A £63m plan to exploit NHS medical records has been criticised for failing to offer patients a choice over whether their personal health data is shared with hundreds of researchers.
More than 1.1 million people in the Lothians, Borders, and Fife could see their medical records analysed by researchers for the benefit of private firms as part of a project dubbed the ‘Data Loch.’
Although the project – which is managed by the University of Edinburgh and NHS Lothian and funded as part of the South East Scotland City Region Deal – is not set to become fully operational until late 2022, The Ferret has established the Data Loch already combines a number of different data sets about patients.
The stored information includes data on visits to hospitals and primary care facilities, as well as records from some local GP surgeries in the area. NHS Scotland data on prescriptions, mental health treatment, and Covid-19 Shielding status are also available through the project.
READ MORE: Public bodies shed property worth hundreds of millions to balance books
Critics have demanded more transparency over how the data is used, a patient opt-out, and highlighted the cybersecurity risks of assembling “massive datasets loaded with personal information”.
NHS Lothian insisted it would "never act to compromise patient data". But even though the business plan for the project names huge pharmaceutical firms as potential industry collaborators – and boasts that it will attract £138m in research income – the health board says patients should not be given a choice about whether their health data is added to the “loch” of information.
The Data Loch project website says in its frequently asked questions section: “There is no patient opt-out, and this is in line with the legal basis for processing.”
It goes on to use an argument made by an unnamed former chief medical officer (CMO) to justify why the project does not allow people an opt-out.
“Offering consent opt-outs on data processing, essential for delivering high-quality care and...is disruptive, costly and can reduce quality and equity of care,” the CMO is quoted as saying:
According to a spokesperson for the University of Edinburgh: “Any personal data collected will be anonymised.”
But a detailed description of the information held by the project, obtained by The Ferret, shows that patient information in the Data Loch is pseudonymised.
This means it may not be completely anonymised and it could be possible to ‘re-identify’ individuals by matching one set of data with another one.
As a result, claimed Phil Booth of MedConfidential, the Data Loch may be in breach of UK data protection rules set out in the General Data Protection Regulations (GDPR).
After reviewing the way data is used in the Data Loch, he argued that recent GDPR guidance from privacy watchdog the Information Commissioner still applies. The guidance explains: “Pseudonymous data is... still personal data and data protection law applies.”
Booth added: “The Scottish Government’s Chief Medical Officer can “argue” all he likes, but he cannot ignore or override the law. The Data Loch is processing what GDPR says is patients’ personal data, so they have a right to be told what is being done with their sensitive medical information – and a right to opt out.”
The University of Edinburgh press office did not confirm how many people had already accessed medical records held in the Data Loch. But the project website claims it has “already supported a number of important projects investigating COVID-19”.
GP patient data
Individual GP practices were invited by NHS Lothian to share their patients’ medical data with the project in 2020. But NHS Lothian has declined to name the GP practices that have chosen to share their patients’ data with the project.
The health board did not say how many GP practices that did opt-in to the project told patients that data from their medical records would be shared with Data Loch.
Lothians MSP Alex Cole Hamilton said: “No one who goes to hospital or to their GP seeking medical treatment is expecting their data to be farmed out to researchers.
"At a minimum there should be a clear statement setting out who will be able to access this data and a mechanism for people to opt out if they don't want their data shared.
"In the past SNP ministers have been keen to use NHS records as a basis for storing personal data about everyone in Scotland. Alongside privacy campaigners, Scottish Liberal Democrats have defeated previous attempts to assemble massive datasets loaded with private personal information.
“In an era in which cybercrime and exploitation of personal information is rampant there are clearly serious risks attached to projects such as this."
Scottish Greens health spokesperson Gillian Mackay MSP echoed these concerns and said: “NHS Scotland collects some of the best data in the world and it is vital this is turned into public health intelligence.
“However, this is normally anonymised and it would be unacceptable for anyone’s personal data to be used unknowingly for commercial purposes. GDPR laws must be upheld to maintain people’s trust in services.”
Concerns over the Data Loch have emerged as debate over UK Government proposals to centralise health data from GP records in England, dubbed the General Practice Data for Planning and Research, has caused controversy south of the border.
A coalition of campaign groups threatened to take the UK Government Department of Health and Social Care to court unless a patient opt-out was provided and proper public consultation undertaken. In response to the legal threat, the UK Government has put the process on pause.
A similar but little known project dubbed SPIRE is already operational in Scotland. It allows GP practices to share data with NHS Scotland and provides a national database that may be accessed by researchers from outwith the NHS.
Unlike the Data Loch, patients can opt-out of this data sharing project by contacting their GP or by using a form on the SPIRE website.
£138m in research income
Business plans describing the long-term aspirations for Data Loch show that backers are keen to expand the project to cover more than just the South East Scotland city region deal area.
The document notes that although Scotland has “a single healthcare provider and world-leading linked healthcare data assets… the current approach acts as a barrier to research and innovation at scale in the region”.
It adds: “There are aspirations to scale the Data Loch and relevant activities but the immediate focus is deploying a successful solution across the City Region.”
As part of a wider ‘data driven innovation’ programme, the Data Loch is part of a plan that hopes to attract £138m in research income, start or grow 49 new businesses and ‘interact’ with 280 companies.
The plan names several companies that the University of Edinburgh has existing relationships with who may be possible customers. Likely industry collaborators are listed as Pfizer, Bristol-Myers Squibb, AstraZeneca, and Glaxo-Smith Kline, as well as medical devices firms Abbott Laboratories, Siemens Healthineers, and LumiraDx.
“Through the Data Loch there is a large potential market to evaluate the impact of new diagnostic equipment and testing on health service delivery and outcomes,” the plan adds.
Dr Tracey Gillies, medical director of NHS Lothian, said: “Every day, medical research and innovation is carried out by researchers across the UK using data that has been recorded during a patient’s treatment and is processed to ensure their identities are not revealed.
“This practice, which analyses symptoms, treatments and outcomes has allowed great strides and advances to be made in developing lifesaving treatments in many specialties, including cardiac care and also COVID-19. Without this research, breakthrough treatments and vaccines would be impossible.
Gillies added: “Data Loch’s purpose is to enable these data-driven health and social care innovations to improve the health and lives of the region’s population. These activities are entirely in the public interest. Patient data is not being sold to private organisations, nor is it leaving the control of the NHS.
“Access to extracts of data are provided to NHS service managers and medical researchers, approved by the NHS Lothian’s Caldicott Guardian and under strict controls. The data has identifying information removed and sits in a secure IT environment.
“NHS Lothian takes patient confidentiality extremely seriously and has a well-deserved reputation for robust governance processes. We would never act to compromise patient data.”
However, the health board reiterated that it has no plans to offer patients the opportunity to opt-out.
A spokesperson for the University of Edinburgh said: “Personal information gathered by Data Loch will not be sold to private organisations for commercial gain. Any personal data collected will be anonymised and used for important research to help improve future understanding, treatments and health outcomes for patients.”
A Scottish Government spokeswoman said: “Patient data is confidential – and any suggestion it is for sale in Scotland or is being used for commercial purposes is categorically untrue.
“We take patient confidentiality extremely seriously and expect all processing of personal data to be fair, lawful and secure.”
Why are you making commenting on The Herald only available to subscribers?
It should have been a safe space for informed debate, somewhere for readers to discuss issues around the biggest stories of the day, but all too often the below the line comments on most websites have become bogged down by off-topic discussions and abuse.
heraldscotland.com is tackling this problem by allowing only subscribers to comment.
We are doing this to improve the experience for our loyal readers and we believe it will reduce the ability of trolls and troublemakers, who occasionally find their way onto our site, to abuse our journalists and readers. We also hope it will help the comments section fulfil its promise as a part of Scotland's conversation with itself.
We are lucky at The Herald. We are read by an informed, educated readership who can add their knowledge and insights to our stories.
That is invaluable.
We are making the subscriber-only change to support our valued readers, who tell us they don't want the site cluttered up with irrelevant comments, untruths and abuse.
In the past, the journalist’s job was to collect and distribute information to the audience. Technology means that readers can shape a discussion. We look forward to hearing from you on heraldscotland.com
Comments & Moderation
Readers’ comments: You are personally liable for the content of any comments you upload to this website, so please act responsibly. We do not pre-moderate or monitor readers’ comments appearing on our websites, but we do post-moderate in response to complaints we receive or otherwise when a potential problem comes to our attention. You can make a complaint by using the ‘report this post’ link . We may then apply our discretion under the user terms to amend or delete comments.
Post moderation is undertaken full-time 9am-6pm on weekdays, and on a part-time basis outwith those hours.
Read the rules hereLast Updated:
Report this comment Cancel