Campaigners raise alerts over UK health data sharing deals
Privacy campaigners have criticised a contract between the NHS and Amazon allowing the tech giant to use health information, and deals that give pharmaceutical companies access to patient record data.
A heavily redacted copy of the Amazon contract was released by the UK Department of Health and Social Care, following a series of Freedom of Information (FOI) requests by Privacy International and other organisations. The deal allows Amazon, without charge, to use information from the NHS website covering definitions, causes and symptoms of medical conditions, as well as “all related copyrightable content and data and other materials”.
The medical information is available to users of Amazon’s virtual assistant Alexa, while other materials including the NHS logo can be used for marketing purposes. The company is allowed to distribute the data – which excludes patient data – around the world, and to utilise it to make “new products, applications, cloud-based services and/or distributed software”, according to the contract.
When the partnership was first announced in July, the NHS called it “mutually beneficial”, although the contract shows that Amazon has not paid the NHS to access its content.
Eva Blum-Dumontet, a senior research officer at Privacy International told Global Government Forum that she and her colleagues are concerned about a lack of transparency on the contract. “Large sections of the contract have been redacted and at this stage it is impossible for the British public to know what exactly the NHS has promised to share with Amazon.
“What’s all the more problematic is that in their letter to us, the Department of Health said they had considered the public interest and Amazon’s commercial interest when sharing this heavily redacted contract with us. They decided Amazon’s commercial interest supersedes the public interest and this is why so many sections have been removed.”
She said Privacy International is now asking government for the release of the unredacted contract.
While Privacy International said in a blog on its website that it is good news that Amazon is using the NHS as a trusted source of information for medical queries, it said we “should not be naïve about the intentions of big companies that are preying over the NHS”. It alluded to instances in which dominant online platforms had engaged in various forms of data exploitation and said Amazon has a “worrying track record on privacy”.
“The agreement between the Department of Health and Amazon seems to clearly allow the latter to use the information provided on the NHS website for a handful of purposes, including advertising or marketing. As Amazon is already making or planning to make moves into healthcare, we find this alarming,” Privacy International said.
“To guarantee that partnerships do not happen at the expense of patients”, it called on the Department of Health to become more transparent.
Transparency over sale of NHS data
The Department of Health and Social Care has also been accused by another advocacy group of a lack of transparency this week, over concerns that the sharing of NHS patient data with private companies could lead to individual patients being identified. The datasets have been through processes to anonymise the information, but campaigners argue that the depth of information available on individual patient journeys could render people identifiable.
The Observer reported at the weekend that pharmaceutical companies are paying up to £330,000 (US$250,000) a year each for licences that allow them to access the data of millions of doctor’s surgery – or general practitioner (GP) practice – patients, for research purposes. The information is available through the Clinical Practice Research Datalink (CPRD) which received more than £10m in revenue through issuing the licenses last year.
MedConfidential – which campaigns for data confidentiality – says that one in seven UK GP practices is sharing data with the CPRD, and believes that although the CPRD says the data is anonymised, patients could still be identified. Phil Booth, a coordinator at the advocacy group, told Pulse that “it’s clear from the linkages that the data is in fact pseudonymised and therefore [under GDPR and the Data Protection Act 2018] must be considered personal data”.
Uniquely identifiable
“The level of rich detail in an individual-level, linked, longitudinal medical history makes it uniquely identifiable even if the patients’ name and NHS number have been removed/replaced with a pseudonym,” Booth explained. “One does have to be concerned about the individual re-identification. Especially as there is no indication how, or even that, CPRD does any proactive monitoring or audit of how the data it sells is used by its customers.”
Booth added that “there is no transparency in the process”. CPRD is required, according to its own website, to publish a list of its direct clients and funding organisations that may benefit directly from the research. However, Booth said that information about the companies buying the data – and the uses to which they put it – is not displayed clearly on the relevant government agency sites.
He said there was evidence on CPRD’s website that US companies additional to those featured on a list provided to the Observer (after an official request was made) were using UK data. “Our detailed examination of CPRD’s approved studies shows multibillion-dollar companies like Optum, Pfizer and Sanofi named in multiple studies over the past year, but not on the list of licensed commercial organisations its officials provided to the Observer,” Booth said.
He called this lack of transparency “deeply concerning” and said that patients should be told how their data is used.
“Enormous benefits” to patient care
Dr June Raine, chief executive of the Medicines and Healthcare products Regulatory Agency, a government body that includes CPRD, told the Observer that the sale of data under licence to commercial organisations, as well as research bodies such as universities, had been fully compliant with “ethical, information governance, legal and regulatory requirements”. She also said that “rigorous processes” were in place to ensure the privacy of patients.
Research using CPRD datasets has brought “enormous benefits” to patient care, she added, including providing evidence for blood pressure targets for patients with diabetes and improving medicine safety.
The pharmaceutical companies accessing patient data from the CPRD include Merck (referred to outside the US and Canada as MSD, Merck Sharp and Dohme), Bristol-Myers Squibb and Eli Lilly.
About Mia Hunt
Mia is a journalist and editor with a background in covering commercial property, having been market reports and supplements editor at trade title Property Week and deputy editor of Shopping Centre magazine, now known as Retail Destination. She has also undertaken freelance work for several publications including the preview magazine of international trade show, MAPIC, and TES Global (formerly the Times Educational Supplement) and has produced a white paper on energy efficiency in business for E.ON. Between 2014 and 2016, she was a member of the Revo Customer Experience Committee and an ACE Awards judge. Mia graduated from Kingston University with a first-class degree in journalism and was part of the team that produced The River newspaper, which won Publication of the Year at the Guardian Student Media Awards in 2010.
Related Posts
