> The data we supply is normally pseudonymised. We only provide identifiable data when there is a lawful basis to do so i.e. with patient consent, approval under section 251 of the NHS Act 2006 which enables The Health Service (Control of Patient Information) Regulations 2002, or where appropriate statutory regulation is in place.
> Section 251 came about because it was recognised that there were essential activities of the NHS, and important medical research, that required use of identifiable patient information but because patient consent had not been obtained to use people's personal and confidential information for these other purposes, there was no secure basis in law for these uses. [NB. There are a few exceptions where there is a legal basis for disclosure e.g. reporting of notifiable diseases]. Section 251 was established to provide a secure legal basis for disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practicable, having regard to the cost and technology available.
>"and where seeking consent was not practicable," //
As they have your contact details and next of kin details then seeking consent must be quite practicable.
I expect they mean "commercially financially viable". Those people the NHS can't simply look up a phone number for (from doctor's surgery records) and ask (or ask their guardian/parent) must be in the few hundreds [of those they have sufficient medical information for to be used in a scientific study].
I guess that's what it says, practicable with regard to cost.
To look at one random example, the first study on the list of approvals in 2013 was the "ETPOS: European Transfusion Practice and Outcome Survey". Apparently they took data from 10,000 patients who had blood transfusions and tried to see if there were any correlations between practices such as "ratio of red blood cells to other blood component therapy, such as plasma and platelets" and health outcomes. I guess it was deemed that phoning each of the patients was impractical.
Robot Dialer: The NHS wish to sell your medical data for use in a study of people who had blood transfusions. Press 1 to accept, 2 to refuse, 3 to speak to an agent.
Robot Dialer: You pressed 1 to accept; can we use your data for future studies? Press 1 to accept, 2 to refuse, 3 to speak to an agent.
Robot Dialer: You pressed 2, can we contact you to ask about using your data in specific studies in the future? Press 1 to accept, 2 to refuse, 3 to speak to an agent.
Umpteen marketing companies appear to be able to afford to do this sort of calling (yes even though it's against the law for them to contact me as I'm on the no-call database [which wouldn't apply to the NHS]).
If it's too costly then the studies can hardly be worthwhile? Remember the NHS wasted £10 Billion on a single IT project over the last 10 years. What would this auto-dialer have cost? £10k in "management", couple of thousand in IT staff and set-up (join study NHS numbers with main database ID table and contact info tables, select phone numbers; set-up dialer script, test, initiate) maybe £500 in direct call costs. They most likely already have systems in place to do auto-dialed calls for disease outbreaks [UK Environment Agency use one for flood warnings].
"... or where appropriate statutory regulation is in place"
You do know that means civil servants have written a statutory order, it has been signed by the minister (might have to be Secretary of State) and it has been placed in Parliament for a week (no vote required). [Exact details may be wrong but that is the overall concept of statutory orders].
My comment is based on a general understanding of statutory orders/secondary legislation and there may be specific reasons why it doesn't apply in this case but it appears to me to be a significant hole in the text you quote that you may not have noticed.
I think "statutory regulation" just means there has to be a law allowing it ("statute" meaning law). From reading their website the other day, I got the impression that the case they had in mind was certain laws about containing contagious diseases, which could override privacy laws.
Reading on Wikipedia, "Statutory orders" and "statutory instruments" seem to be particular ways of delegating law-making power from parliament. I don't think they are directly relevant here (since there has to be some enabling legislation)? But the section 251 thing already allows the Secretary of State for Health to disclose data, so if you are worried about ministers operating without parliamentary oversight, that is indeed possible....
"This would be straight up illegal in the US due to HIPAA, which guarantees a patient's right to privacy."
That is a blanket statement which is false. Some of what NHS is providing would be illegal in the U.S. Some of it is actually legal. I am mostly responding to the blanket statement.