Disclaimer: The views expressed are those of the individual author. All rights are reserved to the original authors of the materials consulted, which are identified in the footnotes below.
By Shayahi Kathirgamanathan
Section Editor for Medical Law and Ethics
‘Data grab’, ‘theft’, ‘harvest’: these are the terms in headlines which describe the new NHS data collection system for patients, formally known as General Practice Data for Planning and Research (GPDPR). In recent months, social media has been awash with disturbing narratives of patients’ data being imminently sold off to private entities and American pharmaceutical companies, and fact is difficult to separate from fiction, partially because of the Government’s own cryptic handling of the change. In response to heavy criticism, the Government has deferred implementation from 1 July to 1 September 2021. Patients will thus be able to register an opt-out until this date. So should we welcome the GPDPR, or await its introduction with apprehension? This article examines the workings of the system, and whether fears about threats to privacy and inappropriate implementation are founded.
What is the GPDPR?
The GPDPR is a new system of data collection that creates a central NHS digital database from patients’ GP records.[1] It replaces the previous system of data collection known as the General Practice Extraction Service (GPES), representing ‘a shift in terms of the scale and centralisation of the data held’.[2] NHS Digital will collect data including diagnoses, symptoms, observations, sex, ethnicity and treating staff. Patients’ names, addresses and written notes are not collected; software replaces any identifying information in a process of ‘pseudonymisation’.
The GPDPR is intended to carry out additional functions such as enabling different areas of research, e.g. on the long-term impact of coronavirus on the population and healthcare inequalities. The data will not be used solely for commercial purposes. Overall, the new system is intended to reduce the burden on GP practices and facilitate processes managing lawful access to patient data in order to improve health and social care.
As Toynbee observes, the GPDPR is a plan of ‘incalculable medical value’.[3] Previously, access to GP records has demonstrated that there was no association between the MMR jab and autism, and they have been used to investigate whether particular medications cause an increased risk of cancer.[4] Emergency access to GP records has also facilitated the COVID-19 vaccine rollout to the population.[5] Above all, if our data is properly anonymised, why should we be concerned with its use, especially in light of the overwhelming potential benefit to healthcare?
Privacy
One key concern about the GPDPR is that it may fail to sufficiently protect the privacy of the public. NHS Digital states the data will only be made available to approved organisations who have a clear legal basis to use it for health and care purposes, and who will only receive the minimum amount to meet the specified purpose. They have also emphasised pseudonymisation as a safeguard for privacy. However, the GPDPR has raised alarm bells on multiple grounds for campaigners, who have expressed scepticism over the supposed security of patient data.
Firstly, the pseudonymisation process may be legally reversed in certain circumstances so patients will be identifiable from their data, but the exact grounds on which this is possible are unclear.[6] Secondly, the basis on which companies can access data is similarly obscure and potentially expansive: what is really meant by use for ‘legitimate needs’ and ‘research purposes’?[7] A defect of the GPDPR is that it functions on the assumption of companies working in good faith: companies will claim they are not using the data for solely commercial purposes, and they are also contractually prohibited from identifying patients from their data. But there is no way to ensure companies will act ethically to protect the interests of patients above their own: indeed it seems almost naive to expect that they will.
Even looking beyond the wide legal accessibility of the GPDPR, illegal access to patient data via a cyberattack will become a more lethal threat to privacy. Due to the magnitude of data collected, the GPDPR creates a ‘new set of risks for individuals’.[8] Patient data on the black market is immensely valuable for cyber-criminals, meaning that the system is an ‘obvious target’ for attacks.[9] No system is infallible: regardless of how many safeguards are put into place, there is a very real possibility that cyber-criminals will be able to stay one step ahead.
Implementation
Another concern about the GPDPR is that it will not be appropriately implemented. Beauchamp and Childress regard informed consent as a foundation to autonomous decision-making, and one of the elements of informed consent is understanding.[10] In order for the GPDPR’s opt-out system to represent a fully autonomous decision an individual has taken to provide informed consent to the collection of their data, they must have a core understanding of the GPDPR. This entails ‘[acquiring] pertinent information’ and possessing ‘justified, relevant beliefs about the nature and consequences of their actions’.[11] The public must be given adequate information about the GPDPR, and what it means to provide or deny consent to the system.
Yet the Government’s approach to the GPDPR leaves much to be desired. The underhanded way in which implementation has been initially attempted, especially in the midst of COVID-19, has drawn criticism. In a joint letter to NHS Digital, the British Medical Association (BMA) and the Royal College of General Practitioners expressed their concerns “about the lack of communication with the public” on the GPDPR.[12] Lack of transparency has undoubtedly fuelled mistrust of the system; in a common sentiment, one headline reads: “the Tories have worked out how to pull off an NHS data grab: do it during a pandemic”.[13] Moreover, the Government’s failure to properly inform the public has left a lacuna for misinformation about the GPDPR to thrive online, with falsified posts spreading like wildfire.
While the delay until September is the first step, it remains to be seen whether the Government will actually take the opportunity to facilitate the public’s informed and meaningful consent to the system. Many, including Labour, the BMA, and the RCGP, have called for a public consultation and information campaign.[14] Understanding Patient Data have also published 6 recommendations for NHS Digital to adopt in the interim period, including ensuring secure environments are the default for data access and investing in communications to respond to public concerns.[15] If these steps were taken, it would signal respect for the principles of autonomy and informed consent, foster greater trust in the GPDPR, and align better with the Article 8 right to privacy under the ECHR.
Regarding the introduction of the opt-out system for organ donation, the Government explicitly recognised the importance of engaging with the public and raising awareness by planning a 12-month communication campaign, as stated in the Department of Health’s document ‘The New Approach to Organ and Tissue Donation in England’.[16] The same reasoning ought to apply to patient data. Tellingly, however, the campaign on organ donation was not actually undertaken due to COVID; unlike Scotland, the English Government chose not to delay the introduction of the opt-out system, and the reform has passed through largely unnoticed.
So if (recent) history teaches us anything, it seems unlikely that the Government will utilise the next two months to undertake any such campaigns to facilitate the public’s understanding of the GPDPR. Instead, the delay appears to be intended to temporarily appease detractors, with the hope that the later introduction will elicit a more muted reaction. The task of ensuring the public can provide informed consent to the GPDPR when it is introduced may solely fall to campaign groups and the media.
Conclusion
Ideally, the GPDPR is a system that ought to be welcomed for its potential to revolutionise research and healthcare. However, the planned safeguards for privacy may be inadequate in the face of exploitative use by third parties, as well as cyber-attacks. Nor does the Government’s record of blatant disregard for the public’s informed consent bode well for a trustworthy system. While exaggerations about the GPDPR should be avoided, we should also be aware of these legitimate concerns. In the wrong hands, the GPDPR may well turn into a foe.
[1] NHS Digital, ‘General Practice Data for Planning and Research (GPDPR)’ <https://digital.nhs.uk/data-and-information/data-collections-and-data-sets/data-collections/general-practice-data-for-planning-and-research> accessed 16 June 2021
[2] ‘Letter from RCGP and BMA to NHS Digital’ (27th May 2021) <https://www.rcgp.org.uk/-/media/Files/News/rcgp-bma-letter-gpdpr.ashx?la=en> accessed 16 June 2021
[3] Polly Toynbee, ‘Why I back the NHS patient data-sharing plan’ <https://www.theguardian.com/commentisfree/2021/jun/11/nhs-patient-data-sharing-plan-covid-vaccine> (The Guardian, 11 June 2021) accessed 17 June 2021
[4] (n 1)
[5] (n 1)
[6] Caroline Molloy, ‘Legal threat sharpens over UK government plans to harvest patient data from GPs’ <https://www.opendemocracy.net/en/ournhs/legal-threat-sharpens-over-uk-government-plans-harvest-patient-data-gps/> (Open Democracy, 4 June 2021) accessed 18 June 2021
[7] ibid
[8] Alex Scroxton, ‘Privacy experts concerned over NHS data collection plans’ <https://www.computerweekly.com/news/252501494/Privacy-experts-concerned-over-NHS-data-collection-plans> (Computer Weekly, 28 June 2021) accessed 19 June 2021
[9] James Coker, ‘Interview: Jonathan Whittle Discusses Plans to Share NHS Patient Data’ <https://www.infosecurity-magazine.com/interviews/jonathan-whittle-share-nhs-patient/> (InfoSecurity, 16 June 2021) accessed 20 June 2021
[10] Tom L Beauchamp and James F Childress, Principles of Biomedical Ethics, (OUP USA, 5th edn)
[11] ibid 88
[12] (n 2)
[13] Marina Hyde, ‘The Tories have worked out how to pull off an NHS data grab: do it during a pandemic’ <https://www.theguardian.com/commentisfree/2021/jun/04/tories-nhs-data-grab-pandemic> (The Guardian, 4 June 2021) accessed 17 June 2021
[14] Sky News, ‘Plan for NHS to collect patient data from GPs should be delayed over privacy fears, says Labour’ <https://news.sky.com/story/plan-for-nhs-to-collect-patient-data-from-gps-should-be-delayed-over-privacy-fears-says-labour-12326648> (Sky News, 6 June 2021) accessed 17 June 2021
[15] Understanding Patient Data, ‘Trustworthy use of GP data: what must happen now’ <https://understandingpatientdata.org.uk/news/trustworthy-use-gp-data-what-must-happen-now> (Understanding Patient Data, 15 June 2021) accessed 17 June 2021
[16] Department of Health & Social Care, ‘The New Approach to Organ and Tissue Donation in England: Government Response to public consultation’ (August 2018) <https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/731913/govt-response-organ-donation-consent.pdf> accessed 17 June 2021