'Biggest data grab' in NHS history stuffs GP records in a central store for 'research' – and the time to opt out is now
'More data, more breadth, more depth... it's the whole f&*king deal'
Updated: The NHS is preparing for the "biggest data grab" in the history of the service, giving patients little information or warning about the planned transfer of medical records from GP surgeries in England to a central store for research purposes – and with no prospect of the data being deleted.
Campaigners and doctors have expressed alarm that such a wide-ranging data haul is in the offing when health services and patients are still swamped by the effects of the COVID-19 pandemic, with little time to focus on the details of data privacy.
The 55 million citizens of England will need to opt out of the involuntary scheme before it is introduced to prevent the entire history of their GP visits being slurped, campaigners told us. Opt-out forms are here [.docx]. We understand you will need to give this form to your GP practice before 23 June or your data held by your GP joins the central repository.
According to an official announcement on the NHS Digital website, data held in GP medical records will be collected via a new service called the General Practice Data for Planning and Research data collection. It will replace the General Practice Extraction Service (GPES), which has operated for over 10 years.
The new service comes with a broadened remit: the data will be used to "support the planning and commissioning of health and care services, the development of health and care policy, public health monitoring and interventions (including COVID-19) and enable many different areas of research."
The service will collect data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments, including information about physical, mental and sexual health. It will also collect data on sex, ethnicity and sexual orientation, and data about staff who have treated patients.
NHS Digital said names and addresses, written notes, images, letters, and documents would not be collected. Nor would coded data that is not needed due to its age and coded data that GPs are not permitted to share by law.
Patient data from doctors' surgeries in England will be shared from 1 July 2021 unless patients opt out by 23 June 2021. Patients can also decide on a National Data Opt-out, which prevents NHS Digital sharing your collected data with third parties. To be clear, our understanding is that submitting the earlier GP form means your data is not sent from the practice to the central data repository.
But concerned patients will not know about the data grab and some doctors may not have had time to explain given the overwhelming focus on the pandemic.
Dr Neil Bhatia, a Hampshire GP and information governance lead, told The Register it was the "biggest data grab" in the history of the NHS. "It is going to be a scramble. If you want to opt out, you need to do it now. [You] cannot change that [in] six weeks' time; you can only prevent new data going on the system. The health service is distracted with COVID. GPs are drowning. We would like to do something about it, but the government slips this out, and there is no going back."
NHS Digital said it had engaged with the British Medical Association, Royal College of GPs, and the National Data Guardian over the records collection. Campaigners noted that the press release carried no quotes from those organisations. NHS Digital said the data would "support a wide variety of research and analysis to help run and improve health and care services."
However, Dr Bhatia said patients may not know their information could be used by US companies planning to bid for work for the NHS. "I do not have any confidence the data will not be [given] to the private sector in the US. Nobody ever checks; once it is anonymised and outside GDPR, they can give it to who you like.
"The information may not identify you but it can be used in ways you are not happy about. It could be used by a company looking to buy up GP surgeries, for example. There is no granularity for how the data could be used.
"I like to think that the money [NHS Digital] gets will always be for the benefit of the NHS, but cynically, I think it will benefit the companies and be worth every penny to get a foothold in the market. Whether you think that is right or wrong, patients do not have control of data [going to that purpose]."
The NHS has been here before. In 2016, The Register revealed NHS England spent nearly £8m on its controversial care.data programme before scrapping it. The publicly hated programme was beset by delays and criticised by doctors and privacy campaigners over the haphazard way it would share sensitive medical data of citizens with commercial companies without explicit consent.
Phil Booth, coordinator for campaign group medConfidential, told us the latest scheme from NHS Digital was "even bigger than care.data."
"It's more data, more breadth, more depth, it's the whole record, not just prospectively. It's not excluding all of the really sensitive codes, the stuff which care.data wouldn't touch, it's the whole f&*king deal."
The combination of hospital data, GP data, and the capacity to link them together could create "the single most valuable data asset on the planet," Booth said.
He said the NHS had delayed the launch of the programme until the day after the Queen's Speech, a magnet for political news, "because they learned last time that it's the publicity that kills them."
medConfidential has produced a guide to opting out of the new data grab. It has also published a list of the types of data that will be extracted from GP records by the programme. These data points include sensitive details relating to divorce, criminal records, prison and probation, complaints about care, relationship abuse, and child abuse, and info on sensitive diseases, such as AIDS. The campaign group's full guide for patients is available here.
A BMA spokesman told The Register it had been engaged in the planning for this new collection over the past three years, and made representations on behalf of GP practices to ensure stronger arrangements were put in place over the security and intended uses of the data collected.
"GP data has a crucial role to play in research and planning which can improve public health, but it is important for patients and the public that this data is made available for appropriate purposes in a secure and trusted manner," the spokesman said.
"We are broadly supportive of the principles of the new collection in seeing fewer extracts of data and a reduced administrative burden for general practice."
The GP data grab comes 18 months after The Reg revealed details of a meeting between senior figures at numerous public-sector NHS bodies and UK heads of businesses at the likes of Amazon, Microsoft and AstraZeneca. They discussed ways to package the medical records of millions of British citizens.
The Health and Care Data Day hosted by NHS England in October 2019 involved the discussion of nine commercial models for a proposed medical record repository, which was estimated to be worth up to £10bn annually. The repo would include data from GPs and hospitals, mental health professionals, death and demographics registers, the private healthcare sector, prescription records, environmental and social statistics, and more.
This was described by NHS Digital in material handed out at the event, seen by us, as a "single, national, standardised, event-based longitudinal record for 65 million citizens within two years." It was intended to capture the "full journey of care from cradle to grave."
As was pointed out in late 2019, healthcare tech professionals are all for using data for research purposes, though transparency and trust are key issues for the general public when sensitive medical data is being shared.
Joe McDonald, then Chief Clinical Informatics Officer for Great North Care Record, told us: "We have to be guided by citizens, not by government agencies and industry big players who seek to profit from NHS data."
"We hope the lessons of Care.Data have been learned. I'm not sure what patient representation goes into current policy thinking. I suspect not enough," he added.
NHS Digital has argued that, once collected, the data could be available to “parties involved in the planning of the health and care system, and parties undertaking clinical research”. However, it has so far declined to comment on specific questions over whether these parties could include private sector companies scoping the NHS for commercial opportunities. ®
Updated at 1400 UTC to add
An NHS Digital spokesperson has told us: "Data is only shared with organisations who have a legal basis and meet strict criteria to use it for local, regional and national planning, policy development, commissioning, public health and research purposes."
They added: "All applications for access to this data must have a health or care benefit and cannot be for solely commercial purposes. NHS Digital will not approve requests for data where the purpose is for marketing purposes, including promoting or selling products or services, market research or advertising.
"Applications from commercial organisations are very carefully scrutinised to ensure the purposes of any access are appropriate and benefit health and care. Requestors will only be able to access the minimum data required to meet their specific approved health and care purposes and are subject to contractual data sharing agreements."