Should you be concerned about a government ‘data grab’ of your medical records?

Photo by National Cancer Institute on Unsplash

The digital world is a bit like the American Old West. There are big opportunities, relatively few regulations and huge resources to be mined. One of these golden data nuggets is your set of medical records. There has recently been a wave of protest from privacy campaigners and GPs themselves about an imminent UK government programme for NHS Digital to copy the bulk of people’s GP medical records into a central database. Most people know that the NHS needs to hold their medical data in some form, so why has this been so controversial?

What data does my GP have?

In the UK, GPs are a network of thousands of independent doctors’ surgeries contracted to the NHS to provide primary healthcare. The GP is the first place you go with your health concerns, and is often the only way to access further medical services. If you are referred to another facility like a hospital, the results of tests or treatments you have received will usually be sent back to your GP.

And in addition to physical health information, a GP’s records can also contain extremely sensitive information that people have given in confidence, for example details of their mental health, drug problems or criminal record. If you move to a new GP, they will request the data from your previous surgery.

This arrangement means that your GP controls the vast majority of your medical records, which they use to quickly make informed decisions about your care. It is a system that was set up in 1911, using paper records held in iconic brown “Lloyd George envelopes”, named after the then Chancellor of the Exchequer whose budget paved the way for UK national health insurance and the modern welfare state.

Why are things changing?

Perhaps unsurprisingly, a system for handling medical data that was designed over a century ago is struggling to cope with the demands of modern healthcare.

For GPs, it is costly to maintain and administer their own IT systems and records. Some of these records are still on paper – new Lloyd George envelopes were being produced up until January 2021!

For patients, it is often inconvenient or unreliable. Under time and cost pressures, healthcare staff may omit to request or send information, which creates data gaps or treatment delays. And many people have incomplete records because files have been lost in transit moving between surgeries, or paper records have simply not been digitised. The original NHS target to be paperless by 2018 has now slipped to 2024.

For the NHS and the medical industry itself, service improvement and research is hampered by a lack of centralised data. It is difficult and costly for the NHS and its partners to deal with multiple GPs and hospitals, and the systems required to extract data from them.

So to improve patient services, conduct research and develop better treatments, the management of medical data is being updated. This means changing how your records are created, stored, accessed and controlled. The organisation tackling this challenge is NHS Digital, a non-departmental public body that ultimately reports to the Department of Health and Social Care.

At the specific direction of the Health Secretary on 6 April 2021, NHS Digital is implementing a new data collection programme called General Practice Data for Planning and Research (GPDPR), going live on 1 July 2021. This direction is for GPs to share almost all the medical records they hold, and for them to be copied into a central NHS Digital database.

Why are people concerned?

Simply put, far more data is being shared by your GP than ever before, and it is not fully clear to many people how this new database will be handled or who else it will be shared with. There is a feeling that the government’s direction was issued at short notice, and without enough public consultation on such a fundamental change. Some believe it may even be unlawful.

The government argues that this system is really nothing new. On its website, NHS Digital provides plenty of information about its current data handling activities. For example since 2011, it has had access to GP data through a system called the General Practice Extraction Service (GPES), where at the direction of the Health Secretary or NHS England, your GP records can be accessed to pull out data.

Critically, though, GPES is only used to collect information on specific topics of interest. There are also various checks and layers of governance, and only relevant and anonymised data is collected by default. For example, GPES has been used to assist in fighting the COVID-19 pandemic. The new system, however, follows a “collect once, use many times” method that extracts and stores all GP data. To many, though, it is not clear how proper governance will still apply, which has generated several areas of concern.

Security and trust

Numerous data breaches by the UK government mean that some people have low confidence that it can be trusted to maintain such a large database of sensitive data. There is also some concern that NHS Digital will not respect individual rights. According to TheySoldItAnyway – a website that tracks NHS data sharing – 92% of releases since 2016 ignored individual opt-outs.

In addition, NHS England has previous bad form in managing data projects – a similar programme to GPDPR called ‘‘ failed in 2014 after condemnation from several high profile medical organisations. It will be a concern that lessons have not been learnt from this, including more safeguards for sharing data with private companies, and better public communication over large-scale healthcare data projects.

People are also concerned about some organisations that may get access to the data. One example is the involvement of Palantir with NHS data. With its major interests in spying and policing technology, there are questions about whether its use of data would always be in the best interests of patients.

Legality and your rights

NHS Digital states that your data is not identifiable to you because identifying information like your name or NHS number is removed from your GP’s data and replaced with a pseudonym code. This is a bit like an author using a secret pen name, and means the records are deemed to be “de-personalised”.

Image from the NHS Digital website

While a pseudonym is a form of security, it is fairly weak. Writers with a secret pen name are often identified by their unique writing style, and similarly your entire medical history is unique to you. Some simple cross-referencing with other data sources could identify you, as security researchers found by fairly easily de-anonymising supposedly anonymous Netflix movie rating data. And should the list of pseudonym codes be breached, everyone’s privacy is compromised.
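An added example (not from NHS Digital or the original article) of how a data custodian can measure this risk: it counts how many pseudonymised records remain unique on attributes that other datasets also hold. The records, field names and the choice of attributes are constructed assumptions.

```python
import re
from collections import Counter

# Constructed pseudonymised records: no name or NHS number, only a pseudonym.
# All field names and values are invented for this example.
FIELDS = ("pseudonym", "birth_year", "postcode", "sex", "diagnosis")
RECORDS = [
    ("P001", 1984, "E8 3", "F", "asthma"),
    ("P002", 1986, "E8 4", "F", "asthma"),
    ("P003", 1981, "E9 5", "F", "diabetes"),
    ("P004", 1989, "E9 6", "F", "depression"),
    ("P005", 1972, "N1 2", "M", "asthma"),
    ("P006", 1975, "N1 3", "M", "diabetes"),
    ("P007", 1978, "N16 7", "M", "hypertension"),
    ("P008", 1971, "N16 8", "M", "hypertension"),
]
ROWS = [dict(zip(FIELDS, r)) for r in RECORDS]


def generalise(row):
    """Coarsen demographics: birth year -> decade, postcode -> area letters."""
    out = dict(row)
    out["birth_year"] = row["birth_year"] // 10 * 10
    out["postcode"] = re.match(r"[A-Z]+", row["postcode"]).group()
    return out


def reidentification_risk(rows, quasi_identifiers):
    """Return (k, unique_fraction) for one combination of attributes.

    k is the size of the smallest group of rows sharing the same values
    (k-anonymity). unique_fraction is the share of rows that sit in a group
    of one, i.e. rows that any other dataset holding those attributes
    could single out without ever seeing the pseudonym table.
    """
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    unique = sum(1 for size in groups.values() if size == 1)
    return min(groups.values()), unique / len(rows)


if __name__ == "__main__":
    demo = ("birth_year", "postcode", "sex")
    coarse = [generalise(r) for r in ROWS]
    print("raw demographics:      ", reidentification_risk(ROWS, demo))
    print("coarsened demographics:", reidentification_risk(coarse, demo))
    print("coarsened + diagnosis: ",
          reidentification_risk(coarse, demo + ("diagnosis",)))
```

Coarsening the demographics hides each record in a group of four, but adding a single clinical attribute makes half of them unique again, which is why a full medical history is so hard to de-personalise.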

It’s curious then why NHS Digital gives pseudonymisation such weight. It could be seen as an attempt to remove the database from the scope of data privacy laws – primarily the General Data Protection Regulation (GDPR) – that give rights to individuals where data is personally identifiable. However, the UK data regulator (the ICO) states clearly that “Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of UK GDPR”. But even if your rights apply, you must exercise them for them to be effective.

Your local GP surgery is focused on providing you with a service, and will generally try to avoid legal conflict. This means you are in a relatively strong position to control how your data is handled, so it is unlikely to be shared or used for any purpose that you wouldn’t expect. This means you are unlikely to have to exercise your rights.

GPDPR makes NHS Digital and the Department of Health the data controller of whatever is copied to them. This means once they have a copy, they are in charge of how it is used and crucially whether to comply with any rights you might seek to exercise about it. NHS Digital also claim that a direction from the Health Secretary means you lose many of your rights, including the right of erasure once any data has been copied to them. You could contest this, but government departments have huge budgets and resources, and are not afraid of legal challenges when pursuing political aims. This puts you in a much weaker position to assert your data privacy rights.

Legality and your GP’s responsibilities

GPs may be in a bind. On one hand, they are legally obliged to comply with the Health Secretary’s direction to share the data. On the other hand, some have argued that the direction is unlawful: that government does not have a sound legal basis for centralising all the data or sharing it with third parties. So some GPs are concerned that they might be in breach of data privacy laws if they do send the data. In this case though, the legal obligation carries a lot of weight and is likely to cover them against any claims.


Many people’s GP records are far from complete, and yet most people haven’t checked whether any of their data is missing or inaccurate. This risks the reliability of any research conclusions based on these records. It is also a concern that should there be a data breach, an individual may suffer more if the data is inaccurate.

Rejection of alternatives

In order to make easy use of your medical records, GPDPR copies huge amounts of data out to a new database, from which it is again copied out to selected third parties for storage and analysis with their tools. But this is not the only way to use data. Another approach is to provide third parties with access to a secure environment containing both data and tools, without copying any data out. NHS Digital in fact already has this system in the form of its Trusted Research Environment (TRE).

It is not clear why a new solution is needed rather than using the TRE. Some people suspect therefore that the primary purpose of GPDPR is actually to provide an easier mechanism for extracting data to third parties for opaque commercial or government purposes.

‘Slippery slope’ of privatisation

Many believe that the NHS works best as a fully public service. While private sector and commercial uses of medical data are not inherently bad, there is a concern that the more NHS data that is available to private companies, the more easily those companies could replace frontline NHS service provision ‘by stealth’. Some people feel that there are not enough safeguards or transparency around how this might happen. For example, if GP data is centralised, there is less reason to continue with the arrangement of individuals using a single independent GP surgery. While a centralised system may be beneficial, it fundamentally changes that trusted direct relationship that people have with their local GP. Some people feel that before data is shared too much, there should be a more open debate about how any new arrangements might work.

Sharing the profits

Some people support the NHS in sharing data, but believe that they are giving it away too cheaply (at near cost price). They argue that because lucrative products and services can be developed with such data, the NHS should arrange to share in any profits to benefit the public purse. The counter-argument is that the research and development of new products is risky, so there must be sufficient financial incentive: charging too much for the data may hinder development of new products that ultimately have medical and public benefits.

What’s next?

As of today (5 June 2021), the British Medical Association and Royal College of General Practitioners have issued a joint statement asking for better public communication on GPDPR, and reiterating that appropriate safeguards must be in place. A group of GPs in east London have already declared that they will refuse to share the data that is being requested. And legal action is being planned by a coalition of campaign groups.

However, with less than 3 weeks to go until the planned launch, NHS Digital has rebutted concerns and the government is still expecting GPs to comply. It has also made some further disclosures, mainly around the agreements it has drawn up with companies to access the data.

You can opt out of this new data sharing before the deadline of 23 June 2021. This is the most cautious option if you have any concerns, because you can always opt back in later if you change your mind. But if you do not opt out, then you risk permanently losing control of the last 10 years of your GP data.

Whatever the materiality of these concerns or whether the programme plan is changed, it is clear that this new system has already damaged public trust. There are many opportunities and advantages that come from the smart use of your medical data, for which it must be shared in some form. But public understanding of the digital world is still developing, so the government must first build confidence. It must take the lead in educating people about data issues, and show that we can all benefit from technology advances without sacrificing individual rights.
