The public remains largely unaware that their GP records will soon be made available to third parties through an NHS data-sharing initiative. With this in mind, we are calling on the government to launch an urgent national campaign explaining what the move means, how data will be protected, and how patients can opt out if they’d like to.
Currently, patients have until 23 June to opt out of the initial upload. After that date, they will be able to prevent new data being taken from their GP, but there’ll be no way to remove existing data from the vast database being built by NHS Digital.
This date should be pushed back, allowing time for a national campaign explaining how patient data will be shared by the NHS and why patients should trust it.
NHS Digital has said GP medical records in England will be collected via a new service called General Practice Data for Planning and Research (GPDPR). It will replace the General Practice Extraction Service (GPES), which has been in place for 10 years.
The new service will have a wider remit, allowing it to “support the planning and commissioning of health and care services, the development of health and care policy, public health monitoring and interventions (including Covid-19) and enable many different areas of research”.
A March data release register shows patient information is already used to scope market access by private drug companies through third-party information firms. The list includes Wilmington Healthcare, a market research firm; Harvey Walsh, part of “world-class healthcare communications and market access group” OPEN Health; and Health iQ, which says it proves “the value of interventions in healthcare for successful market access”.
So, the assumption is that the new GP records will also be available to the private sector.
The most recent approved data release register tells us that, in the first quarter of 2021, there were 242 instances where identifiable records were shared, 223 of which involved sensitive data. These were shared within the boundaries of respect for the existing patient opt-out.
A further 67 records with identifiable data were shared with no option to opt-out; 25 of these are related to managing the pandemic under special emergency powers that abrogate our right to data protection.
The rest used previous legislation allowing the NHS to share data without consent or the right to opt-out.
Altogether, this amounts to 309 instances in 90 days, which does not, in our view, constitute rare and special circumstances but routine re-identification. Indeed, it represents just under 70% of all of the data sharing relating to living persons.
A scheme like GPDPR, called Care.data, fell apart in 2016, after the NHS spent £8m on it, because of confidentiality concerns and failings over duty of care to the taxpayer.
This is a second bite of the cherry and, once again, what’s missing is transparency and clarity over safeguards. By doing this properly, fewer people would opt out and it would be less likely to come to a halt. It’s important to explain to the public that, if it’s done correctly, access to this data can lead to real medical breakthroughs.
The government has to tell people properly what’s going on – it hasn’t done that. And this data lake it’s about to create has to be managed properly.
We need proper assurances about controls over access to and use of the data. Using health data safely is difficult, and it can’t be recalled or remedied once it has been breached or misused.
Importantly, the data being collected will only be “pseudonymised” – in other words, it will remain possible for NHS Digital to identify patients – and will be sufficiently detailed that each person’s unique combination of medical and demographic attributes would in any case serve as an identifiable fingerprint. This means that any breach presents a real risk of data being misused to target individuals.
There might be rare circumstances in which you need the data at what is effectively individual patient level – perhaps when studying rare diseases – but, in general, information should be aggregated or generalised to prevent any possibility of re-identification.
There is proven data science that achieves this (k-anonymity and l-diversity), but the existing NHS information makes no reference to this, saying only that “NHS Digital will be able to use the software to convert the unique codes back to data that could directly identify patients in certain circumstances, and where there is a valid legal reason” without giving any detail as to those circumstances or lawful bases.
It’s up to the government to set an example to business, as other governments in Europe do. It cannot sign up to the Charter of Fundamental Human Rights, implement the UK Data Protection Act and talk about the importance of behaving properly with data, then continuously break the rules.
It clearly hasn’t met the spirit of transparency.
At the moment, the slurp is incredibly difficult to opt out of, and this will make patients suspicious about the government’s intentions.
There’s one NHS form which is clunky and seems designed to discourage people from opting out. You need your NHS number to activate it. Or you can go to another website to download a Word document that you complete and send to your GP either by post or email. You need an electronic signature if you want to email it. And this is unfair on GPs who will have to deal with the request.
Hospital records are already shared from GPs to the NHS for research purposes, although few patients are aware they can opt out of that, using a so-called national data opt-out. However, until now, no external body has had direct access to patient records held by GPs.
We’re not denying the potential value of the GPDPR – right now, researchers don’t have direct access to the whole health journey. They don’t know what symptoms presented at the GP that led them to a hospital referral. Or what symptoms, say, presented at the GP five years ago were missed that might have led them to do the referral earlier before a patient’s cancer got to stage four.
But it’s vital that, in generating these potential research benefits, we continue to respect the rights and freedoms of the data subject. The government should run a national publicity campaign placing ads or advertorial in national newspapers, putting out proper, in-depth information on social media, making clear the value of this exercise.
How well is it really going to police who has access to this data lake? It’s not just going to be virtuous public sector primary health care professors who want to find early diagnostic measures – it’s going to be US drug companies. At the moment, the most valuable data set in the world is Iceland’s, but it will turn Britain into a health data goldmine.
It’s a core part of the government’s National Data Strategy to sell this stuff on and share it out. If you read Oliver Dowden’s opinion piece in the FT from January, you’ll see it’s well known the government looks to monetise this, directly or indirectly.
All government is by consent. The government needs to make a better case for this programme, and it should be based on public support, not authoritarian imposition.
Ben Rapp and Sara Newman are co-founders of Securys, a privacy consultancy helping enterprises build stakeholder trust by delivering data privacy globally and locally.