Last reviewed 29 June 2021
In this feature, Deborah Bellamy explains the national data opt-out — suggesting ways practices may be able to ensure patients are informed and details the new General Practice Data for Planning and Research.
NHS Digital has been collecting data from GP practices for over 10 years via General Practice Extraction Service (GPES). During the Covid-19 pandemic, sharing patient’s information regarding management and efficacy of treatments has been crucial. This was done under specific emergency data sharing rules which came into force during the pandemic.
NHS Digital launched proposals in May 2021 for GPES to be replaced with General Practice Data for Planning and Research (GPDPR). A Data Provision Notice (DPN) was issued to practices on 12 May which the BMA and RCGP affirmed would be a legal requirement for practices to comply by registering participation on the GP medical record system and that GP system suppliers should provide further guidance.
The GPDPR service is said to have a broader remit to "support the planning and commissioning of health and care services, the development of health and care policy, public health monitoring and interventions (including Covid-19) and enable many different areas of research" and will upload data to the system in “near real time”.
However, there has been some apprehension from GPs and privacy campaigners regarding data security and concerns regarding organisations outside of the NHS with whom data may be shared. This includes pharmaceutical companies, other government departments and charities. GPs in East London have refused to release patient data, citing the lack of an effective information, fearing the automatic transfer of medical records will undermine the trust patients have in them. See Patients have until 23 June to opt out of data sharing system. The BMA and RCGP contended insufficient people had enough information regarding GPDPR, or that they were unaware they can opt out.
NHS Digital announced a delay to the launch of the GPDPR data collection scheme on 8 June 2021, now deferred from 1 July 2021 to 1 September 2021. This is to enable more time to communicate with those involved to consolidate the plan and address concerns raised.
Patients have the right to elect a type-1 opt-out to ensure personal data is not collected as part of GPDPR and were initially being asked to do so by 23 June to ensure their request was processed in time, but practices have now been made responsible for deciding when to do this according to the BMA.
The NHS confirmed patients “can still register type 1 opt-out at any time after this date and it will prevent any more data being shared with NHS Digital” and patients can also register a National Data Opt-out, “to prevent NHS Digital from sharing your identifiable patient data for planning and research purposes”.
Different types of data sharing
A type 1 opt-out prevents information being shared outside a GP practice for purposes other than direct care.
A type 2-opt out prevents information being shared outside NHS Digital for purposes beyond the individual's direct care.
From 25 May 2018, the type 2 opt-out was replaced by the national data opt-out. Type 2 opt-outs that were recorded on or before 11 October 2018 were automatically converted to national data opt-outs.
Both opt-outs, previously registered, will be fully respected when GPDPR is implemented. Patients should be assured their individual care will not be affected if they opt-out using either or both options.
Ways to opt-out of NHS data sharing
For patients who wish to register a type 1 opt-out with their GP practice, the form General Practice Data for Planning and Research: NHS Digital Transparency Notice - NHS Digital should be sent by post or via email to their GP practice. Patients can also email (email@example.com) or phone 0300 3035678 for a form and separate forms should be completed for each member of the household.
For any patients who have previously registered a type 1 opt-out and may wish to amend this, can also use the same form.
If this deadline is missed and data shared with NHS Digital, no further data will be shared but the patient data which was shared prior to registering the type 1 opt-out will be kept.
Purpose of GPDPR data collection
Whilst NHS Digital does not sell data, it does charge those who want to access its data for the costs of making the data available to them as they are not funded centrally.
The data NHS Digital collects is to:
inform and develop health and social care policy
plan and commission health and care services
take steps to protect public health, including managing and monitoring the coronavirus pandemic
in exceptional circumstances, provide individual care
enable healthcare and scientific research.
GP practice privacy notices
NHS Digital’s main GP practice privacy notice is available on their website: digital.nhs.uk and provides details about the personal information that they are sharing with NHS Digital for its GPDPR data collection.
The BMA recommends practices update their privacy notice. NHS Digital has produced a GP Practice Privacy Notice which practices may add as a link to their current privacy notice by publishing a statement and link on their website: "This practice is supporting vital health and care planning and research by sharing your data with NHS Digital. For more information about this see the GP Practice Privacy Notice for General Practice Data for Planning and Research." General Practice Data for Planning and Research: GP Practice Privacy Notice - NHS Digital
How practices can make patients aware
When practices collect, analyse, publish, and share patient data, they are bound by UK General Data Protection Regulation (GDPR), which includes explaining to patients what legal provisions apply under GDPR that enable processing of patient data. Therefore, practices need to communicate with patients regarding the implications of these changes.
BMA guidance confirms patients must be made aware of GPDPR and GPs assured communications have been effective. Practices may wish to proactively engage with patients to make them aware of their right to opt out. They recommend this should include:
discussion with the patient during a consultation
waiting room screens
posters in the practice (a downloadable poster is available from NHS Digital)
information on the practice website
use of local media
communication with patient participation groups.
Practices are currently reporting increases in contacts from patients and concerns are being escalated to them regarding data sharing and security.
Do practice clinical systems make a difference?
The BMA outlined how suppliers of shared records stream/store data in various ways. An example is that EMIS Web and System One, hold patient records in a data centre and as patients are unable to opt of having their information stored in such centres.
All system suppliers should aspire to meet high confidentiality standards practices are advised to check specific data storage issues with systems providers.
Data will only be provided to NHS Digital via GP system suppliers after practices have confirmed with their system supplier, they have complied with the DPN. Additional guidance on shared electronic patient records, can be found via Practice Guidelines for GP Electronic Patient Records version 4 (2011) at: www.gov.uk.
What should put be in place for audit purposes?
Systems must be designed to include audit trails, according to the BMA, to enable patients to view details of who has accessed and edited their records and when. If their record is accessed without consent, there must be a mechanism to notify a trusted third party such as a privacy officer.
Practices should ensure audit logs are reviewed to flag up inappropriate access, so it may be identified and actioned.
Now that the delay has been agreed until 1 September 2021, this will enable practices a little more time to ensure their patients are better informed, and have the time and opportunity to opt out if they wish.
In 2016, the Care.data scheme was abandoned after comparable issues were raised and practices are advised to keep abreast of emerging guidance from NHS Digital.