Tag: health data rights uk

  • NHS App, Wearables and Patient Data: Who Actually Owns Your Health Information in the UK

    NHS App, Wearables and Patient Data: Who Actually Owns Your Health Information in the UK

    Most people download the NHS App, link a wearable, and move on without reading a single line of the privacy policy. That is completely understandable. But given how much sensitive health information flows between your phone, your GP surgery, third-party apps and commercial data brokers, it is worth spending five minutes understanding what is actually happening to that data and what rights you genuinely hold.

    The short answer to “who owns your health information” is: you do, in principle. The longer answer involves NHS trusts, private app developers, cloud storage agreements, and a patchwork of consents most of us click through without thinking. Let us be specific about each layer.

    Woman reviewing NHS app health data privacy UK settings on smartphone with smartwatch on wrist
    Woman reviewing NHS app health data privacy UK settings on smartphone with smartwatch on wrist

    What Does the NHS App Actually Store and Share?

    The NHS App gives patients in England access to GP records, appointment booking, repeat prescriptions, and increasingly, hospital referral letters. It is run directly by NHS England, which means the core platform is governed by strict NHS data policies and UK GDPR. Your GP record data is held by NHS England under a legal basis of public task, not consent, which means you cannot simply opt out and have it deleted in the way you might with a commercial app.

    Where it gets more complicated is third-party integrations. The NHS App marketplace now includes services from private providers offering things like online consultations, pharmacy delivery, and mental health support. Each of these has its own privacy policy, its own data controller status, and its own relationship with your information. When you tap “connect” on one of these services, you are entering a separate contractual relationship that operates partly outside NHS data governance.

    The Information Commissioner’s Office (ICO) provides clear guidance on health data processing under UK GDPR, classifying health information as special category data requiring explicit consent or another specific lawful basis. That framework exists. The question is whether it is being applied consistently across every app integration.

    NHS App Health Data Privacy UK: The Third-Party App Problem

    Consumer health apps operating outside the formal NHS structure present a murkier picture. Apps that connect to NHS login or pull data from Apple Health, Google Health Connect, or Fitbit do so under whatever terms you agreed to when you set up each platform. A step count from your smartwatch, combined with your sleep pattern, heart rate variability, and menstrual cycle tracking, creates a detailed health profile that can be more revealing than a single GP consultation.

    In 2023, research from University College London found that several popular health apps shared user data with advertising networks despite claiming not to. Whilst the regulatory picture has tightened since then, the underlying business model for many free health apps remains data monetisation. If an app is free and it has investors, the question worth asking is where the revenue actually comes from.

    Smartwatch and privacy document representing NHS app health data privacy UK concerns
    Smartwatch and privacy document representing NHS app health data privacy UK concerns

    Wearables complicate this further. Garmin, Fitbit (owned by Google), Apple Watch and Samsung Galaxy Watch all store health data on servers that may sit outside the UK. Under UK GDPR, data transferred internationally must have adequate protections in place, but enforcement of this in practice remains inconsistent. The ICO has the power to investigate and fine, but consumer complaints are rarely the trigger for action.

    What UK GDPR Actually Gives You

    Under UK GDPR, you have several meaningful rights when it comes to your health data. You can request a subject access request (SAR), which means any organisation holding your data must provide a copy within one calendar month, free of charge. You have the right to rectification if something is incorrect, and in certain circumstances the right to erasure.

    For NHS data specifically, the right to erasure is more limited. Clinical records are retained for legal and clinical safety reasons, and NHS England is required to keep GP records for a minimum of ten years after a patient’s death. You cannot simply request deletion of your medical history from NHS systems. What you can do is opt out of your data being used for research and planning purposes via the national data opt-out, which is managed through your NHS login settings.

    For commercial apps and wearables, your erasure rights are stronger, provided the company is based in the UK or processes UK residents’ data. Submit a deletion request in writing, keep a copy, and if the company fails to respond within the statutory period, you can escalate directly to the ICO.

    The Data-Sharing Controversies Worth Knowing About

    The most significant UK controversy in recent years was the General Practice Data for Planning and Research (GPDPR) programme, which NHS Digital proposed in 2021. It would have extracted GP records from across England for use by researchers and, critically, commercial third parties. Public backlash and ICO scrutiny led to the programme being paused and subsequently redesigned with tighter controls. It demonstrated that public pressure and regulatory attention can shift NHS data policy.

    More recently, controversy has surrounded how private companies with NHS contracts handle patient data. Several NHS trusts have used software platforms from US-based companies, raising questions about data sovereignty. The Department of Health and Social Care has updated its guidance on cloud services, but critics argue enforcement lags far behind adoption.

    Practical Steps to Protect Your Health Data

    None of this means you should delete every health app and throw your wearable in the bin. The data these tools generate can be genuinely useful for managing long-term conditions, tracking fitness progress, and supporting mental health. The aim is informed use, not paranoia.

    A few concrete things worth doing. First, review the third-party connections in your NHS App settings and disconnect any services you no longer actively use. Second, check the privacy settings on your wearable platform and limit data sharing to the minimum necessary. Most platforms allow you to prevent data being used for product improvement or advertising if you look hard enough. Third, if a health app asks for access to contacts, location, or camera and cannot explain why it needs them, that is a meaningful red flag.

    For anyone managing a serious health condition, it is worth checking whether your consultant or specialist clinic uses NHS-governed systems or a private platform, and what the data retention policy is. You are entitled to ask. You are entitled to a clear answer.

    NHS app health data privacy UK is not a niche concern for civil liberties campaigners. It is a practical question that affects anyone who has ever booked a GP appointment online, used a smartwatch, or downloaded a wellbeing app. The rules exist to protect you. Knowing them is how you actually use them.

    Frequently Asked Questions

    Who legally owns my NHS health records in the UK?

    Your health records belong to the NHS organisation that created them, such as your GP surgery or NHS trust, not to you personally. However, under UK GDPR you have significant rights over that data, including the right to access it, correct inaccuracies, and in limited cases restrict its use. You do not have an absolute right to have clinical records deleted.

    Can third-party apps linked to the NHS App access my medical records?

    Only if you explicitly grant permission. When you connect a third-party service via the NHS App marketplace, that provider becomes a separate data controller with its own privacy policy. You should read that policy before connecting, and you can revoke access at any time through the NHS App settings.

    How do I opt out of my NHS data being used for research?

    You can register a national data opt-out through your NHS login or via the NHS website. This prevents your confidential patient data from being used for research and planning purposes outside your direct care. It does not affect the medical treatment you receive.

    Is my Fitbit or Apple Watch health data protected under UK law?

    If the company processes data about UK residents, UK GDPR applies regardless of where the company is based. You have rights including subject access, rectification, and erasure. In practice, enforcement across international platforms is complex, so reviewing and adjusting privacy settings within each app is your most immediate line of defence.

    What can I do if I think a health app has misused my data?

    First, submit a written complaint directly to the app’s data controller and request a response within one month. If they fail to respond adequately, you can file a complaint with the ICO at ico.org.uk, which has the authority to investigate and issue fines under UK GDPR. Keep records of all communications.