GPDPR – An Open Letter to GP Practices

This is an open letter to all GP Practices working in the NHS to highlight data concerns that have been planned by NHS Digital. Patients should be aware of the how their data is used and GP practice staff should be aware of how best to inform their patients.

Dear GP practices, 

We are writing to you as GP practices who are data controllers of the patient data that you hold for your patients.

You may (or may not) be aware that the current data extraction that takes place from your GP system (GPES) is going to be replaced with a new system called the General Practice Data for Planning and Research (GPDPR) under legal legislation (General Practice Data for Planning and Research (GPDPR) – NHS Digital). I’ve written a summary blog on it here if you want further information: GP Data Sharing – Dr

Essentially what this means is that to enable this you will need to, as data controllers, satisfy  yourselves that you (as data controllers) have informed your patients of this data extraction that will take almost all the coded data from your patients record and pseudonymise (not anonymise) the patient details to potentially link with other data sources for the purpose of research and planning.

We have previously asked local practices within NELCCG to link their practice websites to the central privacy policy on the East London Health and Care Partnership website (Sharing Information | North East London Health & Care Partnership ( that explains the current sharing that we do as a local system and all practices are encouraged to update this on their own websites. Given that we need to do some work informing our patients of existing sharing, as GP practices (and data controllers) you will also need to make the judgement as to whether your patients have a) been adequately informed of this new (GPDPR) legal direction, b) have access to the privacy policies and c) have had considered time to object to data sharing by lodging what is known as a type 1 objection. 

NHS Digital have not publicised this in the way that I would have expected and the GP practice have the obligation to switch on this transfer and EMIS have circulated details of how to do this on clinical systems (EMIS Web – GP Data for Planning and Research (

If you feel that you have not had enough time to inform your patients and that they have had a reasonable time to object, then this sharing agreement should not be enabled. The expectation is that this will be enabled by the 23rd June 2021 for extraction to commence from the 1st July 2021. 
This would technically place the GP practice as the data controller in breach of the Health and Social Care Act 2012 but there are no sanctions or penalties within the Act that arise from failure to enable. What may happen however, is that NHS Digital will contact the practice to enquire as to why it has not been enabled.

This has been discussed with, and supported by Londonwide LMCs Further information for patients, including methods of opting out for patients is available by clicking here.

If you would like to discuss further or have any other points to raise, we are happy to be contacted.

If your practice is not going to enable the transfer until you feel (as data controllers) that your patients have been adequately informed, please click here to submit your practices support for this inaction.

Yours faithfully,

Dr Osman Bhatti (GP / CCIO North East London CCG)
Dr Elliott Singer (GP / Londonwide LMC Medical Director)
Dr Jackie Applebee (GP / Chair Tower Hamlets LMC)

9 thoughts to “GPDPR – An Open Letter to GP Practices”

  1. Absolutely agree! The record of data loss by Government, both National and Local, is appalling and there is little anyone can do once it is out in the public domain.
    The privatisation of the NHS under Thatcher, Blair et al, is relentless unless we take a stand….NOW is the time.

  2. Totally agree. The incursion on personal security, freedom and rights, is relentless under this Tory cabal. NHS Digital is just another example of this as the big corporations have the government red- light to control and manipulate; hence the prolonged attacks on the BBC and an independent judiciary and the denudation of local council power.
    You have my full support.

  3. I would like to know the difference between ‘anonymise’ (which you say is not part of this) and ‘pseudonimise’ (which you say is). I presume the latter is replacing a real name and address with a dummy name and address. This is what it means in data science. Is that the case?

    1. IDENTIFIABLE patient records include information allowing a patient to be identified. Access to identifiable patient data currently requires patient consent, except in exceptional circumstances, where approval is instead requested from the Secretary of State for Health.

      PSEUDONYMISED or key-coded records have had all identifying data removed and can only be traced back to individuals using a ‘key’ which can be securely stored separately from the patient data.

      Patient data can be ANONYMISED to remove any identifying information. As it cannot be linked back to an individual, accessing anonymised data for ethically approved projects does not currently require patient consent.

Leave a Reply

Your email address will not be published.