NHS patient data privacy and the COVID-19 pandemic

Share this post..

Campaigners are concerned that the COVID-19 pandemic is being used as a guise to push through opportunities for private companies to share NHS GP patient data without consent.

On the 12 May 2021, NHS Digital issued a Data Provision Notice to all NHS GPs to enable "new and improved data collection process to begin from 1st July." It was initially unclear what this meant, but NHS Digital explained it planned to:

"establish a new strategic system to collect and provide access to near-real-time data from GP Practices for planning and research purposes.

"The new General Practice Data for Planning and Research (GPDPR) service, a broader general-purpose collection will enable faster access to pseudonymised patient data for planners and researchers."

What's the problem?

It is fair enough to wonder, exactly what the problem is? While some may have ideological opposition to electronic records for patients and the existence of 'Big Data', analysis of NHS patient data could indeed be used by planners and researchers in a way that will ultimately benefit people, and in fact it already is. The NHS Genomic Medicine Service is an example of this, and is an existing and ongoing project with little controversy around it. However, all data used in this project was given in full knowledge of its intended use by the patients, and families of patients involved. There is a big question mark over how freely patients are consenting to this new data collection process that will start on 1 July 2021.

In a witness statement for Keep Our NHS Public's People's Covid Inquiry for its seventh session, Rosa Curling co-founder of Foxglove, a digital campaign to ensure the correct use of digital data said: "There is an opt-out, which is welcome. But that is only effective if people are in fact aware this mass transfer of their health data from their GP practices to NHS Digital is in fact about to happen.

"Can it be correct that your patient identifiable data can be shared by your GP with NHS Digital without your consent; simply on the basis of a lack of opt-out? We are not sure how that accords with the requirement for 'explicit consent' under data protection laws."

Fighting for transparency

It is not the first time that there has been a lack of awareness among NHS patients over NHS data changes that could compromise compliance with data protection laws.

Rosa Curling, director of Foxglove and a lawyer told the People's Covid Inquiry about how the Government had tried to change the use of NHS patient data throughout the pandemic.

The COVID-19 Datastore was announced in an NHS blog on 28 March 2020. This blog said that several US tech giants Amazon, Microsoft, and Google, plus Faculty and Palantir, were being brought in help create this COVID-19  Datastore, a datastore which it said was going to be a 'single source of truth' about the pandemic.

While this is not the first time the NHS has teamed up with these companies to develop tools for NHS data analysis (see Google DeepMind) it is the first time, health and social care data from various sources was going to be collated on a national level and held in a single place. It is worth noting that NHS patient data is a set of electronic records unlike anything else globally, and is estimated to be worth around as much as £5bn per year if exploited commercially. It is also estimated to offer around £4.6bn a year in benefits to patients through savings to the economy and enhanced patient outcomes if used to assist in the development of personalised medicine and artificial intelligence so has an estimated £9.6bn value (find out more on our Trade Deals and Data Privacy page).  

On learning about the planned COVID-19 Datastore, Foxglove had concerns that the Government had released no details about the deals reached with the private corporations or the types of data that was going to be stored in the Datastore.

They, along with openDemocracy set about issuing Freedom of Information Act requests for copies of the contracts and of impact assessments that had been done surrounding the sharing of NHS patient data with these companies.

Three months later, after concerted efforts, and days before openDemocracy had made clear it would start legal proceedings the contracts were made available, albeit with some information redacted.

These contracts showed that the Vote Leave-linked company Faculty, which has ties to Dominic Cummings, had initially been granted intellectual property rights and allowed to refine its software and profit from its emergency access to NHS data. These had been reversed after Foxglove and openDemocracy had requested further transparency over the contracts.

The struggle for clarity over exactly what the COVID-19 Datastore was actually going to be continued over the following months, with Foxglove discovering that while NHS England claimed the contracts were temporary, they had in fact signed multiple contracts with software company Palantir, worth up to £23 million, to run the datastore for a further two years. This contract, went beyond the pandemic despite initial assurances this data sharing partnership had been set up purely to help tackle COVID-19.

The Government continued to claim it was not required to carry out a data protection impact assessment for this contract until eventually in March 2021, in response to openDemocracy’s court application, NHS England in essence conceded the claim. It agreed that no non-covid data processing would take place until a data protection assessment and the public consultation process that involves, had been undertaken including via patient juries.

Risks of getting it wrong

While the analysis of electronic NHS patient record could help with scientists' understanding of many health conditions and diseases, including COVID-19, it is essential that it is clear what the terms of it being shared are. Also, that patients have the option to opt-in or out of any data sharing or analysis for research purposes.

Ms Curling told the People's Covid Inquiry:

"These aren't legal formalities. They are actually processes that really matter because the public has a right to be consulted about how their medical data is used and with whom it is shared. The stakes with health data are so high: the rewards with proper data use in the public interest are potentially life-saving, while the risks involved from minor embarrassment through to a total corruption of trust in the medical profession are really, really serious."

She argued that trust in institutions and the medical profession was particularly important during a pandemic: "So in terms of the pandemic we saw a really upsetting level of vaccine hesitancy and obviously wider trust in institutions was eroded and that has a massively negative impact."

That is why Foxglove has concerns over the Data Provision Notice the Government issued in May, and in in the process of investigating this further.

The Government's 'clarifications' are anything but

The day after the People's Covid Inquiry session on 19 May 2021, the Government updated a webpage on the NHS Digital website titled: Mythbusting social media posts about the national data opt-out.

The page addresses the National Data Opt-Out, an entirely separate project to the change in the collection of GP data as announced on 12 May 2021. This is in fact addressed on a separate page and does in fact state that the deadline for opting out before any data transfer takes place is 23 June 2021 (update: this has now been pushed back to September). Opt-in is assumed.

Patients can opt-out afterwards, but this is after the initial changes in data collection have already taken place, and their data will not be retrieved. People who do not wish to opt-out, face not really knowing exactly what they are opting into, which places barriers to benevolent data sharing for the greater good.

Foxglove argues this makes it impossible for the NHS to assume 'explicit consent' from patients over sharing their data.

They said:

"The future of NHS data is being determined now. We can shape its future, but we must demand our say.

"Our experience regarding the COVID-19 Datastore tells us, without concerted public pressure, potentially sweeping changes to our health service will be made without our consent and without a democratic mandate. We need to, and can, make sure that does not happen."

Sign the petition

Keep Our NHS Public and Health Campaigns Together is supporting the following petition to stop Palantir accessing NHS data.

Sign the petition

Find out more

medConfidential have a newsletter you can sign up to be kept up to date with developments.

Your NHS data will be quietly shared with third parties, with just weeks to opt out – GPs like me are worried. inews. Helen Salisbury. 1 June 2021

And our earlier witness, and KONP supporter, Helen Salisbury: Should patients worry about their data? BMJ. 25 May 2021

Share this post..

Be the first to comment

Leave a Reply

Your email address will not be published.


Are you human? *