If you are registered with a GP in England, the government has demanded your GP upload your full medical history to a central database on 1 September – but there are serious concerns about who will have access to your data and what they will do with it. Here, we answer your top questions following on from our live expert discussion on 1 July about the data grab.

1) Who owns my GP data?

No one ‘owns’ personal data. In UK law, your GP is the ‘data controller’ of your individual GP records – you have legal rights, and your GP has a legal duty to protect them.

(How we all can benefit from the use of health data collectively, is a bigger question – one that requires a political debate to scrutinise the bold claims of Big Tech against what we really want the future of health provision to look like).

2) So can the government force GPs to hand our data over?

Some GP practices are already saying they won’t comply with the direction to upload our data, due to their lawful data-protection obligations.

But they are under pressure, and many are not well informed themselves.

Many GPs are concerned that there aren’t enough protections to prevent inappropriate access to our data by organisations and companies, including commercial exploitation of patients’ “pseudonymised” but re-identifiable personal data. They are also worried about patient trust – after all, this is highly sensitive data with detail on everything from our mental health to our sex lives, as well as our medications and treatments.

openDemocracy thinks the government’s actions breach current data protection law – which is why we’ve joined forces with Foxglove, Just Treatment and others to mount a legal challenge. But that takes time and money, and outcomes are never certain.

3) So what can I do if I want to be sure my GP data won’t be uploaded to a central database?

You need to give or send a ‘Type 1’ opt out to your GP – for yourself, and for your children if you have them. The easiest way is to print out a form and hand it in to your local surgery. If you don’t have a printer you can ask NHS Digital (0300 303 5678 / [email protected]) to post you the Type 1 opt out form. You should do this as soon as possible (to make it easier for your GP) but definitely before 25 August.

Following pressure, the government has agreed to delay the upload by a couple of months to 1 September, but so far, it’s not clear that they’re going to use that time to improve the flaws sufficiently.

4) Will opting out affect my medical care?

Absolutely not. This is one of the most misleading claims, which has even confused some NHS staff. If you opt out from having your GP data extracted for “Planning and Research” purposes, doctors and nurses treating you will still be able to access your medical records for your direct care. “Planning and research” is government and NHS shorthand to describe uses of your data for purposes other than your individual care – which includes public and private sector-funded research, health service planning and policy-making, and commercial re-use.

5) Can I be selective – allowing legitimate, public interest uses of my GP data while stopping private firms from getting it?

Unfortunately not. So far, the government is not giving people the option to choose what kinds of “research and planning” purposes – and by what kinds of organisations – their data is used for. So it’s all or nothing. You can either opt out of your GP data being fed into the central “research and planning” database, or not.

6) What else can I do in addition to opting out?

Tell others what’s happening and how they can opt out. The last time the UK government tried this kind of data grab, in 2013, it was defeated because millions opted out. For the data to be usable, it must have been collected lawfully and ethically – and the programme must be able to demonstrate it has public trust. (It’s worth saying that openDemocracy was amongst the first to cover that earlier attempt. So do consider funding our journalism so we can keep digging and keep everyone informed).

Write to your MP – this is a cross-party issue, with MPs from Labour’s Dawn Butler to the Conservatives’ David Davis MP expressing strong concern.

Sign our petition – and donate to the crowdfunder of the legal challenge.

Talk to your GP. See if they are aware of the issue and that other practices are refusing to comply, and check they know what to do with their patients’ Type 1 opt outs.

7) Doesn’t the government have my data anyway?

Information on hospital attendances is already held centrally – and there are already concerns about who this is being sold on to – though this data tends to be less comprehensive than GP data. There is a separate opt-out for this, though it has no specific deadline. This page from MedConfidential explains in detail. The key point is that at the moment your GP data is controlled by your GP and no one else – once it leaves the surgery, it’s hard to be confident it will be fully protected, on the basis of current information from government, unless you complete and hand in or send your GP a Type 1 opt out form.

8) How are people supposed to know this is happening?

Good question! Aside from some pages buried on the NHS Digital website, the government has so far largely left it to GPs to inform people – even though GPs themselves haven’t been well informed or supported about what’s going on. Share this article – and spread the word!

9) If I opt out, can I selectively opt in if I want to take part in specific research projects, like Biobank?

Yes. The normal procedures for research projects will apply and the opt out will not affect any that you consciously choose to be part of.

10) What could the government do to make the system acceptable?

For starters, it could write to every patient by name, enclosing any forms that they need, and give them enough accurate information to make their own informed decision about whether they want to opt out, or not.

The Data Protection Impact Assessment for the scheme must be published, and independently approved by the medical profession. And all data that is collected must be held in a ‘Trusted Research Environment’ – a highly secure setting with robust rules and procedures that restrict access to legitimate, trusted researchers and analysts.

11) I just don’t feel I know enough to make a decision, what should I do?

If you opt out, you can always opt back in at any stage if the scheme is improved and your concerns are addressed. But if you don’t opt out before your GP data is uploaded, your lifelong GP history will be taken, and never deleted.

12) Does the scheme also apply in Scotland, Wales and Northern Ireland?

No. This affects the data of patients currently registered with a GP in England only.

Scotland and Wales already have their own systems for research uses of patients’ data, known as SPIRE (Scottish Primary Care Information Resource) and SAIL (Secure Anonymised Information Linkage) respectively. Whilst not perfect, both of these have some safeguards to prevent data being accessed by companies unknown. Having said that, some regions of Scotland are developing a project called DataLoch’, which is raising concerns – and which we are investigating.