Hundreds of organisations breached patient data rules, reveals BMJ
Hundreds of organisations, including drug companies, private healthcare providers and universities, have breached patient data sharing agreements but not had their access to patient data withdrawn, a report reveals.
“High risk” breaches were revealed to have occurred at healthcare groups, pharmaceutical giants and educational institutions including Virgin Care, GlaxoSmithKline (GSK) and Imperial College London, during audits by NHS Digital, according to an investigation by the BMJ.
This means these organisations were handling information outside the remit agreed in data contracts and may be failing to protect confidentiality, the journal said.
In one instance, local NHS commissioners allowed sensitive, identifiable patient data to be released to Virgin Care without permission from NHS Digital. When auditors tried to get access to Virgin Care to check their compliance, they were denied access for several weeks and the company refused to delete the patient data, the BMJ reported.
Records about mental health, including children and young people, those with learning disabilities, diagnostic imaging and other confidential patient data was being processed outside the scope of objectives agreed with NHS Digital, at an address that had not been agreed, and without a data sharing contract.
A spokesperson for Virgin Care said it had “robust data protection in place”.
“It is outrageous that private companies and university research teams are failing to comply,” said Kingsley Manning, the former chair of NHS Digital. “How is it that these organisations can be so lax with data?”
Source: The Guardian, 11 May 2022