The NHS Datagrab (GPDPR) explained

What’s this NHS Data Grab I’ve heard about?

The government wants to collect the confidential health records of every GP patient in England and put them into one huge new data pool. It says “third parties” will be able to access this pool, including commercial companies, but won’t say who or how.

  • The scheme’s official name is GPDPR or ‘General Practice Data for Planning and Research.’ 
  • It will take 55 million people’s cradle-to-grave health records and put them in a central database – to be used by many different parties, for many different purposes.
  • This is new. Under today’s system, requests for GP data are made on a one-off basis. GPDPR is far bigger and broader. It puts 55m health records in a single place that updates in real time. In the government’s words, it will ‘collect [your data] once, [but] use [it] many times’.
  • A similar scheme, ‘’, was tried in 2013, only to collapse over widespread concerns over privacy and corporate access. We don’t want to repeat the same mistakes today.

What’s wrong with that – surely the NHS using data better is a good thing?

It isn’t just the NHS who will access data. You can’t pool the cradle-to-grave health records of all 55 million people in England without telling people and giving them a meaningful say in how the new system works. It’s undemocratic and could damage trust in the NHS.

  • This huge change wasn’t explained to patients. Matt Hancock told Radio 4 that his aim was for patients to control their own data and “consent should be at the heart of it”. He also said he was “not against” writing to everyone in the country, or sending everyone a text message, like with the Covid vaccination programme, to inform them of the change.
  • But this is the opposite of what’s happened so far. Instead, the change was posted on one NHS Digital website. How does that reach the 2-3 million over-65s who aren’t online, for example? 
  • The government needs to tell us why it wants to build this new data pool – and what it plans to do with the data. It should urgently explain who the “third parties” are who will have access to our data, and what standards they will need to meet.
  • Matt Hancock needs to explain what alternative models he has considered for managing NHS data research. For example, openSafely, the data platform developed by Ben Goldacre during the pandemic takes research queries to the data itself – instead of grabbing the entire GP record. This might solve some of the problems with maintaining public trust.

But NHS Digital says that “Data saves lives?”

No-one is opposed to using health data for research that saves lives. But the data can also be used for profit. The plan must benefit the NHS and, crucially, maintain the faith and trust of patients. 

  • Of course, data can save lives. But it can also make people a lot of money – and those goals don’t always support one another.
  • The government should be honest about this. Research shows that, compared to the NHS, people are less comfortable with private companies using their confidential health records to make a profit.
  • Matt Hancock must set out in plain English on what terms companies could access this massive new pool of our GP data – and give people a choice.   

Isn’t this data anonymous?

This data is not anonymous. It is pseudonymous. This is a really important distinction and is practically and legally different to anonymous. 

  • Government spokespeople have repeatedly mixed these up. It is pretty easy to identify people from pseudonymised data – often with only a few bits of information about you.
  • The government says they may re-identify your data in certain circumstances – without fully explaining when they might do this.
  • As for companies, identify someone from pseudonymised data is illegal in most cases. But the body who handle those offences, the Information Commissioner’s Office (ICO), is understaffed, underfunded, and unable to enforce against major breaches.

There must be safeguards in place already to protect this data?

The safeguards aren’t strong enough yet – there’s one expert body that doesn’t explain its decisions clearly, and the ICO hasn’t got the resources to police the law. And the government may be about to dilute the laws that protect your health data. 

  • A body called IGARD considers requests for data access. The minutes of their meetings are online, as is a record of requests for data. But the records of their meetings aren’t easily understood by the average person – nor are the standards they judge private companies on.
  • Watchdog group medConfidential has published a list showing lots of third parties have broken the rules when they used medical data. And the ICO, as we said, just hasn’t got the resources to follow up every time the law is broken.
  • The government’s also considering weakening legal protections for your health data. 

Is it biased to refer to GPDPR as a “data grab”?

What would you call taking the personal information of 55 million people – without asking for permission, presenting an informed choice, or, until our case, giving fair warning at all? It doesn’t seem an exaggeration to call that a data grab.

  • Millions of people still haven’t heard about this system. Originally, NHS Digital set a deadline to opt-out of June 23. We think the new deadline is August 25. If you haven’t opted-out by then your GP data will be gone forever and you can only prevent future data being shared. Does that seem like a reasonable and fair system to you?
  • Again – where is the public information campaign? Matt Hancock admitted that a “proper national debate” is needed but has done little to create one. We know the government can text the nation, can address the nation daily at teatime on BBC One. Why haven’t they?
  • It’s not too late. The government could repair damage by slowing down and making a much bigger effort to consult people. Our data is there for the asking, not the taking.

If giving private companies access to my data helps the NHS, what’s the problem?

 The question we always need to be asking is: who benefits? The collected data of the NHS is the most valuable resource of its kind in the world – but only because it has been created and paid for over decades by taxpayers and ordinary British people.

  • Companies requesting access to health data tend to promise “innovation”. But there is evidence that using data in this way can make unfairness in healthcare worse, not better. 
  • “Innovative” medicines are often priced too high for the NHS to buy them, so how does that benefit the NHS? What if instead, access to our data meant the NHS got the final product for free or a share of any financial gain? Or the product could be made open source, so everyone can benefit.
  • Most of all – we need to make sure that introducing a major profit motive in our health service doesn’t undermine the core value of the NHS: a universal service free at the point of delivery, with care of patients at its heart.