This month, the National Health Service (NHS) in England will bombard all 26.5 million households in the country with an innocuous-looking information flyer. In soothing tones the leaflet, entitled ‘Better Information Means Better Care’, announces changes to the way that health officials will handle confidential medical records to “improve the quality of care and health services for all”.

The name of the programme is care.data — not that you would know that from the leaflet, which neglects to mention it. From this spring, information from medical consultations, for example on diagnoses and treatments prescribed, that was once confidential between a person and their doctor, will be uploaded to a central database. There it will be combined with hospital and other medical records. This will become one of the world’s most complete databases on the health care of patients. Initially, the data will be used to help health authorities to manage NHS resources, but the plan is to eventually open up the database to researchers and private companies. The importance for research and the medical opportunities afforded by such a unique joined-up resource cannot be overestimated. Nature fully supports such an endeavour, and this journal spoke out in May 2013 when proposed changes to European data-protection laws threatened the usefulness of projects such as this latest one (see Nature 497, 287; 2013).

The removal of identifiers is an essential step in protecting data, but it is far from foolproof.

The key, as always, is consent. The information at stake here is not genomic clues to future health risks — already the subject of fierce debate — but sensitive data on past and current medical conditions. What the government leaflet fails to highlight is the real threat to privacy and the possible consequences. Worse, the public-relations exercise carried out by the government to stress the programme’s benefits has if anything increased the backlash from privacy campaigners, who are now highlighting the risks and urging people not to participate. An unfortunate false choice has been established, between scientific progress on one side and protection of privacy on the other.

The government did not initially intend even to allow individuals to opt out of having their data centralized in this way, which would have flown in the face of the most basic principles of privacy and informed consent. The leaflet now states, “You have a choice”, but the government seems to have made it as difficult as possible for people to exercise that right. They must explicitly contact their local doctor to opt out — a requirement that seems a sure way to make certain that most won’t bother, and so will be opted in by default. UK medical charities, including the Wellcome Trust, have launched their own advertising campaign in support of care.data, which, although it validly highlights many of the research opportunities of such big data, also fails to mention sufficiently prominently that an opt-out option exists, and indeed seems intended to try to reduce the number of people who opt out.

Maximizing the number of people entering the programme is clearly a noble goal. But one cannot help but get the uncomfortable impression that, in their enthusiasm to amass these data, the authorities are using sleight of hand and paying lip service to the principles of informed consent. Inconvenient as it may be, and even if it has some negative effects on the utility of the database, the opt-out option to care.data should be prominently displayed, and facilitated.

The public-relations campaigns also break the first rule of risk communication, which is to state clearly any potential, even if remote, risks. They are far too reassuring, for example, that people’s personal data are in safe hands and will be well protected from abuse. Under the programme, personally identifiable data will be stored securely by the Health and Social Care Information Centre in Leeds, which will review requests for them. Most will be made available only after being pseudonymized — a process by which data are stripped of information that would otherwise easily allow identification of the data’s personal provenance.

This removal of identifiers is an essential step in protecting data, but it is far from foolproof, and a determined effort can often re-identify pseudonymized data. Furthermore, the Health and Social Care Information Centre’s store of personally identifiable data is not immune from hacking or other intrusions. No doubt much thought has gone into protecting the data to high standards, but overly reassuring the population that its personal data are safe is an invitation to public disillusionment in the system down the road.

The potential gains for health authorities and researchers from patient-level data are immense. But both should be insisting on the spirit of informed consent — clearer, more-upfront information and greater visibility given to people’s right to opt out would be a good start.