Sharing NHS patient data: Questions and Answers
NHS Digital is rolling out a new system to collect patient data held by GP practices across England. Data collection was due to start on 1 September but has been postponed. No new date has been set for data collection to begin. It will only do so once the following four conditions have been met:
- It must be possible to delete data if patients choose to opt-out of sharing their GP data with NHS Digital, even if this is after their data has been uploaded
- The backlog of opt-outs has to be fully cleared
- A Trusted Research Environment has been developed and implemented in NHS Digital
- Patients have been made more aware of the scheme through a campaign of engagement and communication
Questions and Answers
Will my GP patient data be anonymous?
The data shared won't include your name or your address. Any other data that could directly identify you (such as NHS Number, date of birth, full postcode) will be replaced with unique codes produced by de-identification software before the data is shared with NHS Digital. This process is called pseudonymisation.
Does hospital data get collected in the same way for Mental Health hospitals?
Yes, that pseudonymised data can be collected and shared.
What is the new date for GP data collection to begin?
It was the 1 September, but now it won’t be until the four criteria (see above) have been fulfilled.
Is your data automatically pseudonymised as soon as you opt in? Are there different categories of pseudonymisation?
We’re not sure when the pseudonymisation happens. Healthwatch Islington will check this. By the time the data is shared with NHS Digital, it must be pseudonymised.
Camden and Islington NHS Foundation Trust is now in partnership with Barnet, Enfield and Haringey Mental Health NHS Trust. What does this mean in terms of data sharing for both trusts? How about access to services?
They will already be sharing data with NHS Digital but if they want to share your data with another NHS Trust, I think they would have to ask for your permission.
I’m from Keep Our NHS Public and my concern is that we don’t know where this data will really end up. And we know that this data can be sold for X amount of money. I think we should be asking what the real ambition was for this data. We might trust the NHS but do we trust who this data is being passed onto?
The specification says that the data cannot be used for marketing or insurance purposes and it cannot be sold. However, a charge can be made for compiling the data to share.
How does someone who doesn’t have access online or can’t access online services be informed about this? Is there a form you can fill in to opt out?
There is a telephone number (0300 3035678) you can call to opt out. You can also talk to your GP practice, but we know this isn’t easy. An awareness-raising campaign needs to take place on a number of different platforms. Healthwatch Islington will be talking about this at different events and meetings and will share the information with our Diverse Community Health Voice Partners who can share the information in other languages as well.
Can you get support to opt out by calling that number?
They might be able to send you the form. Or, if you had a reasonable adjustment they should be able to help you complete it.
How can we be sure that no one will misuse these records and that this data is treated carefully?
It links back to that point about trust. How do we make sure the data is protected? What are the safeguards?
I’m involved in an ethical committee around research and data at UCLH (University College London Hospitals), especially around Covid. In minority communities, there’s still a lot of mistrust around how our medical records and data are used. Who makes money from this exchange of data? This mistrust hasn’t come out of nowhere, it’s based on experience. Are patients' voices being valued and heard or is it just those in power such as consultants and private companies with money?
I used to work in health research. There have been so many examples over the past few years of bad and unethical data sharing. At the Royal Free, patient data was shared with Google DeepMind, and patients weren’t (and some still have not been) notified that their records had been shared. That was a decision made by a consultant. Sometimes the ones we thought we could trust make bad decisions.
Defining a 'Trusted Research Environment'
One of the four conditions that needs to be met before the new system for GP patient data collection can begin is the development and implementation of a Trusted Research Environment in NHS Digital. We asked participants attending our briefing event how they would define a Trusted Research Environment, and what would give them confidence that NHS Digital was operating one:
What does the term 'Trusted Research Environment' mean to you?
- People emphasised the importance of openness about how data is shared and clear monitoring of that. If people are not told the full story, but find out later that data has been shared in a way that they are not happy with, then you break their trust and it can impact on their attitude to data-sharing for a long time afterwards.
- It was felt that ‘people who are not set to profit from the data’ need to be part of any Trusted Research team. People attending our briefing event did not trust NHS Digital's internal processes to ensure this happened.
- Participants wondered how we can reassure ourselves that parts of the system that hold our data are not using it for other purposes, how we monitor how that data is used, and whether partners in the system have the skills to manage our data properly. Are there enough safeguards in place, especially when some of our GP practices are now owned by overseas companies who may have a market interest in the NHS? They want to reach the UK market, how do we ensure that they are only using patient data in the ways they should?
- There was particular concern about how Integrated Care Systems could enable wider sharing of data, without patients knowing, and to parts of the system that may have less trust than others. It was felt that there needed to be more clearly defined limitations on how data could be shared. Concerns were also raised about the IT systems used to store and back up data, these are often owned by global corporations who may have a different approach to safeguarding privacy.
What would give you confidence that NHS Digital was operating a ‘Trusted Research Environment’?
- There was some concern that ‘backdoor’ privatisation of the NHS could mean a Trusted Research Environment was simply not achievable.
- What would instill confidence was prioritising the inclusion of people who put patient privacy first within the research environment. Suggestions included GPs, the GP Federation, and non-private providers.
- There was concern that pharmaceutical companies may have undue influence over some universities if they rely on them for research and so attention should be paid to conflicts of interest.
In what ways should NHS England, NHS Digital and/or GPs raise awareness around data sharing with patients?
- It was agreed GPs were very busy but perhaps the best contact point.
- It was suggested that NHS England resource GP practices to text patients about this and to have information available on websites, within practices, and through Patient Participation Groups. However, it was recognised that all of this is harder during the pandemic and that there needs to be a place where people can take their questions. This could include Local Healthwatch, but again this could need resourcing as it affects all residents and is very complex to explain as the information from NHS England has been so unclear.
"Trust can be really fragile. Data is a word that arouses a lot of distrust. You can’t trust something until it’s been tested. It needs good communication and separation from Government and Big Pharma. Couldn’t they start the program as a pilot and expand it in stages, building trust as it goes? We all want to improve health and care services. Isn’t there a way this data sharing could be even more pseudonymised?"
