The data of GP patients in England was set to be shared with third parties from 1 July 2021.
However, the plans to allow an NHS system to extract patient data from doctors’ surgeries in England has now been delayed by the Government following concerns around privacy.
The new data collection project by NHS Digital – named General Practice Data for Planning and Research (GPDPR) – will see records of 55 million NHS patients pooled together into a single resource that will be available to academics and commercial third parties.
It will include sensitive information about patients, including physical, mental and sexual health, but will now not begin until 1 September 2021 – being pushed back by two months.
We want to hear from you: let us know what you think about this story and be part of the debate in our comments section below
The NHS has said the project is aimed at helping to plan and deliver its services more effectively and “ensure that care and treatment provided is safe and effective”.
However, questions have been raised about whether the project is legally sound. So what data will be shared, what will it be used for - and how do you opt out?
This is what you need to know.
Why is the NHS sharing patient data?
NHS Digital says that the patient data can help the NHS in a number of ways, including being able to:
- monitor the long-term safety and effectiveness of care
- plan how to deliver better health and care services
- prevent the spread of infectious diseases
- identify new treatments and medicines through health research
Although GP practices already share patient data for these purposes, this new data collection project is promised to be more efficient and effective.
Abbas Kanani, pharmacist at Chemist Click, says that from a healthcare provider’s point of view, there are positives to the data sharing initiative “as it allows for better planning of healthcare services and can help to provide seamless care.”
He said: “Analysing data that is to be made available can also help to reduce inefficiencies within healthcare services, ultimately with the end goal of improving patient outcomes.”
Despite this, Mr Kanani does say that the rollout of this initiative “appears to be slightly haphazard,” and that due to healthcare services finding their feet after an intense year, mostly due to the Covid pandemic, “it is probably best to delay this.”
He comments: “The short timescale that GP practices have to inform their patients, and the short timeframe in which patients have to respond, is a little unfair.”
What data will be shared - and when?
From 1 July, patient data was set to be collected from GP medical records about:
- any living patient registered at a GP practice in England when the collection started - this includes children and adults.
- any patient who died after the data collection started, and was previously registered at a GP practice in England when the data collection started.
Data will include:
- your sex, ethnicity and sexual orientation.
- clinical codes and data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals and recalls, and appointments, including information about your physical, mental and sexual health.
- data about staff who have treated you.
Your name or where you live will not be included in the data collection.
Any other data that could directly identify you, for example your NHS number, General Practice Local Patient Number, full postcode and date of birth, will be replaced with unique codes which are produced by de-identification software before the data is shared with NHS Digital.
However, the new initiative will now begin on 1 September.
Health minister Lord Bethell said the implementation date of the scheme would be pushed back until 1 September to ensure “that it is as effective as possible”.
This delay follows calls for a pause to allow for a public consultation and information campaign to allay the fears of the public and medical professionals.
Speaking In Parliament, Lord Bethell told peers: “Data saves lives. We have seen that in the pandemic and it’s one of the lessons of the vaccine rollout.”
He said the GP data programme “will strengthen the system and save lives”, but added: “That’s why we are taking some time to make sure that it is as effective as possible so the implementation date will now be September 1.
“We will use this time to talk to patients, doctors and to others to strengthen the plan, to build a trusted research environment and to ensure the data is accessed securely.”
Who is the data being shared with?
The government has stated that the data will be made available to academic and commercial third parties, however it’s still unclear what exactly this means.
Mr Kanani says: “I think that patients not only need to be informed of exactly what data is being shared, but also with whom this data is being shared.
“Using the term ‘third party’ organisations is not good enough. If patient confidentiality can be maintained, and the initiative will not put too much pressure on healthcare professionals, in principle, it seems like a good idea. However, this needs to be well thought out and structured to allow a smooth process.”
Are there security risks?
David Sygula, Senior Cybersecurity Analyst at CybelAngel, said that mechanisms must be put in place, including the anonymisation of data, “as data leaks will inevitably happen.”
“Security researchers, attackers, and rogue states have all put in place processes to identify unsecured databases and will rapidly find leaked information. That's the default assumption we should start with,” Mr Sygula adds.
“It's about making sure patients are not personally exposed in case of a breach, while setting up the appropriate monitoring tools to look for exposed data among the supply chain.”
However, the NHS Digital website has said it has engaged with the British Medical Association (BMA), Royal College of GPs (RCGP) and the National Data Guardian (NDG) to ensure relevant safeguards are in place for patients and GP practices.
NHS Digital also said that any data it collects will only be used for health and care purposes, and will never be shared with marketing or insurance companies.
How can I opt out - and what’s the deadline?
If you do not want your patient data to be shared outside of your GP practice as part of the data sharing project then you can register an opt-out with your GP practice.
NHS Digital will not collect any patient data for patients who have already registered an opt-out, but if this changes then patients will be informed.
You can register an opt-out at any time and can also change your mind and withdraw your opt-out.
The original date to opt out by was 23 June – in order for no data to be shared - but NHS Digital says that people will now need to opt out anytime before 1 September to prevent their data from being shared.
You can opt-out by returning an NHS form to your GP practice. The form can be sent by post or email to your GP practice or you can call 0300 3035678 for a form to be sent out to you.
You can still opt-out after the project has begun, but the patient data shared before you registered the opt-out will still be held.
Alternatively, if you have previously opted out of data sharing and would like to withdraw this, you can use the same form to do so.
A message from the editor:
Thank you for reading. NationalWorld is a new national news brand, produced by a team of journalists, editors, video producers and designers who live and work across the UK. Find out more about who’s who in the team, and our editorial values. We want to start a community among our readers, so please follow us on Facebook, Twitter and Instagram, and keep the conversation going.