UK NHS Digital GPDPR Programme

The eternal conundrum between data protection rights and public health research and social care needs - lessons to be learned by Government on transparency and accountability in pandemic times

Mass patient data collection and exploitation may offer unprecedented benefits to advance public health research and social care at a critical time for the UK and the rest of the world, still grappling with the COVID-19 pandemic. But with great power comes great responsibility and governments have a duty to communicate, explain and obtain regulators' and public support for the public health policy they intend to pursue and the ways they intend to protect individuals data protection rights prior to implementing critical systemic changes to national GP data collection.

WHAT IS THE NEW GPDPR PROGRAMME ABOUT?

NHS Digital is the national custodian for health and care data in England and has responsibility for standardising, collecting, analysing, publishing and sharing data and information from across the health and social care system, including general practice. In April 2021, the Secretary of State for Health and Social Care issued a Direction under the Health and Social Care Act 2012 requiring NHS Digital to establish and operate an information system for the collection and analysis of General Practice data for health and social care purposes.

To date, NHS Digital collects patient data from general practices using a service called the General Practice Extraction Service (GPES). On May 12, NHS Digital issued a Data Provision Notice to GPs to let them know that the GPES will be replaced by the brand new GPDPR programme from 1 July 2021 with the aim to collect pseudonymised GP data daily to support vital health and care planning and research. However, if healthcare professionals may have been taken aback by the announcement of the forthcoming GPDPR, health industry organisations were quick to voice their concerns over the lack of communication and engagement with the public over the new service.

In practice, the data collected will not include patients' names and addresses but could include a patient's NHS number, date of birth, full postcode as well as information about mental health, domestic violence, treatments and addictions.

There is therefore a statutory basis for the information sharing under the GPDPR. This is not, however, a 'silver bullet' for the scheme. Concerns that not enough time has been given to let people know specific information about the service, its purposes, patient rights to opt-out and that patient trust could be destroyed have been raised. In response to growing general concerns, the implementation date for the programme has now been moved from 1 July to 1 September 2021 to ensure that more time is allocated to speak with patients, doctors and health charities about the plans.

WHAT ARE THE KEY DATA PROTECTION CONCERNS?

Lack of transparency

The key reason given for delaying the launch date of the programme to September 2021 is to provide time to improve the transparency of the scheme. To date, there have been no publicity campaigns and very little consultation, leading to very low public awareness of the programme. It has been reported that GP practices were given merely 6 weeks to prepare for, and notify their patients of, the change.

Although NHS Digital has said the Department of Health and Social Care and its executive agencies, NHS England, local authorities and research organisations may need to access the data, the limits on the range of other organisations which may look to access the data are unclear. "Appropriate requests" from organisations wishing to access the data will be scrutinised by NHS Digital's Independent Group Advising on the Release of Data and decisions will be published on NHS Digital's publicly-available Data Release Register. However, major concerns remain around access to data within the programme by 'big tech' organisations who will likely see significant commercial benefits to accessing the highly sensitive information held on the database. Access to such data for research and social care purposes does not exclude data monetisation opportunities for third parties yet data sharing restrictions seem to be weak in the face of the broad definitions of "health and care planning and research" purposes and the security parameters which do not detail how to address the risks of re-identification of pseudonymised data.

It would have been helpful and it would still be welcome to share with both GP practices and the public the data protection impact assessment (DPIA) of the GPDPR demonstrating how all risks and mitigation measures had been considered and addressed. The DPIA is yet to be published.

Opt-out instead of opt-in

Patients can opt-out of their data being shared under GPDPR by registering a Type 1 Opt-out directly with their GP surgery or a National Data Opt-out (or both). A Type 1 Opt-out prohibits the uploading and extraction of a patient's data whereas the National Data Opt-out only limits the ways that NHS Digital will be allowed to use confidential patient information for research and planning.

If patients do not opt-out then their data will automatically be shared with NHS Digital in September. Due to the lack of publicity and awareness of the campaign, there is a concern that many individuals will not be aware of the need to opt-out. In particular, there is a risk that more vulnerable members of society and elderly people who do not have access to the internet will be unaware of the requirement and perhaps unable to access the means to do so.

NHS Digital has said that individuals can also opt-out at any time after the deadline date. However, doing so would only stop new information being collected and would not apply to any data that had already been collected and shared.

Lawful Basis

NHS Digital is not relying on patients' failure to opt-out as being indicative of their consent to the sharing. Instead, NHS Digital appears to be relying on the fact that the data sharing is provided for in law to legitimise the programme. The requirement under the Health and Social Care Act 2012 and the General Practice Data for Planning and Research Directions 2021 is a legal requirement on GP practices to share data, not on NHS Digital to collect and analyse it. Furthermore, under the UK GDPR the sharing of 'special category personal data' which includes health information, requires that one of a specified list of conditions for processing are satisfied beforehand. NHS Digital has not specified which of those 'conditions for processing' it is relying upon. It would be helpful to understand why consent was not considered the most appropriate lawful basis notwithstanding the obvious issues relating to the possibility of consent withdrawal at any time.

Security of Data

Whilst NHS Digital has said that it will be using a secure system to collect and store the data there is little information about what security measures will be in place. Whilst the data will be pseudonymised, there are also concerns that data could still be easily 're-identified' by those who know how to do so.

In particular, there are concerns that NHS Digital itself could re-identify the data using other data it already holds under its existing Personal Demographics Service which contains patients' name, address, date of birth and NHS Number. Additionally, if big tech platforms such as Google Amazon or Apple gain one more avenue to access NHS data through the GPDPR, it is not clear how is addressed the risk that access to pseudonymised data held under the programme may potentially lead to individuals being identified when used in combination with other data sets and they could then exploit the data for monetary gain.

KEY TAKEAWAYS

This is not the first time that a data sharing programme relating to GP-held medical records has been exposed to widespread criticism. In 2013, NHS England launched its 'Care-data' project to extract GP medical records but this was quickly abandoned due to a lack of transparency and concerns about security and pseudonymisation.

Concerns with 'big tech' access to NHS data were previously addressed in 2016 when Google DeepMind entered into a data sharing arrangement with the Royal Free NHS Foundation Trust in London[1]. The Trust provided the personal data of around 1.6m patients to Google DeepMind as part of a data sharing trial but the ICO found that there was a lack of transparency about how the Trust would be using patient information and therefore patients could not exercise their statutory right to object to the processing of their information. The Information Commissioner said at the time: "There's no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights."

The COVID-19 pandemic has demonstrated that data sharing and data analysis is vital to improve patient outcomes and public health. However, compliance with privacy laws must be ensured beforehand and, above all, transparency for data subjects is key.

This was emphasised again recently by the UK Information Commissioner in reference to the programme: "The success of any project will rely on people trusting and having confidence in how their personal data will be used. It is crucial that, from the start, thought is given to how this can be explained clearly to people."

[1] Please see Dr Nathalie Moreno's article: The rise of big tech monetising healthcare data, Comments in Information Age published on 24 February 2020.