With the GP Data for Planning and Research (GPDPR) service launching next month, Richard Alcock, director of primary care technology at NHS Digital, explores how GP data is helping to save lives.
The health service is rich with data which can provide us with life-saving insights. For years it has been used to help us better understand and develop cures for serious illnesses, such as heart disease, diabetes, and cancer.
Never has this been clearer than during the response to the Covid-19 pandemic where the access to data benefitted millions of us.
NHS data was vital in managing the response, from making policy decisions and ensuring hospitals weren’t overwhelmed, to rolling out vaccines and building the Shielded Patient List to identify and protect those most vulnerable.
Data from General Practices was also absolutely crucial for the University of Oxford’s RECOVERY trial which identified which treatments were most effective.
The trial was lifesaving for people hospitalised with Covid-19. It found that using dexamethasone as a treatment reduced deaths by one-third in patients on ventilators and by one-fifth in other patients receiving oxygen only.
Unique and rich dataset
GP data is a unique and rich dataset as it provides a holistic, long-term view of a clinical record and incorporates social considerations in a way that hospital data might not. However, the way in which this data is currently collected does not meet the present or future needs of the system.
A new system of collecting data, called GP Data for Planning and Research (GPDPR), has been developed to allow us to make the most of using data for improved planning and research, and strengthen data security and consistency of how that data is accessed.
We know that most people support the idea of data being used for the wider benefit of the NHS and to improve outcomes for patients. It is likely to help us all at some point in our lives.
We understand concerns about sharing personal medical data and NHS Digital are committed to making sure data is fully protected and used only in ways that will improve patients’ lives.
We take our responsibility to safeguard the data we hold incredibly seriously. We do not take anyone’s entire GP record, only the relevant data within it, and we ensure that there is no risk of anyone being personally identified as a result.
The new system will pseudonymise data before it leaves the GP systems and it will then be protected by end-to-end encryption, which means it will be impossible to link an individual’s name with a medical record.
We have very stringent rules about who can access the data. It can only be accessed by organisations who will legitimately use data for healthcare planning and research purposes, and they will only get the specific data that is required. All requests are subject to independent oversight and scrutiny, and we conduct audits to ensure it is being used for the purpose it was requested for.
We have worked with patient groups, GP bodies and representatives, NHS commissioners, research organisations, the National Data Guardian and other organisations to build this new system. We have taken on board their recommendations to ensure it is fit for purpose.
Right to opt out
It is important that patients who would rather opt out of sharing their data still have the right to do so through the National Data Opt Out and we have been clear about how they can do this.
There are several benefits to implementing this new system for patients, GPs, system suppliers and those needing the data for planning and research.
For patients, it will allow new treatments to be developed and tested faster to improve outcomes from serious diseases for many people. And it will mean healthcare services can be tailored to their needs.
A reduction in the burden on GPs and their suppliers in processing data requests and the liability that they have for holding, storing and disseminating data will also ensure that data standards are consistent and meet necessary safeguards. It will reduce the risk of large volumes of identifiable patient data being shared multiple times with many organisations.
Researchers and planners will be able to apply for access to the data through one national channel, which will allow them to link datasets and provide more consistency over the data they analyse. This has the ability to unlock vital research through groups such as the UK Biobank and Genomics England.
The past year has shown how health data saves lives. We want to enable clinicians, researchers and academics to access that data in a way that is consistent and secure.
5 June 2021 @ 09:42
I am just a patient who has heard about this and first would want to say that I am happy to share my data with university research institutes and the like but would definitely not be happy to have it sold to insurance companies looking to take over NHS functions and for profit to companies like push doctor – however it also seems to me from reading already that this communications strategy is exceptionally poor – and that makes people very suspicious that it’s a deliberate move to obscure the real issues
4 June 2021 @ 15:04
“Let’s hope this does not become Care.Data v2”
I’m afraid it looks as though it already has due in part to the way it has been handled.
The main lesson that NHS Digital (which is a rebranding name for HSCIC where Care.Data v1 was designed) seems to have learned is that when patients hear about this, they are likely to opt out!
It’s a question of trust: & trying it – again – without even a junk mail leaflet this time – is NOT the way to earn the trust of either Patients *or* GPs (as Data Controllers).
I agree that this is a Direction from Matt Hancock – and that the data extracted under COPI might, when the emergency regulations lapse, have to be destroyed (well, legally, anyway) but has anyone in NHS Digital, NHS England (rebranded Commissioning Board) or the Department of Health & Social Care even considered the possibility of *selling* the project to the public?
Sean David Key
4 June 2021 @ 13:11
If anyone has come here looking for simple guidance on how to opt-out [which is hard to find the last time I looked at the NHS-D guidance pages], you can find it in our balanced article at: https://www.digitalhealthcoachuk.net/gpdproptoutexplained
4 June 2021 @ 09:08
As I work in NHS informatics, I understand and have seen the benefits of the collection and use of Patients’ data. However, when it comes to “healthcare planning and research purposes”, anonymised data has been used. I have not seen a case for, then, identifying a patient (which is, effectively, what pseudonymisation allows you to do.)
This really needs to be spelt out and the article does not do that. Is it only the GP who is able to do this – this is implied but not stated – and why would they be doing it? “We have worked with patient groups, GP bodies and representatives, NHS commissioners, research organisations, the National Data Guardian and other organisations to build this new system.” If this has been done, then more detail on why “Data will only be re-identified for approved specific uses where pseudonymized data would not be adequate for the purpose and where the law allows.” should be available.
Who is going to oversee this and what is the public forum where the results of this can be readily accessed? If you want to gain any trust, it has to all be public and transparent. The bodies that have been worked with need to be specifically identified and to publish their contribution to this.
What about the legal framework? Bertl points out at least one inconsistency from a legal point-of-view – the opt-out question. This, then, needs to be clarified. If any of this is voluntary (e.g. like the NHS duty of Confidentiality goes beyond the GDPR) how this is going to be assured. This needs to be stated.
Unlike Bertl, I do not assume that in every case like this NHS Digital is lying but I would need a lot more detail to see if the proposal matches the Rhetoric. I do not think that six weeks is enough time for this to be reviewed to most peoples’ satisfaction and, in any case, the six weeks is not a review period is it!
3 June 2021 @ 14:06
My previous comment on this page has been censored because I am saying something that nobody wants patients to know. Will the following part of my comment also be removed by the moderator?
On page 6 of the “Data Provision Notice”, published by NHS Digital on 12 May, and sent to GPs to inform them of the impending data collection, a document not intended to be read by patients, it is stated that,
“Data will only be re-identified for approved specific uses where pseudonymized data would not be adequate for the purpose and where the law allows.”
This implies that the pseudonymized data can easily be re-identified. NHS Digital claims (falsely) that pseudonymized data is not personal data. Neither opt out applies to pseudonymized data, on the grounds that it is “not personal data”. Therefore the opt outs do not apply to what NHS Digital is proposing to collect. Some might say that claiming that patients can opt out is somewhat at variance with the truth.
3 June 2021 @ 13:43
Agree National Data Opt Out is a simple process well integrated into the NHS app, the unfortunate fact is it doesn’t actually opt the patient out: it opts patients out from NHSD *sharing* the data, not NHSD *extracting* the data from the GP. The NHS ‘Digital’ solution to allowing patients to opt out from the GP extraction is a downloadable Microsoft Word form for patients to post. NHSD could easily have required GP suppliers to check national data opt out before extracting but no, instead they put this onto the patient to send them a letter and the GPs to action it.
Cynically I could suggest that by making opt out from sharing easy but opt out from extracting hard this maximises the data collected to NHSD while giving patients the illusion of control. In reality I think this is just a poorly thought out and poorly connected process with little thought to what patients actually want which flies in the face of NHSD’s blogging about “how important it is to get stakeholders involved in designing services that truly meet peoples’ needs”.
3 June 2021 @ 00:45
According to the GDPR, data that can be re-identified is personal data.
According to NHS Digital/the ICO/National Data Guardian/DHSC, patients can opt out of collection/extraction of personal data, but NHS Digital will be collecting pseudonymized data, which they claim is not personal data.
So the opt-out does not apply to collection of pseudonymized data. Nobody may opt out of this because it is not personal data.
Yet on page 6 of the “Data Provision Notice”, published by NHS Digital on 12 May, and sent to GPs to inform them of the impending data collection, a document not intended to be read by patients, it is stated that,
“Data will only be re-identified for approved specific uses where pseudonymized data would not be adequate for the purpose and where the law allows.”
Clearly the pseudonymized data to be collected by NHS Digital is in all cases quite simple for NHS Digital to re-identify.
Therefore this is personal data. Therefore patients should be able to opt out of the collection of pseudonymized data, but NHS Digital and Co are telling patients that pseudonymized data is not personal data and so the opt out does not apply.
As Richard Alcock so lucidly explains:
“It is important that patients who would rather opt out of sharing their data still have the right to do so through the National Data Opt Out and we have been clear about how they can do this.”
The only thing that is crystal clear is that NHS Digital is still lying to patients, with the collusion of the ICO, the National Data Guardian, the DHSC and the NHS generally. This the law does not allow, unless perhaps the Health and Social Care Act 2012 says that “lying is not lying when the lying is carried out at the direction of the Secretary of State for Health”. In that case it is OK.
The truth is that nobody can actually opt out of anything and nothing on this earth would induce me to voluntarily entrust my confidential health information to NHS Digital or to any Data Controller (like a GP for example) whose contract requires them to comply with NHS Digital’s requests for my personal data – in pseudonymized form or any other form.
NHS Digital has been lying to patients consistently since 2014 (or whenever they came into being). Lying is really a very bad habit, Mr Alcock.
2 June 2021 @ 11:55
I am convinced of the importance of sharing data but I fear that the communication lessons have not been learned from the Care.Data fiasco.
GPs were told about this 6 weeks ago and given posters to put up in near-empty waiting rooms and leaflets which we are not supposed to display post-Covid. We can also put information on our websites (but how often do you visit your practice’s website?) and we can consider contacting patients individually.
This is all happening when practices are running flat out, with record demand and also the need to provide Covid Vaccinations.
The result is the news has trickled out to the public and the suspicious amongst them think it has deliberately been kept secret to allow a data grab without their permission.
My staff are having more and more queries about opting out at a time when they are needed for other things. Pointing people to the official information does not suffice and there are requests for explanation of the different opt-out processes.
Advice in some areas is now arriving to say that practices should block the data sharing until they are happy that patients are aware of the scheme.
I am aware that practices are data controllers but the process and cost of contacting patients individually (I look after 31,500) should not be falling on us for this important piece of work.
Let’s hope this does not become Care.Data v2.