In June, after waves of controversy, the government announced a two-month delay to the creation of a central NHS digital database from GP records in England. If you hadn’t heard about the database, you are probably not alone. The objectives are well-meaning, but the implications for sharing have given rise to concerns and led to the matter being described as a ‘data grab’ by some commentators.
The data collection process for the database was meant to begin on 1 July, but this has now been stalled until September. Here’s everything you need to know about the new system.
What’s the NHS ‘data grab’?
The NHS already collects patient information to improve health and care services via a 10-year-old system called the General Practice Extraction Service (“GPES”). Because this system is old, the NHS wants to update with a new one: The General Practice Data for Planning and Research (“GPDPR”). As the name insinuates, the new system will collect patient medical data and, in certain instances, share it with third parties for research purposes.
Under the GPDPR, patient data from GP surgeries across England will be collected and stored in a centralised database. The data will include records from up to 10 years ago, and include sensitive data relating to: sex, ethnicity, medication, diagnoses information and other information about physical, mental and sexual health. The data will not include names and addresses.
Why does the NHS want my data?
In the transparency notice about the GPDPR, the NHS explained that the new system will “support vital health and care planning and research.” In essence, the NHS will use people’s data for pattern and trend analysis. Principally, this could help the NHS to improve healthcare services, monitor the impact of COVID-19 on the population, and even find cures for new diseases.
As an example, the NHS referenced how patient data has helped to prove there is no association between the MMR vaccine and the development of autism, as well as to confirm the safety of the meningococcal group B vaccine.
Who receives the data?
While this sounds promising in principle, there is currently a lack of transparency and information regarding exactly which research organisations will receive patient data – and what data they will receive.
As Alex Norris, shadow minister for primary care, put: “I echo concerns from across the health sector that the lack of transparency on which organisations can access this personal data is deeply concerning. Patients need to be made fully aware of which of their data is available for access and by whom.”
In a public information leaflet about the GPDPR, the NHS emphasised that it “does not sell data.” However, it also explained that it will charge third-party organisations for access to the data, as a means to cover the costs of the service, but not for a profit.
The NHS specified that these third-party organisations will be restricted to companies that have “a legal basis and meet strict criteria to use [patient data]” for use cases like research, policy development, and care planning.”
The type of data shared will exclude names, addresses, interactions between patients and their consultants, as well as legally restricted data relating to IVF treatments and gender reassignment. On the other hand, data about sex, ethnicity, sexual orientation, diagnoses, symptoms, test results, medications, allergies, and more may be shared.
How is my data stored?
Details on how patient data will be secured have so far been ambiguous. Regarding data that identifies patients, the NHS stated that this will pseudonymised and encrypted before being stored in the database. Pseudonymisation is a data protection process that replaces data with unique codes so that it cannot be identified.
However, the NHS noted that this data could later be converted back to directly identifiable data, although they will need a valid legal reason to do so.
What’s the controversy?
The less than transparent and seemingly hush-hush nature of the rollout has led to widespread criticism from the media, politicians, health officials and privacy experts. For example, the British Medical Association and Royal College of General Practitioners shared that they were concerned “about the lack of communication with the public.”
Similarly, the Doctors’ Association UK (“DAUK”), was worried that the swift and mostly silent rollout could “erode the doctor/patient relationship, leaving patients reluctant to share their problems due to fears of where their data will be shared”.
The UK’s Information Commissioner also welcomed a delay, stating: “it is clear that there remains considerable confusion regarding the scope and nature of the GPDPR, among both healthcare practitioners and the general public. This includes how data protection rights can be exercised in practice. It is sensible for NHS Digital to take more time to engage with its stakeholders, and consider the feedback it is receiving about its plans.”
These concerns appear to have been heard and the NHS has now delayed the rollout of the system until September. It’s expected that this extra time will be used to create an informative public campaign about the GPDPR to notify patients about the scheme, inform them of their choices and articulate the benefits and risks of data sharing.
However, other critics of the system are less apprehensive about a lack of communication and more about security. There are concerns that such a huge pool of lucrative, sensitive data could be a welcome target for cyber-criminals. If the system suffered a data breach, the fallout could be huge.
Whilst the GPDPR has become controversial in the manner of its rollout, the objectives are well-intentioned. The next steps appear to require better communication about the programme, improved transparency around how the data will be shared and secured, and more information on how individuals can opt-out – if they wish to do so.
Hot on the heels of the GPDPR delay, the Government published the draft health data strategy – Data saves lives: reshaping health and social care with data – for consultation on 22nd June. This strategy is separate to the GPDPR. It is a ten-year plan to “harness the potential of data in health and care, while maintaining the highest standards of privacy and ethics.”
In its announcement about the draft, the Government explained that it is looking to “enable full and open engagement on the commitments made”, indicating, perhaps, a learning about the need for openness and feedback when it comes to any plans for processing sensitive patient data.
We will be publishing our overview of the Data saves lives draft strategy in due course, so stay tuned for more information.