National Data Guardian responds to NHS data scraping concerns

Government says plans for data scrape of patient records is in the “public benefit” despite opponents citing a lack of transparency and concerns over where the data will be shared

Posted 8 June 2021 by Christine Horton

UPDATE: The plans to aims create a central store of data from GP records will be delayed by two months, the government has announced. The system was due to begin on July 1, but the date has now been pushed back to September 1.

Health Minister Jo Churchill said ministers would use the extra time to “talk to doctors, patients and charities to strengthen the plan… and ensure data is accessed securely.”

The National Data Guardian has responded to controversial plans by NHS Digital to make patients’ GP records available to third parties.

NHS Digital says the aim of the new data scrape is to collect data from GP practices to use for health and social care purposes including policy, planning, commissioning, public health and research. It aims create a central store of data from GP records in England.

The plan is for GP medical records in England to be collected via a new service called General Practice Data for Planning and Research (GPDPR). It will replace the General Practice Extraction Service (GPES), which has been in place for 10 years.

The new service will have a wider remit, allowing it to “support the planning and commissioning of health and care services, the development of health and care policy, public health monitoring and interventions (including Covid-19) and enable many different areas of research”.

However, the plans have caused concern among patients that their records will be available to the private sector.

However, the office of the National Data Guardian, Dr Nicola Byrne, has issued a statement that says the new data scrape “provides an opportunity to strengthen the safeguards that protect GP data and provide strong oversight of its use for planning and research of benefit to health and care.”

“Public attitudes research demonstrates that patients and service users are supportive of health and care data being used if certain expectations are met, including that it delive­­­rs a public benefit, that it is made clear to them what will and will not be done with the data, and what choices people have about its use.

“People also want to know that robust cyber security arrangements are in place to keep confidential data about them safe. The Office of the National Data Guardian has been involved since 2018 in system-wide discussions about how the new GP data collection can meet these expectations so that trust is maintained.”

The statement said Byrne was “continuing to listen to and talk with patient groups and the public to inform my discussions with system leaders. My focus is on encouraging the organisations involved to work together to make it sufficiently clear to the public how data will be used and kept secure, both now and in the future.

“As the recently established 8th Caldicott Principle makes clear, it is important that there are no surprises for the public about how confidential information about them is used.

Calls for a delay

Currently, patients have until 23 June to opt out of the initial upload. After that date, they will be able to prevent new data being taken from their GP, but they can’t remove existing data from the database being built by NHS Digital.

Leading doctors are calling for an immediate delay to a programme to move information from GP records in England to a central NHS Digital database, reports the BBC. Informing patients should not be left to busy GPs, the Royal College of General Practitioners (RCGP) have told Health Secretary Matt Hancock in a letter.

At the same time, it’s been reported that a coalition comprising medical organisations, privacy campaigns and a Conservative MP, supported by tech justice specialists Foxglove, is preparing to embark on legal action against the government to force NHS Digital to pause its plans.

Elsewhere, Computer Weekly reported that most recent approved data release register show that, in the first quarter of 2021, there were 242 instances where identifiable records were shared, 223 of which involved sensitive data. These were shared within the boundaries of respect for the existing patient opt-out.

It says that new scheme “hasn’t met the spirit of transparency”.

It said: “We need proper assurances about controls over access to and use of the data. Using health data safely is difficult, and it can’t be recalled or remedied once it has been breached or misused.”