GP leaders warn Health Bill gives ministers sweeping powers over patient data

GP leaders and data experts have joined forces to warn about the new Health Bill’s sweeping powers over patient data in the planned Single Patient Record.

The Health Bill, which was announced last week and which will also abolish NHS England, details how the single patient record will be created and the powers that will compel GPs to share their patients’ information with it. 

Data experts expressed concern that the bill is an ‘exercise in raw political power’ which gives the health secretary far-reaching authority to share patient data with private companies, researchers, and across all parts of the NHS, while failing to clarify the issue of data controllership.

And GP leaders including the BMA, RCGP and DAUK all voiced concerns about how confidentiality of patient data would be protected.

The single patient record will include primary, secondary and social care data. Data will include diagnoses, physiological data (such as blood pressure and heart rate), medical imaging, prescriptions and medications, key primary and secondary care NHS interactions.

The bill will ‘require holders of patient data’ to share the data with both ‘people other than a patient on the patient’s behalf’ and ‘people involved in the provision to patients of health care or social care anywhere in the British Islands’. 

The health secretary – currently James Murray, following Wes Streeting’s resignation from the role last week – as well as the CQC and a ‘special health authority’, will have the ‘power to impose financial penalties’ on holders of patient data who do not comply with requests to share data. 

The bill includes several conditions where the health secretary is allowed to ‘disclose personal information’ included in the single patient record, including ‘sharing with clinical trials or research’, sharing with private providers, and where the health secretary thinks it is a ‘proportionate means of achieving a legitimate aim’.  

A ‘legitimate aim’ means ‘the protection of the life or health of humans’ and/or ‘the protection of public safety or security’, the bill clarifies. 

BMA’s GP Committee chair Dr Katie Bramall suggested on social media that ‘The [House of] Lords will stop this, and we will support them’, while urging GPs to ‘work together to make it right’.

She added that incoming health secretary Mr Murray and others in Government ‘need to understand’ the bill’s implications for the confidentiality of patient data.

A BMA spokesperson told Pulse that while the ‘concept’ of the SPR ‘may sound promising, ‘GPs have serious concerns about security and undermining high standards of confidentiality’.

‘We need to study the details of the Bill, however, data must not be used in ways that patients might not reasonably expect or without established safeguards and governance arrangements which are there to protect confidentiality and promote public confidence in appropriate data use. 

‘If safeguards are lost or diluted many patients might object to data sharing altogether or, crucially, feel they cannot be honest with their doctor. This loss of trust would be to the serious detriment of a patient’s own health and public health more widely.’

They added that GPC England had ‘not been involved in discussions about the form the Single Patient Record will take, who will have access to it, the purposes for which it will be used, or which company will operate it’.

‘Pressing ahead with this change while so many fundamental questions remain unanswered is therefore irresponsible. Until the Government listens to our concerns and provides clear assurances that patient data will be kept safe and confidence in our systems protected, we will continue to remind patients of their right to use the National Data Opt-Out where concerns exist.’

Dr Sarah Jacques, GP co-lead at Doctors’ Association UK (DAUK), said the bill showed a ‘total disregard’ for patient data.

She told Pulse: ‘There seems to be a total disregard for our personal information and the consequences of sharing that information with the powers that be, which would probably likely be only for financial gain.’

She said she agreed in principle with a system which meant appropriate record-sharing was easier, but that the version being proposed here gave ‘unfettered access’ to third parties which do not need it.

‘With what they are proposing, certain groups have unfettered access to identifiable data. It’s not what a single patient record should really fundamentally be about. It should be just for the clinician and the patients. It shouldn’t be for groups of people to do data grabs for their own benefit.

‘I don’t necessarily disagree that we perhaps need more information for research and things like that, but there has to be a different way of going about getting that information, and it needs to be transparent.

‘We need to know who is asking for it, why they’re asking, and when they’re accessing that information. We need to understand the implications of what it would be someone shared that information for research purposes. Nobody’s going to have a say in any of that in the current guise of the bill’, she said.

MedConfidential, a campaign group for confidentiality and consent in healthcare, said the single patient record will allow unlimited access to GP patient data from across the NHS.

Sam Smith, policy lead at medConfidential, told Pulse: ‘Politicians in London will make decisions about how patient data is used in GP practices.

‘It is a raw exercise in political power which treats patients the same way the DWP treats Universal Credit claimants, and it gives GPs about as much autonomy as the clerk in the job centre.

‘The single patient record system, which will be the federated data platform (FDP), will take the records of other care providers. When a hospital tells a patient “we don’t think you have this” and sends them back to a GP, something will be written into the GP record.

‘The GP record stops being notes entered by somebody working for the GP practice and it becomes notes and diagnoses entered by the GP practice, and anyone else randomly, anywhere across the NHS.’

Meanwhile, health think tank the King’s Fund warned that the lack of assurance for GPs around protection of their patients’ data could be ‘a barrier’ for the single patient record, pointing out the bill does not say who will assume data controllership. 

At a King’s Fund webinar today, former RCGP chair Professor Kamila Hawthorne raised concerns about potential misuse of data.

In response, King’s Fund fellow Pritesh Mistry said: ‘Kamila rightly says that there are potential issues around misuse of data and concerns when it comes to data controllership. GPs are data controllers, as are trusts and hospitals, and that has a different effect on how people feel comfortable in sharing that data.  

‘The bill itself doesn’t deal with the GP data controllership. I think there’s not just one solution, there’s different ways in which this could be solved, and it might be around capping some of the liabilities and other concerns that GPs may have. However, the bill doesn’t deal with that today, but it could potentially be a challenge and a barrier for the SPR.’  

Pulse has contacted DHSC to confirm who will be the data controller. 

Professor Victoria Tzortziou Brown, current President of the RCGP, told Pulse: ‘We are encouraged by efforts to modernise the NHS and improve the way information is shared across the health service. Done well, this has the potential to improve patients’ experiences of care and reduce fragmentation between services.

‘But any move towards a Single Patient Record must be carefully considered and evaluated, and include robust safeguards to protect patient confidentiality and ensure public trust.’

Professor Azeem Majeed, a GP and professor of primary care and public health at Imperial College London, said compelling GPs to share data raised questions over confidentiality and liability that would need to be addressed. 

He told Pulse: ‘The proposed unified single patient record aims to improve care coordination and information sharing across the NHS, which could bring important benefits for patient care.  

‘However, the compulsory element for GPs raises concerns around trust, confidentiality, liability for errors originating from other providers, and the handling of patient consent and opt-outs. Some patients may feel uneasy about sensitive health information – for example relating to mental health, sexual health or other confidential issues – being more widely accessible across the NHS. There are also practical concerns for GPs about additional workload, governance responsibilities, and medico-legal liability.’ 

NHS England has pushed back on some of the patient data concerns raised by GP leaders. In an op-ed for Pulse, Dr Phil Koczan, a clinical adviser at NHS England and a GP and RCGP fellow, said: ‘Not everyone in the NHS will be able to see everything.

‘In fact, the principle is the opposite: only those directly involved in a patient’s care can access the information they need. That access will be recorded, visible and auditable. 

‘The idea that this would involve taking every GP record in the country and putting it all into one giant central database is simply not how this is being designed. The intention is not to replace GP systems or hospital records, but to connect them more effectively so that, when needed, the right information can be seen in the right place.’ 

He added: ‘On consent and privacy, this isn’t about changing the rules of the game. The same legal safeguards apply – confidentiality, data protection law and patient choice. 

‘Where data is used beyond direct care, there are already established controls, including the national data opt out, and the Single Patient Record will be designed with these principles in mind and communicated transparently.’

Pulse has contacted the CQC to comment on its proposed role enforcing compliance with patient data sharing.