The GP records of England’s 61 million NHS users are set to be gathered into a new database which third parties will be able to access. The new data-sharing scheme, called General Practice Data for Planning and Research (GPDPR), will “pseudnoymise” the patient data it collects and shares. NHS Digital claims this will mean the data will remain confidential when it’s accessed by academics and the healthcare industry for use in research and health planning.
People have until September 1 to opt out of the scheme. If they don’t, it won’t be possible to remove their information from the database. That information amounts to a considerable volume of sensitive personal data, including information about physical, mental and sexual health, the staff who treated the patients, and data on sex, ethnicity and sexual orientation.
Supporters of the initiative believe the database will be of “incalculable medical value” and will help advance our understanding of medical issues. Critics see it as a “data grab” taking place under the cover of a pandemic, with one academic labelling the scheme’s guarantees of anonymity “worthless”, given how easy it is to identify people via their medical histories.
The initiation of the scheme has already been delayed by three months following a backlash from privacy campaigners, some of whom are now threatening legal action against the government. But if this initiative is to go ahead at all, officials must address critical concerns around privacy, consent and transparency, especially seeing as the NHS has a history of poorly-communicated and controversial data-sharing initiatives in the recent past.
NHS data sharing
Since it was quietly announced in early April 2021, communication about the GPDPR has been inadequately handled. Information has been mainly shared on the NHS Digital website and through leaflets at GP surgeries, so only a small proportion of the public will be aware of what the initiative entails and their ability to opt out of it.
This isn’t the first time that the NHS has handled a data sharing initiative with opacity, failing to openly communicate to patients how their data is being used. In 2014, the Care.data initiative was proposed, with the objective of sharing patient data with external organisations. A public outcry eventually forced officials to scrap the scheme in 2016.
In November 2015, the health records of NHS patients held by the Royal Free London Trust were transferred, without explicit consent from patients and in a way found not to fully comply with the UK’s Data Protection Act, to Google DeepMind. Around the same time, personal data from NHS patients were shared with the Home Office to trace individuals tagged as “potential immigration offenders”.
In 2019, it was revealed that international pharmaceutical companies had obtained access to NHS patient data. More recently, the involvement of big data company Palantir in the NHS COVID-19 datastore has generated significant controversy.
A common feature shared by these data-sharing initiatives is they don’t seem to have adequately taken into account patient privacy and consent. Moreover, the details of these sharing agreements weren’t voluntarily disclosed by the parties involved, and were only revealed to the public through academic investigation.
Legality and privacy
The new GPDPR scheme has caused controversy for many of the same reasons. Campaigners question the lawfulness of collecting NHS data without properly consulting patients, and are urging the government to seek transparent patient consent before proceeding with the scheme.
There also remain significant privacy concerns. Research has shown that “anonymised” data can never be truly anonymous, and that there exist techniques and methods that can be used to re-identify people in anonymised datasets like the one proposed by NHS Digital.
Consider, for instance, that the proposed database will contain the details of the medical professionals who treat each patient. Information on the surgery or hospital to which they’re attached is freely available online, so by following one line of data it’s possible to narrow down potential patients from a pool of over 60 million to one of a few thousand.
This means the GPDPR’s data security – with strict controls on who can access the database, and for what purpose – will be crucial for maintaining data confidentiality. NHS Digital has a secure data environment that external users can access without the data ever having to travel beyond this secure environment. Yet the system currently in place allows copies of the data to travel from NHS Digital to external sites.
As such, users could breach their agreement and misuse patient data without NHS Digital’s knowledge. It also means the data could end in the hands of unauthorised parties if external organisations are affected by a cyberattack.
Trust and transparency
But there’s a more fundamental issue with the GPDPR initiative. Because the NHS arguably hasn’t provided enough information to patients about the scheme, there are fears its initiation in September could destroy patient trust.
The Doctors’ Association UK has expressed concerns that the initiative could damage the doctor-patient relationship, as patients might feel “reluctant to share their problems due to fears of where their data will be shared”. This has deeply worrying implications for diagnosis and treatment.
The GPDPR will begin collecting GP records in less than three months. Before it does, an effort must be made to communicate to the public how their data will be used. Officials should also explain why it has been deemed appropriate to introduce this data collection while the country is still battling a pandemic and when GP practices, which are expected to deal with opt-out requests, are already overwhelmed.
It’s also essential that stricter measures are adopted and published to guarantee the responsible use of the proposed database, without which it appears patients’ privacy could far too easily be breached.