GPDPR: An astounding lesson in Transparency…or lack thereof (Part 2)

This blog was written prior to the government’s announcement on 8th June 2021 which confirmed that the GPDPR project would be delayed by two months until the start of September.

This blog is part 2 in a series delving into the GPDPR programme to uncover what went wrong, the lessons that should have been learned, and what you will need to do to meet your obligations for GPDPR. You can read Part 1 of this series here.

Part 2: What lessons can be learned?


The first lesson to be drawn from Care.Data is the need for a clear and well-defined scope whenever a project involves the use of people’s data. In hindsight, it is difficult to see how the question of whether patient data would be shared with commercial companies was not identified as something that needed to be settled before announcing the programme to the public. Rather than focus on this specific issue, however, the lesson to be drawn is much broader.

Questions around the purposes for which people’s data will be used, the extent to which data will be shared, and the potential recipients of the data go to the heart of what the public are concerned about. This is not to underplay the challenge this often poses: it is exceptionally difficult to peer into the future and anticipate all of the ways data may one day prove useful so that this can be communicated to individuals up front. Just because something is difficult, however, does not mean it cannot (or should not) be done. In fact, the questions of purpose, sharing and potential recipients of data are not only of crucial importance to the public; they are essential for ensuring compliance with data protection and confidentiality law.

Data Protection Impact Assessments

Having clarity of scope also makes accurate and effective public communication much easier and reduces the risk of awkward questions arising which cannot be answered, potentially eroding the confidence and trust of the public. An excellent way of assessing whether scope has been well defined, and then deciding how best to approach a project involving data, is to embed a ‘data protection by design and default’ approach into project delivery.

Data protection by design and default can be achieved by following a Data Protection Impact Assessment (DPIA) process throughout the lifecycle of a project. This helps to identify where material changes to the scope of a project may be occurring and where further communications, additional mitigation activities or safeguards may be required. It can also be incorporated into a robust change management process so that any unforeseen developments which arise in the future are identified and assessed at an early stage. Preventing unintended and potentially damaging scope creep in projects involving personal data is essential, so it is important that DPIAs are treated as an ongoing process and not a one-off exercise at the start of a project.


Publishing DPIAs (or summaries of them) can be an excellent way to build public trust and improve transparency. When people understand how their data is being used, and can see that organisations are treating their personal data with care and respect, they tend to be more willing to allow their data to be used.

A 2018 report by Healthwatch England showed that public trust in the NHS in terms of data sharing remained fairly high at almost 77%.  

“When compared with other sectors including banking, retail and government, the health sector is…seen as the most trusted in terms of keeping people’s data safe and the most likely to use data appropriately.”

That still leaves nearly a quarter of the population, however, who are somewhat sceptical (or perhaps even downright mistrustful) of the NHS when it comes to data use and sharing. That is a large and potentially vocal minority which cannot be ignored. Indeed, if that 23% of the public were to translate their scepticism into some form of opt-out from data sharing, that is a painfully significant portion of the population whose data would not be available for use. Ask any clinician, data scientist or analyst and they will tell you how challenging their job becomes when nearly a quarter of the information they need is unavailable.

Clearly, therefore, effective communications which convey the scope of any initiative to the public in a transparent manner are essential. This needs to take into account both the content of the communications and the manner in which they take place.

A national leaflet drop and some YouTube videos were seen as insufficient to publicise Care.Data, so more is clearly needed to support any programme of a similar scale or focus in the future. TV, radio, print media and social media are all avenues through which messages could be communicated more effectively to the public at large. Special interest groups such as patient groups and well-known charities are also excellent ways to publicise schemes to hard-to-reach groups, or to those who may have a particular interest in how their data is being used (and who may also be the most publicly vocal or critical if not engaged with in a positive way).

Individual Control and Choice

Lastly, the issue of what control or choice individuals have needs to be tackled head on. Individuals have the right under data protection law to object to the purposes for which their personal data will be used (although, interestingly, there are circumstances in which objections do not need to be upheld). Current NHS policy also gives patients the ability to ‘opt out’ of various uses of the data which the NHS holds about them. NHS policy in this area is, however, woefully out of date and has been far too slow to change in order to keep pace with, and effectively support, changes in the way NHS data needs to be used. Some attempt was made to address this following the recommendations of the 2016 Caldicott report:

“Recommendation 11: There should be a new consent/ opt-out model to allow people to opt out of their personal confidential data being used for purposes beyond their direct care. This would apply unless there is a mandatory legal requirement or an overriding public interest.”

The National Data Opt Out was introduced in response to this recommendation; however, it was rather unhelpfully launched in May 2018, the same month that the General Data Protection Regulation (GDPR) came into force. You may remember receiving a large number of emails around that time from anyone and everyone you had ever bought something from, talking about your personal data and asking for your consent in response to GDPR. On reflection, even NHS Digital would probably admit this was not the best time to launch something relating to the use of people’s data, as it meant much of the messaging was lost amongst, or confused with, everything surrounding the GDPR.

Furthermore, the National Data Opt Out is extremely limited in its scope. In practice it only really applies to the very small number of data disclosures which occur under Section 251 of the NHS Act 2006 and have been approved under Regulations 2 and 5 of the Health Service (Control of Patient Information) Regulations 2002 (and even then there are numerous exceptions which can still allow a person’s data to be shared or used). It is therefore by no means an effective way for patients to control the way their personal data is used. The NHS has clearly recognised this, as an alternative method of opt-out, known as a ‘Type 1 Opt Out’, remains available to patients to control the use of their GP data. Type 1 Opt Outs are applied by GP Practices within the patient’s electronic GP record and prevent any data from leaving the Practice for any purpose beyond the individual’s care.

Even the most generous analysis of the situation, however, would not describe this as a simple or straightforward approach, either for the general public or for GPs, who invariably have to handle complex patient enquiries relating to opt-outs and then potentially apply them within the GP record.

Next week

In the next part of our four-week series, we’ll look at where the GPDPR programme could and should have improved following lessons from 

How can 8fold help?

At 8foldGovernance we help you to resolve any potential barriers around the implementation of GPDPR, DCB0129 or any other data protection standards including the Digital Technology Assessment Criteria (DTAC). We will support you to better identify and analyse any problems in your workflow, understand the local architecture and select appropriate solutions that stand the greatest chance of achieving success. It’s what we do. 

From planning prototypes, to medical device certification, governance, cyber security and marketing, we’ve got you covered. Contact us today for a free no-obligation chat to find out more about how we can help resolve your IG barriers, or help bring your innovation to market and achieve success.

Find out more about Our Services.

Do you meet the statutory requirements under DCB0129?

Ensure that clinical safety is a core practice for your organisation and that the statutory requirements for health IT in the UK (DCB0129) are met, including having a named clinical safety officer (CSO). To find out how we can help, contact us for a no-obligation call. We’ll help you to understand what your obligations are and also what needs to be done to ensure that you are compliant with the mandatory requirements.
