back to article 'Maybe we haven't been clear enough about med records opt-out', admits NHS data boss

NHS data chief Tim Kelsey admitted today that the health service had failed to adequately inform patients about how they can opt out of having their GP medical records shared throughout England. A leaflet carelessly posted out in among junk mail to 26.5 million households across the country was not "clear enough on the website …


This topic is closed for new posts.
  1. AMBxx Silver badge

    How about

    Posting on here how we can opt out? Then everyone post to Facebook, Twitter etc,

    1. Warm Braw Silver badge

      Re: How about

      Because there isn't a single, simple process.

      You have to contact your GP to opt out. Your GP may have a website and there may be a form on it for you to print out. If there is a form, it will have two different levels of opt-out, neither of which is clearly explained but relate to some specific internal coding process used by the NHS.

      It's almost as if they wanted to make it hard to say no.

      1. Anonymous Coward
        Anonymous Coward

        Re: How about

        While they have indeed made it as hard as possible to opt out (the original plans didn't even allow for an opt -out at all), the fact that there isn't an "official" form just allows for you to use any formal request you like. The MedConfidential site has links to template letters you can use, even spelling out the codes they need to apply to your records.

      2. Hollerith 1

        Re: How about

        My GP practice has their own forms sitting front-and-centre on the reception counter. They can't officially encourage people to opt out, as they would lose their charter or whatever, but they ask each patient pointedly. I told them I had already opted out and my doctor nearly shook my hand with joy.

    2. Skoorb

      Re: How about

      To opt out of the GP Extraction Service (GPES) you ask your surgery to put the opt out code on your medical record. When GPES comes across a record with that code it skips it and nothing gets pulled out in the first place.

      Hospitals (broadly all NHS providers who are not your GP) have been submitting information to this systems forerunner (The Hospital Episode Statistics) for 25 years or so; this is where stats in the news about death rates and waiting times come from. If you want to stop a hospital including you in their returns you need to contact them; the medico-legal department or Customer Care team are a good place to try.

      If you are having difficulty ring the helpline on 0300 456 3531.

    3. Anonymous Coward
      Anonymous Coward

      Re: How about

      " How about Posting on here how we can opt out?"

      Oh the sheep want to "opt out". Isn't that so-o-o-o-o cute! They are just SO ADORABLE when they bleat like that!

      1. Anonymous Coward
        Anonymous Coward

        Re: Oh the sheep want to "opt out". Isn't that so-o-o-o-o cute!

        Fuck off.

        1. gazthejourno (Written by Reg staff)

          mod hat on

          Get a room you two.

    4. NeilB
    5. Anonymous Coward
      Anonymous Coward

      Re: How about is your friend

  2. Anonymous Coward
    Anonymous Coward

    Junk Mail

    As I opt out of junk mail, I haven't received anything about this through my door, and a quick google round I can only find propaganda from one extreme or the other. I'd be happy for the NHS to use the data internally, but I don't want it to be given to any private company. Is there an option to do that, and where do I go to sort it out?

    1. Anonymous Coward
      Anonymous Coward

      Is there an option to do that

      Nope, it's in or out. If you want to control your data you have to opt out.

      1. HollyHopDrive

        Re: Is there an option to do that

        "... there had never been a "single example of that data being compromised".

        No, in 25 years there has never been an example

        a) PUBLICLY

        b) reported properly

        c) spotted

        And as we all know past performance is no guarantee of future performance.

        It concerns me because as we all know, data governance has historically never been that good in public bodies. I know from time I've spent in the 90's on government projects data was whizzed about with little care. Dev & Test databases were just copies of live. Code and snapshots just left on network shares and I'm sure I saw the odd contractor laptop on the LAN.

        So, smells of bullshit to me.

        Also, this data is worth a fortune to some people so I'd imagine anybody who can 'borrow a copy' would get a handsome reward. And lets be honest, its not like the private sector is known for its honesty - why would an insurance company not like this data - even unofficially.

        Thats why I opted out, and god help the doctor if he still decides to give my (and my families) data away. You can't stop it once its out there which is a major objection of mine! Maybe if they were more transparent about what they will actually give away I'd be a lot more willing.

        Its a good idea but very badly implemented with what looks to me very little safeguard. (a promise to be really really careful honest - isn't a safeguard!)

        Right....where is my tinfoil hat...

        1. Will Godfrey Silver badge

          Re: Is there an option to do that

          "... there had never been a "single example of that data being compromised"

          Interesting sentence. Does that mean there have been a number of examples?

          1. Anonymous Coward
            Anonymous Coward

            Re: Is there an option to do that

            Another problem is defining what is in the NHS.

            Most people would define their GP as being part of the NHS, yet when I was working for the NHS GP's weren't allowed to post jobs on the NHS jobs site as a GP's practice is a for profit independent business which simply bills the local NHS trust on an agreed charging scale for the work they do. The local NHS trust did not consider GP's part of the NHS and ran services directly in competition with GP's to get the job done cheaper.

            I suspect that the definition of what is "in" and "out" of the NHS is going to be so nebulous and flexible to be worthless, especially if the people involved in selling the data are politicians.

    2. Skoorb

      Re: Junk Mail

      This is where it gets difficult; many providers of NHS care are in fact private companies, or the NHS uses private companies or charities to perform research; Dr Foster are a great example of this.

      You can stop information leaving the Health and Social Care Information Centre, which is closest to what you mean. This means that information related to you or your care should not get passed outside the organisation responsible for NHS statistics and information; regardless of whether it goes to an NHS organisation or not. You do this by asking for the following code to be placed on your record at your GP:

      ‘Dissent from disclosure of personal confidential data by Health and Social Care Information Centre’.

      code: Read v2: 9Nu4 or CTV3: XaaVL depending on which system your GP uses.

      As I mentioned above, if you want to stop yourself being included in hospital returns (which are nothing new) you also need to ask the relevant NHS Trust(s) or other relevant provider to exclude you as necessary.

      In your case, you should probably read the detail at

  3. Gordon Pryra

    Radio 4 this morning

    I listened to some idiot women describing a data base to me. She kept talking about how the data was "Anonymised" but, of course, it can’t all be anonymised, there is a "unique identifier (tm)" for each person which has the various “coded data linked too”!!

    But it’s ok because “it’s all coded.....”

    10 years ago, technobabble worked, people didn’t understand what people were talking about when they were talking about computers.

    Now technobabble just shows the speakers incompetence, when I don’t understand what someone is saying about computers it is no longer because I don’t understand about computers but because the speaker is an idiot or lying.

    I have worked for the NHS, and no fucking way would I give them access to my data if I could help it.

    I suggest you opt out before this stuff is used against you

    1. Tsung

      Re: Radio 4 this morning

      I agree I heard that very same interview, in the same sentences she was saying the data was anonymous and yet has a unique ID (NHS ID) that links back to you. But it's OK they have no plans to sell it to private companies. The explanation was as clear as mud, she had no idea what she was talking about. As for the coded bit, I guess she means something similar to hash tags on twitter.

      Another question I have to ask listening to this interview, she said they have been doing this for the past 25 years. So I'm not sure why they needed a new system now? sounds to me like opting out is a wise choice.

      1. Tony Green

        Re: Radio 4 this morning

        "they have no plans to sell it to private companies"

        This is distinctly different from "they will NEVER sell it to private companies".

        Weasel words, weasel words...

        1. Anonymous Coward
          Thumb Down

          Re: Radio 4 this morning

          Which is still distinctly different from "they will never SELL it to private companies".

  4. Christoph

    The NHS promises not to sell your data.

    How much is that promise worth once the NHS has been privatised?

    Come to think of it, this data will be extremely commercially valuable. Is it being collected simply to boost the eventual sale value of the NHS?

  5. Evil Auditor

    If I opt out...

    Does that mean that they won't lose my data somewhere on a train with all the others?

  6. Alastair

    Example opt-out

    You can use pretty much any means you like to opt out. There's a good form (and lots of other info) at

  7. Anonymous Coward
    Anonymous Coward

    Site created by a concerned doctor

    Basically write a letter to your GP asking them to add two codes to your (and anyone for whom you are responsible) medical record. The site has template letters containing the codes.

  8. Anonymous Coward
    Anonymous Coward

    Opted Out Testerday

    GP had what looked like a self generated form. I only opted out as I don't trust the Government not to move the goalposts on who can access the data at a later date. Of course they may either "accidentally" miss the opt-out flag during the import or decide it is in my "interest" to opt me in later, but at least I tried.

    AC because whatever the shrink says they are out to get me!

  9. Anonymous Coward
    Anonymous Coward

    Identifiable Data

    It's absolute rubbish to claim that the data can't be re-identified. OK, perhaps not ALL of the data but consider this example:

    If I've got the "Maternity Data Set" (see HSCIC website for details), then if you give me any newspaper report about any well-known woman (celebrity, politician, sportsperson, etc.) who has just given birth, I can tell you with a high degree of certainty from that one data set alone whether that person had a sexually transmitted infection during their pregnancy, for instance.

    *Any* data set that has any significant use will have enough detail to identify certain individuals - individuals for whom you know enough about them such as date of birth, roughly where they live, etc.

    The only way you can sufficiently anonymise such data sets is either by aggregation - in which case you lose a lot of the meaning and you still have problems should the aggregation in any area result in a total of "one" - or by stripping enough information out of it that everyone loses interest in trying to make use of it.

    1. Gareth Jones 2

      It's worse than that...

      According to the Beeb, Tim Kelsey, NHS England's national director for patients and information, said "Can I be categorical? No one who uses this data will know who you are."

      However, if we hop over to NHCIC's web site and look at it's scale of charges* we see "Standard extract – containing personal confidential data" for a mere £2,782. It also lists "Patient status and/or tracking" as a "Product".

      Maybe Mr Kelsey "mis-spoke". Or maybe we are just being lied to. Anyone want to let this bunch have all your medical records so we can find out?


  10. Adrian 4 Silver badge

    What leaflet ?

    I haven't seen any leaflet from the NHS.

    I have, however, had a leaflet from the local practice asking me if I want to opt in or out of a data sharing arrangement with 'any other NHS service that uses the same computer system'.

    It's not clear if this is the same thing, but as far as I can tell it's opt-in (there's no mention of a default).

    1. Anonymous Coward
      Anonymous Coward

      Re: What leaflet ?

      Nor have I had one stuffed through my letterbox yet.

      I opted-out a fortnight ago.

      I understand the deadline is pretty soon.

      I'd advise people to avoid waiting for the leaflet and just follow the instructions on the links posted earlier in the comments.

  11. JimmyPage

    Out of interest ...

    what are the sanctions or remedies in the inevitable cases where someone who has dotted i's crossed t's and done everything correctly, in order and in time to opt out, finds they *haven't* been opted out ?

    If, as I suspect the answer to this question is measured on a scale from "fuck all" to a generic "we know how important etc etc" with no way to (a) unring the bell, and (b) gain any recompense, then you can't help but feel "what's the point ?".

    We can only hope that as time rolls on, and more people realise how irrevocable a loss of personal data is, the clamour for proportionate punishments grows.

    People like Max Moseley are a good example.

  12. no_RS

    How do you check what they have done

    How would you check that the surgery or others have followed your instructions regarding the opt-out for your data. I did receive a leaflet but it was wasn't very clear and personally this whole thing is the wrong way around, your data should stay private unless you say it can be released.

    Once the data is out there you can't get it back so why is it assumed you can chuck it out by default.

    1. Anonymous Coward
      Anonymous Coward

      Re: How do you check what they have done

      Call or write to your surgery and ask them to confim that the two codes have been added to your medical records as requested.

  13. Anonymous Coward
    Anonymous Coward

    NHS appointment data never compromised?

    I can tell you of a constant, daily compromise of that exact data that has been happening for years and is probably still going on.

    A few years ago I worked as a contract programmer on an NHS system used by doctors to refer patients to specialists and then by the specialists' secretaries to arrange appointments. All such systems require data for testing and the standard procedure is to use fake or anonymised data, so you'd expect the NHS to have a large test database of fake data.

    Wrong. After I had been there for about a week I was testing part of my code that printed the appointment letters when the manager supervising me came over and told me to make sure I put the printouts in the shredder. Apparently the database was real data from a few years earlier and it had not been anonymised at all. Their only concession to privacy is it was from a different part of the UK to where I was working. Unfortunately for them I am originally from that area and was able to look up the cancer treatment appointments of one of my parents' friends. I already knew the person had battled cancer and did this to check if it was real data because I could not believe what I had been told.

    I was on a 6 week contract. There was no criminal records check or other screening process.

    (Anon because it was a well paid contract and a good place to work so I don't want to shoot myself in the foot if the chance ever comes up again.)

  14. TallPaul

    Kelsey lies

    'Kelsey insisted this morning that that argument was flawed. "I'm really pleased we're having the debate, but it's not identifiable," the NHS data chief said.'

    Kelsey is simply lying. His very own document "Care Episode Statistics: Technical Specification of the GP Extract"* makes it very clear that they are aware of the dangers of "malicious re-identification of patients from inference (a so-called “jigsaw attack”)" (see page 13, paragraph 3). They are going to attempt to mitigate this by controlling who can get access to enough data to do that, but the danger still remains.

    Ultimately their defence (and this is acknowledged in another document I can't lay my hands on again at the moment) is legal, in that it would be an offence to re-identify patients. I can't see that working well if there is sufficient rewards from, say, a tabloid for passing on the information they desire.


    1. Anonymous Coward
      Anonymous Coward

      Re: Kelsey lies

      Legal penalties are an acceptable defence, but the penalties need to be severe, such as everyone involved in re-identifying a patient being given 10 lashes per patient record re-linked.

      but most importantly the data should never be sold, the data should only ever be used to provide healthcare for the patients!

  15. Forget It

    Where is the option for so I can keep the right half of my body private?

    The the left hand won't know that the right hand is doing!

    Sounds like the organization running this scheme.

    1. Anonymous Coward
      Anonymous Coward

      Too late.

      Your body is now the property of the Body-parts-are-us Futures Exchange run by friends of someone in the Government.

      You could ask them how to opt-out, but if they told you then they would have kill you..

    2. Anonymous Coward
      Anonymous Coward

      You think the lack of information is an accident or the result of incompetence?

  16. Anonymous Coward
    Anonymous Coward

    Why is that whole mess not opt-in to begin with?

    1. Zimmer


      No one in their right mind would opt in! And apathy would prevent the rest from opting in, too .

    2. JimmyPage

      Premium rate phone numbers

      why not make them opt in too ?

      I suspect the answers to both are remarkably similar.

  17. JimmyPage
    Big Brother

    I call this "The Facebook Conundrum"

    (although Facebook tends to be used with other C-words).

    Despite the fact I have never been near Facebook, they know an awful lot about me. First off they know I don't have a profile. They know who my friends are. And were. They know when I make new friends. They know who I work for. Who I used to work for. They know what music I like. What films I like. My age. My marital status. Number of kids I have. Simply by cross-matching all the chatter from people who have my email address in their contacts list.

    No one can be anonymous in a non-trivial dataset. The only crumb of comfort, is that the politicians too dumb to understand this now, will find out the hard way.

  18. Anonymous Coward
    Anonymous Coward


    To be honest I'm not sure what nefarious use my medical records could be put to anyway.

    What's the risk?

    1. Hollerith 1

      Re: Risk?

      How about: You get an STD from playing away from home. Your shared email at home suddenly fills up with STD medical adverts directed to you by name.

      Or: you have a disability that you don't want your agency to find out about. They cross-check and find you and all about your disability and you don't get the job.

      Or: You get an embarrassing condition you'd rather be kept private. You find your FaceBook page targeted with ads for creams for this condition.

      Or: your insurance company decides to hike your premiums because they found out about a temporary condition and have added you to the 'risky' file without your even being aware of it.

      I coudl go on and on...

    2. Martin-73 Silver badge

      Re: Risk?

      To be honest I'm not sure WHY you got downvoted 4 times, you asked a simple question. Very well phrased, and people downvoted you for it? PAH! Have an upvote for asking the question

  19. Don Jefe

    Policies for Career Advancement

    There's this thing that happens in any large organization, public or private, but giant public organizations are the easiest to observe. As the organization grows, and stays alive longer, they lose sight of their mission and focus their attentions inward.

    A pamphlet that is worthless to their customers is a good example of this. The people that put the pamphlet together know the ins/outs, nooks and crannies and internal definitions of their organization and it skews their development and review of the document.

    Staff forgets how horribly confusing it all was when they started, but years, or decades later, they know every detail of their processes. They unintentionally plug the 'missing info' into documents and processes: A trees/forest visibility kind of thing.

    It's always institution wide as well. As staff near total assimilation into the collective their mission shifts from providing quality service to customers to making certain all the fields on the FAP2014 form are populated and entered into the system by 09:03 on the first Wednesday following a full moon: "It really is too bad the customers aren't getting good service, but hey! If the FAP2014's aren't filed correctly, on time, that reflects poorly on me. I'm not risking my raise for some random person".

    It really sucks, because new staff have to work with the internal rules. Sara in FAP Assistance has been doing that job for 23 years, and if things aren't done her way she ruins everybody's month. So a big, slow and developmentally challenged organization gets slower and even less useful.

    You can overcome a lot of that in a private organization if you want. If it's a choice between filing wholly internal forms correctly, and on time, or ensuring good customer service, you just correct or fire the staff who have issues prioritizing issues. Sometimes that happens, sometimes not. A lot depends on how many lawsuits you're willing to put up with. You'll certainly win the employee suits, but it's still expensive and time consuming.

    Public organizations are terrible at dealing with it. To a large degree they are screwed by their own rules which have been tailored to make performance metrics look good, not to actually improve things. Unless they are law enforcement or intelligence agencies, government agencies have to follow government rules. It's pretty stupid, all of it.

    I wouldn't be opposed to considering proposals that tie government employee salaries, promotions and raises, maybe agency budget as well, to customer (taxpayer) satisfaction. Like most businesses, more money can't fix the problems in public agencies, so if their budget doesn't increase it won't actually hurt the taxpayer.

    1. phil dude
      Thumb Up

      Re: Policies for Career Advancement

      brilliant ;-)


  20. Trollslayer

    Private companies are involved

    And the data includes health details, POST CODE and NHS numbers.

    I handed in an opt-out form and my GP wasn't surprised (was seeing him about something else).

  21. John Robson Silver badge

    And for those of us who don't see junk mail (either because the dog eats it or someone else recycles it, or because the whole lot is instantly recycled) and haven't visited a GP in a couple of months....

    Stupid process - should be a simple question at your next appt. (or next routine hospital visit if that's sooner)

  22. Anonymous Coward
    Anonymous Coward

    Wrong - NHS data HAS been compromised

    NHS data chief Tim Kelsey is wrong. We have already seen what happens when too many people have access to our medical records.

    Does anyone remember the case of 94-year-old Rose Addis? Her family criticised the competence of Whittington Hospital after the lady had spent an entire weekend waiting for treatment in a hospital corridor. It created such a furore that in defence of the hospital (its medical director was a Labour activist) Tony Blair appeared on TV and, in a complete betrayal of patient confidentiality, made public the private medical records of this poor lady.

    1. Don Jefe

      Re: Wrong - NHS data HAS been compromised

      Compromised is one of those magic words that sound important, but because the word has so many different meanings, depending on who says it, the subject and who they're saying it to.

      If we narrow the field of use solely to IT, the following are just a few examples of how 'compromised' could be used within a single organization:

      1) For an executive at (x), 'compromised' data could be an accounting error that forces them to rectify and restate four years of financial reporting.

      2) For a systems security person 'compromised' data could mean malformed server side action that is allowing people in through what should only be an exit.

      3) For a database admin 'compromised' data could mean an automated process has been forcing an alpha datatype into a time field for the last nine weeks and all staff who were scheduled for the 07:Toucan shift have now accrued over $79 million in overtime.

      Pick any IT role and plug 'compromised' in anywhere you like, and the meaning won't be the same for any two or more people. The severity of the 'compromised data' is also different depending on your role and how the data affected you.

      For #1 up there, it doesn't matter, at all, to the company groundskeeper, but everyone in finance is sick with stress because the Executive Director/CEO just publicly executed the CFO.

      Make your own examples if you like, regardless, the fact remains 'compromised' is plastic in shape and appearance and it's never the same twice (if it is twice or more its a breach, not a 'compromised' thing). So it's perfectly acceptable for an exec to say 'data hasn't been compromised'. It hasn't, at least in his view anyway.

      As a rule, words with plastic meanings should be avoided if you aren't going to share your definition. Without that agreed upon definition someone could prattle on for days about the organizations stability while knowing full well they spent the last nickel 55 days ago.

  23. Anonymous Coward
    Anonymous Coward

    There's one country on earth that could have really decent health/disease/treatment statistics available promptly and in the long term too. How would you smart guys organise it, if you were in charge of the system?

  24. Anonymous Coward

    Kelsey insisted this morning that that argument was flawed. "I'm really pleased we're having the debate, but it's not identifiable," the NHS data chief said.

    Kelsey is a fool or a knave. The data is being exported with a unique identifier, the NHS number.

  25. Anonymous Coward
    Anonymous Coward

    checking you are opted out

    Perhaps an FOI request to the quack asking for records that have been exported. After all data accesses will be monitored and audited.

    hahahahaha. only kidding.

    1. Anonymous Coward
      Anonymous Coward

      Re: checking you are opted out

      An enabling act was passed earlier exempting the released data from Data Protection. Once it is out there it is no longer your data. Welcome to Big Data US Style.

  26. Anonymous Coward
    Anonymous Coward

    It's already happening

    If you have had dealings with non-GP elements of the NHS, such as hospitals, your un-anonymised data is already being held by the HSCIC for sale to whoever comes up with a feeble 'it's medical' excuse for getting their hands on it. It's not clear how you can stop them from doing that.

    We provide information for our medical treatment, and most of us quite reasonably assume that the data will not be used for any other purpose. We certainly wouldn't envisage it being given away top some accountable quango to sell off. that's one breach of the Data Protection Act. And it's a long standing breach since the NHS is already playing merry hell with data from hospitals.

    Medical data has never gone through a data cleansing exercise, and is notoriously inaccurate, which makes the entire exercise a waste of public money.

    The anonymity of the data subjects is in no way safeguarded by the process, so there's another breach of the DPA.

    What we really need is for all this stupid 'look at me, I'm a great commercial hero' activity to be stopped, the perpetrators top be kicked out, and the NHS to start to provide reliable care for patients on a national basis.

  27. BarryUK

    Christ, the whole tinfoil hat brigade is in tonight. Why the rush to opt out? This data will save lives - thousands of lives. Good data analysis is at the heart of all successful medicine. People need this data so they know which treatments work and which don't.

    Frankly if you opt out of this you should opt out of the whole NHS and sod off to BUPA.

    1. Anonymous Coward
      Anonymous Coward

      Can I suggest you try reading

      No one is arguing about the NHS use of the data, it is the selling of the data including individually identifiable data to more or less anyone who has a couple grand to spare, and the surreptitious way that the whole process has attempted to be slipped under the radar of the average person.

  28. Tuck426

    Nudged into Acceptance?

    I'm interested in the approach to presenting the choices to the public. I suspect that the UK Government Behavioural Insights Team have been at work applying 'Nudge' theory. Especially the 'Status Quo' bias.

    As much distance as possible has been put between a person and their opting out: (a) You are default opted In (b) you are forced into a manual process to change that choice and (c) your important notification leaflet is hidden amongst the pizza offers.

    I wonder if this duplicitous approach is expected to create trust?

  29. Anonymous Coward
    Anonymous Coward

    I work for a small software house providing niche software for the NHS, which holds a database of patient data. I can tell you that patient data confidentiality is taken *extremely* seriously.

    All patient data is encrypted, and access to the de-encryption keys is restricted to only a few senior managers, and the use of which is carefully logged and audited. In all the years I've worked here, I've never seen patient data, despite doing core development on the application and database. This is because access to the live system is locked down internally, and all development is done on data that's first been scrubbed of patient identifiable data.

    The management know that if there was a breach of patient confidentiality, the company's reputation would be in tatters; a situation that could financially ruin the company. I would guess that patient confidentiality is take far more seriously in the private sector, than in the NHS itself.

    On the general point of opting out of data sharing, the NHS is just beginning to realise what a wealth of information they have available. Our own database is used, in a completely anonimised way, to plot trends in treatment and outcomes, and identify treatments that are more or less effective. This anonimised use of patient data is improving clinical care and directly positively affecting patients' lives.

    I would urge you NOT to opt out of data sharing; I haven't!

This topic is closed for new posts.

Other stories you might like

Biting the hand that feeds IT © 1998–2022