Data sharing – what the practice is doing
Many of you will have seen the media coverage of NHS Digital’s plan to extract patient data on anyone who doesn’t opt-out by the end of the month, and the subsequently-announced delay until September. This covers “Type 1 opt-outs” from GP to NHS Digital. The practice position is:
- We will opt you out of data sharing by default
- This means your personal data will not be shared with NHS Digital unless you actively tell us you’d like it to be
- If you wish to opt in to sharing data with NHS Digital, please complete the Type+1+Opt-out+form (1), ticking the box to opt back in, and we will action this on your behalf
- You do not need to return this form if you wish to opt out
- You still need to ask NHS Digital for a type 2 opt out separately if you also wish one of those; we cannot do this on your behalf
We have discussed this in detail with our Patient Participation Group, who raised concerns about this with us from the patient perspective in advance of the media coverage. While we recognise there would be benefits nationally to have large-scale patient data sets available for research and planning services, the way this has been implemented and the explanations NHS Digital have provided for how your data could be used are not reassuring.
After discussion with our PPG, we have agreed as a practice that:
- Our overriding priority must be to ensure that your data is not transferred outside the practice without your express consent. This is in line with your rights, and our responsibilities, under GDPR legislation, which requires that “explicit consent requires a very clear and specific statement of consent”, and that people should “positively opt in”.
- We cannot practically hope to contact 13,000 patients and obtain that consent, either in the original 20-day timeframe, or in the longer 3-month one.
- Even were we to attempt to, any patients we were not able to contact would have their data transferred by default when the process starts, and NHS Digital have made clear that it is not possible thereafter for that data to be deleted from their systems. This again potentially puts us in breach of GDPR, and more importantly would leave patients justifiably angry their data had been shared without consent.
As such, and with the agreement of our Patient Participation Group, we will opt all of our patients out of the GPDPR process by default.
This means that no one’s data will move across without their explicit consent. However, where patients have had a chance to consider the pros and cons of sharing their data and want to opt in, their data can move across at that point. If you would like this to happen, please let the surgery know.
You may wish also to implement a national data opt-out, which is different from the type 1 opt-out. This can be done directly with NHS Digital, and the differences are outlined in the graphic below (for which thanks are due to Neil Bhatia).
Finally, we are grateful to the SW London data protection officer and particularly to our PPG for their time and insights on this subject, and to Londonwide LMCs who have supported similar action elsewhere in London.