This blog was written prior to the government’s announcement on 8th June 2021 which confirmed that the GPDPR project would be delayed by two months until the start of September:
GPDPR: A lesson in transparency…or lack thereof
Heard of the GP Data for Planning and Research (GPDPR) programme? Quite possibly not, and almost certainly not from NHS Digital who are responsible for it. Details of the programme first began to emerge in April and May 2021 with the project scheduled to go live just a short while later at the end of June. A number of news articles have recently picked up on the GPDPR which has led to a fair amount of noise on social media. But what’s it all about?
Over the next four weeks, we’ll delve into the GPDPR programme to uncover the current shortfalls, the lessons that should have been learned from care.data, and what you will need to do to meet your obligations for GPDPR. This series covers:
- Lessons from history – the care.data debacle
- What lessons can be learned from care.data for GPDPR?
- Where could the GPDPR programme have improved?
- What can those affected by the GPDPR do now?
Hidden away on NHS Digital’s website, you’ll find a few web pages which explain the purpose of the project. You’re in the habit of routinely delving deep into NHS Digitial’s website to see what they’re up to with your data, right?
NHS Digital describe GPDPR as follows:
“The data held in the GP medical records of patients is used every day to support health and care planning and research in England, helping to find better treatments and improve patient outcomes for everyone. NHS Digital has developed a new way to collect this data, called the General Practice Data for Planning and Research data collection.”
“The new data collection reduces burden [sic] on GP practices, allowing doctors and other staff to focus on patient care.”
Sounds fairly innocuous – so why all the fuss?
To understand this we need to rewind things a little and see this in the context of a previously failed NHS project you may have heard of – Care.Data.
Lessons from history – the Care.Data debacle
It’s spring 2013. The then Health and Social Care Information Centre (HSCIC) had just announced their latest flagship project – Care.Data. The aims of the project were both ambitious and laudable. It sought to extract data from GP surgeries into a central database through the General Practice Extraction Service (GPES) for use in anonymised form by health care researchers, managers and planners including those outside the NHS such as academic institutions or commercial organisations.
Arguably, Care.Data wasn’t revolutionary. It intended to build on existing NHS data collections which had been in place since 1989. Data on hospital stays, known as hospital episode statistics (HES), had been collected and used for many years and had proved invaluable, playing a role in uncovering both the Bristol heart and Mid-Staffordshire scandals. It had also helped to provide some of the evidence that led to the introduction of targeted bowel cancer screening in 2006. By expanding data collections to include GP data it was hoped that this would allow insights into what was happening to patients when they were under the care of GPs.
The ambition of Care.Data to link patient data to support advances in quality and patient safety through the use of GP data sounds spookily familiar to the current GPDPR programme doesn’t it?
Wind forward to 2016 and the Care.Data programme had been scrapped with all the potential benefits it was expected to bring being lost. The BMJ put it well in their analysis in 2016:
“…if all had gone to plan, England would be reaping the early benefits of a national database of patients’ medical records spanning primary and secondary care. Patients would have the comfort of knowing that their records could soon be accessed wherever they were treated; the ability to monitor outcomes might already be suggesting better ways of doing things; and researchers might be starting to interrogate anonymised datasets to generate and test hypotheses.”
How could something which seemed so valuable, and which appeared to have employed so many safeguards around patient confidentiality, go so horribly wrong? More importantly perhaps, if the latest GPDPR programme is so similar Care.Data, what lessons should have been drawn from that previously failed programme to prevent history repeating itself?
Where did Care.Data get it so wrong?
The Care.Data project was plagued by criticism from the outset with condemnation coming from groups as varied as the British Medical Association, privacy campaign group Big Brother Watch and the Association of Medical Research Charities.
The primary accusation levelled at the programme was that NHS England had failed to effectively communicate the scheme and clearly explain its underlying purposes to the public. The importance of this had been highlighted previously by the late Dame Fiona Caldicott, the first National Data Guardian, in both her 1997 and 2012 reports into patient confidentiality and the use of data by the NHS. She was to later show her frustration that her earlier advice had not been headed in her third report completed in 2016 after Care.Data had been formally scrapped. In 2020 an 8th ‘Caldicott Principle’ was also introduced, clearly with failures of Care.Data acting as one of catalysts for its introduction:
“Principle 8: Inform patients and service users about how their confidential information is used
A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information – in some cases, greater engagement will be required.”
NHS England did distribute leaflets to all households in England in an attempt to publicise the Care.Data programme. Even this was criticised however (perhaps unfairly) for only describing the benefits of the scheme, and not including an opt-out form. There were also issues with the effectiveness of this approach with one report finding as many as two-thirds of the public had not seen the leaflets come through their letterboxes. A video animation was also produced, but it was only available on YouTube and NHS England’s website. There was no national TV campaign and no press conference called to launch the marketing campaign – unusual omissions for such a large scale and significant national project. When asked about the approach taken by NHS England, officials at the Department of Health stated that, had they been in charge of the programme, they would never have run it in that manner.
There was also a lack of clarity around the options available for opting out of the data extraction. Members of the English population who were registered with GP practices were informed that data on their health would be uploaded to HSCIC unless they exercised their rights to object by informing their GP. The process for doing so however was not clearly explained and in practice, involved individuals actively contacting their GP. This was seen by many as an unreasonably onerous task for both members of the public and for the GPs that would need to process those opt-outs through the addition of the relevant ‘opt-out codes’ onto patient records.
These issues were all compounded by concerns that data might be accessed by commercial companies. The BMJ described this as a “toxic possibility”, yet the programme commenced in 2013 without a decision on this key issue having been made. Indeed, a discussion to determine whether access by commercial companies would be permitted was not scheduled until March 2014 – nearly a year after the programme was first announced. How could members of the public possibly make an informed choice about the use of their data if the purpose and scope of the proposals had not even been decided?
Together this would prove to be a devastating combination for the programme. In the end, more than one million people opted out of the scheme. A damning indictment of the NHS’ failure to convince the public of the benefits of the scheme.
In the next part of our four-week series, we’ll look at the lessons that should have been learned from care.data for GPDPR; covering the impact on public trust, transparency, and individual choice and control.
How can 8fold help?
At 8foldGovernance we help you to resolve any potential barriers around the implementation of GPDPR, DCB0129 or any other data protection standards including the Digital Technology Assessment Criteria (DTAC). We will support you to better identify and analyse any problems in your workflow, understand the local architecture and select appropriate solutions that stand the greatest chance of achieving success. It’s what we do.
From planning prototypes, to medical device certification, governance, cyber security and marketing, we’ve got you covered. Contact us today for a free no-obligation chat to find out more about how we can help resolve your IG barriers, or help bring your innovation to market and achieve success.
Find out more about Our Services.
Do you meet the statutory requirements under DCB0129?
Ensure that clinical safety is a core practice for your organisation and that the statutory requirements for health IT in the UK (DCB0129) are met, including having a named clinical safety officer. To find out how we can help, contact us for a no-obligation call. We’ll help you to understand what your obligations are and also what needs to be done to ensure that you are compliant with the mandatory requirements.