NHS Digital has been legally directed by the Secretary of State for Health and Social Care to establish a new strategic system called the GPDPR service, to collect and provide access to near-real-time data from GP practices for planning and research purposes.
The service was due to start extracting data on 1 July 2021, but was paused until 1 September 2021 to give patients more time to consider whether they wish to opt out. Then, on 19 July 2021, the Minister for Primary Care and Health Promotion, Jo Churchill, set out a revised process for commencing data collection, moving away from this previously fixed date.
The GPDPR service seeks to collect a broader range of data than the existing General Practice Extraction Service (GPES), to include data on treatment, referrals and appointments over the past 10 years.
The Health and Social Care Act 2012 (the 2012 Act) gives the Health and Social Care Information Centre - now known as NHS Digital - statutory powers to acquire data from health or social care bodies, or from organisations providing publicly-funded health or adult social care in England. NHS Digital had issued a Data Provision Notice to organisations, which made it a legal requirement to provide the data. However, it has been reported in the media that this Data Provision Notice has been withdrawn for the time being.
During the COVID-19 pandemic, NHS Digital was also legally directed to collect and analyse information about patients, including from their GP records. Undoubtedly this has demonstrated the potential of this rich data source in helping to plan NHS services in the future and facilitate research.
Duties and obligations
As data controllers, and under data protection law, GP practices have a legal duty to provide their patients with information about the GPDPR service. NHS Digital has produced a notice that GPs can add as a link to their current privacy notice, informing patients that their data will be shared with NHS Digital and signposting them to NHS Digital's website for more information.
NHS Digital has confirmed it has conducted a full data protection impact assessment (DPIA), which has been shared with the Information Commissioner's Office (ICO), and that it will be publishing a baseline version of it shortly.
It has been highlighted in the media that, as data controllers, GP practices will also need to perform a DPIA as they process health information (special category data). It has also been reported that NHS Digital has said its own DPIA covers the risks from both the perspective of the GP and NHS Digital, and practices may use it "if they wish", to "support them to consider the risks and be confident they have discharged their obligations under the Data Protection Act 2018 and UK GDPR".
NHS Digital has provided information on how it will use patient data and the safeguards in place to protect it. It says it will not collect patient names or addresses, and any other data that could directly identify patients (such as NHS number, date of birth and full postcode) will be replaced with unique codes in a de-identification process called pseudonymisation.
NHS Digital has developed a 'Trusted Research Environment' that will enable researchers to safely access the data without copying it, and assurances have been given that data will never be shared for marketing or insurance purposes.
At the moment, patients can opt out of sharing their data for purposes beyond their individual care, and can register a 'Type 1 Opt-out' with their GP practice. This means that from the date their opt-out is registered, no new data will be collected by NHS Digital. Alternatively, patients can register a National Data Opt-out, which means that no data collected by NHS Digital is shared for any other purpose beyond their individual care. However, the way in which patients can opt out is anticipated to be revised.
Writing to GPs, the Minister for Primary Care and Health Promotion, Jo Churchill, has set out three new tests and advised that these must be met before data is extracted. These tests are:
- the ability for patients to opt out or back in to sharing their GP data with NHS Digital, with data being deleted even if it has been uploaded, and outstanding opt-outs being processed
- a trusted research environment is available where approved researchers can work securely on de-identified patient data that does not leave the environment, offering further protections and privacy while enabling collaboration amongst trusted researchers to further benefit patients
- a campaign of engagement and communication has increased public awareness of the programme, explaining how data is used and patient choices.
This page was correct at publication on 23/07/2021. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.