The National Data Guardian has called for a “commitment to transparency” when developing innovative data tools to avoid concerns like those seen with the General Practice Data for Planning and Research programme.
Dr Nicola Byrne said people need to trust they can share their information with confidence without concern their data may be used in “unexpected ways”.
“Successful data initiatives are underpinned by a commitment to transparency and an active understanding of what matters most to people. Professionals and the public want to be informed, involved, and to understand what choices people have,” she wrote in a blog.
“When these conditions are not met, we see situations such as the recent delay and reset of the General Practice Data for Planning and Research (GPDPR) programme.
“If people feel that their information may be used in unexpected ways, for purposes they may not support, this greatly undermines the fundamental relationship of trust.”
Dr Byrne highlighted the importance of the newly formed eighth Caldicott Principal – formally introduced in December 2020 – which states steps should be taken to ensure “no surprises” for patients or service users about how their data will be used.
This is to ensure they have “clear expectations about how and why their confidential information is used, and what choices they have about this”.
In her response to the government’s draft data strategy, published in June, Dr Byrne reiterated the importance of Principal 8, emphasising the importance of using clear, unambiguous language and being open with people about who might access data.
The same principals should be applied to the government’s Police, Crime, Sentencing and Courts Bill, which Dr Byrne writes she has “significant concerns” about.
The Bill will require Clinical Commissioning Groups (CCGs) to disclose information to police for the purposes of reducing serious violence in their areas.
“Whilst tackling serious violence is important, it is essential that the risks and harms that this new duty pose to patient confidentiality, and thereby public trust, are engaged with and addressed,” Dr Byrne said.
“People need to trust that they can share information in confidence with those responsible for their care without worrying how it will be used, by the police or others.
“And health professionals need to trust that confidential information they routinely collect as part of care will not be used in ways that could negatively impact care, or which may be at odds with their professional and ethical duties and obligations to their patients.”
General Practice Data for Planning and Research
In May 2021 NHS Digital announced it was setting up a new primary care data collection service with the aim of giving planners and researchers faster access to pseudonymised patient information.
The General Practice Data for Planning and Research (GPDPR) programme was designed to replace the 10-year-old General Practice Extraction Service used to collect data from GPs.
But the original roll out date was eventually scrapped after concerns were raised about the timeframe to implement the programme and whether patients had been given sufficient information about how their data would be used.
Privacy campaigners and GPs warned it could destroy patient trust and called for more transparency on how the programme would be delivered.
GPDPR was originally due to come into effect on 1 July 2021, but was delayed to September 2021 before being scrapped until further criteria can be met.
In July minister for primary care and health promotion Jo Churchill sent a letter to all GP’s setting out a new process for commencing data collection, stating the government was not “setting a specific start date”.
14 October 2021 @ 10:35
Neither is it enough – or lawful – simply to say “we have a legal obligation to do this under the Health and Social Care Act 2012, and a directive from the Secretary of State for Health and Social Care, and a contractual obligation to do this under our NHS contract, so we have a legal basis for doing this under GDPR Article 6(1)(c), if what you are doing contravenes data protection law (for example, contravening GDPR Article 5). There is nothing in law that says that the above provisions override data protection law, though the NHS conveniently and habitually assumes that they do overide data protection law and uses this assumption to dismiss complaints of abuse from patients. Having a legal basis under GDPR Article 6 is a necessary condition of lawful processing of personal data; it is not a sufficient condition for the lawfulness of processing personal data, and it does not make concealment of relevant information, dishonesty, duplicity and deception lawful, much though the NHS would like to think it does. The proposed GPDPR collection is a hundred miles from being lawful and it will never be lawful because the DHSC/NHS will never tell the truth about what they are doing. Dishonesty is deeply embedded in their information governance practices, I would say ineradicably so.
Dr Neil Bhatia
13 October 2021 @ 14:25
Transparency is important (and a requirement of GDPR, Article 5-1-a) but simply being transparent neither sets aside the common law of confidentiality nor provides a legal basis ( a defence) to avoid a breach of confidence.
If data is being processed outwide of patients’ “reasonable expectations” then an alternative to “implied consent” must be found.
It’s not enough – and not lawful – simply to say “we’re being transparent” or “we have produced a privacy notice” or “but you can opt-out…”.