GDPR and the national opt-out: a new opportunity for patient data

Author: Dr Natalie Banner, Understanding Patient Data Lead, Wellcome Trust

With the imminent introduction of the GDPR, organisations using personal data will need to be much clearer and demonstrate better accountability over how and why they use data, and how they protect it. This is particularly important in healthcare, which is underpinned by the relationship of trust and confidentiality between clinicians and patients. At the same time, it is increasingly recognised that better linking and access to patient data could lead to enormous benefits for patients and for the health service. In this blog, Natalie Banner explores some of the core relevant principles of GDPR and what kinds of questions need to be answered to improve transparency over the use of health data.


As we live in an increasingly data-driven world, there is growing excitement about the potential to use patient data better. The UK has rich, complex and diverse datasets covering the life course of millions of patients, about everything from blood tests to biometrics and diagnoses to diets. If these could be harnessed and linked up across the population, we would have a tremendous resource to improve healthcare and drive innovations in research for the benefit of patients. Using patient data can help us better understand the causes and pathways of disease, improve treatment and prevention, ensure patient safety, advance diagnosis and help plan NHS services so that the right care can be provided at the right time to the right people.

In light of the EU General Data Protection Regulation (GDPR), supplemented by a new Data Protection Act in the UK, there will be increasing scrutiny of organisations’ data protection and sharing practices across all sectors in the coming months. However, given its sensitivity and the vital role that patient data plays in running and improving our healthcare system, there will be particular focus on how this data is protected and used.

Information about our health is some of our most sensitive personal data and we expect it to be kept safe. Trust and confidentiality are also the bedrock of the doctor-patient relationship: there is a duty of confidence owed to the information shared in this context. Preserving this relationship of trust is foundational to the healthcare system, which means that any data collected from patients needs to be well-protected, respected and managed securely.

Most people don’t know much about what happens to data contained in their health record. If they find out that data might be used for purposes beyond their own care, but without being given much context or the ability to ask further questions, the default reaction is often – unsurprisingly – one of caution and suspicion (“Who uses my data? Why? Can I stop it?”) Creating a trustworthy system for handling and using patient data is therefore essential if we are to unlock the potential of data while ensuring people can have confidence that it is being used responsibly.

In many cases, the data used for research or planning has been through a process of anonymization to remove identifying information. Much of this could fall outside of the GDPR definition of personal data, but as there is a fuzzy dividing line between personal and non-personal data, the relevance of GDPR on the use and sharing of patient data shouldn’t be underestimated.

GDPR’s core focus is on increasing transparency and accountability for how personal data is used and ensuring that people are aware of their rights as data subjects. Improving transparency for patient data can be a challenge though: the way data flows around the healthcare system and beyond is incredibly complex; and people generally start from a low base of awareness about what patient data is, or how or why their data could be used beyond their own care. When learning about the uses of patient data, people often want clear answers to the following:

  • Who is accessing the data? People tend to object most strongly to insurers and marketing firms using patient data. The NHS is generally highly trusted to use and protect the data and hold it within the system.

  • Why do they need it? There should be a strong public benefit case for using the data, e.g. developing new treatments or improving care services, not just commercial gain.

  • What kind of data are they accessing? The data should be anonymised as far as possible unless there are very good reasons for requiring identifiable data. People may have additional questions or concerns if health data is being linked to other forms of data such as socio-economic data, shopping habits or location data.

  • How is it protected? This includes the governance of decision-making about access to the data, safeguards, data security and sanctions for misuse.

It is going to be increasingly important for anyone collecting, handling or using patient data to be able to answer these questions in an accessible, accurate way if they wish patients, clinicians and citizens more broadly, to have trust in what they’re doing.

Accountability requires that it is clear where the buck stops for the use of data, with lines of responsibility and sanctions if something goes wrong. For data controllers, decisions about who can access data must be fair, justifiable and rigorous. This often involves independent advisory groups or committees such as IGARD or CAG. Data users should be able to demonstrate their compliance with GDPR, including high standards of data security and appropriate safeguards.

Finally, data subjects have enhanced rights under GDPR, including the right to object to the processing of their personal data. This is not an absolute right as there are some exemptions, including public health emergencies, criminal justice or other public interest reasons.

A new national opt-out for patient data is being introduced by the Department of Health and Social Care, to coincide with the GDPR. This is in response to Dame Fiona Caldicott’s “Review of Data Security, Consent and Opt-outs” from July 2016, which recommended a new opt-out model to ensure people can make informed choices about how their data is used. The system will enable patients in England to opt-out of their confidential patient information being shared for purposes beyond their individual care. It will apply to NHS Digital, the central body for NHS data, and then be rolled out across the health and care system in the next couple of years.

The GDPR right to object is not, however, the same as the right to opt-out under the national opt-out policy. The opt-out applies to “confidential patient information”, whereas the GDPR covers “personal data”, which is quite broadly construed in the legislation. You also do not need to provide a reason to opt-out, whereas for the right to object you need to provide grounds relating to your situation for the objection to be upheld.

GDPR rights and patient choice over the opt-out are being introduced at the same time in the broad context of increasing focus on rights and control over how information about people is used, but they should not be conflated.

The national opt-out is an important step in creating a system for using patient data that the public can have confidence in. It seeks to recognise that patients understandably want a degree of control over information from their health records while ensuring that we are equipped to learn as much as possible from and about the health of our population. At the same time, it is not a panacea for improving public confidence. There are many questions about governance, oversight, security and access to patient data that will need to be answered as the system is implemented.

It’s important to contextualise the opt-out and provide objective information about what actually happens to patient data in practice, so that people can make an informed choice. At Understanding Patient Data we’re seeking to help support conversations about how patient data can be used, so that discussions about the opt-out and patient data rights don’t occur in a vacuum. We work with patients, medical research charities, healthcare professionals, researchers, health organisations and policy makers to champion the case for responsible uses of data, for example through the #datasaveslives campaign, while providing objective evidence about the risks and safeguards.

“Data protection” is often used as an excuse not to share data and make best use of it, but with clarity over what is and is not allowed, this needn’t be the case. Although many organisations are concerned about the additional workload that the GDPR will bring, it does create a timely opportunity. GDPR has ensured that all organisations using personal data must be clearer about what personal data they’re using, why they’re using it and what rights people have in relation to this use. It could therefore provide the chance to really make the case for the tremendous benefits of using patient data. From our work at Understanding Patient Data, we’ve found an incredible appetite for this information among patients and healthcare professionals, with high levels of interest and engagement in the resources we’ve developed. There’s also a real willingness to make the most of patient data and a sense of urgency to get this right. Perhaps then, rather than data protection being a tick-box exercise, GDPR can be the catalyst for great conversations about how data can drive real improvements in healthcare and research.

You can find out more about the work of Understanding Patient Data here.