UK: How to Opt Out of the NHS Data Sharing Project

Protesters with signs at an NHS protest

Everyone expects doctor-patient confidentiality when visiting their GP. However, an upcoming NHS (UK National Health Service) project will share your medical history directly with third parties unless you opt out of NHS data sharing. From July 1 2021, NHS England will collate the medical records of around 55 million NHS patients. This confidential patient information will be available in a digital database for third parties who want to utilise it for academic and commercial purposes.

If this is the first you’re hearing about the project, then you’re not alone. The British Medical Association and Royal College of General Practitioners have already expressed concern that the UK public has not been given enough warning about the changes.

Why the NHS is Sharing Your Data

The new NHS project is known as “General Practice Data for Planning and Research.” GP surgeries across the country will transfer patient data to a central store. Data will be made available to third parties for a range of purposes, including planning and research. According to NHS Digital, some of the benefits will include:

  • informing and developing health and social care policy
  • planning and commissioning health and care services
  • taking steps to protect public health (including managing and monitoring the coronavirus pandemic)
  • in exceptional circumstances, providing patients with individual care
  • enabling healthcare and scientific research

The NHS has insisted that any agency wishing to use the data will have to be approved. However, it’s still unclear exactly who will access this data and for what purpose; the term “third party” is very broad.

Information that the NHS will share

The scope of data is quite extensive. Data gathered from GP surgeries will include details about physical, mental, and sexual health. The full list includes:

  • your sexual orientation, gender, and ethnicity
  • reported symptoms, diagnoses, and observations
  • medications prescribed
  • allergies
  • immunisations and test results
  • referrals and appointments
  • information about the healthcare professionals who treated you

What’s more, while the NHS is not sharing your name and full address, they will share some identifiable data. This includes your NHS number, GP surgery identifier, postcode, and date of birth. They’ll encrypt this information; however, NHS Digital’s website explains how they will have the ability to:

“convert the unique codes back to data that could directly identify patients in certain circumstances, and where there is a valid legal reason.” – NHS Digital

So, rather than the NHS not sharing your personal, identifiable data, it will be – in an encrypted format. Therefore, the data could still be open to abuse if the wrong kind of organisation gained access. It could also be susceptible to data breaches that could see patient data fall into the wrong hands.

Information that the NHS won’t share

The NHS will not be including all data in their project. Such data will not include:

  • written notes from conversations with a healthcare professional
  • any stored images, letters, and other documents
  • certain sensitive information, including IVF treatment and gender reassignment
  • older data, including medication, referral and appointment data more than 10 years old

Have there been NHS data breaches before?

There’s no telling whether the data in question could leak into the wrong hands in future. However, it would not be the first time that an NHS data breach has occurred. Below, you’ll find just a few of the most recent data breaches to affect the National Health Service:

How to Opt-Out of NHS Data Sharing

If you’d prefer not to share your data, don’t worry: you can opt out. You’ll need to tell your GP practice that you want to opt out of NHS data sharing. NHS England will not share any data where a patient has opted out of the program.

This kind of opt-out is known as a “Type 1 Opt-out” and can be done by downloading this form. You’ll need to return the completed form in person or via email, but remember to do so before the recommended date of June 23rd 2021. This is to allow for processing time before data collection begins on July 1st.

Cybersecurity analyst
David is a cybersecurity analyst and one of the founders of Since 2014 he has been gaining international experience working with governments, NGOs, and the private sector as a cybersecurity and VPN expert and advisor.