From 1st September 2021, the NHS began preparing to upload the data of 55 million patients from GP medical records onto its brand-new system, the General Practice Data for Planning and Research, or GPDPR, which is then shared with third parties for research and development.
Of concern is the fact that the electronic database will hold incredibly sensitive data, such as mental health, sexual health and criminal records. While this is anonymised with unique identification codes, the NHS can access the original data showing patients’ names – where there is a valid legal reason to do so – which has raised concerns around privacy.
According to the NHS, the new system will help to reduce the burden on GP practices, allowing doctors and other staff to focus on patient care, with the data being used to support a wide variety of research and analysis that will help to run and improve services. The NHS made it clear that anyone had the right to opt out if they wished to do so, with an initial cut-off date of 1st September 2021.
However, in a letter dated 19th July this year, the Parliamentary Under-Secretary of State for Health and Social Care, Jo Churchill, set out a new process for the commencement of data collection, which moved away from the previously fixed date of 1st September and introduced three changes to the opt-out system, meaning patients can change their status at any time.
Is GPDPR compliant with data protection legislation?
From a data protection standpoint, it’s necessary to question whether GPDPR conforms with UK General Data Protection Regulation (UK GDPR) legislation and the Data Protection Act 2018. One concern is that a majority of patients won’t have given their explicit consent to the sharing of data, with many potentially being completely unaware of the plans.
While this is a valid point, it is important to understand that consent is not always required. Consent is only one lawful basis for processing data and there are an additional five that allows an organisation to lawfully process data without consent. As a public body, the NHS will be able to process the data without people’s consent if the processing is regarded as being in the public’s interest.
Another concern is that, while patients will be identified with unique codes, the NHS will be able to access the original data that shows the patients’ names. The use of codes rather than names is known as pseudonymisation. This is a commonly used technique in the processing of data, which means that individuals can’t be identified from the data itself and only by referring to other information held separately.
Therefore, the NHS will need to take care that the additional information that can identify the individual is kept separately, with relevant controls in place, to ensure it’s not possible to re-identify the patient, except for in very specific circumstances as permitted by UK GDPR.
How can Nelsons help?
Ruby Ashby is an Associate in our expert Dispute Resolution team.
Should you wish to discuss any issues surrounding the above or anything else data protection related, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester or Nottingham on 0800 024 1976 or via our online enquiry form.