Campaigners plan legal action over NHS data sharing

Privacy coalition aims to force NHS Digital to push back its plans to scrape medical information on millions of patients into a central database

A coalition comprising medical organisations, privacy campaigns and a Conservative MP, supported by tech justice specialists Foxglove, is preparing to embark on legal action against the government to force NHS Digital to pause its plans to collate GP data held on 55 million people in England into a single database.

As previously reported, the General Practice Data for Planning and Research (GPDPR) will see people’s medical histories shared into a massive data lake that will ostensibly be used by third parties for research, development and planning. People can opt out, but the process for doing so has not been publicised, involves physical paperwork, and places a burden of administrative work on hard-pressed GP practices.

The group, made up of Just Treatment, Doctors’ Association UK, the Citizens, openDemocracy, the National Pensioners Convention and MP David Davis, have now written jointly to the Department of Health and Social Care and NHS Digital.

In the letter, the coalition says that rushing the change through without transparency and debate is in violation of patient trust, and that doing so without seeking consent is unlawful. The crowd-funded case seeks an injunction to halt the data scrape, and calls for a rethink and for meaningful consent to be sought from patients.

Writing on its website, openDemocracy’s Caroline Molloy said the government and NHS Digital were racing to roll the scheme out under cover of the Covid-19 pandemic, meaning there was little time for the plans to be assessed, understood, or challenged. She accused the government of “hiding behind secrecy and ambiguity” and running down the clock.

Public service union Unison also criticised the plans and joined calls for the plan to be put back. In an article on its website, policy officer Allison Roche said: “Unison is campaigning for guarantees that our health data will be used in an ethical manner, assigned its true value and used for the benefit of UK healthcare.

“So far, the government has failed to deliver public transparency and trust, and little if any consultation on what they are doing with data and artificial intelligence in the health sector,” said Roche. “We must hold them to account, now and in the future. The government should take steps to protect and harness the value of our health data to ensure that the public can be satisfied that its value will be safeguarded and, where appropriate, ring-fenced and reinvested in the UK’s health and care system.”

Keystone Law tech and data partner Vanessa Barnett said that while she did not believe the proposal to collate patient data into the GPDPR database was illegal, by not communicating the plan effectively the scheme does breach some aspects of data protection law. Similar cases, such as the Google DeepMind/Royal Free Hospital project, have drawn the attention of the Information Commissioner’s Office.

“The failure to put in the work that is required for data subjects to understand what is happening, and being given a real and proper opportunity to exercise their rights, may be a breach of the more ‘administrative’ aspects of data protection law. How many people will have been down the rabbit hole to actually find the transparency notice about this? Hardly anyone,” she said.

“Most people would not expect their GP records to be shared in this way, have no awareness of it, and will not opt out because they had no awareness. It’s noteworthy to see that the data will be pseudonymised rather than anonymised – so it is possible to reverse engineer the identity of the patients in some circumstances.

“If the data lake being created is genuinely for research, analysing healthcare inequalities and research for serious illness, what is the reason this cannot be done on a true anonymised basis?”
