Update: After this article was published, NHS Digital confirmed the collection of GP data had been deferred from July 1 to September 1, 2021.
GPs have called for an immediate delay to the government’s plans to share people’s personal NHS medical data with third parties.
The Royal College of GPs (RCGP) and British Medical Association (BMA) were concerned patients hadn’t been given enough warning regarding the move, initially due to happen on July 1.
As it stands, NHS patients can opt out of the data share – which has been dubbed the ‘NHS data grab’ – however they need to do this by June 23.
It’s likely you won’t have heard much about the data change, as communication surrounding the event has been pretty scarce. So here’s what you need to know.
What’s the NHS ‘data grab’?
Patient data is already collected to improve health and care services, but the existing system – the General Practice Extraction Service (GPES) – is over 10 years old. The new system – which has the catchy name: the General Practice Data for Planning and Research (GPDPR) data collection, but has colloquially been dubbed the NHS Data Grab – will collect people’s medical information and pass it on to third parties for research purposes.
If people don’t opt out by June 23, their data will be added to NHS Digital’s database and distributed. The collected data is sent on to third parties for “research and planning purposes” – and the NHS has already shared how it believes kind of data sharing has been helpful.
For instance, data from GP records was used to help identify those most vulnerable to Covid-19 and prioritise cohorts to receive their vaccine, it said.
Data from GP medical records has also shown that there was no association between the MMR vaccine and the development of autism, and allowed investigation of whether certain medications increase the risk of cancer.
Who receives the data?
So far, there’s been a lack of information about which organisations will be receiving this data – and people are concerned where their information will be shared to. Alex Norris, shadow minister for primary care, said: “I echo concerns from across the health sector that the lack of transparency on which organisations can access this personal data is deeply concerning.
“Patients need to be made fully aware of which of their data is available for access and by whom, and so I have written to NHS Digital asking them to pause their upcoming GP data collection until these questions are resolved.”
NHS Digital said it does not sell the data. But it does charge those who want to access the data for the costs of making it available to them – charges cover the cost of running the service and do not enable NHS Digital to profit, it said.
In a statement shared on June 4, NHS Digital’s clinical director Arjun Dhillon stressed: “We don’t share names, addresses or NHS numbers. We don’t sell any data and will never provide data for insurance, marketing or promotional purposes — or for anything other than healthcare research and planning.”
What data is shared – and what isn’t?
People want to know exactly what kind of information will be shared with third parties come July. PA Media reported that the scheme will collect information on people’s treatments, referrals and appointments over the past 10 years, alongside other data from medical records held on GPs’ systems.
Some of this includes sensitive information like a person’s mental health and sexual health history, information on addiction, and whether they’re victims of physical and sexual violence.
NHS Digital said it won’t collect your entire GP record. The following won’t be shared with third parties either: written notes of any consultations or interactions between you and your clinician; images, letters, videos, or documents; medicines, appointment, or referral data over 10 years old; legally-restricted data such as whether you’ve had IVF treatment or gender reassignment.
Is it anonymous?
Any data that directly identifies an individual will be pseudonymised and then encrypted before it leaves a GP practice. This means it’s processed in a way that the personal data can no longer be attributed to a person without the use of additional information.
According to NHS Digital, data will only be shared with organisations who have “a legal basis and meet strict criteria to use it” for local, regional and national planning; policy development; commissioning; public health and research purposes.
Sarah Wilkinson, NHS Digital’s CEO, explained a bit more about how this works: “We have designed technical systems and processes which incorporate pseudonymisation at source, encryption in transit and in situ, and rigorous controls around access to data to ensure appropriate use. We also seek to be as transparent as possible in how we manage this data so that the quality of our services are constantly subject to external scrutiny.”
What are the concerns?
Despite assurances from NHS Digital, the swift nature the scheme is being rolled out, without actively notifying patients, hasn’t inspired a lot of trust.
As such, doctor’s groups have called for a delay to the rollout and for better communication to the millions of patients whose data will be shared.
A coalition of five organisations and an MP have also joined forces and crowdfunded almost £25,000 to cover the legal costs to stop the data grab from going ahead – essentially, they want to take the government to court.
RCGP said while it supports the principle of improved and more secure sharing of data for healthcare planning and research purposes, it’s “critical” appropriate safeguards are in place to guard against any inappropriate uses of this data.
“An appropriate level of communication has not yet begun,” said RCGP in a statement, “and time is now running out before the 23 June deadline” for patients to opt out.
The body escalated its concerns to health secretary Matt Hancock and warned it must not be left to already stretched GPs to communicate with patients on this issue. “It must be done by NHS Digital and thoroughly,” RCGP said.
Even GPs are confused about how the data will be used. BMA’s IT lead Dr Farah Jameel said: “Recent weeks have shown that communication from NHS Digital to the public has been completely inadequate, causing confusion for patients and GPs alike. Family doctors have a duty to their patients, and have their best interest at heart – so are understandably hesitant to comply with something that patients may know nothing about and that they themselves do not fully understand, even if this is a legal requirement.”
How to opt out
If you want to opt out, you can do so on the NHS website. You’ll need to enter your full name, date of birth, postcode and/or NHS number. Alternatively, you can call NHS Digital on 0300 303 5678.
People can also opt out on behalf of their children by posting a letter to: National Data Opt-Out, NHS Digital, 1 Trevelyan Square, Boar Lane, Leeds LS1 6AE. You’ll need to provide your name, address, postcode and sign a declaration that you have parental responsibility for the children named in your letter. For the children you are making a choice for, you’ll need to share their name(s) and NHS number(s). If you can’t provide their NHS number, you’ll need to provide a copy of their passport or birth certificate.
NHS Digital warned if a large number of people choose to opt out, the data will become less useful. “This is a particular problem if people from certain areas or groups are more likely to opt out,” it said. “If that happens then services may not reflect the needs of those groups or areas and research may reach misleading conclusions.”
It’s worth bearing in mind you can opt out after the June 23 deadline, however this will not erase any data held by NHS Digital that has already been shared.
An NHS Digital spokesperson said: “Patient data saves lives. We could not have delivered the Covid-19 vaccine rollout if we had not used data to ensure we reached the whole population, prioritising them in the most effective way. In the interests of patient safety it is important to learn lessons from the pandemic and modernise our practices.
“The new programme for collecting data has been developed in collaboration with doctors, patients and data, privacy and ethics experts to build on and improve systems for data collection.
“We continue to engage with the BMA and RCGP regarding GP Data for Planning and Research. We are exploring further options to expand our communications approach and remain committed to being transparent with patients and the public about the collection and use of data.”