GP Patient Records & Privacy: Not Between These Four Walls

GP Patient Records & Privacy: Not Between These Four Walls

“Treasure trove’ and ‘gold mine’ are descriptions which jar when describing the sensitive health care data recorded by GPs in countless daily consultations up and down the country in the expectation of doctor-patient confidentiality. Yet, this is how some people perceive the patient records of 55 million citizens which the UK Government plans to make available to a variety of users in pseudonymised form in a scheme unveiled without fanfare in May 2021, formally known as the General Practice Data for Planning and Research. Supported by David Davis MP, an assortment of medical bodies, charities and privacy campaign groups have forced a Government rethink – at least for now.

In truth, anonymised datasets such as this have for years been available for research purposes and the potential healthcare benefits are manifold, including the treatment of cancers and the development of the world’s first steroid treatment for Coronavirus sufferers. If access to the dataset was limited to philanthropic purposes, opposition to the scheme might have melted away. However, access to patient data is not always so altruistic. A recent survey found that sensitive patient data was increasingly shared with commercial organisations including management consultants, accountancy firms and marketing companies, with insights gained from health datasets sold on to other organisations who can then use it to price and lobby for regulatory approval of their drugs.

Lurking Doubts

With one estimate valuing the almost unique NHS dataset at £10 billion and the pandemic playing havoc with UK public finances, it might be tempting to put a ‘for sale’ sign over GP patient records. Ministers and NHS Digital, the healthcare sector’s technology partner, insist this was not their intention. Yet, with a Government-commissioned task force recently urging GDPR reform to unlock the financial value of personal data, the Information Commissioner’s (‘ICO’) job specification rewritten to include commercial and business acumen, and the NHS’s data arm giving less than convincing assurances that patient information will not be used “solely” for commercial purposes, lurking doubts remain about the motives underlying what some people see as an unprecedented “data grab”.

Lacking Transparency

Fuelling suspicions, the scheme initially gave patients just six weeks’ notice to opt out despite it being in the making for three years. Announced via an obscure online blog and a fistful of leaflets left in GP waiting rooms at the height of the Covid-19 pandemic, the information campaign accompanying the scheme would have compared unfavourably to the advertising of a local mini-cab service. Small wonder, then, that a recent survey by Which? found that 45% of UK adults were still entirely unaware of it, despite the fierce battle waged between the Government and the scheme’s opponents. Many in the medical profession feared the grave impact that the scheme would have had on doctor-patient trust if the Government had pressed ahead regardless.

Battle Won?

In June 2021, the threat of legal action on data protection grounds forced the Government to rethink its implementation plans, with the roll-out initially pushed back to September 2021 and now postponed indefinitely. In the meantime, Ministers announced a series of fresh criteria for the scheme, including an enhanced patient opt-out method, a Trusted Research Environment enabling researchers to use the data securely and transparently, and a campaign to raise public awareness and improve engagement with the scheme. To many, the ICO’s reticence about the legality of the scheme was surprising, though when the scheme’s roll-out was delayed, she welcomed the pause as sensible. The reality, though, is that the UK’s data protection legislation, of which the ICO is guardian, permits the processing of sensitive personal data where necessary for public health interest reasons.

For now the Government has backed down. But the undoubted medical benefits of access to such datasets, combined with their lure for commercially-driven entities make it inevitable that the battle will be re-commenced before too long. When that happens, the challenge will be to reach a consensus about using GP data sets securely, anonymously and transparently so that advances in healthcare research can be achieved without jeopardising patient privacy and public trust in the wider medical profession.

Julian Hayes advises companies and individuals in the rapidly developing field of data protection, especially in the context of data breaches and law enforcement investigations, where necessary litigating to ensure that the actions of state authorities are properly constrained. A partner at BCL for four years, he has vast experience of all types of criminal inquiries, including the unlawful obtaining of data and computer misuse offences. He is well-known and highly regarded commentator on cybersecurity and privacy issues. He advises telecommunications operators on their obligations under UK investigatory powers legislation and provides practical guidance on how to handle demands placed upon them, including in establishing systems that work to ensure legal compliance and protection for the operator. He has advised in relation to US-UK Bilateral Data Sharing Agreement and forthcoming UK online harms legislation.

Related articles