The implementation date for General Practice Data for Planning and Research (GPDPR) service has been moved to 1 September 2021.
On May 12, NHS Digital issued a Data Provision Notice to GPs to enable GPDPR to begin from 1 July 2021 with the aim of giving planners and researchers faster access to pseudonymised patient information.
Concerns have been raised about the timeframes and whether enough time has been given to inform patients about the changes which could result in patient trust being “destroyed”.
Therefore, NHS Digital has said that to ensure that more time is allocated to speak with patients, doctors, health charities and others to strengthen the plan even further, the collection of GP data for planning and research in England would be deferred from 1 July to 1 September 2021.
Simon Bolton, interim chief executive of NHS Digital, said: “Data saves lives and has huge potential to rapidly improve care and outcomes, as the response to the Covid-19 pandemic has shown. The vaccine rollout could not have been delivered without effective use of data to ensure it reached the whole population.
“We are absolutely determined to take people with us on this mission. We take our responsibility to safeguard the data we hold incredibly seriously.
“We intend to use the next two months to speak with patients, doctors, health charities and others to strengthen the plan even further.”
In a press release, NHS Digital said it is “committed to being transparent with patients and the public about the collection and use of data”.
“Under the system entire GP records will not be collected,” it adds.
“All the data which is collected is protected – or pseudonymised – before it leaves the GP surgery to ensure patients cannot be directly identified from the data while still enabling it to be safely linked to other records.
“Data can only be accessed by organisations which will legitimately use the data for healthcare planning and research purposes, and they will only get the specific data that is required. All requests are subject to independent oversight and scrutiny, and audits are conducted to ensure it is being used for the purpose it was requested for.”
If a patient does not want identifiable data to be shared outside their GP practice, except for their own care, they can choose to opt-out by requesting that their GP practice record is not shared, known as a Type 1 opt out, or by registering their opt-out through the National Data Opt Out service on nhs.uk.
In a tweet, the Royal College of GPs (RCGP) said it was “pleased” that the implementation date had been delayed.
We’re pleased @Jochurchill4 has announced a delay to the #GPDPR programme following the serious concerns we’ve raised over the past few weeks.
It’s essential this time is used to properly communicate with the public so patients & GPs understand & trust the programme @TheBMA
— RCGP (@rcgp) June 8, 2021
The RCGP and the British Medial Association (BMA) issued a joint letter last week to express their concerns and “about the lack of communication with the public”.
Following the news that the service had been paused, BMA GP committee executive team member and IT lead, Dr Farah Jameel said: “Today’s announcement is an important win for patients, family doctors and the BMA. Along with the RCGP, we made it abundantly clear to both the government and NHS Digital that this programme needed to be delayed to allow for a proper in-depth public information campaign to give the public a chance to make an informed decision about whether they want their data collected as part of the new GP data extraction programme.
“We knew there was insufficient time until the first extraction – originally planned for the 1st July – to allow for the public to have a proper understanding of what the programme was intended for and to give enough time to make fully informed choices on whether they should opt-out or not.
“We know from our members that many family doctors feel that all their patients may not yet know what’s changing, and many practices do not believe that they themselves have been given the right level of information nor adequate time to comprehensively understand the programme, its merits and the safeguards it will operate within. It’s clear that previous communications from NHS Digital on this programme has, frankly, been either inadequate or non-existent.
“While the BMA understands that data sharing plays a key role in planning and research as well as developing treatments, we also know that the crux of the GP-patient relationship relies on trust, transparency and honesty, and therefore allowing the public to make fully informed decisions is paramount.
“What’s important now is that the government takes full responsibility for ensuring that there is honest dialogue and robust public engagement. GPs were never, and should not be, expected to take responsibility for communicating the details of this programme to patients, so we would expect to see the Government use this extension to adequately communicate the programme details to doctors and the public. Patients across England must be afforded the ability to make an informed choice in this matter, with decisions based on the correct facts and information.”
The announcement of the changes did lead to threats of legal action, as Foxglove – a team of lawyers, technology experts and community activists – sent a pre-action letter on behalf of several organisations and Conservative MP David Davis.
Foxglove director, Cori Crider, welcomed the decision to move the implementation date to September adding that “now the government needs to meaningfully involve people and answer key questions”.
11 June 2021 @ 14:59
Seeing the quality of the GP data used to identify individuals needing shielding, how valuable will the final data collection actually be for planning – let alone “research”?
Clinical trials are fully consented ( the Recovery Trial didn’t apparently draw on GP data uploaded under COPI Emergency legislation) – & OpenSafely used data held in SystmOne in situ.
If you look at the Codes previously excluded as “sensitive” https://medconfidential.org/for-patients/gp-2021-sensitive-codes/ , not only are they sensitive but many of the Terms are ambiguous – including Terms relating to sexual & physical abuse within families ( & who – in this context – is a “Family Member”?)
By law (Rehabilitation of Offenders Act) the medical records of individuals in custody are not linked to the GP medical record. I have no idea as to whether there is any plan to include them in this data collection, but would a Direction over rule this prohibition? (& if so, what is the quality of HMP EPRs?)
I suspect we might find its a question of “GIGO”!
11 June 2021 @ 16:36
Unless I am mistaken, some time ago there was a proposal to overrule the Rehabilitation of Offenders Act, on the pretext that this would allow offenders to receive better care, by making their prison medical records (where accessible)accessible to GPs. My memory is hazy about the details.
There is very clearly a relentless drive to link as much information on each individual, from all possible sources, on any pretext or none. We must be left with zero privacy.
Frankly, my historical GP records are mostly utter rubbish that could only mislead. They also include deliberately and maliciously falsified records that I only discovered by chance and insisted on having corrected. Not to mention a significant number of records that clearly belong to another patient, including one misplaced record that incorrectly indicates that I have a drinking problem and am overweight.
11 June 2021 @ 16:39
Correction: “where accessible, in parentheses, should be “where applicable).
9 June 2021 @ 20:35
DPIA?
9 June 2021 @ 21:40
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/
10 June 2021 @ 21:26
Ty
11 June 2021 @ 18:58
Very good question.
See https://www.pulsetoday.co.uk/news/technology/gps-will-need-to-risk-assess-mass-patient-data-extraction-says-ico/
The joint Government-ICO strategy is:
1. Scare overworked GPs by telling them that each practice has to carry out its own DPIA
2. Show them how they can circumvent this major requirement by using a DPIA provided by NHS Digital
3. The ICO makes fierce noises to suggest (mendaciously) that it is strongly for the protection of patients’ information rights
4. Provide a safety net for the data collection programme by telling GPs that, if in doubt, they must consult the ICO.
What most people will not know is the ICO’s track record when it comes to guidance to organizations carrying out self assessments. Companies in the data and marketing industry process person data on an industrial scale, usually without the knowledge, let alone the consent of the data subject, who is usually unaware of the existence of these companies (hordes of them). They all claim a legal basis of “Legitimate Interest” under GDPR Article 6(1)(f). These claims require a Legitimate Interest Assessment (LIA). This is a self assessment, not unlike like a DPIA. The result is that virtually every company trading in our data is using a totally invalid LIA. They have done no assessment as required by the GDPR. They just concoct something that, very superficially looks vaguely like an LIA – under the guidance of the ICO. If all unlawfully processed personal data was removed from the data and marketing industry, it would disappear overnight. This is what will happen with the GP DPIAs.
8 June 2021 @ 23:47
‘In a press release, NHS Digital said it is “committed to being transparent with patients and the public about the collection and use of data”.’
I believe that a crucial question for patients and the public about the collection and use of data from their GP records is whether this will be mandatory, or whether they may opt out. If anyone thinks the answer is clear, I suggest that they should think again.
Dr Farah Jameel, refers to
“giv[ing] the public a chance to make an informed decision about whether they want their data collected as part of the new GP data extraction programme.”
Now, this statement would seem to imply that patients have a choice as to whether or not their data is collected as part of the said GP data extraction by NHS Digital.
The author of the above article, Hannah Crouch, also appears to say that patients have a choice. I quote,
“If a patient does not want identifiable data to be shared outside their GP practice, except for their own care, they can choose to opt-out by requesting that their GP practice record is not shared, known as a Type 1 opt out, or by registering their opt-out through the National Data Opt Out service on nhs.uk.”
Historically, NHS opt outs have only applied to personal, that is, identifiable data and Simon Bolton is saying that NHS Digital will collect pseudonymized data, which does not “directly” identify the patient. Where does this leave the opt-outs? Do they, or do they not apply to pseudonymized data? I would think that this question is absolutely crucial, but I do not believe anyone has answered it, presumably for the compelling reason that the opt-outs will be treated as completely irrelevant, but must be believed to represent a choice “about whether [patients] want their data collected”, or not. This is called having your cake and eating it, I think.
Could I therefore ask Dr Jameel to please tell us how she thinks patients will exercise their “informed decision about whether they want their [pseudonymized] data collected as part of the new GP data extraction programme.” As the IT lead for the GPC, she must presumably know the answer.
8 June 2021 @ 22:23
For non-specialists:
– Psuedonymisation [from pseudo anonymisation] means key bits of your data have been replaced with a coded version of that information. Unlike anonymisation, this coding can be decoded, with a special key, held by NHS Digital, in this case.
So, NHS Digital will be holding your GP record, and lots of other records, and linking them together as your Pseudonymised [coded] NHS number and name are the same, in all the data sets, which allows a link to be made.
For most uses, they can do all they need to, plan, support research, without using the key to unlock your identity.
Phil Booth of MedConfidential used a phrase ‘temporary anonymisation’ to describe this. In other words it’s a bit like ‘The Masked Singer’, with the patient’s identity revealed at the end [mask off = using the key to decode your name etc.]
For a while, lots of people running smaller NHS databases [e.g. a county level] that combine data, support planning and through ‘risk stratification’ try and find patients who need extra care, all believed Psuedonymisation was a magic bullet to solve issues with holding massive databases with lots of personal confidential information in.
So far so good.
Then, academic researchers came along and spoiled the party by suggesting that patients could be re-identified, without using the key, by combining the [row-level] data with other sources of data, e.g. from social media, phone records and so on.
Over time, with the revolution in mobile technology, we create a bigger and bigger pool of data about ourselves, to enable this to happen.
A simple example would be location tracking by Google using Google Maps / Android. Right now, if I go into Google Maps and look up my GP Practice, Google tells me I visited on 4 different days since March. That’s more than enough for Google to uniquely identify me, my NHS number and thus reveal who my entire medical record belongs to. Even Google’s own engineers don’t know how to disable Google location tracking, by the way.
If a database of ‘psuedonymised’ or ‘anonymised’ information gets into the wrong hands, this would be a disaster on a number of levels. For example;
– it could reveal the home addresses of people of interest to enemy states, or celebrity stalkers
– it could reveal the home addresses of domestic abuse survivors
– it could be used to create really believable scams and frauds
– it could be used for black-mail
– it could be used to target people for propaganda campaigns
and on and on….
And this is why, lots of campaigners are worried about these pseudonymised data sets being released, as pseudonymisation is no protection at all.
8 June 2021 @ 20:30
Time is very short, so we should not waste any of it. Here are some initial questions for Simon Bolton, Interim Chief Executive of NHS Digital.
Sir, you are quoted above as saying, in a press release,
“All the data which is collected is protected – or pseudonymised – before it leaves the GP surgery to ensure patients cannot be directly identified from the data while still enabling it to be safely linked to other records.” [My italics]
Q1: What does this statement mean? I can see only two possibilities:
1. The statement is nothing more than the self evident truth that patients cannot be directly identified from pseudonymized data without carrying out the process of identifying them from the data?
If so, I would wish to suggest that you are simply playing with words, with intent to deceive.
If you are not simply playing with words, the only other meaning must be :
2. You are making the substantive statement that the patient/data subject cannot be identified from the pseudonymized data to be collected by NHS Digital.
Let us assume, Sir, that you are not given to making statements that are meaningless tautologies, in order to deceive gullible patients, and that your meaning is the substantive statement, 2.
May I then ask you the following question?
In NHS Digital’s Data Provision Notice, dated 12 May, sent to GPs to inform them of the imminent collection of GPDPR, it is stated,
“Data will only be re-identified for approved specific uses where pseudonymized data would not be adequate for the purpose and where the law allows.”
Q2: Version 2 of the statement quoted from your press release, and the statement here quoted from your Data Provision Notice, of 12 May, are mutually contradictory, which is to say that both cannot be true. In the interests of clarity, please would you kindly tell us which of the two statement is false?
Or are you, after all making a meaningless statement, as in version 1 of the statement quoted from your press release, with intent to deceive?
I think we do need to be absolutely clear what is being said here; and what is true and what is false.
9 June 2021 @ 20:07
Who R u, if u R only prepared to talk anonymously I have no interest in what you have said
8 June 2021 @ 19:33
We are in the flat earth period of public understanding of health IT privacy, and to be fair to Simon Bolton he won’t even be that far on yet. He’s come from jaguar motors. Pseudonymisation is a Fig leaf of confidentiality as it takes very few data items to re-identify an individual. A generation of digital natives whose genome will likely be stored in their record will look back and judge the decisions we made at this time. Ethics or profit?
If its Simon Bolton who has paused the madness , I applaud him. At least he didn’t fall into the trap Tim Kelsey did.
9 June 2021 @ 20:34
Joe, profit is not a dirty word, to me profit means a +, what you do with + is key, easy money are dirty words, books must balance and that means counting Accurately and Efficiently, time is running out
8 June 2021 @ 19:06
All that will happen in the next twelve weeks will be more of the same deliberate deception and obfuscation, as the above statement from NHS Digital makes completely clear. They will continue to tell patients that their pseudonymized data is not identifiable, while clearly stating in their Data Provision Notice of 12 May that such data can readily be re-identified. They will continue to tell patients that they can opt out when neither opt-out applies to pseudonymized data. That is to say, nobody can opt out of anything. I doubt that twelve weeks is enough time to stop the initial collection before it is too late. That is what needs to happen. NHS Digital has made clear that once the collection has been made it will be irreversible and nobody can opt out. Why on earth does anyone see this brief delay as a victory?
8 June 2021 @ 17:58
Simon Bolton – “All the data which is collected is protected – or pseudonymised – before it leaves the GP surgery to ensure patients cannot be directly identified from the data while still enabling it to be safely linked to other records”. The problem for me is, we’ve been told by *IG professionals* for years, and years, that neither pseudonymisation, nor row-level anonymised data, are bullet-proof against re-identification, if datasets are released. I’m not smart enough to follow the maths in the papers this thinking is based on, but it has been drilled into us over and over again by IG.
What’s the truth here, as we seem to have the head of NHS Digital suggesting re-identification isn’t a risk? Also, where’s the DPIA? We’ve been told we should always have one of those, too.
Is this high-noon for IG?