Sun May 16 2021
The public only has till 23rd June to opt out
medConfidential, a limited company with charitable objectives that campaigns for privacy and confidentiality of health records and data, founded by Privacy International and other privacy organisations, has accused the Department of Health and Social Care, alongside NHS Digital, of trying to sneak intrusive new measures in during the current pandemic.
They’ve done this amidst the news that the UK Government has updated existing practices and directed NHS Digital to start collecting sensitive health data from GP records, with the public being given until the 23rd June to opt out, if they so desire.
medConfidential are strongly objecting to this, protesting that the move hasn’t been adequately flagged up… despite assurances all data will be anonymised and encrypted.
They’re also concerned this move may make the sale of health data possible to commercial companies and other interested third parties (as is already the case with hospital data).
The General Practice Data for Planning & Research (GPDPR) Directive requires NHS Digital to:
Establish and operate an information system for the collection and analysis of General Practice data for health and social care purposes. Data should be collected for health and social care purposes that include but are not limited to health and social care policy, planning and commissioning purposes; public health purposes, including Covid-19 purposes... and research
The GPDPR’s scope is currently limited only to England.
In a press release sent out last week (12th May), NHS Digital said GPDPR would replace the current 10-year-old GPES system and would enable faster and more accurate access to pseudonymised patient data for planners and researchers.
The value of health data has been proven during the vaccine rollout. Our systems will incorporate pseudonymisation at source, encryption in transit and in situ, and rigorous controls around access to data to ensure appropriate use.
medConfidential, however, are still questioning the short timescale for opting out, stating that the 23rd June is just too soon.
Documents about the programme were published on 12 May 2021 - the morning after the Queen's Speech in which none of this was mentioned. Details of the scheme are spread across a number of PDF documents and web pages. The opt-out process is similarly cumbersome.
You need to use one opt-out - a ‘Type 1’ - by 23 June 2021 to stop NHS Digital from taking your entire GP history, and also another supposedly ‘digital’ opt out that may stop your GP data being shared with others once it's been taken. Or it may not. Anyway, if you have a family, this ‘National Data Opt-out’ still requires a combination of PDF forms.
If patient data has already flowed to NHS Digital before a Type 1 opt-out is registered, the data already held by NHS Digital will continue to be accessible… in other words it will remain on the system, potentially forever.
The 'opt out at any time' stops them doing some things in future, such as seeing new GP records, but it doesn't stop anyone having the data they already have.
Data to be collected by NHS Digital will include information about gender, ethnicity, sexual orientation, mental and sexual health, alcohol consumption, operations and diagnoses.
NHS Digital has confirmed the data will be both encrypted and pseudonymised, but as the number of data-sets used for cross-matching increases and encryption algorithms age, there is a risk the data could be re-identified.
Companies will be able to see and use this data - it'll be available on the same basis as hospital records from NHS Digital - pay them and they'll send you all the data. That includes the most sensitive of data and the dates that it happened, which makes the data re-identifiable from things like Twitter and Facebook posts, so if you know something about someone, you can find out everything else.
Responding to these comments, NHS Digital have said that patient data is already collected and used for planning and research purposes:
This new system will improve and simplify the current processes and will replace multiple existing data collections into one collection updated seamlessly, reducing the burden on GPs and providing strict processes and consistency around data security, transparency, assurance, and strict adherence to GDPR and related governance. We only seek to recover costs associated with providing data to meet approved data applications. We do not operate on a profit-making basis. Data will only be used for the benefit of health and care.
Information has also been provided to GP practices so that they can also communicate with patients on the new collection, and we have given them the materials they need to both educate patients and answer their questions. It would be disproportionate to write to every patient individually about the collection given the national communications campaign when the data being collected is not new and there are no new actions for individuals to take.