The inevitable and afterwards – GPDPR Situation Report 7

medConfidential’s GP data grab Situation Reports are a series of updates sent to stakeholders; this one is public.

The long delay was inevitable

The announcement of the short delay in June to 1st September was largely due to NHSx and DHSC thinking they understood their mistakes; as the GPDPR Data Provision Notice has now been withdrawn, and any new DPN will have process to go through, GP data collection can now begin no earlier than the 2nd September.

The next announcement, of a longer delay, will mark the inevitable realisation of the magnitude of these past mistakes – a delay already referred to by the former Secretary of State in his last speech at the despatch box, where he said:

It will take some time to move over to the new system, hence I have delayed its introduction, but we have also made that delay to ensure that more people can hear about it.

Both the Secretary of State and David Davis MP also entirely agreed in that debate on the risks of dissemination. It is therefore clear that the (very welcome) commitments on the use of Trusted Research Environments must apply to hospital data, e.g. HES, as well as GP data.

This realisation may yet come slowly. On HES, it may take a legal opinion quoting the Secretary of State’s speech, next to the ICO’s guidance on UK GDPR and DPA 2018, next to current DHSC policy that requires NHS Digital to disseminate the sensitive, identifiable personal data of every hospital patient in England – even if they have dissented – thousands of times a month. 

We understand it will be difficult to decide today, that from tomorrow HES is identifiable special category personal data, when the data was disseminated yesterday (and for years before).

The best time to have complied with the UK’s 2018 Data Protection Act was in May 2018; the second best time is now.

Sequencing of Events

While the delay was announced so the Trusted Research Environment (TRE) could be built to the satisfaction of research, there is now time to do everything in the right order. Hopefully.

NHSx may have gotten to choose the starting point but, as the Health and Care Bill demonstrates, it missed the boat. The headline focus of the Bill, Clause 1, formally re-names NHS England, but nowhere in the Bill does NHS Digital get a re-name. Perhaps DHSC expects to use its new powers to abolish NHS Digital – thereby abolishing the statutory safe haven? That is untenable.

There is, however, still time for the proposed legislation to be amended to resolve some critical data trust issues. The Bill should, for example, have a hook to put the National Data Opt-out onto a statutory footing – so patients can know and have confidence in what the rules are, so the profession all know what the rules are, and so the various national bodies know what the rules are – and so that everyone knows how those rules can be changed (in either direction) in future.

As the use of GP data evolves, there should be discussion as to whether the National Data Opt-out (NDOO) should apply to data leaving GP systems and going to NHS Digital, or not. If the conclusion is that it will not, then the Type 1 GP data opt-out must live on. If the NDOO were to be clarified in legislation to have the same effect as the current GP opt-outs, then Type 1s could effectively be deprecated for all but the most critical concerns – for a statutory opt-out is much better than a non-statutory one.

Hospital data

All of the examples given in David Davis MP’s adjournment debate were to do with hospital data, and the Secretary of State agreed on the risks of disseminating patients’ identifiable GP data, explicitly stating his intent that “The dangers that come with the dissemination of pseudonymised data are removed.”

So why is NHS hospital data not also being made ‘TRE-only’ from summer 2021 onwards? 

If NHS Digital and NHSEx wish to demonstrate to the GP profession (and to patients and the public at large) that the TRE-only approach will work, the most straightforward way to do so would be to show it working for the hospital data NHS Digital already collects – with a variety of researchers and, say, NHS England’s ‘Data Services for Commissioners’ Regional Offices (DSCROs) demonstrating good use of it. 

Such a transition should also make the DSCROs and other ‘DHSC / NHS family’ users far happier, as they will be getting both a much better data analysis environment for their ongoing work, while increasing safety as well. 

As the Health and Care Bill puts obligations on Integrated Care Systems to ‘use more data’, such patient-level data usage should also all be in formally NHS-accredited Trusted Research Environments – initially NHS Digital’s, also ONS’s or Genomics England’s. (‘Five Safes’ TREs are entirely achievable, but some will claim they meet the standard when they do not. Hence the need for formal, likely mutual, accreditation; trust in all being dependent on the weakest link in the chain.)


The need to communicate directly to the entire public actually makes other problems easier to resolve; with the data opt-out definitions written down in legislation, what is left for debate (as was the case in 2014) is exactly what text will fit on two sides of A4 – the text for the opt-out / opt-back-in form being derived from the legislation itself. 

This process could start with the last consensus draft of the Advisory Group letter because, as a public advocate of the programme said, GPDPR is

NHS Digital, NHSx, and the new power to amend legislation

While NHSx may choose how many (NHSx-liveried, crowd pleasing…) elephants are in the ‘tech vision’ parade, it continues to be NHS Digital that has to follow it around with a shovel. And whoever holds the shovel will forever be in tension with those who want more elephants.

Many of the persistent problems around data are the result of such tensions, not necessarily the organisation itself that is making a decision. The same criticisms of NHS Digital would apply to the cancer registry, which learnt the hard way that giving data to a “causes of cancer study” is not such a good idea when the study is run by a tobacco company.

Someone has to enforce the rules that DHSC advertises as “strict”; that is currently NHS Digital.

It is not NHS Digital that decides what data uses there could be – it responds largely to requests. Sometimes it recognises that a request is valid but that an analysis would be better done by someone else. (A “causes of cancer study” is not inherently a bad thing.) But, as a result, NHS Digital gets a reputation for saying no to people – mostly because few notice the thousands of data file releases it does make every month.

It is, and should be, the job of a statutory safe haven to have a deep understanding of what is possible, what is legal, and of the necessity of keeping promises to patients. (Keeping promises not being a recognised strength of this Government.)

Any body fulfilling the role of safe haven must be transparent about where data goes. NHSEx have been actively dishonest in that regard, and – even if that was initially a mistake – have then explicitly refused to correct the record, and have repeated the dishonesty.

Differing interests may not like individual decisions that NHS Digital takes, medConfidential included – but what must be recognised and emulated is that it tells the public what those decisions are and why they were made, and people can know what we don’t know.

With DHSC and NHSEx, however, the cronyism and corruption of the Government’s approvals processes means not only is there no picture of what we don’t know, there appears to be an explicit desire to make sure no-one knows. 

Perhaps we are being unfair on the ‘organisation’ behind the first version of the NHS COVID-19 app that barely made it to pilot stage; the group which pushed GPDPR forward against expert advice, and which vetoed suggested improvements of GPDPR before it collapsed; the outfit that misleads stakeholders on what it publishes; which simultaneously added domestic vaccine passports for users of the NHS app, and which (still) expects NHS patients to hand an unlocked smartphone to the border guards of a hostile nation,  but we believe one’s actions speak for themselves.

(Of course, the person who signed the GPDPR Direction got promoted shortly thereafter. When NHSx is abolished, NHSx policy functions should really revert to DHSC – not because any particular incumbent has any particular talents, more because officials always move on.)

If NHSx – or any actual NHS bodies, for that matter – wish to be seen as trusted, they must show themselves to be trustworthy. Downgrading the statutory safe haven and/or transferring its statutory powers without reference to Parliament is unlikely to help in this regard.

New Secretary of State and Life Sciences 

To push our earlier analogy, some of Sajid Javid’s team will be retracing the path of Matt Hancock’s elephant – with a shovel to clean up those emissions that still litter the building.

And those whose ‘Vision’ is less rose-tinted will recognise the “alignment” claimed in the restated Life Sciences strategy was prompted more by the overwhelming necessity of combating a common enemy than any real change in institutional politics or public attitudes. It is notable also that the stakeholders on whose data the Vision depends, the public, get short shrift in a document whose focus is to “deepen collaboration and trust between Government, the NHS, and the [Life Sciences] Sector”.

Aspirational statements for “the full support of patients, the public and NHS, and must build trust into [the Vision’s] delivery” are hard to square with the far more clearly-defined intent that: “governance and oversight of NHS health data must be simplified to drive research and innovation”.

We welcome the commitment to consensual, safe, and transparent data infrastructure for a 21st century health and care system; as we have been saying for years, a modern TRE for research and all other secondary uses is inevitable. The best time to have started was in 2013; the second best time is now.

Available next steps: