Hospital records sold to insurance companies – in breach of the Data Protection Act?

I’ve asked the ICO to assess whether the sale of millions of health records to insurance companies so that they could “refine” their premiums was compliant with the law

I’m about to disclose some sensitive personal data: I have been to hospital a few times over recent years…along with 47 million other people, whose records from these visits, according to reports in the media, were sold to an actuarial society for insurance premium purposes. The Telegraph reports

a report by a major UK insurance society discloses that it was able to obtain 13 years of hospital data – covering 47 million patients – in order to help companies “refine” their premiums.

As a result they recommended an increase in the costs of policies for thousands of customers last year. The report by the Staple Inn Actuarial Society – a major organisation for UK insurers – details how it was able to use NHS data covering all hospital in-patient stays between 1997 and 2010 to track the medical histories of patients, identified by date of birth and postcode.

I don’t know if this use of my sensitive personal data (if it was indeed my personal data) was in compliance with the Data Protection Act 1998 (DPA), although sadly I suspect that it was, but section 42 of the DPA allows a data subject to request the Information Commissioner to make an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of the DPA. So that’s what I’ve done:


As a data subject with a number of hospital episodes over recent years I am disturbed to hear that the Hospital Episode Statistics (HES) of potentially 47 million patients were disclosed to Staple Inn Actuarial Society (SIAS), apparently for the purposes of helping insurance companies “refine” their premiums. I became aware of this through reports in the media (e.g. I am asking, pursuant to my right under section 42 of the Data Protection Act 1998, the ICO to assess whether various parts of this process were in compliance with the relevant data controllers’ obligations under the DPA:

1) I was not aware, until relatively recently, that HESs were provided to the HSCIC – was this disclosure by hospitals compliant with their DPA obligations?

2) Was the general processing (e.g. retention, manipulation, anonymisation, pseudonymisation) of this personal data compliant with HSCIC’s or, to the extent that HSCIC is a data processor to NHS England’s data controller, NHS England’s DPA obligations?

3) Was the disclosure of what appears to have been sensitive personal data (I note the broad definition of “personal data”, and your own guidance on anonymisation) to SIAS compliant with HSCIC’s (or NHS England’s) DPA obligations

4) Was SIAS’s subsequent processing of this sensitive personal data compliant with its DPA obligations?

You will appreciate that I do not have access to some information, so it may be that when I refer to HSCIC or NHS England or SIAS I should refer to predecessor organisations.

Please let me know if you need any further information to make this assessment.

with best wishes, Jon Baines

We’ve been told on a number of occasions recently that we shouldn’t be worried about our GP records being uploaded to HSCIC under the initiative, because our hospital records have been used in this way for so long. Clare Gerada, former Chair of the Council of the Royal College of General Practitioners wrote in the BMJ that

for 25 years, hospital data have been handled securely with a suite of legal safeguards to protect confidentiality—the exact same safeguards that will continue to be applied when primary care data are added

Well, it seems to me that those legal safeguards might have failed to prevent (indeed, might have actively permitted) a breach involving 47 million records. I’m very interested to know what the Information Commissioner’s assessment will be.

UPDATE: 24 February 2014

An ICO spokesperson later said:

“We’re aware of this story, and will be gathering more information – specifically around whether the information had been anonymised – before deciding what action to take.”

UPDATE: 25 February 2014

At the Health Select Committee hearing into the initiative HSCIC and NHS England representatives appeared not to know much about what data was disclosed, and in what circumstances, and effectively blamed NHSIC as a predecessor organisation. This echoed the statement from HSCIC the previous evening

The HSCIC believes greater scrutiny should have been applied by our predecessor body prior to an instance where data was shared with an actuarial society

UPDATE: 27 February 2014

GP and Clinical Lecturer Anne Marie Cunningham has an excellent post on what types of data were apparently disclosed by NHSIC (or HSCIC), and subsequently processed by, or on behalf, of SIAS. I would recommend reading the comments as well. It does seems to me that we may still be talking about pseudonymised personal data, which would mean that the relevant data controllers still had obligations under the DPA, and the ICO would have jurisdiction to investigate, and, if necessary, take regulatory action.

See also Tony Hirst’s blog posts on the subject . These are extremely complex issues, but, at a time when the future of the sharing and linking of health and other data is being hotly debated, and when the ICO is seeking feedback on its Anonymisation Code of Practice, they are profoundly important ones.

UPDATE: 14 March 2014

The ICO has kindly acknowledged receipt of my request for assessment, saying it has been passed to their health sector team for “further detailed consideration”.

UPDATE: 24 May 2014

Er, there is no real update. There was a slight hiccup, when the ICO told me it was not making an assessment because “[it] is already aware of this issue and is investigating them accordingly. Given that we do not necessarily require individual complaints to take consider taking further action your case is closed”. After I queried the legal basis for failing to make a section 42 assessment as requested, the position was “clarified”:

…we will make an assessment in relation to this case, however we are unable to do so at this present time…This is because the office is currently investigating whether, as alleged in the media, actual personal data has been shared by the HSCIC to various other organisations including Staple Inn, PA consulting and Google

I don’t criticise the ICO for taking its time to investigate: it involves a complicated assessment of whether the data disclosed was personal data. In a piece I wrote recently for the Society of Computers and Law I described the question of whether data is anonymous or not as a “profound debate”. And it is also highly complex. But what this delay, in assessing just one aspect of health data disclosure, does show, is that the arbitrary six-month delay to the implementation of was never going to be sufficient to deal with all the issues, and sufficiently assure the public, and medical practitioners, to enable it to proceed. A vote on 23 May by the BMA’s Local Medical Committee’s conference emphatically illustrates this.


Filed under, Confidentiality, Data Protection, data sharing, Information Commissioner, NHS, Privacy

13 responses to “Hospital records sold to insurance companies – in breach of the Data Protection Act?

  1. As part of a session on primary care data in the Health Informatics module on the Imperial Master of Public Health Programme, I asked students to work in two groups to present arguments for and against the NHS Care.Data programme. The aims to make them better informed about the programme. See:

  2. Sara

    Hi Jon

    Do you mind if I use your letter to register my own concerns with the ICO? Perhaps we should suggest that all tweeters who are concerned do the same thing. Bombarding the ICO with concerns would create an important storm around this issue. What do you think?


  3. David Stone

    I am slightly wary of wading in amongst this learned crowd, but to me, your blog raises two issues:
    1. To what extent do you consider HES data to be personal data, as defined by DPA?
    The HES data sets are defined here: and, in NHS speak, would not be identifiable data per se, except the inclusion of the NHS Number, which is normally considered an identifier, but requires special permission from an oversight group before release. I can’t see from the report if the data set here included this reference. The Caldicott Report appendix 5 provides some indicators, but the NHS ISB Pseudonymisation guidance is more comprehensive about what is, or is not, identifiable in context..

    Further, current practice is to contractually require that data sets are not linked, although the report does not make clear what data items were used to link, or if this was generalised by super output area (the first part of a post code).

    2. To what extent the data transfer was lawful?
    Ignoring the legal position at the time of the release (as I don’t know if the NHS number was included or not), the new NHS world is very different.

    HSCIC can satisfy principle 1 schedule 2(5)b and 3(7)b through powers in the Act for its own processing, but struggles with the Common Law. Currently, most flows that include the NHS number have the Common Law set aside through s251 of the NHS Act 2006 and accompanying regulation.

    Further, much of the HSCIC data collection power depends on receiving a request. Requests are mandated if from certain requesters, or can be more widely considered, subject to a set of rules. Almost a year in to the new Act, no valid directions have been issued by NHS England (one of the bodies that can mandate data collection) to HSCIC, although I might of missed one.

    From an NHS perspective, the powers of HSCIC, NHS England and others are still being explored. There are lofty ambitions for the beneficial use of data and, whilst seen through the lens of some media a conspiracy may appear, this agenda has genuinely been pushed by scientists that want to help society. I have even heard very senior figures refer to the use of NHS data as the social benefit of health provided free at the point of delivery.

    The biggest problem I see is the struggle to be transparent – what they really need is better communications

    • Hi David

      Feel free to wade in – I suspect you’re a damn sight more learned than I am on this subject. In asnwer to “To what extent do you consider HES data to be personal data, as defined by DPA?” and “To what extent the data transfer was lawful?” I don’t yet know the question, and I’m not being facetious when I say that that is why I’ve asked the ICO (that’s what section 42 DPA is for). Data subjects aren’t necessarily going to have the information (or power to gather that information) in order to assess the lawfulness of processing.

      That said, I am trying to find out as much as I can, to inform myself, and thanks for your contribution.

      • David Stone

        I think this is where the whole thing comes unstuck (nicely summarised by Ben Goldacre:

        As far as I can tell, there isn’t a problem satisfying DPA. There is a problem satisfying the common law (hence the leaflet drop) and there is a massive problem with communications/making the case, which includes assurance and benefits.

        The problem is that you get misinformation (such as the Telegraph article). If you read the comments on their pages it is clear people feel violated, but the data SHOULDN’T allow them to be identified and/or is of no biographical significance. Since 1st April, the Health and Social Care Act says that HSCIC are prohibited from publishing such data – strong words.

        Nevertheless, many criticisms are fair in that the void in clear thought through guidance has left people free to wildly speculate. I hope that the team at the centre recognise this and rapidly close the gap with robust governance and transparent communications.

  4. David. The data sold by the NHS was NOT anonymous because it contained at least postcode and date of birth, thereby allowing identification of individuals to whom the data referred. This data is classified as sensitive personal data under the Data Protection Act 1998:

    c. 29 Part I: Sensitive personal data, Section 2 states:
    In this Act “sensitive personal data” means personal data consisting of information as to—
    (e) his physical or mental health or condition

    and under c.29 Schedule I, Part I, Principles (First Principle), data should only be processed if at least one condition is met under Schedules 2 & 3. This is not the case and therefore the Data Protection Act was breached.

    The really BIG question here is that laws were broken in selling that data. Therefore the ICO should force the Staple Inn Actuarial Society and any insurance companies in possession of such data to immediately DELETE it.

    The Staple Inn Actuarial Society must have made an information request to have the data in the first place, so they are also guilty of breaking the law along with the NHS.

    The data in question is from the period between 1997 and 2010.

    The laws which have been breached are:

    The National Health Service Act 2006
    The Access to Health Records Act 1990
    The Human Rights Act 1998

    as the data was actually sold in 2012.

    The access to medical data is also reinforced by The Health and Social Care Act 2012 which came into force on 1st April 2013, therefore not applicable to the data sold.

  5. Pingback: Why no prison sentences for misuse of medical data? | inforightsandwrongs

  6. Pingback: Health data breaches – missing the point? | inforightsandwrongs

  7. Pingback: We thought you cared(ata) | inforightsandwrongs

  8. Pingback: The Partridge Review reveals apparently huge data protection breaches | informationrightsandwrongs

  9. Pingback: The wrong test for anonymisation? | informationrightsandwrongs

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s