Source: New Zealand Privacy Commissioner – Blog
In 2013, UK Prime Minister David Cameron tried to instigate the sharing of UK National Health Service (“NHS”) patient data to private organisations for a small fee. Despite plans to anonymise the data, the move was sufficiently controversial that the Government had to drop the plan – there were major concerns over transparency and privacy. Eight years later, a similar plan has emerged, this time during the pandemic response of Boris Johnson’s Government.
As part of its General Practitioner Data for Planning and Research Programme (“GPDPR”), the Government is planning to put the GP records of England’s 55 million enrolled patients into a single NHS database which will become available to third-party companies and researchers for a fee. It is an ‘opt-out’ programme, meaning that patients need to fill out a form to prevent their data from being included. Originally, GPDPR was supposed to come into action in July 2021 but has now been pushed back to September.
GPDPR will give private organisations access to the NHS Digital central database containing data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, and appointments, including information about physical, mental, and sexual health. The information will include data about patients’ gender, ethnicity, and sexual orientation.
Technically peoples’ data will be anonymised, but there are two qualifications. First, given how specific the data is, it will at least be possible to cross-reference with other databases to reidentify the data. Secondly, NHS Digital can unlock the codes to allow access in certain circumstances and where there is valid legal reason. No names and addresses will be available to researchers, but encoded postcodes will be included.
What about these third parties? According to NHS Digital, the data will only be used for health planning and research purposes by organisations that can show they have an appropriate legal basis and a legitimate need to use it. Any data sharing will be overseen by the British Medical Association (“BMA”), the Royal College of General Practitioners (“RCGP”), and the Independent Group Advising on the Release of Data (”IGARD”).
One issue is that neither the NHS, nor their chosen third parties, have had the best record when it comes to data sharing. In 2017, Information Commissioner Elizabeth Denham ruled that the NHS had acted illegally in sharing information with Google’s DeepMind AI without properly informing patients. Moreover, a litany of third parties were found to have breached privacy contracts (which usually means ignoring patient opt-outs). These third parties included University College London, Method Analytics, University of Bristol, Wakefield Council, Health IQ, Device Access UK Ltd, Foundation Trust and Moorfields Eye Hospital.
Another major issue is that the UK Government has not communicated this initiative to its citizens and is relying on GPs to inform their patients. Given that GPs across the UK have massive backlogs, are trying to operate during a pandemic, and struggle to inform their patients of important matters ordinarily, this approach was never going to be sufficient. The result is that people don’t understand GPDPR. It was precisely this lack of communication that brought David Cameron’s Government to scrap the original policy in 2016.
Indeed, RCGP and BMA who were both consulted on the scheme wrote a joint letter expressing concern at the lack of transparency and communication with the public. Several organisations such as the Doctors’ Association UK, Just Treatment and Open Democracy also threatened the Government with legal action if they went ahead with the programme.
Due to mounting pressure, the Government has delayed the programme until September to give it more time to talk to patients, doctors, health charities and others. However, patients are already suspicious about why the Government tried to push the programme through so quickly and quietly. People are increasingly reticent to allow their data to stay in the programme and have until 23 August to opt-out.
Why does GPDPR matter to us?
You may be wondering why GPDPR is relevant to New Zealand. It is true that New Zealand is a unique place with peculiarities that necessitate distinctly local perspectives. But as privacy experts, our Office closely monitors international developments to inform the work we do to protect personal information in New Zealand. We share our observations with public and private sector agencies, both proactively and when we are consulted by them.
With the New Zealand Government’s recent decision to reform the national health system by consolidating district health boards into a single agency called Health New Zealand, we should expect to see changes to the way patients’ personal information is collected, stored, used, and disclosed. New frameworks will be required to facilitate these changes, which will have implications for peoples’ privacy and health practitioners’ systems and processes.
Before making major changes to the way personal information is handled in the health sector, officials should take note of the consequences of not properly informing the public of any implications. The GPDPR saga demonstrates that a lack of clear communication about changes to patients’ privacy can lead to suspicion that can ultimately stymy the launch of a beneficial and legitimate policy.
Despite the criticisms, GPDPR has the potential to facilitate immensely beneficial developments for public health. Recently, Oxford’s COVID Recovery Programme used NHS data (with patients’ express consent) to identify dexamethasone as an effective COVID therapy, which shows what can be achieved with the appropriate sharing of patient data.
Alongside the reform of public health in New Zealand, beneficial work can be done to leverage the value of patient data, or simply to reorganise the way data is treated for efficiency’s sake. Officials and health practitioners should work together to ensure the public are both aware and on board.
This article was originally published in the 21 July 2021 issue of NZ Doctor.
