Matt Hancock has quietly told your GP to hand over your health data. Why?
If you live in England, all your encounters with your GP – information about your physical, mental and sexual health – could be ‘sold’ to third parties
From 1 July this year, if you’re registered with a GP in England, the government will be taking a copy of every medical event your GP recorded on their systems since you first registered with them. (Your children’s records, too, if you have children.)
According to the NHS website, the events – called ‘codes’ – it will collect include: “Data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments, including information about physical, mental and sexual health”.
Every single one of these events will be linked to your NHS number, your full postcode and your date of birth. Does that sound like “anonymous” data to you? (The ‘pseudonyms’ that will be used to obscure those bits of information are readily reversible, and the body running the database freely admits it has the ability to do so.)
All your encounters with your GP, once copied to the central database, will be “disseminated” for payment to third parties, including companies outside the NHS. (In case you find that hard to believe, here’s this year’s price list for the data already held centrally, such as that of your hospital visits). Did you have any idea your medical data was worth so much... or so little?
Once it has been taken, your GP data – much more sensitive than data about hospital visits – will never be deleted.
You’d be forgiven for not knowing any of this, because the government is making little effort to tell you. Indeed, NHS Digital – the central NHS body that health secretary Matt Hancock last month ordered to extract all of this health data – appears not to have sent out a press release, announcing the programme via a news item on its own website on 12 May.
You might, at this point, be getting a sense of deja vu. The last time the government tried to get its hands on our GP data, through the notorious ‘care.data’ programme announced in 2013, there was an outcry from patients and professionals. The scheme collapsed, with the government unable – or unwilling – to convincingly reassure people about who exactly would end up having access to our GP records.
This new 2021 plan is the government's failed 2014 programme, 'care.data', on steroids
This new 2021 plan is care.data on steroids. It’s far bigger, taking far more data. It’s far more intrusive, collecting highly sensitive codes, such as those relating to sexual health or drug and alcohol history, that even care.data wouldn’t dare touch. And it’s being rushed out in far more of a hurry – with less notice, less communication, and less time to act than in 2013 – while we’re in a pandemic and GPs are “overwhelmed” with a backlog of care and delivering vaccinations, as the BBC reported on 27 May.
At least care.data sent a junk mail leaflet to every household in the land about its planned massive data slurp, kicking up such a stink that people got wind of how to opt out of it. Indeed, part of the reason for the scheme’s collapse is that so many people did exactly that.
So the main lesson that the government appears to have taken from the care.data debacle is that if you want to obtain people’s GP data, to share with whoever you see fit, you need to do so on the quiet.
NHS Digital’s ‘mythbusting’ web-page about data sharing confusingly directs people to a different, weak ‘opt-out’ link that won’t actually prevent your GP records being taken from 1 July.
So why does the government want your data so badly?
One reason is the good it can do. No one disputes that health data can be used to help with planning, in legitimate ethical research, or to improve systems for health and social care. But in order to preserve the trust that is necessary to the health of the health system, both doctor-patient confidentiality and public confidence, every use of patients’ data must be consensual, safe, and transparent. After all, your GP record is the most rich and most valuable kind of health data there is; while hospitals treat ‘conditions’ and discharge you, general practice builds lifelong care relationships – and records everything relevant to your medical history; be it your physical, mental or sexual health.
The other reason, and the one the government is talking about the least, is because it’s so valuable to others. To the “entirely new industries” the government’s life sciences adviser, John Bell, proposed in 2017 as part of its Life Sciences Industrial Strategy. To the profit-seeking corporations that are already gaining access to copies of patients’ hospital data – often via ‘information intermediaries’, who need only pay a one-off extra £10k to guarantee their customers’ names don’t show up in any public lists. And even to customers (firms and public bodies) who have broken the rules (or the law) in the past, despite a promise from the government after care.data that those who did so deliberately or repeatedly would face a "one strike" ban from any future access.
And it’s your GP data next.
The additional statutory protections the government added in 2014, limiting data-sharing to being used for the “promotion of health”, clearly haven’t stopped the international trade in patients’ data with US companies, pharma, even big tech – all of whom continue to access the data they’re so hungry for, via “sub-licensees”.
A look at the kind of companies that are already accessing the data, shows them offering services to their customers including market insights for commissioners, strategic market access, even selling back to the NHS... but still NHS Digital says “we don’t approve requests for marketing purposes”.
Maybe it doen’t. Not directly. But it does regularly hand millions of people’s linked hospital histories to companies that serve those who do. And that’s the very same approvals process it will be using for your GP data later this year.
It’s also instructive to look at what has happened to the GP data that has been gathered under the extraordinary pandemic ‘Control of patient information’ powers for nearly a year. We were reassured that COVID-related data would largely be analysed in a highly secure ‘safe setting’, preventing onwards use and dissemination. But MedConfidential's analysis of the official release registers show that nine times out of ten, that ‘safe setting’ has not been used.
So much for reassurances. Trust is not about the good you could do, it’s about the less savoury stuff that still gets done. And no process is secure or trustworthy if there are ways to get around it.
But save your anger at NHS Digital. It’s more scapegoat than instigator; as a statutory body it can, and must, do with data what Matt Hancock and Boris Johnson tell it to do. Hancock directed NHS Digital to do this and not tell you.
The government wants your GP data, and it hasn’t given GPs much of a choice – but you can do something. Opt out. By 23rd June.
Get our weekly email