Hundreds of patient data breaches are left unpunished, reveals The BMJ
Hundreds of organizations including drug companies, NHS commissioners, and universities have breached patient data sharing agreements in the past seven years, reveals an investigation by The BMJ today.
GlaxoSmithKline (GSK) and Imperial College London are among those that have carried out "high risk" breaches according to NHS Digital audits examined by investigative reporter Esther Oxford. This means that they are handling information outside of agreed data contracts and may be failing to protect confidentiality.
In one instance of a high risk breach, clinical care commissioners allowed sensitive, identifiable patient data to be released to Virgin Care without permission from NHS Digital. When NHS Digital's audit team tried to get access to Virgin Care to check their compliance, it was denied access for several weeks and the company refused to delete the patient data.
"It is outrageous that private companies and university research teams are failing to comply," says Kingsley Manning, former chair of NHS Digital. "How is it that these organizations can be so lax with data?"
Yet Oxford explains that none of the organizations have had their access to NHS Digital's data curtailed in light of the breaches. Instead, NHS Digital said it works with the organizations to rectify problems.
NHS Digital has the power to suspend the provision of data but any decision to curtail access to data would "need to be balanced against any negative impact to patient care", a spokesperson said. Clinical Commissioning Groups (CCGs) would be unable to commission services if they had to return data, and ceasing access to data for clinical trials would mean their benefits would not be achieved, they added.
Phil Booth, coordinator of campaigning group medConfidential, says there needs to be real consequences if companies, commissioners, and research teams breach their agreements, otherwise data sharing contracts are meaningless. "These contractual requirements aren't just for fun: a single data breach could include sensitive information about millions of patients," he said.
Natalie Banner, former lead for the Understanding Patient Data initiative hosted by Wellcome agrees that the current system "is failing to protect data adequately and a major policy shift and investment is needed."
Oxford explains that NHS Digital also has the power to report an organization to the Information Commissioner's Office (ICO) if there has been a personal data breach.
But the ICO said it could not tell The BMJ if NHS Digital had ever reported a pharmaceutical company, university, or organization for breaching a data sharing agreement, and there are no examples of enforcement action against these entities published on the ICO website.
NHS Digital has plans to provide a more secure system—known as a trusted research environment (TRE)—for organizations wanting to access health and social care data, notes Oxford. But there are fears about how TREs will work if taken up by the NHS, including how they will be made accountable and transparent.
Many are also worried about the government's plan to abolish NHS Digital and allow NHS England to take on its powers and responsibilities.
"The move is alarming," says Philip Hunt, member of the House of Lords. "NHS England has so many roles and motivations it is never going to be able to protect patient information in the way an independent body with specific responsibilities to do so would."
A spokesperson from the Department of Health and Social Care said, "The obligations that NHS Digital currently has to safeguard patient data will become those of NHS England. This will include the same level of transparency as to how data are disseminated and used."
It will take time to decide on the correct policy and to arrange the new data infrastructure, says Banner. "What's being done about NHS Digital's audits and those failures in the meantime?"
More information: Investigation: Hundreds of patient data breaches are left unpunished, The BMJ (2022). DOI: 10.1136/bmj.o1126