Big Brother’s big data grab: GPs caught up in patient records controversy

A new system for extracting patient records has been postponed until the autumn, but GP anxieties about privacy, data security and liability remain, find Nicola Merrifield and Awil Mohamoud

As a former home secretary, Sajid Javid may know more than most about sensitivities around the state and people’s right to privacy. And – while not top of his to-do list – the NHS’s new GP patient data-sharing scheme has stoked the public’s fears.

The latest NHS scheme will see patient records extracted from practices, pseudonymised by the GP IT system and sent to NHS Digital, which will pass the packaged data to interested third parties. And it has serious implications for GPs. 

Under the scheme – named ‘General Practice Data for Planning and Research’, or GPDPR – it is up to practices to notify all their patients about the plans. On 1 September, NHS Digital will extract all patient data from GP records, except for patients who have opted out and whose opt-outs have been processed by GPs. Future data will then be extracted routinely, until a patient opts out. 

This will, of course, be a significant burden for GPs at a time when they are already facing huge workload. But workload is only part of the problem. GPs are still unclear about their obligations, and a case led by campaigning organisation Doctors’ Association UK (DAUK) is currently going through the court to establish the scheme’s legal basis.

But perhaps the biggest effect of the scheme – or, more accurately, the publicity around it – will be on the GP-patient relationship.  There are even suggestions that patients will be less willing to come forward with health concerns due to worries about privacy.

All this is set to come in over the summer. But there has already been a level of drama not normally associated with the subject of data processing. 

Rocky start

The scheme started to pique the public interest in early June (after being reported in Pulse, of course). 

Media reports focused on campaigners’ warnings that it would potentially make sensitive patient data available to private firms.  

This includes patients’ full history, not just any future changes to their records. This means it goes further than the previous controversial scheme, care.data – which itself was completely ditched in 2016 after becoming too toxic due to accusations of the NHS selling off the data to private companies. 

Originally, GPs were given just over a month to inform patients about the scheme and warn them they had until 23 June to opt out.

As the protests grew, the BMA and RCGP called for a delay to implementation due to the tight deadline, alongside fears of the data being sold to private companies. Meanwhile a group of organisations, including DAUK, threatened legal action unless the deadline for opting out was extended and ‘meaningful patient consent’ obtained.

On 8 June, the Government duly announced a delay to the data extraction until September. Health minister Jo Churchill told the House of Commons the extra time would be used to ‘talk to patients, doctors, health charities and others to strengthen the plan, build a trusted research environment and ensure data is accessed securely’.

A few days later, it was announced that then health secretary Matt Hancock had roped in former RCGP chair Professor Helen Stokes-Lampard to advise on the rollout.  

Privacy concerns

The purpose of the scheme has been somewhat lost in the media outcry. NHS Digital says it is intended to extract patient data for ‘better planning of healthcare services and use in medical research’.

The system will be ‘more efficient’ at extracting data than the General Practice Extraction Service (GPES) process it replaces, NHS Digital insists. During the pandemic GPES has allowed regular patient data extraction to help plan treatments and monitor the effects of Covid-19, with data that can be shared with third parties. 

Under GPDPR, the data will be pseudonymised – meaning information that could directly identify a patient, such as NHS number or date of birth, is replaced with unique codes – but NHS Digital says it could reverse this and identify patients ‘in certain circumstances, and where there is a valid legal reason’.

However, it says the GPDPR data will only be shared with organisations that ‘meet strict criteria to use it for local, regional, and national planning, policy development, commissioning, public health, and research purposes’.

But Phil Booth, coordinator of data confidentiality advocacy group MedConfidential, warns NHS Digital’s privacy statement is too wide and that questions remain about who will have access to the information. Furthermore, he says GPDPR is ‘far bigger’ than care.data because it takes all a person’s primary care medical history.

‘Care.data was only prospective… it would have collected data going forward. This is people’s entire coded GP history on first upload and then daily thereafter for changes. It’s far bigger than care.data.’ 

Warrington GP  and GP adviser at DAUK Dr Rosie Shire agrees: ‘There will be some people who have heard vaguely that the Government is going to share this data with third parties.’

If the Government does not clearly explain the system to the public, patients could accuse GPs of betraying their trust by handing over their data. It may also make them wary of frank conversations about their health, warns Dr Shire.

‘The name “GP” is in the title of the new system and it implies we are complicit in this. I would worry it would affect the relationship.’

She adds: ‘We want this done in the right way so patients can trust us as GPs and don’t feel they’ve got to hide stuff from us in case in gets in their record and gets uploaded.’

Legal risks for GPs 

It seems unlikely that GPs, as the data controllers, would be held liable under data protection laws if a patient felt their record had been used illegally, or their privacy or confidentiality breached. 

Cori Crider, director of legal firm Foxglove, which is working with DAUK on the legal challenge against the secretary of state over the scheme, tells Pulse: ‘Everything turns on whether the secretary of state’s direction to GPs to hand off the data is lawful. If it’s [found to be] lawful, then suddenly NHS Digital will be the controller of the data, and if there is any downstream misuse they are going to be on the hook, rather than GPs.’ 

But that may not stop patients trying to sue practices if things go wrong.

Nathalie Moreno, a data protection and cyber security partner at law firm Addleshaw Goddard, warns: ‘It might be difficult to identify who made the mistake – was it the GP, a system failure? Is it clearly NHS Digital’s responsibility or the GP supplier’s responsibility?

‘In any case, the principle from [a data regulations] perspective means if anything goes wrong… the patient doesn’t need to know who caused the mistake. They are entitled to sue both the GP practice and NHS Digital.’

Despite the risks, unless the court finds the Government’s request for data to be unlawful in the DAUK case, GPs must comply. The BMA has confirmed GPs are contractually required to take part.

Opting out

GPs’ major role in this will be around opt-outs. They will have to opt patients out who request it. Patients can only opt out of having their historical health record data extracted on 1 September by filling in a Type-1 opt-out form and sending it to their GP practice.

They will be able to opt out after that, but this will only apply to future data – their historical data will already have been extracted and will be retained.

Before the recent delay, NHS Digital imposed a deadline for patients to opt out a week before the data were extracted, giving GPs a bit of time to process any opt-outs. However, following the delay, NHS Digital removed a deadline for patients, leaving GPs to determine the cut-off point to ensure opt-outs can be processed in time.

The BMA is not happy about this. GPC England executive team IT lead Dr Farah Jameel says: ‘The public needs a clear deadline for opting out, with clear instructions on how to do this if they wish. 

‘We have been urging the Government and NHS Digital to consider making the process of opting out simpler, and in effect remove any additional burden [that] large volumes of Type 1 opt-outs could place on already under-pressure general practice.  

‘NHS Digital must also make clear to patients what will happen to their data if they do not opt out before the deadline, and how long this data will be stored for, as well explaining why it cannot be retrospectively deleted should patients subsequently decide to opt out.’

Hampshire GP and data privacy campaigner Dr Neil Bhatia says: ‘There is always the risk that GPs are going to suddenly end up with a whole load of forms right at the last minute.’ 

As the deadline will now be in GPs’ hands, patients could be ‘very angry’ if their opt-out requests aren’t registered in time, as ‘there is no way back’, he says. ‘It is not good for the relationship with our patients if this happens.’

Impact assessments

Meanwhile, as Pulse revealed last month, the ICO has said GP practices should be carrying out a process known as a data protection impact assessment (DPIA), to help them understand the risks of the data extraction before allowing it to go ahead.

This involves a comprehensive assessment form, documenting how the data will be processed and used, and any associated risks. NHS Digital intends to make a GP DPIA available for practices to use ‘if they wish’, to support them. 

NHS Digital has also passed on its own DPIA to the ICO. But Phil Booth says the organisation is ‘clearly conflicted’ in ‘doing a DPIA of its own system’. He says an independent assessment must also be carried out that is ‘owned and backed by the RCGP, BMA and maybe LMCs’. 

But GPs warn it will be impossible for practices to do these risk assessments themselves because they are so complex. 

Leicester GP and former IT lead for the BMA’s GP Committee Dr Grant Ingrams says: ‘It is very hard to do a DPIA if you don’t know the structure of the data extraction, how it’s going to be done, how it’s going to be kept.’

Interim measures 

With so many uncertainties, some GP leaders have advised practices to hold off sharing the data.

Last month, before the delay to the scheme, Tower Hamlets LMC chair Dr Jackie Applebee and NHS North East London CCG chief clinical information officer Dr Osman Bhatti advised GPs not to enable the service ‘until you’re absolutely certain that you have properly consulted and informed your patients adequately of what this means for them’.  

Manchester GP and chair of grassroots organisation GP Survival Dr John Hughes says practices may also want to consider automatically opting out all patients – and then asking them to opt in if they wish to be included.  

‘It’s something we would recommend until there are reassurances of sufficient governance and safeguards,’ he says.

But from a legal perspective, Ms Moreno warns this approach could land GPs in hot water.

‘By doing this, GP practices are taking on a role which is not for them to take. 

‘The patient needs to be able to make a choice – in this case it looks like the GP practice is stepping in and lifting the choices off the patient… there is no legal basis for them to do that.’

Data extractions by the NHS have been going on for years – and will continue. GPs will have no control over what happens to their patients’ information once it has been passed on. 

But what the profession needs now is a national communication campaign so patients are fully informed and can make a decision to participate or opt out. 

For NHS Digital’s part, it says it will use the next few months to ‘continue to communicate to the profession and raise awareness with the public about the new collection and its benefits’.

‘We are not intending to push the burden for communicating with patients onto GPs, although individual GPs or GP practices may choose to communicate directly with their patients to explain how GPDPR will work,’ it says.

Dr Hughes has his doubts: ‘Although the delay to the scheme is helpful, the big question is, will the Government actually use that delay for a proper information campaign to let the public know what is involved and what will be uploaded and stored permanently, and available to anybody NHS Digital decides to give it to?’