As data controllers and doctors with a duty of confidence to their patients, GPs are obliged to ensure that patients are properly informed of significant new data processing and that their permission has been sought prior to us sharing their data – and that this data is and will be handled responsibly, securely, and transparently.
Due to insufficient action and clarity on the part of the Department of Health and Social Care (DHSC), the former Health Secretary’s tech vision unit, ‘NHSx’, and NHS Digital (NHSD) on these issues, we are currently unable to determine that the GP Data for Planning and Research (GPDPR) programme will meet these fundamental requirements.
Therefore, we welcome NHS Digital’s withdrawal of the Data Provision Notice (DPN) on GPDPR and call on the Government to address the following prerequisites before any future DPN is issued. GPs can only complete the Data Protection Impact Assessment (DPIA) – that we are legally required to perform before enabling the GPDPR sharing agreement to begin sharing our patients’ identifiable personal data – once we are satisfied that these minimum requirements have been met:
- NHSD to publish its own DPIA, and any significant subsequent updates to its DPIA or the GPDPR programme to be discussed and agreed with the data controllers;
- DHSC to pay for every GP patient to be written to, informing them about what is going to be done with their data, and what their choices are. This communication should be accessible, include any form(s) needed to express their choices, and allow patients and GP practices the time to do so;
- Patients’ opt-out rights (and appropriate mechanisms to deliver them) to be put onto a statutory footing, i.e. agreed through Parliament in the Health and Care Bill;
- Patients’ right to erasure to be upheld; once a patient has dissented to the use of their data for purposes beyond their direct care, no further data about them should be collected from GP practice systems until they explicitly indicate their consent, and all data held by NHSD that has previously been uploaded via GPDPR to be permanently deleted;
- Access to GP patient data, and to any data linked to it, to be exclusively via a Trusted Research Environment (TRE). Details regarding the form of this TRE, and demonstration that it is functioning, to be made public before any GP patient data is collected;
- The Professional Advisory Group (PAG) to the Independent Group Advising Release of Data (IGARD) to include nominated representatives from RCGP, BMA and patient groups. Access to GP patient data should require the unanimous agreement of PAG, and be recorded in meeting minutes. All names, affiliations and interests, including any conflicts, of PAG and IGARD members to be made public;
- DHSC to provide full transparency to patients over all of the ways in which their data is used, through the timely publication of details – whether that is their GP data in a TRE, or other disseminations and uses under other lawful powers.
Dr Jackie Applebee, Chair Tower Hamlets Local Medical Committee (LMC)
Dr Osman Bhatti, Chief Clinical Information Officer (CCIO) North East London (NEL) Clinical Commissioning Group (CCG)
Dr Mark Sterry, Secretary Solihull LMC
Dr Paul Evans, Chair Gateshead and South Tyneside LMC
Dr Zuhaib Keekeebhai, CCIO North Central London (NCL) CCG