Legal threat sharpens over UK government plans to harvest patient data from GPs
openDemocracy and campaigners threaten injunction over the largest seizure of personal medical records in NHS history, as backlash mounts
Today lawyers acting for openDemocracy and five other claimants have challenged the British government’s controversial plans to extract the medical records of everyone in England from their GP without proper consultation or informed consent – just as the doctors are reeling from coping with COVID-19.
openDemocracy has joined forces with Foxglove, a tech justice start-up, and other campaigners to issue an urgent legal challenge to the Department of Health and Social Care over its scheme to harvest the personal medical data into one massive database, which private corporations will be able to access.
The coalition’s legal letter to the government warns that unless the health department pauses the GP data grab – due to go ahead on 1 July – and seeks transparent patient consent, we will seek a court injunction to halt the scheme.
It’s the third time that openDemocracy has teamed up with Foxglove to protect patients’ rights to know – and have a say – about their data being shared with private corporations. This time we have joined forces with other campaigning organisations – Just Treatment, Doctors’ Association UK, The Citizens, and the National Pensioners Convention – and with David Davis MP.
The Conservative MP warned: “My constituents don’t expect when they sit down with their family GP that their sensitive health data is going to be able to be accessed by all and sundry. I support a future-fit NHS, but it’s got to be done in a way everyone can trust. The government must involve and inform patients so they have a meaningful chance to opt out before they progress any such policy.”
Health data is both hugely sensitive and immensely valuable – to our health, and to big business. The UK’s NHS data has been valued at £10bn. And our GP data – with details of everything from diagnoses and medications to depression, abortions, sexually transmitted infections and addictions – is the most detailed, valuable and sensitive of all.
Back in 2013-14, openDemocracy was the first non-specialist news site to cover a similar, though less ambitious, project to upload and share GPs’ patient records – the care.data project – which was abandoned after two million people opted out amidst concerns about confidentiality and business use.
But on 12 May this year, health secretary Matt Hancock quietly issued a legal direction to every GP in England, instructing them to upload their patient records to a central database, with patients given just a few weeks to find out about the plans.
NHS Digital insists it’s not selling patient data – but then tells us that the data will be made available to third parties for a fee
During COVID, much health data was shared under extraordinary powers – including with private companies. But the government looks set to make this the ‘new normal’.
An NHS Digital spokesperson sought this week to justify its plans by arguing that “NHS data was vital in managing the response to COVID” – but relevant health data can already be shared in a public health emergency. Phil Booth of campaign group medConfidential told openDemocracy it was “very cynical for the government to be pointing to COVID purposes and using that to justify a data grab”.
The government says the data will be used only “for health and care planning and research purposes” as well as for “the development of health and care policy” – and that it will be used only “by organisations which can show they have an appropriate legal basis and a legitimate need to use it”.
The problem is, they’ve told us next to nothing about what would count as “research purposes” or a “legitimate need”.
Instead they’ve put out a succession of vague and inconsistent reassurances from NHS Digital, which give little confidence.
NHS Digital insists it’s not selling patient data – but then tells us that the data will be made available to third parties for a fee.
It tells us that it’s assessed the impact of its plans on our human rights and privacy – but that we aren’t yet allowed to see that assessment, less than three weeks before the data transfer is due to happen.
It tells us no data will be shared for “solely commercial reasons” – but few companies, particularly those operating in healthcare, claim to be motivated “solely” by their bottom line. The government itself has been generally sympathetic to companies’ claims of loftier goals. So that reassurance is a long way from watertight.
The government tells us that the data will be “de-identified” but acknowledges this process can be reversed and individuals re-identified “in certain circumstances, and where there is a valid legal reason” to do so. And it hasn’t made clear what those circumstances or reasons would be.
It tells us that companies accessing the data will be contractually banned from using other data sources to re-identify people, but we know companies don’t always play by the rules. Which is why new guidance just published by the Information Commissioner’s Office makes clear that de-identified data is still personal data, and can’t be shared with anyone else without meaningful, informed consent. Which is exactly what the government – so far – seems determined to evade.
It tells us it’s “engaged with the British Medical Association (BMA) [and the] Royal College of GPs (RCGP)” – but those organisations have pointedly not endorsed the current plans. The RCGP chair Martin Marshall said whilst the organisation supports improved data sharing in principle for “important healthcare planning and research”, it was “critical that this is transparent and that patients have confidence and trust in how the NHS and other bodies might use their information”. He added that they were “continuing to lobby NHS Digital to ensure appropriate safeguards are in place for how the data collected is used”.
The ‘mad rush’ for health data
GPs have pointed out that there’s a ‘safe setting’ for the medical data they hold that means researchers can access it without copies of our records being sent out to third parties – but the government is choosing not to use it. Why?
We know that access to NHS data is a key prize for the pharmaceutical and life sciences industries, as well as for the artificial intelligence firms. The latter, the Financial Times reported this week, are now a “mad rush” for health data, having seen their stock boom during the pandemic.
It’s also of interest to US health insurers and providers, who, as openDemocracy exposed, are already boasting of how they are “planting seeds” in England’s NHS. These firms are already advising the NHS on how to deal with more “expensive” patients, and what services could be cut. And openDemocracy has also covered how unfettered access to British data, including health data, is also a key demand for US trade negotiators.
Diarmaid McDonnell of medical campaign group Just Treatment said: “For many patients this is not just about their data – it’s about the future of the NHS. We're sleepwalking into a health system where profits are prioritised over patients, with big tech and pharma corporations at the helm, shaping every decision about the care NHS patients receive.”
The largest public sector union, Unison, has called for the data upload to be delayed until there is greater transparency and consultation. The union called on the government to “harness the value” of our health data so that it can be “reinvested in health and social care”, rather than allowing access for next to nothing.
The government does not appear to have built in effective safeguards to protect the intellectual property arising from this precious data, meaning that the products and services corporations build from it could be sold back to the NHS for eye-watering sums.
Health data is extremely useful in the hands of medical researchers. But any involvement of private companies should be open to public scrutiny and debate. Without it, trust is damaged to the extent that legitimate researchers will be denied the kind of comprehensive data that could be most of use.
Indeed, mounting concerns about the government’s approach led to NHS Digital’s call centre “melting down” under the numbers of people calling them this week to request opt-out forms, with over half a million already having opted out, according to Phil Booth of medConfidential.
Meanwhile GPs – who are the legal guardians of patients’ confidential information – are deeply unhappy.
Rosie Sharpe, a GP at Doctors’ Association UK, said: “GPs were barely informed of this major change – how are patients expected to know about it?” and warned that the government’s approach made doctors’ lives “impossible”.
A growing number of GPs are refusing to hand over the data on 1 July, even if that means breaching a legally binding order from Matt Hancock.
Jan Shortt of the National Pensioners Convention said that the government’s approach had “excluded older people” and added the organisation was “very concerned about the lack of consultation and publicity about this except a lone government website. Most of our members have never heard of this.”
The race to get the scheme rolled out while the public and medical profession is still reeling from COVID means that there is little time for journalists and members of the public to use Freedom of Information laws to find out more about what’s going on – including how the government thinks its actions can possibly be compliant with the laws on data protection.
The government is hiding behind secrecy and ambiguity as it runs down the clock to 1 July.
So we’ve had no choice but to issue an urgent legal warning. Because we think the public urgently needs to know what the plans are for their personal information, and have the opportunity to consent – or not – before it’s too late.
The coalition is today launching a crowdfunder to cover the cost risk of the legal claim.
Get our weekly email