GPs will not have data controller role within NHS single patient record
Exclusive GPs will not be the controller for data held within the anticipated NHS single patient record (SPR), NHS England meeting minutes seen by Pulse have said.
Instead, the plans are for NHS England to take on the data controller role, while simultaneously allowing patients to ‘own’ their record.
This has been revealed within minutes from NHS England, which were obtained via FOI and shared with Pulse.
At the May 2025 meeting held by NHS England’s Data, Digital and Technology Committee, members agreed it would ‘not be appropriate’ for GPs to act as data controller of this ‘multi-service record’.
First announced in last year’s NHS 10 year plan, the SPR will make patients’ data visible to clinicians across different care settings and will be available on the NHS App by 2028. It is currently in a ‘test and learn’ development phase, according to NHS England.
The minutes said: ‘It was accepted that an appropriate data controller for SPR is necessary, which will require a review of the legislative framework; given SPR will be a multi-service record it would not be appropriate for GPs to act as the data controller.
‘It was agreed that while the NHS will be the data controller/custodian, patients would expect to own their records: how this can be achieved requires further thought.
‘It was noted that Australia have developed a model of sharing patient records, and this should be considered when reviewing legislative and regulatory amendments for SPR.’
The BMA’s GP committee for England said it disagreed in principle with the plans.
Dr Mark Coley, the committee’s IT lead, told Pulse: ‘While we welcome future discussions on the single patient record, it is still the BMA’s view that GPs themselves must remain the data controller of the GP record.
‘This data controllership role would allow us to act for the best interests of our patients, to advocate for them in any data sharing processes, to maintain confidentiality and, ultimately, to ensure we have the trust of our patients.’
The GPCE is currently in dispute with the Government over online access changes which came into force on 1 October last year, including around switching on access to the GP Connect Update Record by other NHS providers.
GPC chair Dr Katie Bramall told a webinar last month the committee was looking at collective action around patient data which would put ‘a spanner in the works’ for the Government.
The minutes were obtained through a freedom of information (FOI) request from medConfidential, a campaign group for confidentiality and consent in health and social care.
Sam Smith, policy lead at medConfidential, told Pulse: ‘The SPR will be used however politicians want.
‘Decisions about what happens to patient medical records will now be made by politicians alone, GPs will no longer have any choice. A recent demonstration of this was the Secretary of State’s Direction to break the pandemic-only promise and give “Covid-19 only” data to UK Biobank for their reuse.’
UK Biobank is a health dataset project holding data from more than 500,000 volunteers in the UK. It is one of the beneficiaries of the recent Government instruction to NHS England to extract identifiable patient data for research from GP records, on an opt-in basis.
Professor Azeem Majeed, a GP and head of the Department of Primary Care and Public Health at Imperial College London, said while transferring data controllership would shift risk away from GPs, it risks weakening patient trust in general practice.
Professor Majeed told Pulse: ‘As the single patient record is intended to be a multi-service record (bringing together data from general practice, hospitals, mental health and other care settings), it would be difficult for general practices to remain data controllers. The role carries significant legal responsibilities, and it is not practical for individual practices to oversee data that extends far beyond their direct control.
‘Transferring data controller responsibility to a central NHS body would shift the legal, financial and governance risks associated with data breaches or misuse away from individual practices. Hence, it maybe welcomed by many GPs, given the growing complexity of data governance.
‘However, general practice has traditionally been the trusted custodian of patient records and plays a key “gatekeeper” role in how patient data is accessed and used. Centralising control could risk weakening that role and, potentially, public trust if patients feel their data is more widely shared without sufficient oversight.
‘Overall, while the move may reduce burden and risk for practices, the profession will want clear assurances that privacy standards remain robust and that the clinical integrity, accuracy and appropriate use of patient records are not compromised.’
Pulse has contacted NHS England and DHSC to comment.
What the SPR means for clinicians
For clinicians, the SPR will be designed to offer:
- A clear, unified view of a patient’s history – wherever they’ve received care;
- Seamless access to be able to support care across all care settings, from primary, to acute, to community;
- Better-informed decision-making and reduced administrative burden;
- Safer, faster, and more coordinated care through a more collaborative approach, as the SPR will enable patients to read, update, and share joint care plans;
- The SPR will, wherever possible, build on and connect with existing systems – such as Electronic Patient Records, Shared Care Records, and the Federated Data Platform – rather than replacing them. Source systems will remain the clinical system of record.
Source: NHS England
Related Articles
READERS' COMMENTS [13]
Please note, only GPs are permitted to add comments to articles
This will speed up the plurality of alternative providers, able or willing to take on work traditionally done in general practice.
Saw this legal change coming last year (or was it the year before?) ….GPs now reduced to mere minions – the quantification of their job reduced to inputting their priceless opinion, thought processes and consultation notes as data, for LLMs and machine learning. What a bargain basement price for whichever US corporate gets their hands on it in the future! How flipping embarrassing! The significance of this should not be lost but should have GPs up in arms.
Stop inputting consultation data, and switch back to Lloyd-George until the Govt gives some guarantees and fair compensation for this work (which will be worth billions in the future).
A continually failing NHS England/ DHSC imo with an unenviable unbroken record of mismanagement and dire leadership should also, please kindly take over the unlimited liability -No! -thought not -as unlimited liability unlike data capture without explicit patient consent in many cases, in a far from secure data environment in my view, is considerably more difficult to sell on is it not?.
I am also very worried about who will have Control of who can access that data !
And how much will it cost us to access our own data?
I wonder if GPs will remain the first point of contact for private reports EG insurance.
This looks like a refreshing change after so many years of trying to hold GPs responsible for everything regardless of our lack of ability to influence others to ensure things – but how much will we have to pay the Controller for access to patient data, and will access be guaranteed ? The Trojan Horse was also looking very nice until……..
I thought NHSE was to be abolished?
looks like a pretext for (yet another) cut in funding
GPs should be the controller pf GP record.
Sadly I think GPs have already lost the battle of control over the database that GPs developed themselves since the 1990s. It should have been our intellectual property. Once DH grabbed access to the Appointment Books in Covid – it was downhill. Biobank given access, OpenSafely allows industry access for free (at least no money comes back to data controllers), many organisms have statutory write back into our records which we are now data controller for. We have to do DPIAs for these- but aren’t allowed to refuse whatever the risks, are held responsible for data breaches uninsured, and have to pay for all the SAR process. So only left with the bad bits.
Sadly once our Appointment Books became DH property in Covid, its been downhill. GPs have invested years of work in creating electronic GP records, but the IP within this project has not being valued sadly. Biobank gets the data it needs, OpenSafely allows industry free /paid access -with none of this money filtering back to GP. Other organisations can now write into our records, and we have to curate this / become data controller. We have to write DPIAs for data sharing that we don’t agree to, whilst being financially at risk and uninsured for the risky stuff, and the expensive bits like SARs. We aren’t really data controllers any more. We’ve lost the valuable bit already. We’ll certainly risk losing trust in what our patients tell us, and who sees this….but that boat has already sailed.
I fear this could be a lose-lose situation. Firstly, more information is not necessarily better information. Often, we end up unable to see the wood for all the trees. Secondly, there are already many people who do not trust the vaccination program and are not coming forward to be immunised. What else are they not coming for? What else are they not telling us? It is possible that trust could be suffficiently undermined that we will not be able to to do our jobs at all.
Dear no-win no-fee lawyer Please scour my shared records for something I can sue my GP for with help of a career ‘expert witness’ who has never been a GP and sees as many patients in a year as a GP does in a day.