The NHS needs to get its house in order before handing over our health records

A doctor’s consulting room is a special place, a space where we can share our most private thoughts and concerns. When we go to a hospital, we reveal ourselves so that we can get help. We trust our doctors. And doctors take a solemn pledge to uphold that trust.

It’s a principle as old as medicine itself, enshrined in the Hippocratic Oath as a promise to keep anything heard “in the course of my practice… sacred and secret within my own breast”. But it’s a principle increasingly at risk in the modern world.

Healthcare in the 21st century is spread across surgeries, hospitals and clinics. And the NHS is putting systems in place to send medical information at the click of a button, so that doctors can have that information at their fingertips wherever they are.

But data that can be sent electronically is difficult to control – a problem health professionals know all too well, after hundreds of drug companies, private providers and universities were found to have breached data sharing agreements.

In this networked world, once information is released it’s impossible to get it back in the bottle. In the wrong hands, medical records are like dynamite.

So when the NHS starts to use new technology to share our health records, it has to be done right. It has to be done with our consent.

Sadly, the current system is a mess. NHS England uses confidential records in two ways: for individual treatment, and for research and planning. Patients can stop their data being used for research and planning through the National Data Opt-out. But it’s not clear what this opt-out does in practice, or even what the NHS actually means by the phrase “research and planning”.

Good Law Project is working with data experts to get to the bottom of this and work out exactly how the NHS deals with data privacy requests. We’re working with patients to find out if the NHS is acting in accordance with the law and preparing legal challenges in areas where we believe it’s not.

We think the National Data Opt-Out doesn’t comply with data protection law. Article 21 of the GDPR, known as the “right to object”, provides a vital safeguard so that anyone can stop their personal information being used in ways they oppose.

Some of the data held by the NHS has been “de-identified”, a process which is supposed to make it impossible to connect the data with individuals. But conflicting statements from NHS England have raised doubts over whether the right to object under GDPR legislation applies to de-identified data. And the NHS has so far failed to reveal the steps it has taken to make sure this data is properly anonymised.

This isn’t the first time the NHS has tried to modernise its data systems. The National Programme for IT launched in 2002 with an initial cost of £6.2 billion, but was mired in concerns over patient records and dismantled in 2011. The scheme launched two years later, but foundered over similar problems and was scrapped in 2016 at a cost of £10 billion.

Instead of getting its house in order, the NHS has given a £330 million contract to the US spy-tech company Palantir, owned by a Trump-supporting billionaire who thinks the NHS “makes people sick”.

NHS England says Palantir’s Federated Data Platform will join up the information held by different trusts, improving treatment, reducing waiting times and supporting both research and planning across the healthcare system. But it’s unclear what rights patients will have to determine how their data will be used.

To have confidence in the new platform, patients need to know where they stand. We want to make sure the National Data Opt-Out is fit for purpose. We want to make sure we can all trust the system that handles our medical records as much as we trust the doctors we speak to in the privacy of the consulting room. is the UK’s leading digital-only political website, providing comprehensive coverage of UK politics. Subscribe to our daily newsletter here.