When news broke that NHS plans to share GP patient data in England had been delayed until September, there were sighs of relief among privacy campaigners. The rollout, which had been due to begin today on 1 July, will now commence on 1 September to give the NHS more time to address concerns about patients’ privacy being breached.
And there are concerns. Critics argue NHS Digital’s General Practice Data for Planning and Research Scheme (GPDPR) hasn’t been explained to patients beyond a few updates to the website, and leaflets in GP surgeries. Patients were only given a month to opt out of being included, even though the scheme has been in development for three years. Millions of people are still unaware of the proposals, and their implications.
Elizabeth Denham, the Information Commissioner, welcomed the pause but said there is still “considerable confusion regarding the scope and nature” of the scheme.
Some doctors say the proposed move to put the anonymised medical histories of more than 55 million patients into a database – including mental and sexual health data, criminal records and other sensitive information – will erode trust in the GP/patient relationship. Others say the broad remit of the GPDPR, which makes data available to academic and commercial third parties, is problematic.
Trust in the NHS is high
Brits have historically been comfortable sharing data with the NHS. In a 2018 survey by Healthwatch England, 77% said they trust the health service to protect their personal data and 73% said they’d be happy for their data to be used to improve healthcare. However two thirds of those polled felt they might later regret their data being shared with partners such as technology companies and universities. A more recent study found 50% of UK patients would share their anonymised personal health data with a research institute but only 12.2% would share it with a tech company.
NHS Digital says the database will not include names, addresses or other data that can directly identify a patient. There have been reassurances that the data will only be accessible to organisations with a legitimate need who match stringent criteria, and that the database will never be used for insurance or marketing purposes, selling products or services, market research or advertising. Those in favour of the scheme say it could mean real strides in advancing understanding of medical issues.
Lack of transparency
So what’s the problem? Well, there are a few. Under the UK GDPR, this plan needs to satisfy certain conditions and the average person may think that one such condition would be getting consent. However, it would appear that the NHS are not seeking to rely on patient consent and, instead, are simply giving individuals a right to opt-out. This can’t be done online – opting out can only be achieved by handing a form into a GP surgery.
The amount of data points included also seems to make it easy enough for patients to be identified, despite NHS claims about anonymisation. And, additionally, there’s a lack of transparency about what the data will be used for and by who, now and in the future.
Other concerns include access, for example, and the possibility of onward transfers, whereby the data can be exported to another location and misused without the health service’s knowledge or control. Security experts have also pointed to the difficulties in securing a massive centralised database against serious attack or accidental breach, particularly after the WannaCry ransomware incident in 2017.
This isn’t the first time the NHS has had questions raised about its competency in handling sensitive information. The government spent nearly £8m on the controversial Care.data initiative, which proved so unpopular it was scrapped in 2016. In 2015, the Royal Free London Trust was found to have breached UK data protection law by transferring patient data to Google’s DeepMind. Then there are the international pharmaceutical companies that have obtained access to NHS patient data.
Innovation must be balanced by privacy
We know health data is beneficial to companies working in this space. Much progress has been made in the past, and will be in the future, by testing, collecting and analysing health information. But there need to be appropriate measures in place so that that data is handled responsibly, transparently and ethically.
If the GPDPR is to go ahead, it needs independent oversight governing the access of information. It needs to be on an opt-in system, whereby users are fully aware of what they’re consenting to, and can opt out later if they so wish. The data needs to be properly anonymised and only handled within the limits that are specified. In short, the GPDPR needs to be demonstrably compliant with the UK GDPR before it is fit for purpose.
If you want to opt out before 1 September, here’s more information about how to go about it.
Sign up below to receive all the privacy stories that matter, direct to your inbox every month.
Build a culture of continuous privacy compliance
At the Privacy Compliance Hub, we make compliance easy for everyone to understand, care about and commit to. We call it a culture of continuous privacy compliance. Our platform, created by two ex-Google lawyers, provides a structured programme to follow, with a suite of engaging, relatable training videos and powerful reporting tools.