Recent news coverage has highlighted the growing concern over plans by NHS Digital (which runs the NHS’s IT system) to upload the medical data of 55 million patients onto a database which it will then share with third parties. The medical data (which will include anonymised mental and sexual health data, criminal records, and more sensitive information) will be drawn from all patients registered with a GP clinic. Third parties can then apply to view this data, to be used for research and development purposes.
Whilst the data will be anonymised, with patient identifiers being replaced with unique codes, the NHS will be able to unlock the personal data to which the records relate 'in certain circumstances, and where there is a valid legal reason', something which has caused much concern amongst privacy campaigners and lawyers too.
The new system will be known as the General Practice Data for Planning and Research (GPDPR), which sounds remarkably similar to the GDPR, or UK GDPR as it is now, and makes one wonder whether this was done on purpose to falsely reassure people that the changes are not anything new.
The NHS, and the government, have sought to minimise the above by pointing out that anyone has the right to opt out of the plans should they so wish, provided that they do so by completing the relevant form and taking it to their GP practice by 23 June 2021. Patients who miss this deadline can still opt out, but their opt-out will then apply only to future medical information and not to that which will have already been uploaded by that date.
However, the problem is that the public are largely unaware of the above plans, despite the plans being published on the NHS Digital website and being advertised in flyers in GP practices (many patients will not have been in to their GP practice in the past year due to the ongoing coronavirus pandemic).
Indeed, the Financial Times recently reported Phil Booth, founder of advocacy group MedConfidential, as saying: 'They’re trying to sneak it out, they are giving you six weeks nominally and if you do not act based on web pages on the NHS digital site and some YouTube videos and a few tweets, your entire GP history could have been scraped, never to be deleted.'
The plans have also led to much concern and resistance from GPs, not least because the relationship between a patient and a GP is one built on trust and the automatic sharing of personal data will undermine this relationship. Notably, senior doctors in NHS North East London Clinical Commissioning Group have called on about 100 GP surgeries in their area to withhold patient data from the new system until they are satisfied that patients have had enough time to consider the new plans. They rightly want patients to have the choice as to whether their personal data is shared in this way, and the time to consider such a decision.
The issue has since made its way onto the political stage. On 6 June 2021 Labour called for the plans to be delayed until the issues around patient privacy have been addressed. The plans were initially to be implemented from 1 July 2021; however, NHS Digital has since confirmed that the collection of patient data will now only take place from 1 September 2021, to allow more time to 'talk to patients, doctors, health charities and others to strengthen the plan, build a trusted research environment and ensure that data is accessed securely'.
This naturally leads us to consider the legality of the above plans. Privacy lawyers have aired their concerns recently in the press and it would appear on a deeper consideration of the law in this area that the plans are dubious from a legal standpoint, given that very few (if any) of the 55 million patients will have given their explicit consent to the sharing of this data by the date of implementation.
A campaign group for digital rights called Foxglove has written a letter to the Department of Health and Social Care, questioning the lawfulness of the plans under current data protection legislation, and threatening further legal action in this regard.
The Department of Health and Social Care is likely to try to rely on Article 6 of the GDPR, which allows data processing without patient consent for a number of reasons, such as it being necessary for compliance with a legal obligation to which the data controller is subject, or necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. Indeed, the Department has already stated that its plans have not been objected to by the Information Commissioner’s Office, and that it would soon produce a data protection impact assessment of the plans.
However, there are arguments to be made that patients’ privacy is under threat as a result of these plans, and groups such as Foxglove have pledged to continue to challenge the government, at least until the plans are properly explained and informed consent has been given (or withheld) by patients. It is hoped that the plans can be properly explained to patients in the period between now and the beginning of September.
In the information age, the sharing of often sensitive information will become more commonplace, and this area is definitely a legal battleground of the future. It will be interesting to watch how the law develops in this area as it seeks to find a balance between the rights of patients and the need for the sharing of data to improve public health and policy outcomes.
If your personal data, including your private medical information, has been processed or given to a third party without your consent, then you may have a claim against the individual or organisation that processed your data. Our team have experience of dealing with cases of this nature, so if you would like to discuss your issue further, please e-mail Nicholas.firstname.lastname@example.org.
Nicholas Leahy is a clinical negligence solicitor at Osbornes Law.