A new system for extracting patient records has been postponed until the autumn, but GP anxieties about privacy, data security and liability remain, find Nicola Merrifield and Awil Mohamoud
As a former home secretary, Sajid Javid may know more than most about sensitivities around the state and people’s right to privacy. And – while not top of his to-do list – the NHS’s new GP patient data-sharing scheme has stoked the public’s fears.
The latest NHS scheme will see patient records extracted from practices, pseudonymised by the GP IT system and sent to NHS Digital, which will pass the packaged data to interested third parties. And it has serious implications for GPs.
Under the scheme – named ‘General Practice Data for Planning and Research’, or GPDPR – it is up to practices to notify all their patients about the plans. On 1 September, NHS Digital will extract all patient data from GP records, except for patients who have opted out and whose opt-outs have been processed by GPs. Future data will then be extracted routinely, until a patient opts out.
This will, of course, be a significant burden for GPs at a time when they are already facing a huge workload. But workload is only part of the problem. GPs are still unclear about their obligations, and a case led by campaigning organisation Doctors’ Association UK (DAUK) is currently going through the court to establish the scheme’s legal basis.
But perhaps the biggest effect of the scheme – or, more accurately, the publicity around it – will be on the GP-patient relationship. There are even suggestions that patients will be less willing to come forward with health concerns due to worries about privacy.
All this is set to come in over the summer. But there has already been a level of drama not normally associated with the subject of data processing.
The scheme started to pique the public interest in early June (after being reported in Pulse, of course).
Media reports focused on campaigners’ warnings that it would potentially make sensitive patient data available to private firms.
This includes patients’ full history, not just any future changes to their records. This means it goes further than the previous controversial scheme, care.data – which itself was completely ditched in 2016 after becoming too toxic due to accusations of the NHS selling off the data to private companies.
Originally, GPs were given just over a month to inform patients about the scheme and warn them they had until 23 June to opt out.
As the protests grew, the BMA and RCGP called for a delay to implementation due to the tight deadline, alongside fears of the data being sold to private companies. Meanwhile a group of organisations, including DAUK, threatened legal action unless the deadline for opting out was extended and ‘meaningful patient consent’ obtained.
On 8 June, the Government duly announced a delay to the data extraction until September. Health minister Jo Churchill told the House of Commons the extra time would be used to ‘talk to patients, doctors, health charities and others to strengthen the plan, build a trusted research environment and ensure data is accessed securely’.
A few days later, it was announced that then health secretary Matt Hancock had roped in former RCGP chair Professor Helen Stokes-Lampard to advise on the rollout.
The purpose of the scheme has been somewhat lost in the media outcry. NHS Digital says it is intended to extract patient data for ‘better planning of healthcare services and use in medical research’.
The system will be ‘more efficient’ at extracting data than the General Practice Extraction Service (GPES) process it replaces, NHS Digital insists. During the pandemic GPES has allowed regular patient data extraction to help plan treatments and monitor the effects of Covid-19, with data that can be shared with third parties.
Under GPDPR, the data will be pseudonymised – meaning information that could directly identify a patient, such as NHS number or date of birth, is replaced with unique codes – but NHS Digital says it could reverse this and identify patients ‘in certain circumstances, and where there is a valid legal reason’.
However, it says the GPDPR data will only be shared with organisations that ‘meet strict criteria to use it for local, regional, and national planning, policy development, commissioning, public health, and research purposes’.
But Phil Booth, coordinator of data confidentiality advocacy group MedConfidential, warns NHS Digital’s privacy statement is too wide and that questions remain about who will have access to the information. Furthermore, he says GPDPR is ‘far bigger’ than care.data because it takes all a person’s primary care medical history.
‘Care.data was only prospective… it would have collected data going forward. This is people’s entire coded GP history on first upload and then daily thereafter for changes. It’s far bigger than care.data.’
Warrington GP and GP adviser at DAUK Dr Rosie Shire agrees: ‘There will be some people who have heard vaguely that the Government is going to share this data with third parties.’
If the Government does not clearly explain the system to the public, patients could accuse GPs of betraying their trust by handing over their data. It may also make them wary of frank conversations about their health, warns Dr Shire.
‘The name “GP” is in the title of the new system and it implies we are complicit in this. I would worry it would affect the relationship.’
She adds: ‘We want this done in the right way so patients can trust us as GPs and don’t feel they’ve got to hide stuff from us in case it gets in their record and gets uploaded.’
Legal risks for GPs
It seems unlikely that GPs, as the data controllers, would be held liable under data protection laws if a patient felt their record had been used illegally, or their privacy or confidentiality breached.
Cori Crider, director of legal firm Foxglove, which is working with DAUK on the legal challenge against the secretary of state over the scheme, tells Pulse: ‘Everything turns on whether the secretary of state’s direction to GPs to hand off the data is lawful. If it’s [found to be] lawful, then suddenly NHS Digital will be the controller of the data, and if there is any downstream misuse they are going to be on the hook, rather than GPs.’
But that may not stop patients trying to sue practices if things go wrong.
Nathalie Moreno, a data protection and cyber security partner at law firm Addleshaw Goddard, warns: ‘It might be difficult to identify who made the mistake – was it the GP, a system failure? Is it clearly NHS Digital’s responsibility or the GP supplier’s responsibility?
‘In any case, the principle from [a data regulations] perspective means if anything goes wrong… the patient doesn’t need to know who caused the mistake. They are entitled to sue both the GP practice and NHS Digital.’
Despite the risks, unless the court finds the Government’s request for data to be unlawful in the DAUK case, GPs must comply. The BMA has confirmed GPs are contractually required to take part.
GPs’ major role in this will be around opt-outs. They will have to opt out patients who request it. Patients can only opt out of having their historical health record data extracted on 1 September by filling in a Type-1 opt-out form and sending it to their GP practice.
They will be able to opt out after that, but this will only apply to future data – their historical data will already have been extracted and will be retained.
Before the recent delay, NHS Digital imposed a deadline for patients to opt out a week before the data were extracted, giving GPs a bit of time to process any opt-outs. However, following the delay, NHS Digital removed a deadline for patients, leaving GPs to determine the cut-off point to ensure opt-outs can be processed in time.
The BMA is not happy about this. GPC England executive team IT lead Dr Farah Jameel says: ‘The public needs a clear deadline for opting out, with clear instructions on how to do this if they wish.
‘We have been urging the Government and NHS Digital to consider making the process of opting out simpler, and in effect remove any additional burden [that] large volumes of Type 1 opt-outs could place on already under-pressure general practice.
‘NHS Digital must also make clear to patients what will happen to their data if they do not opt out before the deadline, and how long this data will be stored for, as well as explaining why it cannot be retrospectively deleted should patients subsequently decide to opt out.’
Hampshire GP and data privacy campaigner Dr Neil Bhatia says: ‘There is always the risk that GPs are going to suddenly end up with a whole load of forms right at the last minute.’
As the deadline will now be in GPs’ hands, patients could be ‘very angry’ if their opt-out requests aren’t registered in time, as ‘there is no way back’, he says. ‘It is not good for the relationship with our patients if this happens.’