inform patients of previous failings to uphold data protection commitments
The Information Commissioner’s Office (ICO) has decided not to take regulatory action against NHS Digital after being satisfied with its work to ensure the rights of patients wishing to opt out from sharing their personal data were met following a previous failure.
A spokesperson for the UK data regulator said it acknowledged that NHS Digital had made progress to ensure that the choices of patients who had opted not to share data for purposes other than direct care, identified as a 'type 2' objection, were being honoured.
NHS Digital signed an undertaking in April last year to take actions to remedy a failure to honour an estimated 700,000 type 2 opt outs, which was linked to “legal and technological reasons”.
As the national provider of information, data and IT systems for the NHS, the organisation – previously known as the Health and Social Care Information Centre (HSCIC) – was also required to make affected patients aware of a failure to prevent their information being shared since early in 2014 despite the opt out.
The ICO performed a follow-up in December on the undertaking, requiring some additional work from NHS Digital around its previous failure to correctly implement opt outs that had been received.
“A formal assessment by ICO good practice auditors in December identified a small amount of work to do, but the team was satisfied that the requirements of the undertaking were being met,” said the ICO. “NHS Digital has agreed to the ICO’s final recommendations and, as a result, the ICO is satisfied that regulatory action will not be necessary at this stage.”
The commitments in the undertaking included amending published material to make it clear that objections received prior to April 29, 2016 were not honoured. The ICO also called for a means of assessing the effectiveness of efforts to ensure awareness at GP offices and other organisations about the failure to enforce the opt outs.
“If NHS Digital confirms its agreement to take the recommended steps, the ICO is satisfied that regulatory action will not be necessary at this stage,” said the data regulator in a notice published earlier this year.
Wider questions still remain over future models of consent for how patients can choose to opt out of sharing their health information, with NHS England considering hundreds of responses to a consultation held on the issue.
It is understood that among the key privacy considerations facing NHS England, a decision needs to be taken on whether patients should be provided with either one or two questions concerning how they would wish to share personal information for purposes other than direct care.
The consultation over a new consent model was launched last year as NHS England announced it would be scrapping its previous flagship care.data project, designed to make use of patient data extracted from GP records with the aim of informing clinical planning.
The decision to abandon care.data was taken based on recommendations by National Data Guardian Dame Fiona Caldicott over concerns about privacy and how patients were informed of their rights to withhold or control personal data.