This site is intended for health professionals only

GPs will need to risk assess mass patient data extraction, says ICO

GPs will need to risk assess mass patient data extraction, says ICO

Exclusive Each GP practice will need to perform a data protection impact assessment (DPIA) before NHS Digital’s controversial mass extraction of patient data from practice systems takes place, Pulse has learned.

The Information Commissioner’s Office (ICO) has told Pulse that General Practice Data for Planning and Research (GPDPR), ‘as it involves processing health information (special category data)’, is ‘likely to result in a high risk to individuals’.

This means data controllers – GPs, in this case – ‘will need to perform a DPIA’, it said.

The ICO explained that this is a legal requirement since the new Data Protection Act came into force in May 2018 and comes as Pulse revealed last month that privacy campaigners fear the new automatic extractions of data will be ‘far bigger’ and ‘more intrusive’ than the scrapped project.

An ICO spokesperson said that the DPIA is ‘a way to help you identify and minimise data protection risks’.

It further added that if any high risks are identified which ‘cannot be minimised through additional measures’, controllers ‘must consult the ICO’. Such a process could take 8-14 weeks and may result in the ICO blocking the data processing from taking place.

However, NHS Digital told Pulse that it has prepared and shared its own DPIA with the ICO and that this covers the risks from both the perspective of the GP and NHS Digital.

In addition, NHS Digital intends to make a GP DPIA available for practices to use ‘if they wish’, to ‘support them to consider the risks and be confident they have discharged their obligations under the Data Protection Act 2018 and UK GDPR’.

It also stressed that with regards to the GPDPR data collection, GP practices ‘are legally obliged to share the data requested with NHS Digital under the Health and Social Care Act 2012’.

But Phil Booth, coordinator of data confidentiality advocacy group MedConfidential, argued that general practice needs to design its own DPIA.

He said: ‘Clearly, NHS Digital has designed and is running the system. It must publish its DPIA, as [it knows] what the system is and only [NHS Digital] can describe it.

‘But, they are clearly conflicted. They are doing a DPIA of their own system, which is their duty, but, in doing so, they may miss or not think of certain aspects. They certainly won’t be thinking of it from the perspective of the GP, as a data controller. 

‘There clearly needs to be a DPIA that is independent of the NHS Digital one, which is owned and backed by the RCGP, BMA and maybe LMCs.’

Hampshire GP and data autonomy advocate Dr Neil Bhatia further stressed that GP concerns ‘would need to be referred to ICO, as there are high risks of data subject rights not being upheld, [including] the right to be informed’.

But he suggested particular groups of GP practices should team up to consult the ICO.

He told Pulse: ‘The ICO won’t be very happy if 7,000 GP practices do it. One might hope that a representative sample of practices [consult the ICO] – rural practices, university practices, those with a very high number of elderly patients who are not necessarily digitally enabled.’

De Montfort University professor of cyber security Professor Eerke Boiten told Pulse that NHS Digital providing a DPIA for individual practices to use will ‘save GPs the individual effort’ of filling in the forms themselves but said those with additional ‘insight or worries’ could decide to design their own.

He said, however, that GPs can ‘reasonably justify’ allowing the data to be processed as NHS Digital ‘is legally required to be a responsible holder of central medical data’.

An ICO spokesperson said: ‘People having confidence in how their data is being used and shared is an important part of people’s broader trust in an organisation.

‘When handling health data, organisations need to take extra care and put safeguards in place to protect people’s privacy, ensuring their data is not used or shared in ways they wouldn’t expect. We have recently produced updated guidance and tools to help organisations share data safely and with confidence.

‘We are aware of the GP Data for Planning and Research programme and we’ve discussed with NHS Digital their data protection obligations.’

It comes as the Government this week delayed the date for the GPDPR extraction from 1 July to 1 September, amid concerns the public has not been sufficiently informed.

Health secretary Matt Hancock also said that the deadline for patients to opt out of the data extraction would be extended from the previous date of 23 June, but he has not yet announced a new date.

This followed concerns raised by the BMA and RCGP, which have both advised on the GPDPR system that will replace the GP Data Extraction Service (GPES).

Following the announcement, Mr Hancock asked former RCGP chair Professor Helen Stokes-Lampard to advise the Government on the project.



Please note, only GPs are permitted to add comments to articles

Dr N 11 June, 2021 3:55 pm

Computer says ‘dont know’.

James Weems 11 June, 2021 4:43 pm

So, one cannot just opt all of one’s patients out then?

David Jarvis 11 June, 2021 5:30 pm

It does seem that saying no is the safest option as a GP. Remembering what risk you carry if later found guilty of a breach,

Nick Mann 11 June, 2021 5:49 pm

Where is Ben Goldacre when you need him? I’m not sure Helen Stokes-Lampard has the necessary skills to properly look into this, although Sir Ian Diamond (ONS) has apparently also been co-opted.

Aside from the disparaging media coverage regarding the “small but vocal minority” of GPs rightly demanding a pause to GPDPR for proper scrutiny, it is abundantly clear that NHSD failed in their primary duty to inform patients. NHSD saying it’s down to GPs to inform patients, when we don’t have that information ourselves, is oxymoronic and typical of the invidious attitude towards us by govt and its ALBs.

Lucy Marchand 11 June, 2021 6:22 pm

So why can’t we tell NHS Digital to take a running jump and opt everyone’s data on our lists out of this exactly ?!!!! Why the hell should we be taking responsibility for a scheme pretty much none of general practice approves of or wants to happen in the first place!

Turn out The Lights 11 June, 2021 9:45 pm

It’s a mess,an ill thought out dogs dinner just like Gdpr.It is immensely risky it all needs to be scrapped.We are not information controllers.The information is stored in a server room in Leeds we have absolutely no control.This whole idea is an arrogant greedy Tory mess and should be stopped.Ultimaetly the SoSis responsible.But when ther is a breach and there will be the nearest professional with a GMC numbers will be scapegoated.

terry sullivan 12 June, 2021 2:45 pm

just refuse en masse–this is govt responsibity not clinicians. tell ico to go away–gdpr needs revisiting by govt?

terry sullivan 12 June, 2021 2:47 pm

also do not jab kids–repercussions will be dumped on those that jab!

Andrew Fripp 13 June, 2021 11:45 pm

Apparently GPDPR could be worth £10bn to the NHS each year, yet unless I am much mistaken, as GP partners we are being asked to administer the scheme in primary care out of our own funds.

The patient opt-out forms are piling up already. Anyone else wondering how the NHS intends to fund us to do this work? BMA?

Patrufini Duffy 14 June, 2021 2:55 pm

Outcome of RA = risky. Cannot proceed.

David Banner 15 June, 2021 7:45 pm


Jonathan Heatley 18 June, 2021 1:01 pm

Standing up to this is daunting. I’m sorry but I don’t have the energy.