Hundreds of organisations, including drug companies, private healthcare providers and universities, have breached patient data sharing agreements but not had their access to patient data withdrawn, a report reveals.
“High risk” breaches were revealed to have occurred at healthcare groups, pharmaceutical giants and educational institutions including Virgin Care, GlaxoSmithKline (GSK) and Imperial College London, during audits by NHS Digital, according to an investigation by the British Medical Journal (BMJ).
This means these organisations were handling information outside the remit agreed in data contracts and may be failing to protect confidentiality, the journal said.
In one instance, local NHS commissioners allowed sensitive, identifiable patient data to be released to Virgin Care without permission from NHS Digital. When auditors tried to gain access to Virgin Care to check its compliance, they were denied access for several weeks and the company refused to delete the patient data, the BMJ reported.
Records about mental health (including those of children and young people), people with learning disabilities, diagnostic imaging and other confidential patient data were being processed outside the scope of the objectives agreed with NHS Digital, at an address that had not been agreed, and without a data sharing contract.
A spokesperson for Virgin Care said it had “robust data protection in place”.
“It is outrageous that private companies and university research teams are failing to comply,” said Kingsley Manning, the former chair of NHS Digital. “How is it that these organisations can be so lax with data?”
The BMJ’s analysis of NHS Digital audits found that in the past year 33 organisations were audited and each one had breached data sharing agreements. Hundreds more have been found in breach since audits began in 2015.
GSK was found to be at high risk regarding “compliance, duty of care, confidentiality, and integrity” by NHS Digital’s auditors in December 2021. It had breached the terms of its data sharing agreement with NHS Digital in 10 ways, including allowing four unauthorised GSK data analysts in North America to access the patient data. GSK also processed and stored NHS patient data in locations that had not been declared, according to the BMJ.
A GSK spokesperson told the Guardian the company had “worked hard” to ensure “all of their recent audit findings have been fully addressed”, adding: “This is reflected by NHS Digital’s decision to reassess GSK’s risk rating as ‘low’.”
A health research unit at Imperial College London was also deemed high risk in August 2021. Identifiable, sensitive patient data was not encrypted while in transit between the primary datacentre and the backup site. Two doctoral students were also given unauthorised access to the data supplied by NHS Digital, the BMJ reported. Imperial College London said it “fully accepted” the findings of this audit and had “quickly put in place an action plan to tackle the matters raised”.
None of the organisations had their access to NHS Digital’s data curtailed in light of the breaches. NHS Digital said it was working with the organisations to rectify problems.
“These breaches will damage public trust that data is being handled safely and securely,” said Natalie Banner, the former lead for the Understanding Patient Data initiative hosted by Wellcome. “The current system is failing to protect data adequately and a major policy shift and investment is needed.”
Phil Booth, coordinator of campaigning group medConfidential, called for real consequences if companies, commissioners and research teams breach their agreements, warning that breaches of data sharing contracts would otherwise be meaningless.
He said: “These contractual requirements aren’t just for fun: a single data breach could include sensitive information about millions of patients.”