New automatic extractions of data from GP-held patient records, due to come into force in early summer, are ‘far bigger’ and ‘more intrusive’ than care.data, GP privacy campaigners have warned.
NHS Digital announced earlier this month that it will be rolling out a ‘new and improved’ GP data collection system from 1 July called General Practice Data for Planning and Research (GPDPR), with patients wanting to opt out having to do so by 23 June.
NHS Digital said the collected data will be used ‘for better planning of healthcare services and for use in medical research’ and that the new system will be ‘more efficient’ at doing this than the current General Practice Extraction Service (GPES) process.
However, privacy campaigners have warned that the amount of information going to be extracted from patient records from July ‘far exceeds’ that done under previous schemes, adding GPs have not been given enough time to inform patients about these changes.
GPs don’t have to contact patients but will need to update their privacy notice, for example on their website, NHS Digital has said, adding they may also wish to include information about the change on social media, newsletters and other communications.
This comes in contrast to the scrapped care.data plans which saw every household in England receive a leaflet about the upcoming changes in 2014.
But Hampshire GP and data autonomy advocate Dr Neil Bhatia told Pulse that GPDPR ‘is more intrusive than care.data in terms of the amount of information being extracted’, adding that it’s ‘even more imperative that everybody has an opportunity to at least find out about it’.
He said: ‘Six weeks is not a long time for practices to put out the information and to make their patients aware that this is going to happen. We have 30,000 patients in my practice, but there are practices with 50,000 or 100,000 patients. How on earth are they going to reach patients in six weeks?’
He added that this short timescale is ‘manifestly unfair’ on patients as it gives them ‘little time’ to find, read and understand the changes before deciding whether or not to opt out.
Dr Bhatia said: ‘This is just another job for GPs to do at a very very difficult time in our professional lives – while in the middle of a pandemic and while we’re trying to vaccinate the country and with patients now ringing in and sending e-consults in droves.’
He added that the ‘saving grace’ is that many patients would have opted out under care.data, with those wishes being carried over to the new system, according to NHS Digital.
Campaigners have also raised concerns about the amount of data going to be collected under GPDPR and how it will be used.
During the pandemic, there has been a regular extraction of some GP data to exclusively support Covid-19-related research and planning, but GPDPR will go beyond that purpose.
NHS Digital said the GPDPR service ‘has been designed to the most rigorous privacy and security standards’, adding that any data which identifies individual patients ‘will be pseudonymised and then encrypted before it leaves a GP practice’.
It also said that it consulted with patient and privacy groups, clinicians, technology experts, as well as with the BMA and the RCGP.
Under GPDPR, NHS Digital states it will collect medication, referral and appointment data for the previous 10 years, as well as other medical record data for patients’ entire history, including symptoms, diagnoses and immunisations.
Phil Booth, coordinator of MedConfidential, a data confidentiality advocacy group, told Pulse that the new GPDPR system is ‘far bigger’ than the controversial data sharing scheme, care.data, which was scrapped in 2016, following concerns about patient confidentiality and how the data would be used.
He said: ‘Care.data was only prospective, from the point it would have collected, it would have collected going forwards. This is people’s entire coded GP history on first upload and then daily thereafter for any changes. It’s far bigger than care.data. It’s also taking thousands of sensitive codes, which care.data specifically excluded.’
He added that there are also questions around who the data collected will be shared with, adding NHS Digital’s privacy statement on this is too wide. According to NHS Digital, ‘data will only be shared with organisations who have a legal basis and meet strict criteria to use it for local, regional and national planning, policy development, commissioning, public health and research purposes’.
Mr Booth said that while processes ‘have improved’, ‘they are still entirely capable, as their own data releases show, of sending copies of this data out to information intermediaries, and it’s the information intermediaries that service, for example, the pharmaceutical sector’.
The GPDPR data provision notice also states that the extracted data ‘may be used for direct care purposes’ in ‘exceptional circumstances’ where it is ‘necessary and compelling’ to do so, citing its use of GP data to create the shielded patient list during the pandemic as a previous example.
NHS Digital told Pulse: ‘This program is not an extension to, or an evolution of, the care.data program. Our process and protocols for data access are very different to seven years ago.
‘Data is only shared with organisations who have a legal basis and meet strict criteria to use it. There is independent oversight and scrutiny from the Professional Advisory Group (PAG) and the Independent Group Advising on the Release of Data (IGARD).’
NHS Digital added that the Type 1 opt-out has been available to patients since 2013 and that the six week window merely offers patients ‘more time to opt out before their data is shared’, adding it would be ‘disproportionate’ to write to every patient as the national campaign ‘is not new and there are no new actions for individuals to take’.
It said: ‘We recognise the current pressures on GPs and have taken steps to minimise the burden. We have provided links for practices to use to reduce the burden of informing patients and have an ongoing media campaign to raise awareness.
‘By providing a rigorous, standardised and unified approach, this collection removes the job of thoroughly assessing current and future applications for data sharing for research and planning from GPs, who can direct these to NHS Digital.’
BMA GP executive committee IT lead Dr Farah Jameel told Pulse: ‘The BMA has been working closely with NHS Digital over the planning of this new data collection to ensure that it will have a minimum administrative burden on practices at a time when workload pressure is at an all-time high.’
She added that GP data plays a vital role in research and planning but that any data collected must be used ‘safely and responsibly’, and that the BMA ‘will continue to work closely with NHS Digital to ensure that there are appropriate safeguards in place over how the data collected is used, as well as advising on ways to minimise the need to disseminate data’.
READERS' COMMENTS [3]
Please note, only GPs are permitted to add comments to articles
surely–noone is surprized
current mob of pols are fully signed up to total control
You publish your salaries, and complaints policy. They mould you into professional data junkies. Then mock you with referral, QOF and prescribing data, publically. CQC remotely monitoring fake “intelligence”.
And then, GovUK sell off the lucrative data to the USA and private contractors, just in time for their job promotion. Better code my depression interim review. And you better maintain “patient confidentiality” under GMC guidelines. Hilarious hippocrites.
With ample precedent, and as opaque as it appears, it’s unlikely GPDPR is as advertised.
Real-world unanswered questions remain about the known potential to re-identify individuals by reverse engineering pseudonymised data. Concerns remain unaddressed regarding data sale for the commercial purposes of private companies in the new health system.
For instance, Babylon (GPatHand) and Centene (Operose) come ready-primed with their own software platforms. Babylon’s Bayesian chatbot needs access to your medical records in order to improve its accuracy.
Centene (the giant US Health Insurance company now running 70 General Practices in England) has recently acquired Apixio, whose marketing video for their software platform describes full coded and free-text data extraction from medical records, together with their ability to commercialise the value of the data, working with their ‘partners’.
Would you trust a health insurance corporation with your medical records? Well, it looks like they’ll be getting them soon.
The only thing that’s secure about GPDPR is the data transfer. The rest will be exploitable loopholes giving access to the NHS’s most valuable asset: your data.