The investigation shows that 102 Scottish GP practices added sensitive patient data to the ‘Data Loch’ research database.
The extensive database enables researchers to access and view information on patients’ health, with records uploaded by medical practices.
According to The Ferret, GPs at a host of practices across Scotland shared information pertaining to a patient’s age, sex and ethnicity.
Information on medical diagnoses and referrals to other services – including hospital visits and the use of mental health services – are also held on the database.
Notably, documents suggest that written notes from doctors will also be uploaded to the database.
The investigation has raised concerns over data privacy, with suggestions that GPs would have been unable to conduct a data protection impact assessment (DPIA) when they agreed to participate.
An earlier version of the Data Loch website shows that a DPIA had been drafted, noting that it would be “modified as the programme progresses in consultation with data controllers”.
However, this has since been removed and project leaders “insist the project can operate under the auspices of an existing NHS Lothian DPIA document,” The Ferret’s Ally Tibbitt writes
According to Irvine, impact assessments are key to minimising data protection risks and the risk to individuals whose data is being processed.
“Data protection impact assessments should be carried out prior to any process beginning if it contains large amounts of special category data, so health data,” she said.
“The outcome of a DPIA is to identify risks and to mitigate those risks,” Irvin added.
Although the Data Loch project is yet to launch fully, the database has already been used to carry out a number of research projects; several of which were Covid-related initiatives.
The Information Commissioner’s Office (ICO) advised that it is “aware of concerns” over the Data Loch project and is “engaging with the relevant controllers to discuss their data protection compliance”.
In a statement, the regulator emphasised the importance of data protection legislation as a means of ensuring privacy and compliance.
“Data protection law enables organisations to share data safely and, when it comes to using health information, there are particular safeguards that must be put in place to protect people’s privacy,” a spokesperson said.
“This includes ensuring that people’s data isn’t used or shared in ways they wouldn’t expect.”
Trust and Transparency
In its statement, the ICO said that the “success of any project” relies heavily on trust and confidence in how data is used.
“It is crucial that, from the start, thought is given to ensure that risks are minimised and how the processing can be explained clearly to people,” a spokesperson said.
Despite this, at the time of writing, there was no evidence that participating GP practices have updated their privacy policies after opting into the scheme.
Irvine echoed the ICO comments, noting that since the onset of the coronavirus pandemic the use of data has proved critical to tackling health issues, but she emphasised that the process needs to be clear and open.
“A lot of this is about telling people what’s happening with their data, being transparent and making sure people understand how that data will be shared,” she said.
“This type of sharing will take place and it needs to take place to protect us. But it’s not being clear about that which causes the mistrust.”
As part of its response to the coronavirus pandemic, NHS Lothian told DIGIT it accelerated the Data Loch alpha phase to include “limited and approved research” using Covid-19 datasets within Lothian’s secure data storage.
Through this, the health authority said a number of developments have been facilitated, including the creation of data-driven personalised recovery care pathways for post-Covid patients and treatment for ‘long Covid’.
The use of medical data has been a hotly-debated subject since the onset of the coronavirus pandemic. Earlier this year, NHS services in England came under fire amid plans to transfer patient data to a centralised system.
Concerns were raised that patient data stored on the NHS digital database could be shared with third-party organisations. The government subsequently delayed the move following threats of legal action.
The Data Loch project has been subject to previous scrutiny. In June, an earlier investigation by The Ferret criticised it for failing to offer patients the opportunity to opt-out of the initiative.
In response to the latest investigation, Labour MP Ian Murray again told the publication that patients should be given the opportunity to opt out.
“As with all medical research, appropriate safeguards need to be in place,” he told the publication.
“If patient data is being shared outside the NHS then it needs to be completely anonymised or patients should have the option of opting out – and at the very least should be informed,” Murray added.
NHS Lothian Response
Reacting to the investigation, NHS Lothian Medical Director, Dr Tracey Gillies, said the project activities are “entirely in the public interest” and insisted that an “initial DPIA” was finalised ahead of the Data Loch launch in April 2020.
“NHS Lothian takes patient confidentiality extremely seriously, and has a well-deserved reputation for robust governance processes,” she said.
“As part of the governance for this project, a data protection impact assessment was finalised in April 2020 ahead of the DataLoch launch,” Dr Gillies added.
The Data Loch programme is currently in its “alpha” phase, according to NHS Lothian, and as the project develops the DPIA’s will “evolve to reflect changing requirements”.
Dr Gillies reiterated that only approved NHS clinicians and NHS Lothian medical researchers are given access to extracts of data through the scheme.
“The data has identifying information removed and sits in a secure IT environment,” she explained. “Patient data is not being sold to private organisations, nor is it leaving the control of the NHS.”
- Personal data breaches drop 20%, says Information Commissioner
- Amazon drone delivery project hit with alleged layoffs
- Hackers paid bounty by UK government for first time
The Data Loch website explains that the data repository is held within the “secure NHS Lothian IT infrastructure,” with access to the data restricted to a “dedicated team of data scientists”.
Patient data is then transferred to the National Safe Haven, which is managed by Public Health Scotland.
“This infrastructure is one of several Safe Havens across Scotland already dedicated to safeguarding NHS information and which are required to meet the best practice national standards for access and information security,” the website explains.
Once testing of this set-up is complete, Data Loch then moves to the Edinburgh International Data Facility, using data from the wider region.
According to the Data Loch website, the combination of secure infrastructure, governance policies and processes “ensures protection from attack or unauthorised use”.