Around 20 million adults in England are unaware of the government’s plan to share patient data and medical records with NHS Digital, a new report by consumer rights charity Which? has found. The study confirms the widely-criticised miscommunication of the General Practice Data for Planning and Research (GPDPR) scheme. While some in the medical research community view this miscommunication as a matter of poor execution, activists argue that it reflects a desire to extend data sharing with the private sector without public scrutiny.

GPDPR
The GPDPR scheme has been delayed twice following a backlash from doctors and patients. (Photo by Mundissima/Shutterstock)

In May, NHS Digital initiated a plan to collect pseudonymised medical records held by GP surgeries automatically, so that it can then be shared with medical researchers. GPDPR, which replaces an existing data-sharing regime, has been delayed twice since then after medical professionals, MPs and privacy groups complained about the lack of communication around the scheme, and some GP surgeries, including all of those in the London Borough of Tower Hamlets, withheld patient data when the collection was meant to start this month.

The Which? study confirms this lack of communication. 45% of the 1,681 adults in England surveyed by the consumer watchdog were unaware of the scheme. This proportion equates to 20 million people in the country, it says. Of those who were unaware, four out of ten (39%) would like to opt out of the scheme.

Even among those 55% of respondents who had heard of the scheme, 71% felt the NHS had not publicised it well. Half had heard of the scheme through the news or social media, not official NHS sources.

“The Covid-19 crisis has thrown into sharp relief the opportunity for health data to be used in ways that benefit patients and society in general,” said Rocio Concha, director of policy and advocacy at Which?, in a statement. “However it’s really important to engage the public effectively on how their data is going to be used and the governance of data sharing with third parties.

“NHS Digital and the government are right to delay implementation of the GPDPR scheme and must now go to greater lengths to engage the public, raise awareness of the scheme and increase people’s understanding of it through better communication and transparency.”

Is GPDPR the new care.data?

Last month, members of the medical research community told Tech Monitor that the backlash to the scheme reflected poor public engagement. The scheme itself is an extension of long-established practices, said Nicola Perrin, director of policy and public affairs at the Association of Medical Research Charities. “This isn’t new,” she said. “What is changing is trying to systematise it a bit more across the whole of the NHS, using GP data in the same way, having it all centralised so you can do better research.”

But others believe the lack of public engagement reveals that the government was hoping to implement the scheme unnoticed. “The government would love us to consider everything as some sort of incompetence, but the reality is that they chose to sneak out this proposal without any publicity whatsoever in the middle of a pandemic,” said NHS doctor and campaigner Dr Bob Gill. “And it’s only down to the dedication of activists who actually value the confidential and private nature of the data that is being offered up here, that the public have any awareness.”

The purpose of the scheme is to pave the way for patient data to be shared with the private sector, Gill argued. “What the government is proposing to do is allow all the confidential, sensitive, private information given by patients in confidence to their GP and making that available to private corporations for profit, and this is a gross betrayal of the doctor-patient relationship,” he said.

The fact that “patient data would be a commercial asset of great value to private corporations” was established by the Health and Social Care Act 2012, Gill said. The act allowed the Health and Social Care Information Centre to collect and share confidential information in medical records through the ‘care.data’ service for ‘secondary purposes’, such as service development and commissioning. The care.data scheme was beset by privacy scandals, including the reported sale of more than a decade’s worth of hospital records to an insurance provider, before it was shuttered in 2016. Similarly to GPDPR, care.data was implemented amid criticism of a lack of transparency and consultation.

Medical privacy advocates medConfidential argue that the Department of Health has been seeking ways to share more patient data with drug companies and other researchers for 25 years, under intense lobbying. “The system will keep trying to take dodgy shortcuts until every patient is told how their data is used, and what their choices are,” says coordinator Phil Booth.

This impetus endangers the trust between patients and their doctors, Booth adds. “The key here is patient trust in what they can safely tell their doctor.”

NHS Digital denies that GPDPR represents an extension of the current data-sharing system. “Data is already being collected from GPs and has previously been used to better understand and develop cures for all types of serious illnesses and plan the most effective services for the NHS,” it said in a statement following the Which? report. “During the pandemic, it has been used to support the vaccine roll out and develop lifesaving treatments for Covid-19.

“We know we need to take people with us on this mission, which is why we have committed to putting even tougher protections and safeguards in place, and stepping up communications through a public information campaign before the new programme begins.

“Data is only shared where there is a clear benefit to healthcare planning and research, this benefits all of us, but it is only as good as the data it is based upon, which is why it is absolutely vital that people make an informed decision about whether to share their data.”

Healthcare data sharing in the US

In the US, patient data is routinely sold and traded to third parties to companies for purposes unrelated to medical treatment. And although this data is anonymised, a report by US think tank the Century Foundation found that enough anonymised data gathered over time can give out enough clues to reidentify nearly anyone who has received medical care.

Adam Tanner, associate at Harvard University’s Institute for Quantitative Social Science at Harvard University and author of two data privacy books, questions whether GPDPR might send the UK down a similar route. “Historically, the sale of our intimate health data has not principally been about medical research, although it can be used for such purposes,” says Tanner. “Going back decades, a lot of this patient information, both in the US and elsewhere, is used for sales and marketing, not science.”