A new system for extracting patient records has been postponed until the autumn, but GP anxieties about privacy, data security and liability remain, find Nicola Merrifield and Awil Mohamoud
As a former home secretary, Sajid Javid may know more than most about sensitivities around the state and people’s right to privacy. And – while not top of his to-do list – the NHS’s new GP patient data-sharing scheme has stoked the public’s fears.
The latest NHS scheme will see patient records extracted from practices, pseudonymised by the GP IT system and sent to NHS Digital, which will pass the packaged data to interested third parties. And it has serious implications for GPs.
Under the scheme – named ‘General Practice Data for Planning and Research’, or GPDPR – it is up to practices to notify all their patients about the plans. On 1 September, NHS Digital will extract all patient data from GP records, except for patients who have opted out and whose opt-outs have been processed by GPs. Future data will then be extracted routinely, until a patient opts out.
This will, of course, be a significant burden for GPs at a time when they are already facing huge workload. But workload is only part of the problem. GPs are still unclear about their obligations, and a case led by campaigning organisation Doctors’ Association UK (DAUK) is currently going through the court to establish the scheme’s legal basis.
But perhaps the biggest effect of the scheme – or, more accurately, the publicity around it – will be on the GP-patient relationship. There are even suggestions that patients will be less willing to come forward with health concerns due to worries about privacy.
All this is set to come in over the summer. But there has already been a level of drama not normally associated with the subject of data processing.
The scheme started to pique the public interest in early June (after being reported in Pulse, of course).
Media reports focused on campaigners’ warnings that it would potentially make sensitive patient data available to private firms.
This includes patients’ full history, not just any future changes to their records. This means it goes further than the previous controversial scheme, care.data – which itself was completely ditched in 2016 after becoming too toxic due to accusations of the NHS selling off the data to private companies.
Originally, GPs were given just over a month to inform patients about the scheme and warn them they had until 23 June to opt out.
As the protests grew, the BMA and RCGP called for a delay to implementation due to the tight deadline, alongside fears of the data being sold to private companies. Meanwhile a group of organisations, including DAUK, threatened legal action unless the deadline for opting out was extended and ‘meaningful patient consent’ obtained.
On 8 June, the Government duly announced a delay to the data extraction until September. Health minister Jo Churchill told the House of Commons the extra time would be used to ‘talk to patients, doctors, health charities and others to strengthen the plan, build a trusted research environment and ensure data is accessed securely’.
A few days later, it was announced that then health secretary Matt Hancock had roped in former RCGP chair Professor Helen Stokes-Lampard to advise on the rollout.
The purpose of the scheme has been somewhat lost in the media outcry. NHS Digital says it is intended to extract patient data for ‘better planning of healthcare services and use in medical research’.
The system will be ‘more efficient’ at extracting data than the General Practice Extraction Service (GPES) process it replaces, NHS Digital insists. During the pandemic GPES has allowed regular patient data extraction to help plan treatments and monitor the effects of Covid-19, with data that can be shared with third parties.
Under GPDPR, the data will be pseudonymised – meaning information that could directly identify a patient, such as NHS number or date of birth, is replaced with unique codes – but NHS Digital says it could reverse this and identify patients ‘in certain circumstances, and where there is a valid legal reason’.
However, it says the GPDPR data will only be shared with organisations that ‘meet strict criteria to use it for local, regional, and national planning, policy development, commissioning, public health, and research purposes’.
But Phil Booth, coordinator of data confidentiality advocacy group MedConfidential, warns NHS Digital’s privacy statement is too wide and that questions remain about who will have access to the information. Furthermore, he says GPDPR is ‘far bigger’ than care.data because it takes all a person’s primary care medical history.
‘Care.data was only prospective… it would have collected data going forward. This is people’s entire coded GP history on first upload and then daily thereafter for changes. It’s far bigger than care.data.’
Warrington GP and GP adviser at DAUK Dr Rosie Shire agrees: ‘There will be some people who have heard vaguely that the Government is going to share this data with third parties.’
If the Government does not clearly explain the system to the public, patients could accuse GPs of betraying their trust by handing over their data. It may also make them wary of frank conversations about their health, warns Dr Shire.
‘The name “GP” is in the title of the new system and it implies we are complicit in this. I would worry it would affect the relationship.’
She adds: ‘We want this done in the right way so patients can trust us as GPs and don’t feel they’ve got to hide stuff from us in case in gets in their record and gets uploaded.’
Legal risks for GPs
It seems unlikely that GPs, as the data controllers, would be held liable under data protection laws if a patient felt their record had been used illegally, or their privacy or confidentiality breached.
Cori Crider, director of legal firm Foxglove, which is working with DAUK on the legal challenge against the secretary of state over the scheme, tells Pulse: ‘Everything turns on whether the secretary of state’s direction to GPs to hand off the data is lawful. If it’s [found to be] lawful, then suddenly NHS Digital will be the controller of the data, and if there is any downstream misuse they are going to be on the hook, rather than GPs.’
But that may not stop patients trying to sue practices if things go wrong.
Nathalie Moreno, a data protection and cyber security partner at law firm Addleshaw Goddard, warns: ‘It might be difficult to identify who made the mistake – was it the GP, a system failure? Is it clearly NHS Digital’s responsibility or the GP supplier’s responsibility?
‘In any case, the principle from [a data regulations] perspective means if anything goes wrong… the patient doesn’t need to know who caused the mistake. They are entitled to sue both the GP practice and NHS Digital.’
Despite the risks, unless the court finds the Government’s request for data to be unlawful in the DAUK case, GPs must comply. The BMA has confirmed GPs are contractually required to take part.
GPs’ major role in this will be around opt-outs. They will have to opt patients out who request it. Patients can only opt out of having their historical health record data extracted on 1 September by filling in a Type-1 opt-out form and sending it to their GP practice.
They will be able to opt out after that, but this will only apply to future data – their historical data will already have been extracted and will be retained.
Before the recent delay, NHS Digital imposed a deadline for patients to opt out a week before the data were extracted, giving GPs a bit of time to process any opt-outs. However, following the delay, NHS Digital removed a deadline for patients, leaving GPs to determine the cut-off point to ensure opt-outs can be processed in time.
The BMA is not happy about this. GPC England executive team IT lead Dr Farah Jameel says: ‘The public needs a clear deadline for opting out, with clear instructions on how to do this if they wish.
‘We have been urging the Government and NHS Digital to consider making the process of opting out simpler, and in effect remove any additional burden [that] large volumes of Type 1 opt-outs could place on already under-pressure general practice.
‘NHS Digital must also make clear to patients what will happen to their data if they do not opt out before the deadline, and how long this data will be stored for, as well explaining why it cannot be retrospectively deleted should patients subsequently decide to opt out.’
Hampshire GP and data privacy campaigner Dr Neil Bhatia says: ‘There is always the risk that GPs are going to suddenly end up with a whole load of forms right at the last minute.’
As the deadline will now be in GPs’ hands, patients could be ‘very angry’ if their opt-out requests aren’t registered in time, as ‘there is no way back’, he says. ‘It is not good for the relationship with our patients if this happens.’
Q&A on GPs’ duties
What will GPs need to do for this?
Every GP practice will be sent an invitation to comply with a Data Provision Notice through their GP system supplier. GPs must notify their patients of the data extraction and their ability to opt out. This can be done by updating the privacy notice on their practice website rather than contacting each person individually.
Practices are expected to process patient opt-out forms (which are Type 1) before 1 September. Ahead of the data extraction GPs must also carry out a Data Protection Impact Assessment (DPIA – see below) to assess and mitigate risks.
Are GPs allowed to opt patients out wholesale?
This would not be wise, according to data lawyers. A practice that opts out all its patients could be seen as making a choice on their behalf, with no legal basis.
What happens if GPs refuse to take part?
GPs are legally required to participate – under the Health and Social Care Act they must comply with directions from the health secretary. The GP contract also obliges them to take part, although it is not clear if NHS England would bring a case for breach of contract if a practice refused.
How do I conduct a DPIA and what are the implications?
NHS Digital has carried out its own DPIA, which it is due to publish, but each GP practice will also have to conduct its own. NHS Digital says it will provide a GP DPIA to GPs to use ‘if they wish’, to support this activity.
Practices must consider the ‘nature, scope, context and purposes of the processing’ and document it on the DPIA form. This includes how the data will be collected, stored and used, who will have access, and any potential impact on patients. If a practice identifies a high risk, it must act to minimise it; if this can’t be done, GPs must consult the Information Commissioner’s Office. The ICO could block the data processing – but it could take up to 14 weeks.
Meanwhile, as Pulse revealed last month, the ICO has said GP practices should be carrying out a process known as a data protection impact assessment (DPIA), to help them understand the risks of the data extraction before allowing it to go ahead.
This involves a comprehensive assessment form, documenting how the data will be processed and used, and any associated risks. NHS Digital intends to make a GP DPIA available for practices to use ‘if they wish’, to support them.
NHS Digital has also passed on its own DPIA to the ICO. But Phil Booth says the organisation is ‘clearly conflicted’ in ‘doing a DPIA of its own system’. He says an independent assessment must also be carried out that is ‘owned and backed by the RCGP, BMA and maybe LMCs’.
But GPs warn it will be impossible for practices to do these risk assessments themselves because they are so complex.
Leicester GP and former IT lead for the BMA’s GP Committee Dr Grant Ingrams says: ‘It is very hard to do a DPIA if you don’t know the structure of the data extraction, how it’s going to be done, how it’s going to be kept.’
With so many uncertainties, some GP leaders have advised practices to hold off sharing the data.
Last month, before the delay to the scheme, Tower Hamlets LMC chair Dr Jackie Applebee and NHS North East London CCG chief clinical information officer Dr Osman Bhatti advised GPs not to enable the service ‘until you’re absolutely certain that you have properly consulted and informed your patients adequately of what this means for them’.
Manchester GP and chair of grassroots organisation GP Survival Dr John Hughes says practices may also want to consider automatically opting out all patients – and then asking them to opt in if they wish to be included.
‘It’s something we would recommend until there are reassurances of sufficient governance and safeguards,’ he says.
But from a legal perspective, Ms Moreno warns this approach could land GPs in hot water.
‘By doing this, GP practices are taking on a role which is not for them to take.
‘The patient needs to be able to make a choice – in this case it looks like the GP practice is stepping in and lifting the choices off the patient… there is no legal basis for them to do that.’
Data extractions by the NHS have been going on for years – and will continue. GPs will have no control over what happens to their patients’ information once it has been passed on.
But what the profession needs now is a national communication campaign so patients are fully informed and can make a decision to participate or opt out.
For NHS Digital’s part, it says it will use the next few months to ‘continue to communicate to the profession and raise awareness with the public about the new collection and its benefits’.
‘We are not intending to push the burden for communicating with patients onto GPs, although individual GPs or GP practices may choose to communicate directly with their patients to explain how GPDPR will work,’ it says.
Dr Hughes has his doubts: ‘Although the delay to the scheme is helpful, the big question is, will the Government actually use that delay for a proper information campaign to let the public know what is involved and what will be uploaded and stored permanently, and available to anybody NHS Digital decides to give it to?’
What NHS Digital says about the new system
‘The Type 1 opt out has been available to patients at the request of the GP profession since May 2013 to prevent GP data being used for secondary purposes…. [Patients will] be able to opt out at any point in the future and no further
data about them will be shared from the point at which
they opt out.’
Comparisons with care.data
‘This program is not an extension to, or an evolution of, the care.data program. This program has been developed with a specific set of use cases in scope, namely the efficient sharing of primary care data with parties involved in the planning of the health and care system, and parties undertaking clinical research.’
How the data will be shared
‘Our process and protocols for data access are very different to seven years ago. Data is only shared with organisations who have a legal basis and meet strict criteria to use it for local, regional and national planning, policy development, commissioning, public health and research purposes.’
‘There is independent oversight and scrutiny from the Professional Advisory Group (PAG) and the Independent Group Advising on the Release of Data (IGARD).’
Source: Information provide to Pulse by NHS Digital