'Biggest data grab' in NHS history stuffs GP records in a central store for 'research' – and the time to opt out is now

'More data, more breadth, more depth... it's the whole f&*king deal'

Updated The NHS is preparing for the "biggest data grab" in the history of the service, giving patients little information or warning about the planned transfer of medical records from GP surgeries in England to a central store for research purposes – and with no prospect of the data being deleted.

Campaigners and doctors have expressed alarm that such a wide-ranging data haul is in the offing when health services and patients are still swamped by the effects of the COVID-19 pandemic, with little time to focus on the details of data privacy.

The 55 million citizens of England will need to opt out of the involuntary scheme before it is introduced to prevent the entire history of their GP visits being slurped, campaigners told us. Opt-out forms are here [.docx]. We understand you will need to give this form to your GP practice before 23 June or your data held by your GP joins the central repository.

According to an official announcement on the NHS Digital website, data held in GP medical records will be collected via a new service called the General Practice Data for Planning and Research data collection. It will replace the General Practice Extraction Service (GPES), which has operated for over 10 years.

The new service comes with a broadened remit: the data will be used to "support the planning and commissioning of health and care services, the development of health and care policy, public health monitoring and interventions (including COVID-19) and enable many different areas of research."

The service will collect data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments, including information about physical, and mental and sexual health. It will also collect information about data on sex, ethnicity and sexual orientation, and data about staff who have treated patients.

NHS Digital said names and addresses, written notes, images, letters, and documents would not be collected. Nor would coded data that is not needed due to its age and coded data that GPs are not permitted to share by law.

Patient data from doctors' surgeries in England will be shared from 1 July 2021 unless patients opt out by 23 June 2021. Patients can also decide on a National Data Opt-out, which prevents NHS Digital sharing your collected data with third parties. To be clear, our understanding is that the earlier GP form means it is not sent from the practice to the central data repository.

But concerned patients will not know about the data grab and some doctors may not have had time to explain given the overwhelming focus on the pandemic.

I do not have any confidence the data will not be given to the private sector in the US

Dr Neil Bhatia, a Hampshire GP and information governance lead, told The Register it was the "biggest data grab" in the history of the NHS. "It is going to be a scramble. If you want to opt out, you need to do it now. [You] cannot change that [in] six weeks' time; you can only prevent new data going on the system. The health service is distracted with COVID. GPs are drowning. We would like to do something about it, but the government slips this out, and there is no going back."

NHS Digital said it had engaged with the British Medical Association, Royal College of GPs, and the National Data Guardian over the records collection. Campaigners noted that the press release carried no quotes from those organisations. NHS Digital said the data would "support a wide variety of research and analysis to help run and improve health and care services."

However, Dr Bhatia said patients may not know their information could be used by US companies planning to bid for work for the NHS. "I do not have any confidence the data will not be [given] to the private sector in the US. Nobody ever checks; once it is anonymised and outside GDPR, they can give it to who you like.

"The information may not identify you but it can be used in ways you are not happy about. It could be used by a company looking to buy up GP surgeries, for example. There is no granularity for how the data could be used.

"I like to think that the money [NHS Digital] gets will always be for the benefit of the NHS, but cynically, I think it will benefit the companies and be worth every penny to get a foothold in the market. Whether you think that is right or wrong, patients do have not control of data [going to that purpose]."

The NHS has been here before. In 2016, The Register revealed NHS England spent nearly £8m on its controversial care.data programme before scrapping it. The publicly hated programme was beset by delays and criticised by doctors and privacy campaigners over the haphazard way it would share sensitive medical data of citizens with commercial companies without explicit consent.

Phil Booth, coordinator for campaign group medConfidential, told us the latest scheme from NHS Digital was "even bigger than care.data."

"It's more data, more breadth, more depth, it's the whole record, not just prospectively. It's not excluding all of the really sensitive codes, the stuff which care.data wouldn't touch, it's the whole f&*king deal."

The combination of hospital data, GP data, and the capacity to link them together could create "the single most valuable data asset on the planet," Booth said.

He said the NHS had delayed the launch of the programme until the day after the Queen's Speech, a magnet for political news, "because they learned last time that it's the publicity that kills them."

medConfidential has produced a guide to opting out of the new data grab. It has also published a list of the types of data that will be extracted from GP records by the programme. These data points include sensitive details relating to divorce, criminal records, prison and probation, complaints about care, relationship abuse, and child abuse, and info on sensitive diseases, such as AIDS. The campaign group's full guide for patients is available here.

A BMA spokesman told The Register it had been engaged in the planning for this new collection over the past three years, and made representations on behalf of GP practices to ensure stronger arrangements were put in place over the security and intended uses of the data collected.

"GP data has a crucial role to play in research and planning which can improve public health, but it is important for patients and the public that this data is made available for appropriate purposes in a secure and trusted manner," the spokesman said.

"We are broadly supportive of the principles of the new collection in seeing fewer extracts of data and a reduced administrative burden for general practice."

It is important for patients and the public that this data is made available for appropriate purposes in a secure and trusted manner

The GP data grab comes 18 months after The Reg revealed details of a meeting between senior figures at numerous public-sector NHS bodies and UK heads of businesses at the likes of Amazon, Microsoft and AstraZeneca. They discussed ways to package the medical records of millions of British citizens.

The Health and Care Data Day hosted by NHS England in October 2019 involved the discussion of nine commercial models for a proposed medical record repository, which was estimated to be worth up to £10bn annually. The repo would include data from GPs and hospitals, mental health professionals, death and demographics registers, the private healthcare sector, prescription records, environmental and social statistics, and more.

This was described by NHS Digital in material handed out at the event, seen by us, as a "single, national, standardised, event-based longitudinal record for 65 million citizens within two years." It was intended to capture the "full journey of care from cradle to grave."

As was pointed out in late 2019, healthcare tech professionals are all for using data for research purposes though transparency and trust are key issues for the general public when sensitive medical data is being shared.

Joe McDonald, then Chief Clinical Informatics Officer for Great North Care Record, told us: "We have to be guided by citizens, not by government agencies and industry big players who see to profit from NHS data."

"We hope the lessons of Care.Data have been learned. I'm not sure what patient representation goes into current policy thinking. I suspect not enough," he added.

NHS Digital has argued that, once collected, the data could be available to “parties involved in the planning of the health and care system, and parties undertaking clinical research”. However, it has so far declined to comment on specific questions over whether these parties could include private sector companies scoping the NHS for commercial opportunities. ®

Updated at 1400 UTC to add

An NHS Digital spokesperson has told us:

Data is only shared with organisations who have a legal basis and meet strict criteria to use it for local, regional and national planning, policy development, commissioning, public health and research purposes.

They added: "All applications for access to this data must have a health or care benefit and cannot be for solely commercial purposes. NHS Digital will not approve requests for data where the purpose is for marketing purposes, including promoting or selling products or services, market research or advertising.

"Applications from commercial organisations are very carefully scrutinised to ensure the purposes of any access are appropriate and benefit health and care. Requestors will only be able to access the minimum data required to meet their specific approved health and care purposes and are subject to contractual data sharing agreements."

Similar topics

Narrower topics

Other stories you might like

  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading
  • Conti: Russian-backed rulers of Costa Rican hacktocracy?
    Also, Chinese IT admin jailed for deleting database, and the NSA promises no more backdoors

    In brief The notorious Russian-aligned Conti ransomware gang has upped the ante in its attack against Costa Rica, threatening to overthrow the government if it doesn't pay a $20 million ransom. 

    Costa Rican president Rodrigo Chaves said that the country is effectively at war with the gang, who in April infiltrated the government's computer systems, gaining a foothold in 27 agencies at various government levels. The US State Department has offered a $15 million reward leading to the capture of Conti's leaders, who it said have made more than $150 million from 1,000+ victims.

    Conti claimed this week that it has insiders in the Costa Rican government, the AP reported, warning that "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency." 

    Continue reading
  • China-linked Twisted Panda caught spying on Russian defense R&D
    Because Beijing isn't above covert ops to accomplish its five-year goals

    Chinese cyberspies targeted two Russian defense institutes and possibly another research facility in Belarus, according to Check Point Research.

    The new campaign, dubbed Twisted Panda, is part of a larger, state-sponsored espionage operation that has been ongoing for several months, if not nearly a year, according to the security shop.

    In a technical analysis, the researchers detail the various malicious stages and payloads of the campaign that used sanctions-related phishing emails to attack Russian entities, which are part of the state-owned defense conglomerate Rostec Corporation.

    Continue reading
  • FTC signals crackdown on ed-tech harvesting kid's data
    Trade watchdog, and President, reminds that COPPA can ban ya

    The US Federal Trade Commission on Thursday said it intends to take action against educational technology companies that unlawfully collect data from children using online educational services.

    In a policy statement, the agency said, "Children should not have to needlessly hand over their data and forfeit their privacy in order to do their schoolwork or participate in remote learning, especially given the wide and increasing adoption of ed tech tools."

    The agency says it will scrutinize educational service providers to ensure that they are meeting their legal obligations under COPPA, the Children's Online Privacy Protection Act.

    Continue reading
  • Mysterious firm seeks to buy majority stake in Arm China
    Chinese joint venture's ousted CEO tries to hang on - who will get control?

    The saga surrounding Arm's joint venture in China just took another intriguing turn: a mysterious firm named Lotcap Group claims it has signed a letter of intent to buy a 51 percent stake in Arm China from existing investors in the country.

    In a Chinese-language press release posted Wednesday, Lotcap said it has formed a subsidiary, Lotcap Fund, to buy a majority stake in the joint venture. However, reporting by one newspaper suggested that the investment firm still needs the approval of one significant investor to gain 51 percent control of Arm China.

    The development comes a couple of weeks after Arm China said that its former CEO, Allen Wu, was refusing once again to step down from his position, despite the company's board voting in late April to replace Wu with two co-chief executives. SoftBank Group, which owns 49 percent of the Chinese venture, has been trying to unentangle Arm China from Wu as the Japanese tech investment giant plans for an initial public offering of the British parent company.

    Continue reading
  • SmartNICs power the cloud, are enterprise datacenters next?
    High pricing, lack of software make smartNICs a tough sell, despite offload potential

    SmartNICs have the potential to accelerate enterprise workloads, but don't expect to see them bring hyperscale-class efficiency to most datacenters anytime soon, ZK Research's Zeus Kerravala told The Register.

    SmartNICs are widely deployed in cloud and hyperscale datacenters as a means to offload input/output (I/O) intensive network, security, and storage operations from the CPU, freeing it up to run revenue generating tenant workloads. Some more advanced chips even offload the hypervisor to further separate the infrastructure management layer from the rest of the server.

    Despite relative success in the cloud and a flurry of innovation from the still-limited vendor SmartNIC ecosystem, including Mellanox (Nvidia), Intel, Marvell, and Xilinx (AMD), Kerravala argues that the use cases for enterprise datacenters are unlikely to resemble those of the major hyperscalers, at least in the near term.

    Continue reading

Biting the hand that feeds IT © 1998–2022