The NHS “Data Grab” And How To Opt-Out
The General Practice Data for Planning and Research (GPDPR) data collection is a new system planned to collect pseudonymised patient data held by GP surgeries in England and feed it into a central NHS database. The new system has been in development for three years, yet patients were originally given just over one month to be made aware of it and to opt out if they so wished. This triggered a fierce backlash from some within the NHS, doctors’ organisations and campaigners concerned that the data collection was being pushed through too quickly without an open consultation or large-scale information campaign.
There were also privacy concerns and concerns about patient data being shared with commercial entities for profit within the new system. These concerns led to the GPDPR data collection being characterised as an NHS “data grab”. The government has postponed the implementation of the new system to 1st September 2021 giving us more time to work out what the GPDPR data collection is and how to opt out of it.
What is the GPDPR data collection?
As part of the GPDPR data collection, NHS Digital will collect incredibly personal and sensitive data from GP surgeries in England including:
- Data on patients’ sex, ethnicity and sexual orientation;
- Clinical codes and data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments, including information about physical, mental and sexual health; and
- Data about staff who have treated patients.
From 1st September 2021 patient data from GP medical records from the past 10 years will be transferred to the new system. After that, data will be uploaded to the system in near real time.
Patient data will be pseudonymised meaning that patients will not be directly identifiable in the data. NHS Digital will not collect patient names and addresses. Any other data that could directly identify a patient, such as NHS number, postcode and date of birth, will be replaced by unique codes produced by de-identification software before being shared with NHS Digital. However, NHS Digital will be able to convert the unique codes back to data that could directly identify patients in certain circumstances and where there is a valid legal reason. There are significant privacy concerns about the nature of the supposedly de-identified data as the data will contain details of staff who have treated each patient, which could make it easy to narrow down which patient the data relates to.
NHS Digital state that the following organisations will likely need access to patient data from the GPDPR data collection:
- the Department of Health and Social Care and its executive agencies, including Public Health England and other government departments
- NHS England and NHS Improvement
- primary care networks (PCNs), clinical commissioning groups (CCGs) and integrated care organisations (ICOs)
- local authorities
- research organisations, including universities, charities, clinical research organisations that run clinical trials and pharmaceutical companies
How can you opt out?
Data collection is due to commence on 1st September 2021 and you have until 25th August 2021 to opt out of this. If you miss the 1st September 2021 deadline, you can still opt out of future information being collected and shared but data from the last 10 years may already have been taken from your medical records.
There are two types of opt-out:
- The Type 1 Opt-out – This allows you to opt out of NHS Digital collecting your data, including as part of the GPDPR data collection, and to prevent your identifiable patient data from being shared outside your GP practice for any purposes other than your own care. If you have already registered a Type 1 Opt-out, NHS Digital will not collect any data about you. If you register a Type 1 Opt-out after your data has already been shared with NHS Digital, no more of it will be shared in future however NHS Digital will retain patient data shared before you opted out. If you don’t want your data to be collected in the GPDPR data collection, register a Type 1 Opt-out before 25th August 2021.
- The National Data Opt-out – This allows you to prevent NHS Digital from sharing your identifiable patient data, including both GP data and hospital data, with other organisations apart from when there is an exemption to this, such as a legal requirement or where it is in the public interest to do so. The National Data Opt-out will not prevent your GP data being shared by your GP practice with NHS Digital in the GPDPR data collection because it is a legal requirement for GP practices to share this data with NHS Digital. Your patient data will not be used to inform research and planning but will be passed to NHS Digital.
So, what’s the problem?
Despite the postponement of the GPDPR data collection, it remains that large sections of the population do not know about the new system and the fact that they can opt out of it. Information about the new system is primarily being shared on the NHS Digital website and via leaflets at GP surgeries, which have limited reach. Despite the incredibly sensitive data involved and potentially serious implications for privacy rights, there has been no large-scale information campaign about the new system on social media, in traditional media or through direct communication with patients. It appears that the government is purposefully not publicising the GPDPR data collection in order to push it through under the radar at a time when, due to the ongoing Covid pandemic, patients are generally more sympathetic to allowing their data to be used for medical research. It is an opportunistic attempt by the government to capitalise on the ongoing Covid pandemic to permanently curtail our right to privacy, much like the government’s efforts to permanently clamp down on our right to protest under the guise of protecting against Covid.
While there is potential for the GPDPR data collection to be used for the public good, there is also scope for it to be exploited for financial gain and control as the new system allows companies to buy patient data for commercial purposes. Critics argue that this is the reason for the government’s reluctance to properly inform the public of the new system. Some GPs are concerned that plans to share patient data with third parties, including for profit, could erode trust between them and their patients and leave patients reluctant to share their problems due to fear of who their data will be shared with.
The opt-out options lack nuance in that they do not give patients the choice to opt out of specific uses of data. There is no option to allow your data to be shared for care and medical research purposes but not share your data with commercial entities for profit. We deserve greater control over how our incredibly sensitive data is used, especially given concerns that de-identified data is not truly anonymous in reality. The government’s failure to allow patients to opt out of their data being shared with commercial entities for profit could be explained by their wider ambitions to incrementally and covertly commodify and privatise the NHS.
We have a right to be properly informed about the GPDPR data collection and to have the opportunity to make meaningful and informed choices about who our sensitive data is shared with and for what purposes. It is unacceptable that the government is not delivering this.
Our leading Civil Liberties & Human Rights Solicitors are backed by over four decades of experience and have a strong track record of achieving favourable outcomes for clients in a wide range of cases. If you’re seeking expert legal advice please call us on 0808 271 9413 today or request a call back online.