National data guardian calls for dialogue on NHS Digital GP plans

Nicola Byrne, the UK’s national data guardian for health and social care, has called for more dialogue over the NHS Digital GP Data for Planning and Research (GPDPR) programme as concern spreads among the general public over the safety and security of their confidential medical data.

The programme will see all data held by GPs on their patients in England scraped into a “pseudonymised” database at the end of June 2021. The data store is intended to be used for healthcare planning and research purposes, and it may be shared with third parties such as research institutes and pharmaceutical companies where there is a legal basis to do so.

However, NHS Digital has drawn brickbats over the programme, with privacy experts criticising it for failing to adequately publicise the project, clearly explain people’s rights to opt out, and for placing a burden of additional paperwork on GP surgeries during a global health crisis. GPDPR is now also the subject of a legal challenge which may force it to be delayed.

In a statement, Byrne said: “I am continuing to listen to and talk with patient groups and the public to inform my discussions with system leaders. My focus is on encouraging the organisations involved to work together to make it sufficiently clear to the public how data will be used and kept secure, both now and in the future.

“As the recently established 8th Caldicott Principle makes clear, it is important that there are no surprises for the public about how confidential information about them is used.”

Byrne said the reasons for the GPDPR scheme were fundamentally sound because it was “vital” that data is used to improve healthcare standards through planning and research. Information contained in GP records had an important part to play in this, she added, for example by giving NHS planners the insight they need to target services and treatments for vulnerable people.

“Public attitudes research demonstrates that patients and service users are supportive of health and care data being used if certain expectations are met, including that it delivers a public benefit, that it is made clear to them what will and will not be done with the data, and what choices people have about its use,” said Byrne.

“My focus is on encouraging the organisations involved to work together to make it sufficiently clear to the public how data will be used and kept secure, both now and in the future. It is important that there are no surprises for the public about how confidential information about them is used”

“People also want to know that robust cyber security arrangements are in place to keep confidential data about them safe. The Office of the National Data Guardian has been involved since 2018 in system-wide discussions about how the new GP data collection [system] can meet these expectations so that trust is maintained,” she added.

“The new system for collecting general practice data provides an opportunity to strengthen the safeguards that protect GP data and provide strong oversight of its use for planning and research of benefit to health and care.”

The role of national data guardian for health and social care was initially established in 2014 and held until the beginning of 2021 by Fiona Caldicott, who passed away just weeks before her planned retirement.

During her tenure, Caldicott had significant input into NHS cyber policy, overseeing among other things the publication in 2016 of a major review of information governance and data security that recommended the adoption of new standards based around people, processes and technology.

Her recommendations also led to the shuttering of NHS England’s Care.data data-sharing programme, which was tainted by similar failings around transparency as many now believe are dogging the GDDPR plans.

Byrne – who has a background in psychiatry and continues to practice as a consultant on a part-time basis – was appointed following an open public appointment process overseen by, among others, NHSX chief Matthew Gould.

UK information commissioner Elizabeth Denham welcomed the decision to delay the launch of the General Practice Data for Planning and Research data collection scheme.

“The appropriate use of health data is an important part of health and care research and planning in England, and better sharing of health data could offer substantial benefits,” she said.

“However, it is clear that there remains considerable confusion regarding the scope and nature of the GPDPR among both healthcare practitioners and the general public. This includes how data protection rights can be exercised in practice. It is sensible for NHS Digital to take more time to engage with its stakeholders, and consider the feedback it is receiving about its plans,” added Denham. 

“The success of any project will rely on people trusting and having confidence in how their personal data will be used. Data protection law enables organisations to share data safely – and when it comes to using health information, there are particular safeguards that must be put in place to protect people’s privacy and ensure effective transparency. This ensures people’s data isn’t used or shared in ways they wouldn’t expect. We look forward to continuing to engage with NHS Digital regarding this important project,” she said.