By Stephen Adams
A secret plan to sell confidential medical records to private companies for as little as £1 has been drawn up by officials.
From next month, GPs will start sending detailed NHS patient records to a central database for the first time under the new General Practice Extraction Service (GPES).
Yet doctors do not have to tell patients about the project, described by campaigners as an ‘unprecedented threat’ to medical confidentiality.
The records – held for every person registered with a GP – will contain details of medical conditions, as well as ‘identifiable’ information including a patient’s NHS number, postcode and date of birth.
Private firms such as Bupa can then apply to the Health Service to buy and use data from the records for research.
The project is being driven by NHS England, the new super quango, after Health Secretary Jeremy Hunt made it clear he wanted a data revolution in the Health Service.
Mr Hunt argues that sharing GP records with universities and private companies will provide a valuable tool for medical research, monitoring flu outbreaks and screening for common diseases.
But privacy campaigners last night warned there were ‘huge risks’ with putting so much patient information into so many hands.
Shami Chakrabarti, director of Liberty, said: ‘The more people who have access to sensitive data, the greater the risk that it will not be protected properly. We’ve seen that on umpteen occasions in the past.
‘And when there’s a financial element involved, it introduces all sorts of incentives that are not necessarily about protecting privacy.’
Phil Booth, of campaign group medConfidential, said: ‘They are presenting this as some anodyne thing that’s only going to be used for health research. But this is a massive re-engineering of how everybody’s medical records are going to be used. It is an unprecedented threat to our medical confidentiality.
Mr Hunt believes that allowing universities and private groups access health information easier will attract pharmaceutical companies and life sciences firms to the UK.
From next month, 100 GP surgeries in England will upload details from patient records to a central database held by the Health and Social Care Information Centre (HSCIC).
Sensitive medical information will be included – for example whether a patient suffers from a condition such as cancer, heart disease or depression – as well as lifestyle information such as alcohol consumption.
Names and addresses will not be uploaded, but ‘patient identifiable data’ including date of birth, postcode, gender and ethnicity will. Using publicly available records such as electoral rolls – which contain postcode and dates of birth information – malicious individuals could then identify who the patient records belong to.
There are 55 organisations accredited to apply for identifiable or sensitive data. Most are NHS bodies but also on the list are Bupa, the hospital comparison firm Dr Foster and the Institute for Fiscal Studies.
The HSCIC currently charges tens of thousands of pounds for carrying out a typical ‘data extract’ request.
But last month Geraint Lewis, chief data officer at NHS England, announced proposals to reduce these costs to just £1 a time. Ms Chakrabarti added: ‘NHS England are not promoting an honest debate about this, either with individual patients or the public at large.’
Initially, only information put on medical records from April 1, 2013, will be included on the uploads to HSCIC.
However, Mr Booth claims NHS England want to include full medical records going back 20 years.
He said: ‘This is a wholesale rewriting of the deal between patient and doctor. When people go to the GP, they go for medical treatment – they don’t expect commodification of their patient record.’
An NHS England spokesman denied the organisation was failing to tell patients about the scheme or promote it.
And a Department of Health spokesman said: ‘Jeremy Hunt has made clear that any patient who does not want personal data to be shared securely with HSCIC will have their objection respected.’