Data despatched to NHS, research and private organisations was made vulnerable by inadequate NHS Digital procedures.
Around two-thirds of the data releases from the company between April and August this year included inappropriate information about patients.
1.2 million individuals who have asked for their records not to be shared, other than in circumstances related to direct care, were affected by this issue.
The data was despatched to NHS, research and private organisations.
A public debate is now brewing on whether or not opt outs should apply to these releases.
NHS Digital has argued that it has acted illegally at all times, regardless of respecting the actual wishes of patients.
The organisation believes that it has actually behaved in the best interests of patients, and a spokeswoman for the organisation has argued that there is minimal risk of confidentiality issues from the released data.
Furthermore, NHS Digital has stated that it has ensured that the data has been made anonymous, in accordance with the Information Commissioner’s Office’s code of practice
But the privacy rights campaign group, MedConfidential, suggested that the reports indicated that privacy is not being taken seriously enough, and that “opt outs are not being respected. This goes directly against what patients think is happening when they opt out of their data being shared for reasons beyond direct care”.
The group argues that standards of anonymisation have not been met by NHS Digital.
Commenting further on the issue, coordinator Phil Booth reassured those concerned about the reports that full datasets would eventually be made available to researchers.
“There are perfectly good reasons why some researchers may sometimes require an entire data set, including those who have opted out. Researchers who have a legitimate reason to obtain the full data set can do this by getting permission from the confidential advisory group.”
Releases to private firms have been considered particularly worrying, with around 200 of the releases made without opt-outs being actioned having involved private firms such as Capita.
Booth concluded that the issue will be considered extremely serious by health service observers.
“After the Care.data debacle, this will only make people further question whether or not the NHS can be trusted with patients’ confidential and sensitive data.”
Responding to the report, an NHS Digital spokeswoman stated that nothing underhand nor concerning had occurred.
“Our public register details all data releases shared under agreement with organisations, the vast majority of whom are NHS, university or charity bodies. The register includes a very significant number of releases that are anonymised in line with the ICO code of practice, which means the type two opt out is not required given the data is not confidential patient information.”
The spokeswoman further underlined future initiatives related to this issue.
“We are absolutely committed to upholding patient opt-outs and continue to do so in line with legislation and working closely with bodies like the ICO and the [national data guardian]. We are also committed to making details of what we do public, which is why we added the application of opt outs to the register.”