£140 could buy private firms data on NHS patients

Bupa approved to access sensitive medical records as campaigners question patient consent for release

Private health firms, including Bupa, could pay £140 to identify potentially millions of patients and then access their health records, detailing intimate medical histories, under a new national arrangement in the NHS, the Guardian can reveal.

The records, which include sensitive information about hospital visits, such as a mother's history of still births, patients' psychiatric treatment and critical care stays, allow individuals to be identified by use of postcode, gender and age as well as their socioeconomic status.

On Monday the government slipped out the news that private insurer Bupa was approved to access England's "sensitive or identifiable" patient data, housed centrally by the Health and Social Care Information Centre (HSCIC). It is now among four private firms that have passed the government's vetting procedures.

The charging structure for "bespoke patient-level extracts" was revealed when HSCIC put up a "cost calculator" to work out how much prospective customers would pay for sensitive hospital data. The "indicative fee" for a full set of 20 years' inpatient data was about £8,000 including £140 to make the records identifiable.

On the information centre's website, the Data Access Advisory Group says it "considers applications for sensitive or identifiable data". Once they have been approved, organisations have to apply to extract identifiable NHS data.

The prime minister has argued that companies such as Britain's key life sciences firms should be able to benefit from the NHS's vast collection of patient data. But critics argue that this amounts to putting the NHS "up for sale".

Campaigners say the health service is aping commercial practice – pointing out that only last week the country's largest mobile phone operator announced it was selling the internet habits of its 27m customers.

Phil Booth, coordinator at patient pressure group medConfidential, said: "People are rightly concerned when details of their mobile use or online habits are sold on; now we learn that the NHS is selling masses of highly sensitive medical information to private companies. Like millions of other patients, I'm certain I never gave my consent for that."

The Guardian has established that private companies are already attempting to access patient records which can identify individuals.

In July a private research firm Civil Eyes was granted access to sensitive "consultant code" data. However, in the same month Dr Foster, which produces a guide to good hospitals, was refused permission to obtain patient mental-health data which included date of birth, gender, marital status and NHS number.

Labour called for the practice to be "suspended immediately pending a full investigation". Shadow health secretary Andy Burnham said: "Patients will be appalled to learn that the government appears to be auctioning off their personal information to the highest bidder.

"We warned David Cameron 18 months ago that greater safeguards were needed on the use of data in the NHS. He failed to provide them and, in his drive to commercialise the NHS, he has allowed this unacceptable situation to arise. Ministers need to tell us whether they knew about this practice and whether it was given their approval".

The HSCIC said that it "only provides identifiable data when there is a lawful basis to do so, eg, with patient consent. The data we provide is normally anonymised. We do charge a fee to cover administrative costs of operating an extract/data linkage request. We are committed to ensuring information about our services are presented in a transparent and accessible way and will continue to develop our website to ensure further clarity in this area."

Dr Katrina Herren, medical director of Bupa Health Funding UK, said: "Bupa uses NHS clinical data to support the NHS with services like population health management, and also for benchmarking purposes.

"The government publishes very clear rules on how we can use the data, and we adhere to the highest standards of information governance when handling confidential information."

• This article was amended on 21 May 2013 to restore a sentence, lost during the editing process, which made clear that once organisations have been approved, they must apply to see identifiable data. The headline was also amended to reflect this.


Randeep Ramesh, social affairs editor

The GuardianTramp

Related Content

Letters: NHS data safeguards
Letters: There are important legal and ethical safeguards that ensure patient confidentiality and never – as your article implied – casual or secret routes for commercial companies to break these rules

27, May, 2013 @7:59 PM

Article image
NHS patient data audit uncovers 'significant lapses' in confidentiality
HSCIC starts spot checks after failures including researchers getting patient-identifiable data without approval

Randeep Ramesh, social affairs editor

17, Jun, 2014 @12:27 PM

Article image
NHS patient data to be made available for sale to drug and insurance firms

Privacy experts warn there will be no way for public to work out who has their medical records or how they are using it

Randeep Ramesh, social affairs editor

19, Jan, 2014 @9:34 PM

Article image
Royal Free breached UK data law in 1.6m patient deal with Google's DeepMind
Information Commissioner’s Office rules record transfer from London hospital to AI company failed to comply with Data Protection Act

Alex Hern

03, Jul, 2017 @2:01 PM

Article image
NHS to scrap single database of patients' medical details
Care.data scheme to close after Fiona Caldicott review calls for tougher measures to keep information confidential

Sarah Boseley Health editor

06, Jul, 2016 @3:58 PM

Article image
Revealed: how drugs giants can access your health records
Experts say information sold on by Department of Health and Social Care can be traced back to individual medical records

Toby Helm Political Editor

08, Feb, 2020 @9:03 PM

Article image
UK government using confidential patient data in coronavirus response
Exclusive: Documents seen by Guardian show tech firms using information to build ‘Covid-19 datastore’

Paul Lewis, David Conn and David Pegg

12, Apr, 2020 @4:30 PM

Article image
Fears of patient data leak prompt inquiry into mapping website

Website search service is shut down by authorities in incident that has fuelled demands to halt data sharing scheme

Randeep Ramesh, social affairs editor

03, Mar, 2014 @10:10 PM

Article image
More NHS patients being treated by private firms, survey finds

Labour policy allowing private health firms to be paid from state funds has resulted in their share of NHS patients grow rapidly

Denis Campbell, health correspondent

19, Nov, 2012 @12:01 AM

Article image
Patient data must be safeguarded | Letters
Letters: We believe information from patient records has huge potential to save and improve lives but privacy concerns must be taken seriously


27, Jul, 2015 @6:47 PM