NHS Improvement urged hospitals to work with Experian to check whether patients could receive free treatment, in a bid to tackle overseas health tourism.
Documents seen by the Health Service Journal (HSJ) and PA news agency showed NHS Improvement admitting it had not carried out its own assessment of whether the move would break data protection rules.
In January, an email was sent to 51 NHS trusts which are being supported to recover money from patients who may not be eligible for free treatment.
It said: “We are offering you the opportunity to participate in a research and development pilot exercise being run by Experian.”
Experian was already working with Lewisham and Greenwich Trust to check which patients might be charged for treatment.
The NHS Improvement email said the pilot would involve “running checks on historical data to confirm residency by matching an individual to an address by using a patient’s digital footprint and then analysing credit bureaux for other aspects which could ‘disprove’ residency against other economic activity, potentially identifying ex-pats and other health tourists.
“Information required would be name, address, date of birth, preferably and NHS number, email address and phone number. Clinical or other sensitive information is not required.”
The email said the aim of the pilot was to “refine a system that can conduct bulk residency checks on all admissions and referrals in secondary care”, including to establish whether “this is an economically viable solution for use in all trusts”.
But, following concerns raised by NHS trusts about breaches of data protection laws, NHS Improvement issued a frequently asked questions document in May.
It said trusts must seek their own legal advice on whether carrying out checks with the use of Experian was lawful.
NHS Improvement said it had not completed its own data protection impact assessment.
“The agreements to conduct the pilot are between the trust and Experian,” it said.
“NHS Improvement has not reviewed Experian’s processes and data sharing agreements for compliance either with GDPR (General Data Protection Regulation) or Caldicott principles.”
It told NHS trusts that “privacy statement notices need to be updated to explain the purposes for which data is being collected and used”.
An email from a member of staff at Experian in the summer, seen by HSJ, said several trusts had shared data with it as part of a pilot.
However, when HSJ approached Experian last week, the firm said a pilot with the NHS had been “discontinued” and “there are currently no plans to extend the services we provide in this area to other trusts”.
An Experian spokesman told HSJ: “Experian currently works with one NHS trust to help them verify the identity of patients.
“The trust submits lists of patient details in order for us to cross reference and check whether they are residents in the UK, and therefore eligible for services. This process is similar to most standard residency checking services.
“The information used in this process is subject to strict industry guidelines.
“And it is not used for any other purpose than helping the NHS trust identify potential overseas patients, who may be required to pay for treatment under NHS guidelines.”
Phil Booth, from data privacy campaign group Med Confidential, told HSJ: “People who go to the NHS do not expect their data to be handed over to a credit finance agency.
“It is extraordinary that a national body, not having even determined the legality of what they are doing, appear to be doing everything they can through this carefully designed process to wash their hands of any consequences and put them on to any trust foolish enough to join this pilot.”
An NHS Improvement spokesman said: “Eligibility for free NHS care is based on ordinary residence within the UK, and trusts are required by law to apply this.”
Figures show that, at the end of March this year, the NHS had recovered £127m from overseas patients compared with £116.5m at the end of March last year.