Conflicting messaging overshadows NHS Digital's attempts to inform public about patient data slurp
Which opt-out is the right opt-out? Are they selling data or not?
The NHS body responsible for delivering IT strategy has struggled to ensure patients understand that medical data held by their GPs will be copied into a central database to be shared with third parties unless they opt out by 23 June.
Earlier this month, NHS Digital said GP medical records in England would be collected via a new service called General Practice Data for Planning and Research (GPDPR). It will replace the General Practice Extraction Service (GPES), which has operated for over 10 years.
The new service comes with a broadened remit: the data will be used to "support the planning and commissioning of health and care services, the development of health and care policy, public health monitoring and interventions (including COVID-19) and enable many different areas of research."
Campaigners said patients had until 23 June to stop their data being used in what has been described as the "biggest data grab" in the history of the NHS.
medConfidential, which works to ensure patients have a choice in how their data is used, said it had been struggling to guide the public due to out-of-date and misleading messaging from NHS Digital.
For example, NHS Digital's mythbusting website, last updated on 24 March, still says there "is no 30 September deadline for opting out of sharing your data", but this relates to there being no National Data Opt-out, a different issue, medConfidential said.
The National Data Opt-out refers to a choice not to share data that takes place after the GP data has been extracted and collated in a national, central repository.
Meanwhile, the GPDPR website says the deadline for opt-out is 23 June, but patients landing on the "mythbusting" site through a simple search term might not understand the distinction.
Other discrepancies include NHS Digital's claim that it does not sell data – again on the mythbusting website – while at the same time publishing "charging guidelines" in which it says the "actual costs will be agreed with the customer during the application process."
An NHS Digital spokesperson said of this point: "There is no discrepancy. We do not sell data. We only seek to recoup costs - and as analyses and extracts differ in complexity, therefore they take different amounts of resource to produce. So, how much resource is to be dedicated to an analysis is discussed and agreed with applicants during the DARS process."
They added: "We do expect organisations who receive data to cover the cost of producing the information they request. We publish details of every time we share data so that the public can see exactly how health data is used and why."
Historical data
Another issue relates to the claim that no data would be taken that is more than 10 years old. While NHS Digital says it will not take "coded data that is not needed due to its age – for example, medication, referral and appointment data that is over 10 years old," it will extract other categories of data [PDF] under the new GP data haul irrespective of its age. These could include patient diagnoses, symptoms, test results, allergies, immunisations or vaccinations that patients have had.
When we put it to NHS Digital, a spokesperson responded: "We won’t take coded data where age negates its appropriateness. So medication you were prescribed or referrals you received eleven years ago probably won’t provide any useful insight. A diagnosis, however, provides trend data which could be crucial to, say, an academic study. We have a legal duty to minimise the amount of data collected as much as possible and this is one of the ways in which we are doing so."
Discrepancies
Phil Booth, coordinator for medConfidential, said the campaign group had informed NHS Digital about these and other discrepancies and asked the agency to make changes to clarify information available to the public ahead of the public announcement of GPDPR.
"They weren't ready and it's really toxic for trust," Booth said. "If someone believes that something is the case and has been told it by a NHS body and it turns out to be, literally, factually untrue, by the body's own statements, then it's really bad."
Separately, NHS Digital told The Register it would not approve requests for data where the purpose is for "marketing purposes, including promoting or selling products or services, market research or advertising."
However, we showed that the Data Access Request Service already releases data to private information providers for the purpose of helping drug companies and other health providers access NHS markets.
Oversight
Access to GP data will get new oversight from a joint committee formed by the BMA doctors' union and the professional body the Royal College of GPs. It would also be overseen by the Independent Group Advising on the Release of Data, which is part of NHS Digital. But the agency was unable to say whether the criteria used for accessing data would differ as a result of the slurp of data from family doctors.
In a statement to The Register, NHS Digital said: "Data requests are all under the legal control of contracts and data-sharing agreements, which are limited by time and either need to be renewed or the data securely destroyed.
"Where possible, we will provide access to data within NHS Digital's secure data access environment (which forms the basis for our Trusted Research Environment), reducing the need for record-level data to be released. Where data is released, we will check that requestors have appropriate safeguards in place so that they store and handle the data safely and securely.
"Once data is shared, we carry out independent audits and where necessary post-audit reviews to check that our customers are meeting the obligations in their Data Sharing Framework Contracts and Data Sharing Agreements.
"This helps to ensure that organisations abide by the terms and conditions set by NHS Digital and data is kept safe and secure."
Booth argued that the NHS body should have been clear whether any changes to the criteria for sharing data came in with the new GP data haul. "This is one of the things that we said that they should have had ready by the time they went live, which is a clear public set of criteria so that people could see what the applicants were being measured against." ®