
The NHS has ‘opted out of respecting patient privacy’  

On 1 July, the NHS will upload the medical history of roughly 55 million people registered with a GP in England onto a central database, collected by a new service dubbed the General Practice Data for Planning and Research data collection. 

 

According to NHS Digital, this will include diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments, as well as information about physical, mental and sexual health.

 

They say that the data is “needed to support a wide variety of research” and “the planning and commissioning of health and care services, the development of health and care policy, public health monitoring and interventions (including covid) and enable many different areas of research.” 

 

On the face of it, this sounds reasonable; some may even say essential during a pandemic. 

 

But reading between the lines reveals this new set-up will make sensitive data available and incredibly easy to access for companies and individuals in the private sector, academic researchers and other third parties. 

 

Exactly which organisations and corporate entities will have access to this data remains unclear, and if the nature of the NHS’s complex web of existing private and commercial associations is anything to go by, it may be difficult to accurately map the journey the data will take. 

 

Considering the magnitude of the change, it’s extremely disappointing to see that the NHS has granted people mere weeks to consider whether or not they want their information to be a part of this major change to patient data practices.

 

The health secretary, Matt Hancock, only announced the plans for the collection in early April, despite the deadline to opt out being 23 June. A link to the form to opt out can be found on this page, and is quite hard to find for such an important form.

 

With under three weeks to go, few people are aware that the collection is imminent, and the health service is rightly under fire for how this has (or more accurately hasn’t) been publicised. 

 

Organisations like the Royal College of General Practitioners say the NHS hasn’t communicated effectively that the mass collection will take place and warned already-swamped GPs will be left to pick up the pieces. 

 

But perhaps the best illustration of this failure of publicity surrounding the collection is that one of the main channels of communication used has apparently been flyers in GP surgeries. 

 

In terms of the data itself, NHS Digital says that names and addresses will not be collected and directly identifiable information will go through a de-identification process, within which it will be replaced with unique codes. 

 

The phrase de-identification will ring alarm bells for anyone who knows how easy it is to re-identify supposedly anonymised information. What’s more, NHS Digital “will be able to use the [de-identification] software to convert the unique codes back to data that could directly identify patients in certain circumstances, and where there is a valid legal reason.” Examples of such circumstances aren’t listed.

 

Campaign groups like FoxGlove have raised serious questions about the legality of the plan in general. 

 

However, even if the scraping of this data is shown to have a lawful basis, it could still fall foul of ICO guidelines relating to fairness, which demand data is only used “in ways that people would reasonably expect.” 

 

Back in 2017, the ICO ruled that the Royal Free NHS Foundation Trust did not comply with the Data Protection Act when it provided Google DeepMind with patient details. The lack of expectation that individuals’ data would be used in this way was highlighted as a key issue.

 

NHS Digital has reportedly said that the regulator had not objected to the plans, despite an imminent data protection impact assessment expected to be delivered by the ICO.

 

Will the proportion of the 55 million who don’t opt out reasonably expect their data to be subsequently shared with commercial entities and private companies? Did they have a fair chance to opt out, given the time frame?

 

Both of these questions will be difficult to answer, as will ones that include reference to Care.data, a failed 2013 programme that was similarly condemned due to concerns regarding commercial access and patient confidentiality. 

 

The erosion of trust between the British public and the institutions that exist to serve them has been a key political theme over the past decade, from the chaos of Brexit to the government’s covid response.

 

Public trust is vital for public institutions, but this is particularly relevant in the case of the NHS, and even more pertinent during a public health crisis.

 

The welfare and health of the nation rest heavily on the willingness of individuals to trust their public health system to respect their privacy and keep their medical records confidential. 

 

With this in mind, it beggars belief that the NHS would choose to action a plan that has real potential to negatively impact patient trust, and that they’d do it now. 

 

Reports that some GPs have already agreed to withhold data provide a glimmer of resistance, but with millions still in the dark about the plans, it will do little to change the fact that an unfathomable amount of medical information is about to be collected and kept forever.