The below document is by way of an open, honest explanation of the NHS Digital Data project and the many questions still unanswered by the Secretary of State for Health & Social Care.
It lays out for the general public why we are concerned about what happens to the data in the future.
We are still in difficult times with COVID restrictions, but I urge you to spread this document as far and wide as you possibly can with members of your own group and in community accesses like libraries, shops etc.
The Secretary of State has done nothing to ensure that every patient is aware of the project, the deadline for opting out, and the crucial answers to third party access, safety and security of your data. We are trying (with our coalition partners) to get to as many people as we can who are not digitally connected.
Thank you for your help and stay safe.
National Pensioners Convention
The #NHS Data Grab – we do the government’s job and explain it for you
What’s this NHS Data Grab I’ve heard about?
The government wants to collect the confidential health records of every GP patient in England and put them into one huge new data pool. It says “third parties” will be able to access this pool, including commercial companies, but won’t say who or how.
The scheme’s official name is GPDPR or ‘General Practice Data for Planning and Research.’
It will take 55 million people’s cradle-to-grave health records and put them in a central database – to be used by many different parties, for many different purposes.
This is new. Under today’s system, requests for GP data are made on a one-off basis. GPDPR is far bigger and broader. It puts 55m health records in a single place that updates in real time. In the government’s words, it will ‘collect [your data] once, [but] use [it] many times’.
A similar scheme, ‘care.data’, was tried in 2013, only to collapse over widespread concerns over privacy and corporate access. We don’t want to repeat the same mistakes today.
What’s wrong with that – surely the NHS using data better is a good thing?
It isn’t just the NHS who will access data. You can’t pool the cradle-to-grave health records of all 55 million people in England without telling people and giving them a meaningful say in how the new system works. It’s undemocratic and could damage trust in the NHS.
This huge change wasn’t explained to patients. Matt Hancock told Radio 4 that his aim was for patients to control their own data and “consent should be at the heart of it”. He also said he was “not against” writing to everyone in the country, or sending everyone a text message, like with the COVID vaccination programme, to inform them of the change.
But this is the opposite of what’s happened so far. Instead, the change was posted on one NHS Digital website. How does that reach the millions over-65s who aren’t online, for example?
The government needs to tell us why it wants to build this new data pool - and what it plans to do with the data. It should urgently explain who the “third parties” are who will have access to our data, and what standards they will need to meet.
Matt Hancock needs to explain what alternative models he has considered for managing NHS data research. For example, openSafely, the data platform developed by Ben Goldacre during the pandemic takes research queries to the data itself - instead of grabbing the entire GP record. This might solve some of the problems with maintaining public trust.
But NHS Digital says that “Data saves lives?”
No-one is opposed to using health data for research that saves lives. But the data can also be used for profit. The plan must benefit the NHS and, crucially, maintain the faith and trust of patients.
Of course, data can save lives. But it can also make people a lot of money – and those goals don’t always support one another.
The government should be honest about this. Research shows that, compared to the NHS, people are less comfortable with private companies using their confidential health records to make a profit.
Matt Hancock must set out in plain English on what terms companies could access this massive new pool of our GP data – and give people a choice.
Isn’t this data anonymous?
This data is not anonymous. It is pseudonymous. This is a really important distinction and is practically and legally different to anonymous.
Government spokespeople have repeatedly mixed these up. It is pretty easy to identify people from pseudonymised data - often with only a few bits of information about you.
The government says they may re-identify your data in certain circumstances - without fully explaining when they might do this.
As for companies, to identify someone from pseudonymised data is illegal in most cases. But the body who handle those offences, the Information Commissioner’s Office (ICO), is understaffed, underfunded, and unable to enforce against major breaches.
There must be safeguards in place already to protect this data?
The safeguards aren’t strong enough yet – there’s one expert body that doesn’t explain its decisions clearly, and the ICO hasn’t got the resources to police the law. And the government may be about to dilute the laws that protect your health data.
A body called IGARD considers requests for data access. The minutes of their meetings are online, as is a record of requests for data. But the records of their meetings aren’t easily understood by the average person – nor are the standards they judge private companies on.
Watchdog group medConfidential has published a list showing lots of third parties have broken the rules when they used medical data. And the ICO, as we said, just hasn’t got the resources to follow up every time the law is broken.
The government’s also considering weakening legal protections for your health data.
Is it biased to refer to GPDPR as a “data grab”?
What would you call taking the personal information of 55 million people – without asking for permission, presenting an informed choice, or, until our case, giving fair warning at all? It doesn’t seem an exaggeration to call that a data grab.
Millions of people still haven’t heard about this system. Originally, NHS Digital set a deadline to opt-out of June 23. We think the new deadline is August 25. If you haven’t opted-out by then your GP data will be gone forever and you can only prevent future data being shared. Does that seem like a reasonable and fair system to you?
Again – where is the public information campaign? Matt Hancock admitted that a “proper national debate” is needed but has done little to create one. We know the government can text the nation, can address the nation daily at teatime on BBC One. Why haven’t they?
It’s not too late. The government could repair damage by slowing down and making a much bigger effort to consult people. Our data is there for the asking, not the taking.
If giving private companies access to my data helps the NHS, what’s the problem?
The question we always need to be asking is: who benefits? The collected data of the NHS is the most valuable resource of its kind in the world – but only because it has been created and paid for over decades by taxpayers and ordinary British people.
Companies requesting access to health data tend to promise “innovation”. But there is evidence that using data in this way can make unfairness in healthcare worse, not better.
“Innovative” medicines are often priced too high for the NHS to buy them, so how does that benefit the NHS? What if instead, access to our data meant the NHS got the final product for free or a share of any financial gain? Or the product could be made open source, so everyone can benefit.
Most of all – we need to make sure that introducing a major profit motive in our health service doesn’t undermine the core value of the NHS: a universal service free at the point of delivery, with care of patients at its heart.
Download the document
The easiest way to opt out is to follow the steps on the Medconfidential website
You can download the opt out letter
How can you help?
What is the legal challenge?
On 3 June Just Treatment, Doctors’ Association UK, the Citizens, openDemocracy, the National Pensioners Convention and David Davis MP sent a legal letter (a letter before claim) to the Department of Health and Social Care and NHS Digital. The legal letter says that rushing such a major change through with no transparency or debate violates patient trust, and doing so without seeking patient consent is unlawful. The case asks for a halt to the GP data grab with an injunction, and to rethink and seek meaningful patient consent.
Why do we need to raise money?
Foxglove are launching a crowdfunder to cover the cost risks associated with the case. Their legal team work on ‘conditional fee agreements’. That means they only recover their costs from the other side if we win. But if we lose in court, we could have to pay the other side's costs. The claimants in this are asking the court for a “Cost Capping Order”. If the court grants that it means that there would be a limit on the amount the coalition can be forced to pay in the event it loses. To make this case possible we need to raise as much as possible.
You can donate on https://www.crowdjustice.com/case/stop-the-nhs-gp-data-grab/
What happens to funds raised if we don’t spend it on legal fees?
If for some reason we don’t need to spend all the donations on this case or if we don't end up in court you can request a refund. Should you choose not to request a refund the donations will be split evenly between the claimant organisations and Foxglove.
Foxglove have launched a petition to support this case:
Please sign and share.
Just Treatment, Doctors’ Association UK, all the Citizens, openDemocracy, and the National Pensioners Convention, as well as David Davis MP, are the co-claimants in this case. That means they are together taking the government to court.
They are supported by Foxglove. Foxglove is a non-profit that exists to make tech fair.
Our case is being taken by a fantastic team of lawyers, including Rosa Curling at Scott-Moncrieff & Associates and Director of Foxglove, Robert Palmer QC of Monckton Chambers and Julianne Kerr Morrison of Monckton Chambers.