New GP patient data extraction scheme raises concernBMJ 2021; 373 doi: https://doi.org/10.1136/bmj.n1389 (Published 28 May 2021) Cite this as: BMJ 2021;373:n1389
A new way to extract patients’ data from general practices in England has been criticised by privacy rights campaigning groups, which are concerned about the scheme’s lack of clarity and the level of detailed information being gathered.
However, medical profession representatives seem to broadly support the approach, although they agree that more needs to be done to clarify its purposes so it can secure public support.
Details were given on 12 May of the new GP data collection system for England, titled General Practice Data for Planning and Research (GPDPR), which goes live on 1 July and from which patients can choose to opt out by 23 June.1 It will replace the current GP Extraction Service (GPES).
Under the new scheme NHS Digital will collect data on treatments, referrals, and appointments over the past 10 years, alongside other data from medical records data for patients’ entire history. The new service is designed to enable faster access to pseudonymised data on around 55 million patients for planners and researchers.
But campaigners fear that much more data will be collected than has been attempted before, including information on mental and sexual health, criminal records, and abuse, and that the scheme is being rushed into place without proper communication with patients. They are also concerned that GPs have not been given enough time to tell patients about the changes.
Foxglove, a group that campaigns for digital rights, has sent a legal letter to the Department of Health and Social Care questioning the scheme’s legality.2 It also launched a petition on 28 May calling on the government to drop the 23 June deadline for patients to opt out and to pause the rest of the plan to hold a consultation.
Cori Crider, director of Foxglove, told The BMJ, “If you’re going to collect the GP record of every man, woman, and child in England—and potentially make people’s health data available to corporations for profit—you need to tell patients what you’re up to and ask their permission.
“We all want to see the NHS come out of the pandemic stronger. Health data, used in a clear, trustworthy, and legal way, could be part of that. But this is being rammed through in a rush without the government being clear with patients what is happening and who gets the keys to this giant new data vault. Bouncing this past people corrodes patient trust and may be unlawful.”
Lack of transparency
Use MY Data, a patient movement that campaigns for patient data to be used to help save lives and improve outcomes, also has concerns. Its expert data adviser Chris Carrigan told The BMJ, “When you talk to citizens about how their health data could be used, they are largely supportive of it being used for research.
“At the minute, the concern that a lot of people have with the new primary care data collection is that it’s not clear enough. The problem comes around the lack of transparency.”
The data confidentiality advocacy group medConfidential told The BMJ that lessons had not been learnt from the failure of the care.data scheme in 2013, when plans to extract GP patient data into a central database were abandoned after complaints about confidentiality and business use led to around two million patients opting out of the scheme, which was later abandoned.
An NHS Digital spokesperson said that patients’ data were already being used every day to plan and improve healthcare services, for research that resulted in better treatments, and to save lives. The new service had been designed to have the “most rigorous privacy and security standards” and had been subject to consultation with the BMA, the Royal College of General Practitioners, patient and privacy groups, clinicians, and technology experts, the spokesperson added.
NHS Digital had also provided support and materials to GPs so that they could let their patients know about the collection.
“We have engaged with doctors, patients, and data, privacy, and ethics experts to design and build a better system for collecting this data,” the spokesperson told The BMJ. “The data will only be used for health and care planning and research purposes, by organisations which can show they have an appropriate legal basis and a legitimate need to use it.
“We take our responsibility to safeguard patient data extremely seriously. Researchers wanting to access this data will need each request to be approved by the independent group advising on the release of data and a GP professional advisory group, with representatives from the BMA and the RCGP.”
Angela Coulter, a health policy analyst and researcher and a member of The BMJ’s Patient Panel, said she was less concerned about the initiative than others, saying, “I think there are robust and trustworthy processes in place to ensure the data won’t fall into the wrong hands.”
Coulter believed the benefits of the system greatly outweighed the risks in terms of the knowledge gained for tackling diseases but added, “It is important that patients should have the right to opt out if they are concerned about how their data are used.”
Natalie Banner, who leads on the “Understanding patient data” programme at the Wellcome foundation, said, “The fundamental rationale behind the GPDPR programme is a good one, and it’s an improvement on the current system.
“These changes will make many valuable uses of data possible for the benefit of patients and the healthcare system. But there are no 100% guarantees against breaches, misuse, or the government changing the rules, so NHS Digital will have to prove consistently over time that the system is trustworthy.”
Although NHS Digital had made information about the programme available to patients and GPs, Banner added, “You have to know where to look for it. The programme has also mostly come to prominence through media reporting and social media critique, rather than proactive dissemination. Under these circumstances it’s not surprising that there has been confusion over what the programme does and a suspicion that it’s being rushed through without scrutiny.”
We amended this article on 2 June 2021 to more accurately reflect the activities of Use MY Data, which we originally described as “a healthcare data privacy campaign group”.