BMA calls for GPs to control single patient record data

Dr Mark Coley, BMA’s GP Committee for England IT lead (Credit: BMA)
  • The BMA has called for doctors to remain in control of GP data in the single patient record
  • The Department of Health and Social Care is expected to take on the role of data controller and custodian
  • Campaign group medConfidential warned that politicians could have greater influence over how medical records are used

The British Medical Association (BMA) has called for doctors, rather than the Department of Health and Social Care (DHSC), to remain in control of GP data in the single patient record (SPR).

Under the NHS 10 year health plan, a single patient record is planned to bring together information across care settings including primary care, hospitals and mental health services in England by 2028.

Minutes from an NHS England Data, Digital and Technology Committee meeting held in May 2025, obtained via a Freedom of Information request by the campaign group medConfidential, confirm that NHSE, which will have been merged into DHSC, will take on the data controller role for the SPR.

“It was accepted that an appropriate data controller for SPR is necessary, which will require a review of the legislative framework; given SPR will be a multi-service record it would not be appropriate for GPs to act as the data controller.

“It was agreed that while the NHS will be the data controller/custodian, patients would expect to own their records: how this can be achieved requires further thought,” the minutes state.

However, GP leaders have pushed back against the proposals and argued that doctors should remain in control of GP data.

Dr Mark Coley, BMA’s GP Committee for England IT lead, said: “While we welcome future discussions on the SPR, it is still the BMA’s view that GPs themselves must remain the data controller of the GP record.

“This data controllership role would allow us to act for the best interests of our patients, to advocate for them in any data sharing processes, to maintain confidentiality and, ultimately, to ensure we have the trust of our patients.”

MedConfidential told Digital Health News that government control of SPR data risks giving politicians greater influence over how medical records are used.

Sam Smith, policy lead at medConfidential, said: “Mr [Wes] Streeting thinks he should be the data controller of every patient’s entire medical history – taking control away from registered medical professionals, as well as from patients themselves, if his new single Palantir record ignores opt-outs and past promises.

“If Wes gets his way, it won’t be GPs who determine how data in the SPR gets used.

“Instead, the confidential relationship between doctor and patient will be broken, and the politicians of the day will decide – because the SPR under political control will contain all the notes of every appointment made by a GP, alongside the recordings of appointments in the proposed Neighbourhood Health Centres with mandatory ambient scribing.”

Speaking in November 2025, Ming Tang, interim chief digital and information officer at NHSE, said that the SPR will connect existing systems, such as electronic patient records and shared care records, rather than create a “massive new platform or a huge data lake”.

Meanwhile, the government has granted approval for UK Biobank, Genomics England and Our Future Health to access coded GP patient data for research purposes, with NHSE responsible and legally liable for the data.

Digital Health News contacted NHSE and DHSC for comment.


1 Comment

  • The whole point of the SPR is that it gives data users access to all available data relating to a particular patient. This precludes the patient exercising the choice, to which they are entitled, to decide what information to share with whom. It also precludes there being multiple controllers of the data in any real sense.

    
It is an inalienable right of human beings to decide whom to trust and in this context we are talking about whom to trust with our confidential personal data. Patients can exercise that right only insofar as they can choose which healthcare providers to go to. On the whole they will stay with any given provider only if they find that provider to be trustworthy. It is totally unthinkable that patients should be forced to accept NHS England or the DHSC as the data controller of all of their medical records/health data. NHS Digital, now NHS England Digital, soon to become (presumably) the DHSC England Digital, are the last people on earth to whom I would ever voluntarily entrust any personal data. I have spent over twelve years fighting to protect myself from the information governance practices of NHS Digital/NHS England Digital, practices developed under the direction of the DHSC. All of these bodies are demonstrably not to be trusted with personal data, far less confidential personal data. They habitually contravene data protection law, deliberately misrepresent data protection law to patients in order to dismiss valid data protection complaints and deny patients the protection of the law to which they are entitled. They use obfuscation, lies, confidence tricks, and every kind of deception to evade accountability. When I say that this is demonstrable, I mean exactly that, and I have the evidence. Are we really going to stand by and let the Secretary of State for Health actually remove our information rights altogether, by repealing data protection law, as he clearly intends to do? His Directives already repeal data protection law by implication, which is not a legally valid process, but if he is not stopped he will make this abuse legal in the UK.

    
Under no circumstances will it ever be acceptable to coerce patients into having their confidential personal data transferred to central control, and the SPR clearly implies central control. If patients give their legally valid consent, there can be no argument, but if patients withhold their consent, how can we ever know that our dissent has been upheld, when NHS Digital told patients in 2014 that they could opt out of having a Summary Care Record (SCR) and then proceeded to secretly extract a SCR data set from the GP record of every patient in England, totally and deliberately ignoring the opt-out, and merely concealing their action from patients and some data users. They continue to process these stolen data sets in 2026, even when the patient has found out and objected, and asked to have the data set deleted by NHS Digital, and asked again to have the data set deleted by NHS England Digital, only to be refused for specious reasons. The same thing would happen to anyone who did not consent to central control of their records, or did not consent to a SPR, which implies central control. We should never believe a word these people say.

    
Coercive transfer of patient data to central control is tantamount to removing all information rights from the patients thus abused. If the data controller cannot be trusted there is in effect no data protection law of any kind.
