On September 1 2021, NHS Digital will implement a new system for extracting millions of patient medical histories and other data from GP practices across the UK, in line with the new General Practice Data for Planning and Research (GPDPR) data collection scheme.
The announcement has been met with criticism by privacy activists and other organizations, who are concerned that the new system is being implemented too quickly, without adequate safeguards for patient data, and without sufficient public consultation. (In response to pressure from privacy activists, the original July 1 deadline has been postponed to September 1, 2021).
Let’s unpack some of the issues about GPDPR that have been getting the most attention.
What exactly is GPDPR?
GPDPR is the new method for collecting patient medical data from GP records, designed to replace the General Practice Extraction Service (GPES) with a more cohesive and efficient system. Most of the information in your medical record held by your GP is stored using different codes (e.g., codes for a specific diagnosis, or prescribed medication). Periodically, this coded information is collected by NHS Digital and used for healthcare planning (e.g., what health and care services are needed in a local area), and medical research.
Will GPDPR allow the NHS to sell my data to commercial companies?
Many people are apprehensive about the possibility of their sensitive health information being sold to big tech or pharmaceutical companies.
NHS Digital currently shares patient data with various public sector bodies, charities, and commercial organizations. This would continue to be the case with GPDPR.
It is somewhat ambiguous whether NHS Digital ‘sells’ patient data. Those who are given access to patient data are charged the cost of making the data available; NHS Digital states that it does not profit from sharing data. NHS Digital could choose to share data for profit in the future, but GPDPR makes this no more nor less likely.
NHS Digital also states that it will not share data for “insurance or marketing purposes, promoting or selling products or services, market research, or advertising.” According to the Care Act 2014, NHS Digital may only share data when doing so will be used to provide care or promote health. However, this does not exclude commercial organizations from also profiting from the use of data, provided it meets this requirement. This means that the health arm of Google DeepMind, for example, can be given access to patient data to develop a new piece of technology that it will sell for profit (including to the NHS), as long as this piece of technology is expected to benefit patients in the UK.
Will My Data be Anonymous?
The short answer, in most cases, is no.
Anonymous data is data that can no longer be attributed to a specific person. Pseudonymous data, on the other hand, is data that can no longer be attributed to a specific person, without the use of additional information. The data that NHS Digital accesses from GP records is ‘pseudonymized’. Any information that can directly identify you (e.g., name, date of birth, NHS number, full postcode) is replaced with a unique code, so those accessing the data cannot identify you. But because NHS Digital is still able to re-identify this data, it is not anonymized.
NHS Digital states that it will only re-identify data where there is “a legally valid reason.” This includes when it is needed for your care, or when you have consented, but also when there is a legal obligation (e.g., COPI notices issued during a pandemic), as well as when approved by the Health Research Authority for research purposes.
It is possible that your data could be re-identified by someone other than NHS Digital, if they are able to access enough other data about you. For example, GPS data from my phone, or social media posts about getting my COVID vaccine, could be cross-referenced with a pseudonymized patient record to re-identify it. Of course, this would be illegal in the UK.
Can my medical data really be collected and shared without my permission?
According to data protection regulations, yes.
There are several lawful bases for data processing in the UK, of which consent is only one. Processing health data requires a further legal basis, which can include “substantial public interest”, “health and social care purposes”, “public health purposes”, and “scientific research” . This means that NHS Digital can legally collect and share patient health data with third parties, without patient consent.
It is a separate question whether it is ethical for them to do so. This raises complex issues about whether informed consent is even possible in this context. I can’t give informed consent in advance for the use of my patient records, because I don’t know how it will be used. NHS Digital could ask for my consent each time they want to share my data, although this would not be realistic if my data is being used in hundreds or thousands of research studies (and could I really be informed about all of these possible uses of my data?) Any ethical approach to sharing patient health data will need to balance the potential benefits of research, while also showing appropriate respect for patient autonomy.
What If I Don’t Want to Share My Data?
If you don’t want your data to be collected or shared there are two options for opting out, although there are important differences between them.
A Type-1 opt out prevents information being shared outside a GP practice for purposes other than direct care. If you don’t want NHS Digital collecting your data, you can register a Type-1 opt-out with your GP practice. Any data that NHS Digital has collected before registering your Type-1 opt out, they will continue to hold. This means that opting out now will not remove any data that NHS Digital has already collected under the old data collection system, but it will prevent new data from being collected.
The National Data Opt-out prevents NHS Digital from sharing your data with third parties. However, there are several instances in which the National Data Opt-Out does not apply, including when data sharing is required by law, when you have given consent, when the information has been de-identified, or when there is an overriding public interest. This means that NHS Digital can legally share your data even if you have registered a National Data Opt-out. It also means that the National Data Opt-Out does not prevent NHS Digital from collecting your data from GP practices (i.e., GPDPR), because collecting this data is a legal requirement.
Data protection regulations also stipulate that individuals have the right to have their data erased (sometimes referred to as ‘the right to be forgotten’). But this right only applies in certain circumstances, and is unlikely to apply to the collecting or sharing of health data by NHS Digital.
A Missed Opportunity
No one would dispute that research has the potential to benefit patients, both now and in the future, and making patient data available for research is critical to achieving these benefits. But it is critical that the systems we have in place for collecting, sharing, and using patient data are worthy of public confidence, to ensure that research benefits everyone, and data is kept safe. What seems clear is that a big part of building confidence is engaging with the public, so that their input actually makes a difference. It’s not clear that the roll-out of GPDPR accomplished this. In that respect, GPDPR was a missed opportunity to shape, or re-shape, the sharing of health data in the UK. We need to do better to treat patients as partners in research, and not merely as sources of data to be exploited.
Mackenzie Graham
Senior Research Fellow in Imaging & Data Ethics
Ethox Centre and Wellcome Centre for Ethics and Humanities; part of the National Consortium of Intelligent Medical Imaging (NCIMI)
This blog reflects the view of the author and not necessarily those of Ethox, the Wellcome Centre for Ethics and Humanities and/or NCIMI.
Image by Gerd Altmann on Pixabay