Getty Images/iStockphoto

NHS Digital tightens rules for GPDPR data scrape

The proposed collection of patient data held by GPs will now only commence when three key criteria have been fulfilled, says NHS Digital

NHS Digital has abandoned plans to commence collecting patient data from GPs in England on 1 September and put in place three key tests that must be met before the process can start, saying that tougher safeguards are needed to protect patient data.

Jo Churchill, minister for primary care and health promotion, set out the revised plans in a letter to GPs on Monday 19 July. In the letter, she said the latest changes to the General Practice Data for Planning and Research (GPDPR) service would give patients more choice and an opportunity to opt in and out of data sharing.

The data scrape had already been postponed by three months following a public outcry. Privacy campaigners and security experts had contended that the plans as they stood posed an unacceptable risk to the safety of patients’ data, and accused NHS Digital of failing to either adequately inform people of its plans or make it clear how to opt out.

The three tests are as follows:

  • That patients have the ability to opt out or in to sharing their GP data with NHS Digital, and that data can be properly deleted even if it has already been uploaded.
  • That a trusted research environment (TRE) is available where approved researchers can work securely on de-identified data within a secure environment, offering more protections and privacy while still enabling collaboration between researchers.
  • That a campaign of engagement and communication has successfully increased public awareness of the programme, explaining how data is used and their choices and rights.

NHS Digital reiterated that the objective of the data sharing plan was to save more lives and enhance services delivered by the NHS. For example, successful targeting of the Covid-19 vaccination programme to those most vulnerable and at risk of complications or death from Covid owes much to the use of GP data. Support for other health issues such as blindness, diabetes and learning disabilities has also been improved through access to patient data. It also helps inform planning and research across the health service, and allows local trusts to plan staffing and care levels.

“Patient data is vital to healthcare planning and research. It is being used to develop treatments for cancer, diabetes, long Covid and heart disease, and to plan how NHS services recover from Covid-19,” said Simon Bolton, interim CEO of NHS Digital.

“This research and planning is only as good as the data it is based upon. We know we need to take people with us on this mission and this decision demonstrates our absolute commitment to do just that.

“We will continue to work with patients, clinicians, researchers and charities to further improve the programme with patient choice, privacy, security and transparency at its heart,” he added.

NHS Digital continues to insist that protecting the privacy and security of patient data has always been at the core of the programme, and said it had listened to feedback on its previous proposals and was committed to working across the sector on key elements to make the programme even more secure and reduce the bureaucratic burden on GPs, many of whom anecdotally reported their admin staff were distracted and overwhelmed with paper opt-out requests when news of the plans first spread.

The letter also claimed that patient data was not now and never would be for sale, and that it would only be used “to deliver clear benefits to health and care, by organisations that have a legal basis and legitimate need to use the data”.

Work will now continue on developing the proposed TRE in line with best practice, including projects such as OpenSAFELY and the Office for National Statistics’ Secure Research Service, as well as establishing confidence and trust among patients and adapting the opt-out process.

Timeline of developments in GPDPR


Read more on Privacy and data protection

Data Center
Data Management