More than 20 million people in England – a little under half of the 56 million living in the country – are still unaware of NHS plans to share patients’ GP medical records, according to a new study from consumer watchdog Which? The brand surveyed 1,700 adults in England and found 45 percent were unaware of plans to share the medical records held by your doctor with non-departmental government bodies. However, campaigners have slammed the controversial plans.
The original deadline was July 1, 2021. However, the Government changed the deadline in early June, pushing it back to September 1st. Unless you decide to opt out before the deadline, records from your GP surgery will be brought together into the centralised database. Opting out after the September deadline will still work, but it will only apply to any future data generated on your next visit to your local GP surgery – any historic data will always be available to researchers, academics, and commercial partners of the NHS.
The latest figures from Which? suggest the health department has been incredibly ineffective at informing all patients about the changes – something that’s required under data protection law. According to NHS Digital, which runs the country’s healthcare IT systems, the General Practice Data for Planning and Research (GPDPR) programme is needed because the current system used by GP surgeries, known as General Practice Extraction, is over a decade old.
Which? Director Of Policy Rocio Concha told The Register: “NHS Digital and the government are right to delay implementation of the GPDPR scheme and must now go to greater lengths to engage the public, raise awareness of the scheme, and increase people’s understanding of it through better communication and transparency.”
The statistics from Which? contrast with comments from ex-Health Secretary Matt Hancock, who recently claimed “the vast majority of people are strongly onside” with the upcoming data-grab from GP surgeries across England.
Around half of those surveyed who had heard about GPDPR had only learnt about the plans from news outlets or social media, rather than directly from campaigns run by NHS Digital or their GP surgery.
A lack of transparency about the plans could seriously damage trust in the health service… something that’s not ideal in the middle of a pandemic. At the start of the survey from Which?, around three-quarters of respondents said they trust their local GP surgery to handle their sensitive records. However, some 40 percent said that learning about the GPDPR scheme had made them trust the NHS less than before.
While sensitive information, including mental and sexual health data, criminal records, full postcode and date of birth, is included in the database, NHS Digital says that anything that could be used to identify you from your records will be pseudonymised before it’s uploaded from your local GP practice.
“This means that this data is replaced with unique codes so patients cannot be directly identified in the data which is shared with us. The data is also securely encrypted,” NHS Digital explains.
However, the code to unscramble the anonymised data will be held by the NHS. This is different from the approach taken by some tech companies, including Apple and WhatsApp, which do not store the digital keys that could unscramble the anonymised data. That’s why Apple refused to help FBI investigators who hoped to unlock an iPhone owned by one of the terrorist suspects.
According to Apple CEO Tim Cook, “In today’s digital world, the ‘key’ to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks – from restaurants and banks to stores and homes. No reasonable person would find that acceptable.”
NHS Digital will hold the keys to unlock its anonymised data, but says it will “only ever re-identify the data if there was a lawful reason to do so and it would need to be compliant with data protection law”. In an example scenario of why medical records would be un-scrambled to reveal the identity of the patient, NHS Digital adds: “a patient may have agreed to take part in a research project or clinical trial and has already provided consent to their data being shared with the researchers for this purpose.”
NHS Digital publishes a list of who it shares its database of anonymised records with, which is updated each month. However, privacy campaigners say it can be extremely difficult to find out who sees the data due to the NHS’ “opaque” commercial relationships. For its part, the NHS says that patient data is never used for insurance or marketing purposes, promoting or selling products or services, market research, or advertising.
However, a recent investigation from the Financial Times revealed at least 40 companies – including management consultancies and pharmaceutical groups – had been granted access to years of detailed medical records from hospitals in England under current data sharing arrangements by the NHS. According to the Financial Times, insights gleaned from patients’ data were often shared or sold to other commercial entities and providers, which use the data to price the products sold back to the NHS.
Responding to the Which? survey, NHS Digital said: “We know we need to take people with us on this mission which is why we have committed to putting even tougher protections and safeguards in place and stepping up communications through a public information campaign before the new programme begins.
“Data is only shared where there is a clear benefit to healthcare planning and research. This benefits all of us, but it is only as good as the data it is based upon which is why it is absolutely vital that people make an informed decision about whether to share their data.”