GP Data (for Planning and Research), 2021

This page covers events in 2021 – events before and after that are covered elsewhere.

After (v1.0) was finally cancelled in mid-2016, its last monthly Programme Board meeting took place that September. The replacement Programme Board started in the same calendar slot the following month – and culminated in a programme, General Practice Data for Planning and Research (GPDPR), that was supposedly ready to ‘go live’ in October 2019… then January 2021… then March 2021… then finally May 2021. 

The papers of that Board show how various promises to patients were removed over time, resulting in what happened next. To save you having to read them all, we have compiled a blow-by-blow timeline of the evolving programme in their own words.

At its meeting in March 2021, the Programme Board decided to reduce the frequency of its meetings because it believed there was little left to do. medConfidential were first formally told about the GPD(f)PR programme towards the end of March 2021, a couple of days before it was due to launch. What we said caused an immediate and, at that point, indefinite delay.

Our engagement in subsequent weeks covered a broad range of issues including:

  • lack of proactive communication with both GPs and the public (‘fair processing’); 
  • the amount and types of sensitive data that would be extracted; 
  • the purposes for which the extracted data would be used; clearly not just ‘Research and Planning’; 
  • the legal bases for processing, and the way in which GPs would be required to surrender their patients’ data;
  • problems with the Data Provision Notice, and the absence of a (mandatory) Data Protection Impact Assessment;
  • the copying (‘dissemination’) of data to third parties, and transparency around that; 
  • the broken consent / dissent processes that patients were (not) being offered.

On this last point, it should be noted it was medConfidential who fixed several aspects of the National Data Opt-out forms, as evidenced by the metadata of the PDF form for families with children. An NHS form for Type 1 opt-outs was only created when it was pointed out that otherwise medConfidential would be the only ones offering such a form to the public. medConfidential were also the only ones who posted patients the necessary opt-out forms for free throughout the entire period. 

On 12 May 2021, the programme was publicly announced with the publication of a Data Provision Notice (DPN) to GPs, a news article on the NHS Digital website, and a background briefing for some members of the press.

As noted above and in various board papers, at launch there was still no Data Protection Impact Assessment (DPIA) for GPs to assess, no proper patient information, an overly complex multi-step opt-out process, and no widespread public notification.

Nonetheless, the publication of the DPN began a 7-week countdown to the first data extraction from GP systems, and press and public scrutiny began. 

Media pickup was initially slow – not least because it appears NHSX failed to send out a general press release to all journalists – but early pieces in The Register and Byline Times began to draw attention. Public awareness grew with the publication of a story in the Financial Times on Foxglove’s legal challenge to the ‘GP data grab’ and, as official statistics later showed, over 1.25 million patients opted out in June alone:


Meanwhile, officials at NHSX and DHSC assured their press liaisons that improvements to the programme were coming, in an attempt to mitigate some of the worst problems. Then the Director of Policy and Strategy at NHSX wrote a briefing to Ministers assuring them that nothing needed to change.

Nothing changed.

The programme’s so-called ‘fact check’ got fact checked, and was found to be so misleading it was removed. And with officials still trying to stick to their artificial deadline, Ministers realised they had been misled – and just days later on 8 June 2021 the start of GPDPR data extraction was publicly delayed for the first time, until 1 September.

A couple of weeks later, in an adjournment debate on the ‘Use of Patient Data’ in the House of Commons, David Davis MP and the Secretary of State for Health in his final Parliamentary appearance both agreed on the risks of disseminating patient-level data. (That the examples given were for hospital data suggest what comes next must cover that too, not just GP data.)

In the debate, Matt Hancock proposed a number of important changes, most notably “strengthening the opt-out” and ending the dissemination of pseudonymised data; instead access would solely be via a Trusted Research Environment (TRE).

On 19 July 2021, these were confirmed by Parliamentary Under Secretary of State for Health, Jo Churchill MP, in a letter she wrote to GPs officially pausing the GPDPR programme for an indefinite period. Before it could proceed, and before any patient’s GP data is extracted, the Government said four ‘tests’ must have been met:

  • the opt-out backlog will be cleared [this was largely achieved by early September];
  • patients who choose to opt out from having their data extracted will be able to delete their data, even if it has already been uploaded;
  • NHS Digital will implement a Trusted Research Environment (TRE), and access to data will be via TRE-only;
  • patients will be made aware of the GP data scheme through a campaign of engagement and communication.

The programme is still under a name that appears designed to mislead and confuse the public (GDPR? GPDPR?) about the protection of their data, though it will probably have to be renamed before making another public appearance. Meanwhile, DHSC and NHSX NHS England’s ‘Transformation Directorate’ are spending vast sums of public money on consultants, trying to figure out communications  – with still no detail, months later, on what will be communicated or how.

See the ongoing story for what happened next.