The medical records of NHS England users are set to be gathered in a new centralised database under the new General Practice Data for Planning and Research (“GPDPR”).
Data about hospital patients is already collected centrally through the Hospital Episode Statistics database. The GPDPR will collect the confidential health records of some 55 million GP patients in England and place those records in a single database. The data will start to be transferred on 1 September 2021. Patients are in principle entitled to opt out at any time, but as any opt out is not retrospective, the effective deadline to opt out of the transfer of existing data to the GPDPR is 1 September 2021. According to NHS Digital, the data will be available to academic and commercial third parties for research and planning purposes.
The legal basis for the GPDPR is the Secretary of State for Health and Social Care’s General Practice Data for Planning and Research Directions 2021, made under powers in Part 9 of the Health and Social Care Act 2012 and the National Institute for Health and Care Excellence (Constitution and Functions) and the Health and Social Care Information Centre (Functions) Regulations 2013/259.
Currently, requests by NHS Digital for data held by GPs are made on a one-off basis through the General Practice Extraction Service (GPES). The Secretary of State’s Requirements Specification for the GPDPR describes the GPES’ “collect once, use once” method as “inefficient, costly and capacity constrained”, and continues:
“The policy demand and commission were for the replacement to support existing national extracts and reports, in addition to providing capability and capacity to meet rapidly increasing requirements for data to support local, regional and national planning, commissioning and research. It was agreed that this should be achieved in a way that builds and maintains professional, patient and public trust, and operates within the legal, policy and transparency framework of NHS Digital”.
The GPDPR clearly represents a significant step-change from the GPES mechanism, and in relation to information that would, by any account, be considered to be of the most private nature. The information set to be included in the database includes data about sex, ethnicity, sexual orientation, diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments. It will also include sensitive information on mental and sexual health, criminal records and abuse and details about which staff have treated patients.
Given the scope and scale of the scheme, it is inevitable that complications and legal issues will emerge as it unfolds. Simply on the information already provided about how it will work, the following potential issues can be identified.
Firstly, has there been sufficient consultation and transparency in the introduction of the GPDPR, given its scope? Since its announcement in early April 2021, the GPDPR has not been highly publicised. There has been no centralised information campaign and matters have largely been left in the hands of individual practices. There is much about the scheme that would appear to invite scrutiny, in particular by those affected: the scale of the data collection; the nature of the data collected; the non-retrospective nature of the opt-out; and the lack of clarity on how data will be used, who will benefit from it and what implications that use may have for patients. There are implications for relationships between patients and GPs (as patients will be aware that information from their interactions will come to be placed on the database) and between GPs and the NHS (given that the former may not relish being obliged to hand over such data). There are already indications of confusion around the role of GP practices within the GPDPR. Some GP practices have not even updated their privacy notices to reflect the GPDPR. Anecdotally, it appears that some GP practices are not allowing patients to opt out by completing a form in the surgery – saying, for example, that this is all a matter for NHS Digital not us. This seems clearly wrong, given that GPs are data processors and potentially liable for breaches of the Data Protection Act 2018 and the UK GDPR. Principle 1 of the UK GDPR requires processing to be ‘fair’ as well as lawful. There is an argument that a non-publicised data transfer (particularly if combined with an out-of-date privacy notice) would be a breach of the fairness requirement.
Secondly, a number of questions arise about how the GPDPR can be said to comply with other data protection principles. How can the scale of the data collected be said to comply with the requirement for the data minimisation principle (Article 5(1)(c) UK GDPR)?
Thirdly, what measures will be in place to protect against the identification of individual patients? It is proposed that the database will not include names or addresses, or any other data that could directly identify a patient like their NHS number, date of birth, or postcode (although it is understood that partial postcodes and week and year of birth will be included). However, it appears to be readily possible to identify people from pseudonymised data. This is a serious concern in the context of the proposed GPDPR, which will collect a wide range of highly individualised data. These issues underline concerns about the security of such a system, per the integrity and confidentiality data protection principle (Article 5(1)(f) GDPR).
Fourthly, there is a lack of clarity around the extent to which, and the basis on which, third party organisations will be able to access the data collected via the GPDPR. The proposals suggest that the data will only be accessible to organisations with a legitimate need for it who meet stringent criteria, with independent oversight by the Independent Group Advising on the Release of Data. According to NHS Digital’s Transparency Notice, if a request is approved, “the data will either be made available within a secure data access environment within NHS Digital infrastructure, or where the needs of the recipient cannot be met this way, as a direct dissemination of data.” Thus, NHS Digital will allow copies of the data to be placed onto external sites, which could raise serious data protection issues of its own.
This data collection is likely to produce one of the most valuable sets of medical data in the world. It may be used in ways to improve services and planning, for the benefit of all of us. However, it is also potentially open to exploitation and data breaches, and the lack of transparency surrounding the transfer of the data and the limitations on what it can be used for are rightly matters of significant public concern.
Admas Habteslasie is a barrister specialising in public law.
 The General Data Protection Regulation continues to apply, with some modification, post-Brexit. See, e.g., R (on the application of Open Rights Group) v Secretary of State for the Home Department  EWCA Civ 800.
 For example, in 2019, researchers from Belgium’s Université Catholique de Louvain (UCLouvain) and Imperial College London built a model to estimate how easy it would be to deanonymise an arbitrary dataset. They found that a dataset with 15 demographic attributes would render 99.8% of people in Massachusetts as unique.