NHS Digital announces new primary care data collection service

  • 12 May 2021
NHS Digital announces new primary care data collection service

NHS Digital has announced it is setting up a new primary care data collection service with the aim of giving planners and researchers faster access to pseudonymised patient information.

For the last ten years NHS Digital has been collecting data from GPs via the General Practice Extraction Service but it is now to be replaced with their new General Practice Data for Planning and Research (GPDPR) service.

On May 12, the organisation issued a Data Provision Notice to GPs to enable the new  data collection process to begin from 1 July, 2021.

NHS Digital confirmed it has been legally directed by the secretary of state for health and social care to establish a new strategic system to collect and provide access to near-real-time data from GP practices for planning and research purposes.

The move, according an NHS Digital statement, was prompted by the Covid-19 which led to a significant increase in the need for GP data to support clinicians, researchers, academics and commissioners.

Any data which directly identifies an individual will be pseudonymised and then encrypted before it leaves a GP practice.

Data will only be shared with organisations who have a legal basis and meet strict criteria to use the information for local, regional and national planning, policy development, commissioning, public health and research purposes.

Sarah Wilkinson, NHS Digital chief executive, said: “The power and utility of health data was clearly demonstrated during the pandemic, where it supported NHS organisations and researchers to roll-out vaccines, identify those most at risk from Covid-19 and investigate disease pathology, amongst other things.

“General practice data is particularly rich and valuable because many illnesses are treated predominantly in primary care. We want to ensure that this data is made available for use in planning NHS services and in clinical research, but it is critical that we do this in such a way that patient confidentiality and trust is prioritised and never compromised.

“We have therefore designed technical systems and processes which incorporate pseudonymisation at source, encryption in transit and in situ, and rigorous controls around access to data to ensure appropriate use. We also seek to be as transparent as possible in how we manage this data so that the quality of our services are constantly subject to external scrutiny.”

NHS Digital said it has consulted with patient and privacy groups, clinicians, and technology experts, as well as with the British Medical Association (BMA), Royal College of GPs (RCGP) and the National Data Guardian (NDG).

However, if a patient does not want identifiable data to be shared outside their GP practice, except for their own care, they can choose to opt-out by requesting that their GP practice record is not shared, known as a Type 1 opt out, or by registering their opt-out through the National Data Opt Out service on nhs.uk.

Arjun Dhillon, Caldicott Guardian and clinical director at NHS Digital, said: “This dataset has been designed with the interests of patients at its heart.

“By reducing the burden of data collection from general practice together with simpler data flows, increased security and greater transparency, I am confident as NHS Digital’s Caldicott Guardian, that the new system will protect the confidentiality of patients’ information and make sure that it’s used properly for the benefit of the heath and care of all.”

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

Digital Health Coffee Time Briefing ☕

Digital Health Coffee Time Briefing ☕

Our latest Coffee Time Briefing includes updates on the Synnovis strike action and insights from the National Data Guardian 2023-2024 report.
NHS England to adopt new cyber security framework

NHS England to adopt new cyber security framework

The National Data Guardian and NHS England have announced a new cyber resilience framework for health and social care organisations.
Privacy concerns raised over trust’s AI data-sharing deal

Privacy concerns raised over trust’s AI data-sharing deal

A privacy campaign group has raised concerns over a data sharing agreement between the Royal National Orthopaedic Hospital and an AI startup.

17 Comments

  • GDPR requires consent to be via opt-in and not assumed consent with an opt-out. Does the government get an exception to this?

    • We left the EU. GDPR was an EU initiative. Slow erosion of rights in this way was predicted by many

      • True enough, though I would query “slow”. I should be said, however that violation of patients’ information rights by the NHS goes back, certainly as far as 2013 and, almost certainly much further. The ICO has certainly been colluding in this since 2013, as has the National data Guardian, since the birth of the office.

        I recall attending a seminar, sponsored by the PHG Foundation, at which the speaker and discussion leader was Dr David Erdos, an academic at Oxford University and then Cambridge. The topic was enforcement of data protection law across the EU – a subject on which Dr Erdos has done extensive research over a good many years. He singled out the UK as a jurisdiction in which data protection law is effectively not enforced at all. On the basis of personal experience I would certainly endorse that judgement, particularly with reference to the NHS and the entire data brokering industry. I have a wheelbarrow load of evidence, but, unsurprisingly, nobody wants to know – definitely not the Parliamentary and Health Service Ombudsman.

        Corruption in high places has been with us for a long time, but I agree that leaving the EU has had the effect of taking the brakes off entirely.

        I am uncomfortable with connections to Google and Twitter appearing on this page. They slurp data without consent even if you do not touCh their icons to connect. I should prefer not to come within a mile of them

        • We did, but has UK data legislation been changed since? Because if not then GDPR is still the legal standard in the UK.

          • As you probably know, the GDPR was written into English Law in the form of the Data Protection Act 2018. I am not an expert on the 2018 Act and don’t know how much the GDPR was changed in this process, but I am not aware of further data protection legislation since then. So, yes, we are still under the GDPR, in theory. But the law means very little if it is not enforced, and everyone knows they can ignore it or fudge it with impunity, or if the Government gives themselves powers to override data protection law, whenever it suits them.

  • and people wonder why i use a private gp at 160gbp per shot, and then deny them the right to share data with my NHS GP.

    Privacy costs it seems.

    • Soon there will be no privacy for any money. At this moment your private GP records might be safe, but the NHS is currently appropriating patient records from private hospitals “to fill in the gaps in NHS records”. The pretext is the need to assure the quality of private healthcare. The plan is to “roll this out” (don’t they just love the steamroller metaphor”?) to all regulated private healthcare providers, GPs, dentists, physiotherapists etc. This idea was set in motion by Jeremy Hunt, however many years ago. See this source:
      https://healthbusinessuk.net/news/07012021/nhs-test-routine-collection-private-hospital-data

      There have also been covert discussions between the NHS and major data brokers, such as social media giants. The NHS plans not only to appropriate everyone’s cradle-to-grave health and care records and store them centrally, where these records can be made available to government, researchers (including the bio-technology industry) and anyone else who wants big data, but they are also planning to “enrich” these records with “citizen data” generated outside the health service, and covering every aspect of our lives. In comparison the Stasi were small time amateurs.

      I therefore suggest you make different plans for the near future, along with those of us who cannot afford private healthcare.

  • On my corona vaccination passport it gives an “expiration date” of
    20. June 21. What does that mean ?

  • @The Let Down Optimist, I can access the info stored by my GP’s practice about me (including some personal asides by the pharmacist) on Patient Access, any time I like, for absolutely nothing. Yes, surgeries can charge for a physical copy, and no, they don’t often do so; but they don’t really need to.

  • I do not welcome NHS Digital’s “attempt to appear transparent”. The essential business of NHS Digital is deception. Duplicity and obfuscation characterize everything they say and do. Nothing is what it seems, and usually there is layer upon layer of deceit, as there certainly is here. Unpack the suggestion that patients can opt out of secondary use of their personal data and you will find that this is Humpty Dumpty speak. (1) NHS Digital has its own private meaning for “personal data”, according to which pseudonymized data is not personal data (the GDPR says otherwise, but the ICO colludes in this deception rather than having to challenge the Government). Therefore, by extracting pseudonymized (but easily re-identifiable) data NHSD negate the supposed opt out. (2) There are “legally mandated exceptions” to the opt-out, which, you will find, cover any data extraction the Government/NHS Digital might want to carry out. Again the opt-out is rendered meaningless. (3) Just for good measure, NHS Digital have been clearly shown to ignore opt-outs whenever it suits them. MedConfidential have the evidence of this extracted from the obfuscatory spread sheets. So, for “you may opt out of secondary use of your personal data” the patient should actually understand, “You may opt out of nothing that NHS Digital chooses to do or is directed to do”. This is not my idea of transparency.

    The attempt to conflate controlling a dangerous virus (Sars-Cov-2) with so called preventative medicine or population health management, in order to reintroduce the Care.data programme by stealth, is equally dishonest and duplicitous. The reasoning is simply invalid. While it can reasonably be assumed that more or less everyone wants the pandemic to be brought under control, and will accept data collection for this purpose as justified, it can by no means be assumed that everyone wants their confidential health data analysed with the purpose of a lot of half baked, irrelevant and unsolicited health interventions, which are also unlawful, if the patient has opted out of secondary use of their health data. This use of health data has nothing to do with the patient’s direct care and is in no way comparable to collection of data in order to inform strategies for controlling Sars-Cov-2.

    NHS Digital should be renamed NHS Duplicity. That is their main function.

  • It seems the government/ NHS Digital have chosen COVID as an opportune moment to re-launch Care.Data but this time with more groundwork put into preparing the ‘resources’ to convince patients that it is all fine and there’s nothing to be worried about (e.g. the friendly video). If I were in their shoes I would probably have done the same, as it is certainly harder to argue against when presented as an essential tool to fight a pandemic. But the aspirations for this (as set out in the Care.Data PR disaster) clearly predate the pandemic. It seems a little disingenuous to write “The move, according an NHS Digital statement, was PROMPTED by the Covid-19…”

    I welcome the attempt to appear transparent but the spreadsheet that is made available to identify just what data has been shared and with whom smacks more than a little of drowning one in an excess of information, so that it becomes genuinely difficult to hold NHSX accountable for what they share when there’s so much detail to wade through.

  • And they are still lying about pseudonymization being “sufficient anonymization”.

    The ONLY protection from these predators is to avoid generating GP data.

  • care.data was never dead
    it was just “resting”

  • Uh-oh. Anyone else got deja vu?

    • Yep! Deja vu for sure!
      So the NHS can sell/give away my data but I have to pay my up to GP £50 for a physical copy of my record (general DPA ‘18 reg) and my GP sets the level of digital medical record access I can have access to. But everyone else can have it all easily and for free!! Oh the irony!

      Then again, most of my data is probs already on a Palantir server anyway thanks to the NHS this last yr. No harm in everyone else being able to see it too now I suppose?!

      Given the recent vaccine booking system incident, my faith in their ability to effectively anonymise is pretty low.

      Bring on blockchain or W3 Pods or anything else where I can actually own; carry and be responsible for my own data!

      • GP practices aren’t allowed to charge you for a print out of your data, and haven’t been able to for quite some years. Also, they are contractually obliged to give you full online access to your medical record when requested unless there’s a damn good patient safety reason not to (mental health etc.) 🙂

        • Hey Dan 🙂

          GPs (and anyone else providing data to data subjects) are legally allowed to charge for a print out to cover the costs of the resources it consumes and the time it takes to undertake the request. This can be up to £50. However I accept that this very seldom occurs in all industries and that GPs and their receptionist colleagues do freely provide copies on request which is great! The point is that they legally can charge, but thankfully they very very (x10) rarely do!

          With reference to access, the point is that I do not have access to my own data in full. except on request! It is freely given to me by my bank when registering; without hiding elements or setting SCR view only. Full DCR should be the default with access then decreased on a case by case basis as per your reference to mental health issues etc, absolutely!

          I provide ID when I register at a practice and in return I’m provided with my linkage key/passphrase for online access. However this has limited access by default! To get full DCR I need to reapply; show ID again and also sign another piece of paper stating I accept that I may get access to things I don’t understand.

          When I get access to my banking info I can freely get myself into a whole world of financial pain! We don’t give this level of control to any other third party organisation in any other industry that controls particularly precious PII – hence the request financial references.

          This article shows that full anonymised DCR data en masse will be more readily available for research etc than a person has access to their own full DCR! Just seems counter intuitive to me…

Comments are closed.