Thirteen NHS Trusts have been advised to terminate their agreements with clinical data analytics provider Sensyne Health and require that the company returns or deletes all NHS data it holds.
Earlier this month, Sensyne Health announced that it will delist from the AIM stock exchange, after warning investors that a cash flow shortfall threatened its ability to operate. The NHS Trusts are among the company’s shareholders, and health data campaign group medConfidential has advised that they take the opportunity to cut their ties.
Sensyne Health says its 48.3 million patient records, including 12.9 million from the UK, have been ‘anonymised’. But medConfidential contends that this data can in fact be linked to individual patients and could now be sold on.
In a letter to 13 NHS Trusts that together hold a 16.2% share in Sensyne Health, medConfidential advised that they take advantage of a termination clause in their agreements with Sensyne Health that allow them to cut ties in the event of a “change of ownership”. It also suggests they invoke the right to demand that any NHS data held by the company is destroyed or returned.
“Given the events that have now taken place … the responsible course of action for now is to terminate your agreements and require the return and/or deletion of the existing data held by Sensyne,” the letter advises.
The Trusts that own a share in Sensyne Health include Oxford University Hospitals NHS Trust, Royal Devon and Exeter NHS Foundation, Great Ormond Street Hospital for Children NHS Foundation Trust, George Eliot Hospital NHS Trust and Wye Valley NHS Trust.
What is Sensyne Health?
Sensyne Health provides a clinical data platform designed to support the development of new treatments. It describes its SENSEIGHT product as “the first data analytics platform to provide industrial scale access to de-identified real world data insights globally across multiple therapy areas”.
In a press release from Sensyne Health, an executive from The Royal Wolverhampton NHS Trust said that working with Sensyne Health would help it find “new and innovative ways to use data to drive care processes and contribute to vital health research”. In another, a director at Oxford Clinical Trials Research Unit said they are “excited by the potential for unique insights that may come from exploratory analyses of the anonymised clinical trial data using [Sensyne’s] proprietary machine learning algorithms”.
The company says that the patient records it handles are “de-identified”. Somerset NHS Foundation Trust, which has worked with Sensyne since 2020 and owns a 1.11% share in the company, says that any requests for patient records from Sensyne Health are reviewed by the Trust’s Caldicott Guardian (a senior officer responsible for healthcare information) and data protection officer.
If a request is approved, “our authorised data analysts then extract the requested data from our systems and anonymise it”, the Trust says. “This process is designed to create an anonymised dataset which contains no patient identifiable information.
“After we have completed this anonymisation process, we transfer it to Sensyne Health under encryption,” the Trust says. “Sensyne Health then applies further anonymising techniques before undertaking any analysis.”
But medConfidential says that these records are only “pseudonymised”, meaning the patient’s name is replaced by an anonymous patient ID. While this prevents researchers accidently seeing a patient’s identity, detailed healthcare records can be used to reidentify patients, it says.
“That being the case, patients have legal rights, eg to object to the processing of their data under UK GDPR,” medConfidential coordinator Phil Booth told Tech Monitor.
As a result, said Monika Sobiecki, partner at law firm Bindmans LLP, which is advising medConfidential, “those who operated on the presumption that neither Sensyne nor the NHS Trusts really had to do anything to comply with the UK GDPR and/or Data Protection Act 2018 because the data was anonymous (and so not ‘personal data’) are completely wrong”.
If Sensyne’s finances difficulties continue, Sobiecki added, it might consider selling the patient data on to a company inclined to re-identify patients.
The battle over patient records
medConfidential’s warning is the latest development in the ongoing debate about patient data and medical research. In March last year, the government laid out plans to bolster the country’s clinical research capabilities, in which data and AI play a central role. “Ground-breaking technologies, data and analytics will transform healthcare and save lives,” said then-health minister Matt Hancock.
But moves to make NHS data available to clinical researchers has been met with alarm from privacy campaigners. Last year, a plan to share GP data with researchers, General Practice Data for Planning and Research (GPDPR), was postponed following public outcry.
In April 2022, a review led by author Dr Ben Goldacre described the unrivalled potential for NHS data to advanced medical research. “For 73 years the NHS has collected detailed records and data, on tens of millions of patients, from a huge and ethnically diverse population,” it concluded. “This dataset – the full medical history of millions – contains almost unfathomable depth and potential.”
The commercial value of this dataset has not gone unnoticed. In a 2019 report, consulting firm EY estimated that “the value of the curated NHS data set could be as much as £5bn per annum, delivering around £4.6bn worth of benefit to patients per annum”.
This has some campaigners worried about the prospect of NHS patient data falling into private hands. The Goldacre Review warned that “concrete action” is needed on privacy and transparency. “Trust cannot be earned through communications and public engagement alone.”
In particular, it said, the NHS must ensure all “data policies actively acknowledge the shortcomings of ‘pseudonymisation’ and ‘trust’ as techniques to manage patient privacy: these outdated techniques cannot scale to support more users (academics, NHS analysts, and innovators) using ever more comprehensive patient data to save lives”.