The Government Wants to Sell Your GP Medical RecordsHere’s How to Opt-Out
Phil Booth sets out how people can protect their privacy following NHS Digital’s announcement that patients’ GP data will be shared
NHS patients’ GP records are the most detailed and sensitive medical records that exist, containing the history of events in an individual’s lifetime impacting their physical and mental health.
But, from 1 July as The Register has reported, NHS Digital, has announced that “data may be shared from the GP medical records about… any living patient registered at a GP practice in England when the collection started”.
NHS Digital – the health and social care system’s information and technology partner – will be able to take the following from GPs’ records: “Data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments, including information about physical, mental and sexual health.” This will also include data about “staff who have treated patients”, and data “on sex, ethnicity and sexual orientation”, as well as other sensitive data.
While its press release on the matter states that people can “opt-out at any time”, the privacy notice states: “NHS Digital will however still hold the patient data which was shared with us before you registered the Type 1 opt-out” – meaning that for anyone who has not opted-out by the time that their GP history is first extracted, the information taken will never be deleted.
It is likely that the majority of the population will not be aware of any of this. It will not know that the Government has commanded NHS Digital to instruct their GP to hand over a copy of their lifelong medical history to be sold – because the Government has taken the decision not to tell anyone.
When a similar GP data grab was attempted before, junk mail leaflets were sent to households. That programme failed. This time, patients could and should have been written to, as millions of people have been throughout the Coronavirus pandemic.
If a member of the public did happen to find out about this programme, including the opt-out, they would be be forgiven for believing that NHS Digital would not sell their health and care data – because that is exactly what it states on its website, including in this “mythbusting” fact-check about social media posts:
On its website, NHS Digital states that it “is publicly funded and we operate on a cost-recovery basis” and that it does not “charge for data” – only to cover the cost of processing and delivering its service.
Although it states that “there are lots of protections in place to make sure patient data is used securely and safely”, it is not doing the safest thing – which would be to not let its customers have copies of patients’ data at all.
Like the Office for National Statistics and Genomics England, NHS Digital does now have what is known as a ‘safe setting’ – a secure data processing facility with layers of rules, approvals, protections and monitoring. But the Government has not made it mandatory for patients’ GP data to only be accessed via this highly secure, heavily audited environment. And so, in all likelihood, NHS Digital’s customers will continue to buy copies.
NHS Digital does audit some (but not all) of its customers which receive copies of data. Several of these audits have revealed that, not only do organisations break the ‘protections’ in place, but that these do not stop them from getting data once they have been broken. Some of these protections are legal obligations, but audits have shown that one public body did not even conduct a legally-required data protection impact assessment.
This newly-acquired GP data will be disseminated in the same way as patients’ NHS data collected from other health and care settings already is. After the failure of a similar data grab in 2014, NHS England undertook that any subsequent collection of GP data would be in a safe setting only. However, that promised safeguard is now entirely missing.
The 2014 grab was stopped in the face of overwhelming protest at the flaws in the programme itself and how it was being communicated. Some may say that there is no point arguing with a Government that doesn’t listen and doesn’t seem to care – but if people do care, in this instance, they have choices.
To fully opt-out from having your NHS data used for purposes beyond your direct care is a two-step process:
1) If you have concerns and want to stop your and your family’s GP data being taken from your GP practice for purposes other than your direct care, you can do so by filling in and giving this ‘Type 1’ form to your GP practice. (This form allows you to include details for your children and dependants as well). This is the most urgent step; the deadline to get your form to your GP is 23 June 2021, according to NHS Digital.
2) If you want to stop your non-GP data, such as hospital or clinic treatments, being used/sold for purposes other than your direct care (for example, for “research and planning”) you should also do the following:
· If you are opting-out just for yourself, use NHS Digital’s online National Data Opt-out process – this process only works for individuals aged 13 and over.
· If you have children under 13, you need to fill in this form and email or post it to NHS Digital – this form works for both you and your children.
Make your choice, protect your records, and save your privacy.