NHS Digital data extraction
From Jo Churchill MP
Parliamentary Under Secretary of State for Primary Care and Health Promotion
General Practice Data for Planning and Research
Patient data from general practice has significantly contributed to the improvement of health and care services and treatments for many years. Patients rightly trust their GP to safeguard their data, a role that we know that all general practitioners take very seriously. This is why I am writing to share more information with you about how we are working to improve how this data is collected.
NHS Digital is making improvements to how data is collected from general practice, with a new framework for data extraction called the General Practice Data for Planning and Research (GPDPR) collection.
You will have seen the announcement to pause the collection of this data, to provide more time to engage with GPs, patients, health charities and others, and to strengthen the plan.
We are working in collaboration with a range of partners including the Royal College of General Practitioners (RCGP) and the British Medical Association (BMA). I want to reassure you that we have heard your concerns loud and clear and will continue to listen.
I am writing now to provide an update on the four key areas of work to strengthen the plan. We hope this will foster your trust in the system and provide a strong basis for you and your patients to participate in the scheme with confidence.
Most importantly, I can confirm today that, while we are continuing to work on the infrastructure, and communication for the project, we are not setting a specific start date for the collection of data. Instead, we commit to start uploading data only when we have the following in place:
● the ability to delete data if patients choose to opt-out of sharing their GP data with NHS Digital, even if this is after their data has been uploaded;
● the backlog of opt-outs has been fully cleared;
● a Trusted Research Environment has been developed and implemented in NHS Digital;
● patients have been made more aware of the scheme through a campaign of engagement and communication.In this letter each of these adjustments are set out, all of which are critical to the success and impact of the programme, including through better understanding of the huge benefits the programme will have to the NHS and to our ability to provide the best and safest possible care for patients.
We want to make the position around opt-out much simpler. While 1st September has been seen by some as a cut-off date for opt-out, after which data extraction would begin, I want to reassure you that this will not be the case and data extraction will not commence until we have met the tests.
We are introducing three changes to the opt-out system which mean that patients will be able to change their opt-out status at any time:
- Patients do not need to register a Type 1 opt-out by 1st September to ensure their GP data will not be uploaded;
- NHS Digital will create the technical means to allow GP data that has previously been uploaded to the system via the GPDPR collection to be deleted when someone registers a Type 1 opt-out;
- The plan to retire Type 1 opt-outs will be deferred for at least 12 months while we get the new arrangements up and running, and will not be implemented without consultation with the RCGP, the BMA and the National Data Guardian.
Together, these changes mean that patients can have confidence that they will have the ability to opt-in or opt-out of the system, and that the dataset will always reflect their current preference. And we will ensure it is easy for them to exercise the choice to opt-out.
We have heard from many GPs and practices that there is concern about the administrative burden that Type 1 opt-outs have placed on you and your teams. We are in the process of working with colleagues across general practice to develop a way of simplifying and centralising the opt-out process in order to remove this burden on practices. This is still in development, but we will share further information with you in the coming weeks.
In the meantime, given the changes we have agreed to the opt-outs there is now no urgency to process Type 1 opt-outs specifically for GPDPR in order to get people opted out before September. We will keep you updated on timelines for when we expect the programme to go live.
We will also ensure that the NHS Digital Data Protection Impact Assessment (DPIA) reflecting these changes to the programme is published well before data collection commences. A template DPIA for practice use will also be made available in good time to allow practices to complete it.Data Security and Governance
The Government has committed that access to GP data will only be via a Trusted Research Environment (TRE) and never copied or shipped outside the NHS secure environment, except where individuals have consented to their data being accessed e.g. written consent for a research study. This is intended to give both GPs and patients a very high degree of confidence that their data will be safe and their privacy protected.
The TRE will be built in line with best practice developed in projects, such as OpenSAFELY and the Office for National Statistics’ Secure Research Service.
We are also committed to adopting a transparent approach, including publishing who has run what query and used which bit of data. We are developing a TRE which will meet our specific needs and act as “best in class”.
We commit to only begin the data collection once the TRE is in place. Further, we will ensure that the BMA, RCGP and the National Data Guardian have oversight of the proposed arrangements and are satisfied with them before data upload begins.
I can also confirm that the previously published Data Provision Notice for this collection has been withdrawn.
Once the data is collected, it will only be used for the purposes of improving health and care. Patient data is not for sale and will never be for sale.
Transparency, communications and engagement
There has been a great deal of concern regarding the lack of awareness amongst the healthcare system and patients. We recognise that we need to strengthen engagement, including opportunities for non-digital engagement and communication. Since the programme has been paused, we have been developing an engagement and communications campaign, with the goal of ensuring that the healthcare system and patients are aware and understand what is planned, and can make informed choices. The public rightly look to and trust general practice - through a centrally driven communication campaign, with clear messages, we will seek to ensure that the introduction of this collection does not impose an additional burden on practices. We are developing a communications strategy delivered through four phases.
● Listening - where we listen to stakeholders and gather views on how best to communicate with the profession, patients and the public and give them the opportunity to inform the development of the programme in areas such as opt-outs, trusted research environments and other significant areas;
● Consultation - a series of events where we can explain the programme, listen and capture feedback and co-design the information campaign;
● Demonstration - show how feedback is being used to develop the programme and shape communications to the healthcare system and the public
● Delivery - of an information campaign to inform the healthcare system and the public about changes to how their GP data is used, that utilises the first three phases to ensure the campaign is accessible, has wide reach and is effective.
Data saves lives. The vaccine rollout for COVID-19 could not have been achieved without patient data. The discovery that the steroid Dexamethasone could save the lives of one third of the most vulnerable patients with COVID-19 – those on ventilators - could not have been made without patient data from GP practices in England. That insight has gone on to save a million lives around the globe. That is why this programme is so important. The programme and I will be providing further information as the programme progresses. In the meantime, if you have any questions, you can contact the programme at firstname.lastname@example.org. The NHS Digital web pages also provide further information at https://digital.nhs.uk/data-and-information/data-collections-and-data-sets/data-collections/general-practice-data-for-planning-and-research#additional-information-for-gp-practices. Thank you for your continued support.
Parliamentary under Secretary of State for Primary Care and Health Promotion
About the General Practice Data for Planning and Research programme
NHS Digital is making improvements to how data is collected from general practice, this new framework for data extraction is called the General Practice Data for Planning and Research data collection (GPDPR). The goal of this new system is to
● reduce burden on GP practices in managing access to patient data and maintain compliance with relevant data protection legislation;
● improve protections through the consistent and rigorous review of all applications for access to patient data;
● make it easier for patients to understand how their health and care data is being used, including increasing use of Trusted Secure Environments that avoids data flowing outside the NHS. This new NHS Digital service will collect data from GP practices in England and will analyse, publish statistical data and provide safe, secure, lawful and appropriate access to GP data for health and social care purposes. This will include planning, commissioning, policy development, public health purposes (including COVID-19) and research. NHS Digital is engaging with the British Medical Association (BMA), Royal College of General Practitioners (RCGP) and the National Data Guardian (NDG) to ensure relevant safeguards are in place for patients and GP practices.
Protecting patient data
All data will be pseudonymised and encrypted by your GP system suppliers on your behalf before it is transferred to NHS Digital. Access to GP data will only be via a Trusted Research Environment (TRE) and never copied or shipped outside the NHS secure environment, except where individuals have consented to their data being accessed, e.g. written consent for a research study. As with the COVID-19 collection, access to the data will be through the NHS Digital Data Access Request Service (DARS) and will be subject to a robust approvals process, which includes oversight by the Independent Group Advising on Release of Data (IGARD) and a Professional Advisory Group, which is made up of representatives from the BMA and RCGP.
Once fully established, this new collection will help to reduce the number of patient data flows for planning and research purposes currently managed by each GP practice. GPs and patients will be able to clearly see how patient data is being used to run and improve health and care services from the information provided by NHS Digital.
Please note that data sharing can be a great advantage if, for example hospitals need to know what medication you are on/allergies you have and major medical problems you have and need this data to treat you safely. It is also used to plan services so that a local populations needs are met and for research purposes.
Please look at the following page that should help to clarify the situation : https://digital.nhs.uk/data-and-information/data-collections-and-data-sets/data-collections/general-practice-data-for-planning-and-research/transparency-notice#our-legal-basis-for-collecting-analysing-and-sharing-patient-data.
We have also compiled some key exerts below:
How sharing patient data with NHS Digital helps the NHS and you
The NHS needs data about the patients it treats in order to plan and deliver its services and to ensure that care and treatment provided is safe and effective. The General Practice Data for Planning and Research data collection will help the NHS to improve health and care services for everyone by collecting patient data that can be used to do this. For example patient data can help the NHS to:
- monitor the long-term safety and effectiveness of care
- plan how to deliver better health and care services
- prevent the spread of infectious diseases
- identify new treatments and medicines through health research
GP practices already share patient data for these purposes, but this new data collection will be more efficient and effective.
This means that GPs can get on with looking after their patients, and NHS Digital can provide controlled access to patient data to the NHS and other organisations who need to use it, to improve health and care for everyone.
Contributing to research projects will benefit us all as better and safer treatments are introduced more quickly and effectively without compromising your privacy and confidentiality.
NHS Digital has engaged with the British Medical Association (BMA), Royal College of GPs (RCGP) and the National Data Guardian (NDG) to ensure relevant safeguards are in place for patients and GP practices.
Our purposes for processing patient data
Patient data from GP medical records kept by GP practices in England is used every day to improve health, care and services through planning and research, helping to find better treatments and improve patient care. The NHS is introducing an improved way to share this information - called the General Practice Data for Planning and Research data collection.
NHS Digital will collect, analyse, publish and share this patient data to improve health and care services for everyone. This includes:
- informing and developing health and social care policy
- planning and commissioning health and care services
- taking steps to protect public health (including managing and monitoring the coronavirus pandemic)
- in exceptional circumstances, providing you with individual care
- enabling healthcare and scientific research
Any data that NHS Digital collects will only be used for health and care purposes. It is never shared with marketing or insurance companies.
What patient data we collect
The proposed Patient data to be collected from GP medical records about:
- any living patient registered at a GP practice in England when the collection started - this includes children and adults
- any patient who died after the data collection started, and was previously registered at a GP practice in England when the data collection started
We will not collect your name or where you live. Any other data that could directly identify you, for example NHS number, General Practice Local Patient Number, full postcode and date of birth, is replaced with unique codes which are produced by de-identification software before the data is shared with NHS Digital.
This process is called pseudonymisation and means that no one will be able to directly identify you in the data. The diagram below helps to explain what this means. Using the terms in the diagram, the data we collect would be described as de-personalised.
Image provided by Understanding Patient Data under licence.
NHS Digital will be able to use the same software to convert the unique codes back to data that could directly identify you in certain circumstances, and where there is a valid legal reason. Only NHS Digital has the ability to do this. This would mean that the data became personally identifiable data in the diagram above. An example would be where you consent to your identifiable data being shared with a research project or clinical trial in which you are participating, as they need to know the data is about you.
More information about when we may be able to re-identify the data is in the who we share your patient data with section below.
The data we collect
We will only collect structured and coded data from patient medical records that is needed for specific health and social care purposes explained above.
Data that directly identifies you as an individual patient, including your NHS number, General Practice Local Patient Number, full postcode, date of birth and if relevant date of death, is replaced with unique codes produced by de-identification software before it is sent to NHS Digital. This means that no one will be able to directly identify you in the data.
NHS Digital will be able to use the software to convert the unique codes back to data that could directly identify you in certain circumstances, and where there is a valid legal reason. This would mean that the data became personally identifiable. It will still be held securely and protected, including when it is shared by NHS Digital.We will collect:
- data on your sex, ethnicity and sexual orientation
- clinical codes and data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals and recalls, and appointments, including information about your physical, mental and sexual health
- data about staff who have treated you
More detailed information about the patient data we collect is contained in the Data Provision Notice issued to GP practices.NHS Digital does not collect:
- your name and address (except for your postcode in unique coded form)
- written notes (free text), such as the details of conversations with doctors and nurses
- images, letters and documents
- coded data that is not needed due to its age – for example medication, referral and appointment data that is over 10 years old
- coded data that GPs are not permitted to share by law – for example certain codes about IVF treatment, and certain information about gender re-assignment
Opting out of NHS Digital collecting your data (Type 1 Opt-out)
If you do not want your identifiable patient data (personally identifiable data in the diagram above) to be shared outside of your GP practice for purposes except for your own care, you can register an opt-out with your GP practice. This is known as a Type 1 Opt-out.
Type 1 Opt-outs were introduced in 2013 for data sharing from GP practices, but may be discontinued in the future as a new opt-out has since been introduced to cover the broader health and care system, called the National Data Opt-out. If this happens people who have registered a Type 1 Opt-out will be informed. More about National Data Opt-outs is in the section Who we share patient data with.
NHS Digital will not collect any patient data for patients who have already registered a Type 1 Opt-out in line with current policy. If this changes patients who have registered a Type 1 Opt-out will be informed.
If you do not want your patient data shared with NHS Digital, you can register a Type 1 Opt-out with your GP practice. You can register a Type 1 Opt-out at any time. You can also change your mind at any time and withdraw a Type 1 Opt-out.
If you have already registered a Type 1 Opt-out with your GP practice your data will not be shared with NHS Digital.
If you wish to register a Type 1 Opt-out with your GP practice before data sharing starts with NHS Digital, this should be done by returning this form to your GP practice t. If you have previously registered a Type 1 Opt-out and you would like to withdraw this, you can also use the form to do this. You can send the form by post or email to your GP practice or call 0300 3035678 for a form to be sent out to you.
If you register a Type 1 Opt-out after your patient data has already been shared with NHS Digital, no more of your data will be shared with NHS Digital. NHS Digital will however still hold the patient data which was shared with us before you registered the Type 1 Opt-out.
If you do not want NHS Digital to share your identifiable patient data (personally identifiable data in the diagram above) with anyone else for purposes beyond your own care, then you can also register a National Data Opt-out. There is more about National Data Opt-outs and when they apply in the National Data Opt-out section below.
Our legal basis for collecting, analysing and sharing patient data
When we collect, analyse, publish and share patient data, there are strict laws in place that we must follow. Under the UK General Data Protection Regulation (GDPR), this includes explaining to you what legal provisions apply under GDPR that allows us to process patient data. The GDPR protects everyone's data.
NHS Digital has been directed by the Secretary of State for Health and Social Care under the General Practice Data for Planning and Research Directions 2021 to collect and analyse data from GP practices for health and social care purposes including policy, planning, commissioning, public health and research purposes.
NHS Digital is the controller of the patient data collected and analysed under the GDPR jointly with the Secretary of State for Health and Social Care.
All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the Data Provision Notice issued by NHS Digital to GP practices.
NHS Digital has various powers to publish anonymous statistical data and to share patient data under sections 260 and 261 of the 2012 Act. It also has powers to share data under other Acts, for example the Statistics and Registration Service Act 2007.
Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002 (COPI) also allow confidential patient information to be used and shared appropriately and lawfully in a public health emergency. The Secretary of State has issued legal notices under COPI (COPI Notices) requiring NHS Digital, NHS England and Improvement, arm's-length bodies (such as Public Health England), local authorities, NHS trusts, clinical commissioning groups and GP practices to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use confidential patient information.
How we use patient data
NHS Digital will analyse and link the patient data we collect with other patient data we hold to create national data sets and for data quality purposes.
NHS Digital will be able to use the de-identification software to convert the unique codes back to data that could directly identify you in certain circumstances for these purposes, where this is necessary and where there is a valid legal reason. There are strict internal approvals which need to be in place before we can do this and this will be subject to independent scrutiny and oversight by the Independent Group Advising on the Release of Data (IGARD).
These national data sets are analysed and used by NHS Digital to produce national statistics and management information, including public dashboards about health and social care which are published. We never publish any patient data that could identify you. All data we publish is anonymous statistical data.
We may also carry out analysis on national data sets for data quality purposes and to support the work of others for the purposes set out in Our purposes for processing patient data section above.
Who we share patient data with
All data which is shared by NHS Digital is subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the relevant health and social care purpose will be shared.
All requests to access patient data from this collection, other than anonymous aggregate statistical data, will be assessed by NHS Digital’s Data Access Request Service, to make sure that organisations have a legal basis to use the data and that it will be used safely, securely and appropriately.
These requests for access to patient data will also be subject to independent scrutiny and oversight by the Independent Group Advising on the Release of Data (IGARD). Organisations approved to use this data will be required to enter into a data sharing agreement with NHS Digital regulating the use of the data.
There are a number of organisations who are likely to need access to different elements of patient data from the General Practice Data for Planning and Research collection. These include but may not be limited to:
- the Department of Health and Social Care and its executive agencies, including Public Health England and other government departments
- NHS England and NHS Improvement
- primary care networks (PCNs), clinical commissioning groups (CCGs) and integrated care organisations (ICOs)
- local authorities
- research organisations, including universities, charities, clinical research organisations that run clinical trials and pharmaceutical companies
If the request is approved, the data will either be made available within a secure data access environment within NHS Digital infrastructure, or where the needs of the recipient cannot be met this way, as a direct dissemination of data. We plan to reduce the amount of data being processed outside central, secure data environments and increase the data we make available to be accessed via our secure data access environment. For more information read about improved data access in improving our data processing services.
Data will always be shared in the uniquely coded form (de-personalised data in the diagram above) unless in the circumstances of any specific request it is necessary for it to be provided in an identifiable form. For example, when express patient consent has been given to a researcher to link patient data from the General Practice for Planning and Research collection to data the researcher has already obtained from the patient.
It is therefore possible for NHS Digital to convert the unique codes back to data that could directly identify you in certain circumstances, and where there is a valid legal reason which permits this without breaching the common law duty of confidentiality. This would include:
- where the data was needed by a health professional for your own care and treatment
- where you have expressly consented to this, for example to participate in a clinical trial
- where there is a legal obligation, for example where the COPI Notices apply - see Our legal basis for collecting, analysing and sharing patient data above for more information on this
- where approval has been provided by the Health Research Authority or the Secretary of State with support from the Confidentiality Advisory Group (CAG) under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 (COPI) - this is sometimes known as a ‘section 251 approval’
This would mean that the data was personally identifiable. Re-identification of the data would only take place following approval of the specific request through the Data Access Request Service, and subject to independent assurance by IGARD and consultation with the Professional Advisory Group, which is made up of representatives from the BMA and the RCGP. If you have registered a National Data Opt-out, this would be applied in accordance with the National Data Opt-out policy before any identifiable patient data (personally identifiable data in the diagram above) about you was shared. More about the National Data Opt-out is in the section below.
Details of who we have shared data with, in what form and for what purposes are published on our data release register.
National Data Opt-out (opting out of NHS Digital sharing your data)
This applies to identifiable patient data about your health (personally identifiable data in the diagram above), which is called confidential patient information. If you don’t want your confidential patient information to be shared by NHS Digital for purposes except your own care - either GP data, or other data we hold, such as hospital data - you can register a National Data Opt-out.
If you have registered a National Data Opt-out, NHS Digital won’t share any confidential patient information about you with other organisations unless there is an exemption to this, such as where there is a legal requirement or where it is in the public interest to do so, such as helping to manage contagious diseases like coronavirus. You can find out more about exemptions on the NHS website.
From 1 October 2021, the National Data Opt-out will also apply to any confidential patient information shared by your GP practice with other organisations for purposes except your individual care. It won't apply to this data being shared by GP practices with NHS Digital, as it is a legal requirement for GP practices to share this data with NHS Digital and the National Data Opt-out does not apply where there is a legal requirement to share data.
You can find out more about and register a National Data Opt-out or change your choice on nhs.uk/your-nhs-data-matters or by calling 0300 3035678.
How long we keep patient data for
We will keep your patient data for as long as is necessary for the purposes outlined above in accordance with the Records Management Code of Practice for Health and Social Care 2016 and NHS Digital's Records Management Policy.
Other organisations with whom we share your personal data must only keep it for as long as is necessary and as set out in the Data Sharing Agreement with that organisation. Information about this will be provided in their privacy notices on their websites.
General Practice Extraction Service (GPES)
- The GPES is replacing and extending the large number of individual data provision notices (DPNs) currently required
- NHS Digital are assuming data controller rights for the extract – this was always the legal position, but not before exercised
- Patients can opt out completely via the Type 1 opt out (but this may be removed)
- Patients can opt out for research and planning via the National Data Opt-Out but only for identifiable data, not anonymous data, and GPES data will still be collected
What is GPES?
Currently, the system for obtaining data for managing the health service from GPs and other data controllers who provide service has always been:
- Secretary of state issues a Data Provision Notice (DPN) under sections 259(1)(a) and 259(1)(b) of the Health and Social Care Act 2012.
- It’s extracted from the controller systems, generally with controllers having to switch it on
- Type 1 opt-outs (no sharing beyond practice) are respected unless there is a COPI notice saying they should not (e.g. the current pandemic notice)
- The National Data Opt-Out is respected, unless there is a COPI notice
- Data is used for the specified purpose only
This means they are commonly extracting the same data multiple times and a lot (350 per year) of extracts need to be done.
GPES simplifies this to a smaller number of extractions, which can be then used for ANY purpose defined by NHS Digital – in other words, they become the data controller. This means that the National Data Opt-Out (NDOP) is NOT respected as in their view this is a direct care (a “planning of healthcare provision” purpose). It should be respected for onward use, but they appear to be taking the position that anonymised data isn’t personal data and therefore the NDOP only restricts them from using your identifiable data.
NHSD have stated they will be respecting patient Type 1 opt out where a patient does not want their record to leave the GP practice other than for direct care. Given the extraction is for Planning and Research and NHSD is adopting Controller responsibility we will challenge NHSX's policy steer and NHSDs DPO and programme and their documented necessity to use the Type 1 optout rather than the national opt out option for patients to opt out of secondary uses which seems most appropriate in this case and to meet the intentions of the GPDPR.
The initial data model, so you can see what they are extracting, is at the link below:
Do we need to do anything?
Your privacy notices (if you’re using the one we sent out with the DPO briefings, revised from the initial GDPR pack), already has the use of data provision notices in it – so strictly speaking, no.
However, an information page for patients has been provided which we would recommend you link to from your privacy notices:
The section that needs changing is shown in the appendix, with the recommended changes.
Prepare for a possible increase in type 1 opt-outs…
Are the NHS now selling our patient’s data?
NHS Digital state on their pages “NHS Digital will never sell your data”.
NHS Digital are also able to fulfil requests via the Data Access Request Service, which are subject to independent oversight by IGARD.
Do patients have an opt-out?
Sort of, but not really.
To opt out the patient must request type 1 opt-out – which means their data won’t be shared with other healthcare providers too, which is to their detriment. The first extract is being done on 1 July, so patients need to create a type 1 opt out by 23 June.
There is a form available for patients which is now being published in the press, so these will be the most likely thing you will receive.
The government has also previously stated its intent to remove type 1 opt-outs, so I would expect that to come down the line fairly quickly if a lot of patients start exercising type 1 opt-outs. The notice is clear they intend to review this, it states:
This may change in the future if NHS Digital is directed otherwise in the event of a change in policy following a review of Type 1 opt-outs by NHSx, with implementation being subject to consultation with the profession via the Joint GP IT Committee, a representative body comprised of elected members from RCGP and BMA.
It may also change if NHS Digital agrees with the British Medical Association (BMA) and the Royal College of General Practitioners (RCGP), and the Department of Health and Social Care (DHSC) that it has put in place appropriate organisational and technical measures and controls to enable it to collect and process pseudonymised Type 1 opt-out records by means which continue to uphold the Type 1 opt-out and do not enable the patient to be directly identified except for the purposes of their own care.
Is there an “official” information page for us?