GPDPR: A lesson in Transparency…or lack thereof (part 3)

This blog is part 3 in a series delving into the GPDPR programme to uncover what went wrong, the lessons that should have been learned and what you will need to do to meet your obligations for GPDPR.  Links to the other blogs in this series can be found here:

Part 3: Where could the GPDPR Programme have improved?

In fairness to NHS Digital and their GPDPR programme, the scope of the initiative does seem to have been fairly well defined.  The information which is available on the NHS Digital website specifically deals with many of the key questions:

The issues start, however, when it comes to effective public communications (or lack thereof).  The media reports and social media activity would seem to indicate that the publicity around the GPDPR hasn’t been anywhere near sufficient.  A Full Business Case was approved for the development of GPDPR in September 2018, yet the first publicly available information did not emerge until April 2021.  GPs across England were only formally notified of the programme 7 weeks prior to the intended go-live date (currently scheduled for the 1st July 2021) and, beyond a few web pages buried deep within the NHS Digital website which went live on 26th May, no other public communications appear to have taken place. Unless you are in the habit of trawling through NHS Digital’s website on a regular basis, it’s hard to see how the average member of the public could have reasonably known about this.  It seems bizarre given the obvious parallels to Care.Data, which was scrapped barely 5 years ago, and the criticisms that programme faced over its proposed uses of patient data and its poor approach to public communications.

Another area in which the GPDPR programme could have taken a more effective approach to transparency is the Data Protection Impact Assessment (DPIA) for the project.  The Requirements Specification document for the GPDPR released by NHS Digital states that it should be read alongside the DPIA, yet this wasn’t made publicly available.  Most concerningly, requests made to NHS Digital for the DPIA to be published or otherwise made available for review, even internally within the NHS itself, were not initially met. The reason?  The DPIA has been referred to the Information Commissioner’s Office (ICO) for review – something which is only necessary where a high risk has been identified which cannot be mitigated.  Of course, NHS Digital may well have chosen to refer the DPIA to the ICO out of an abundance of caution rather than in response to any specific risk; however, if nothing else, this is certainly enough to raise some eyebrows amongst cynics and sceptics.  Better to get the DPIA and all consultations completed prior to announcing a project to the public or committing to a go-live date.

Transparency vs Choice and Control

Linked to this is the issue of individual choice and control.  Although Type 1 Opt Outs have been available to patients since 2013 and the National Data Opt Out has been available since 2018, public and professional awareness of these still appears to be fairly low.  It only tends to be when new initiatives like this are announced that the public and professionals sit up and take notice of the way data is used and the choices patients have.  If the NHS is not transparent and proactive in communicating what it is doing with people’s data and what choices people have, how can individuals be expected to make informed decisions and effectively exercise meaningful control over their data?

Overall, the GPDPR seems to have overlooked the parallels and similarities to the ill-fated Care.Data programme, failed to learn the many lessons available from it, and failed to heed the repeated advice from the late Dame Fiona Caldicott within successive reports about the need for effective transparency and public communications.  It appears that NHS Digital may have significantly underestimated the level of concern the public would have with the GPDPR programme and in doing so, may have damaged (possibly irrevocably) public trust in the NHS to use patient data appropriately.

What are the wider implications of Care.Data and GPDPR?

Sadly, the impact of GPDPR may be more significant in real terms than its Care.Data predecessor.  In recent years the incredible value of patient data available within the NHS to support planning and research has increased significantly.  Large investments have been made at a local, regional and national level in data analysis tools to support Population Health Management (PHM) and other analytics activities.  These are designed to underpin a data-driven approach to the way NHS and social care services are designed, managed and delivered, hopefully leading to better decision making by system leaders.

If the GPDPR leads to a loss of public confidence and trust around the way the NHS uses patient data, this could easily translate into a large number of patients choosing to opt out and restrict the ability of the NHS to use their data for planning and research.  This seems like a distinct possibility given the public response to the GPDPR.  The completeness and accuracy of data available, and therefore its value, will be significantly diminished, potentially leading to inaccurate, ill-informed or incorrect conclusions being drawn from the data and as a result, poorer decisions being made.  With more and more data analysis being conducted at a local and regional level as well as centrally, this national programme could have a damaging effect on local initiatives which are dependent on processing patient data in support of planning and research.  I’m sure local health and social care systems and leaders won’t be thanking NHS Digital for this any time soon.

There is also the potential that, even though the GPDPR is solely about the use of people’s data beyond their direct care, people’s confidence in all data sharing could be damaged.  If people also start to object to or opt out of the sharing of their health and social care records to support their direct care, this could lead to patient safety risks with information being unavailable to those providing direct care to patients.

A further knock-on effect could be that the use of data by other organisations associated with the health and care sector, such as health technology providers or academic researchers, could also be tarred with the same brush.  Public confidence in these types of organisations is already at a lower level than that enjoyed by the NHS, often as a result of perceived links to the private sector, big pharma or big tech.  Unfair as it may seem, NHS scandals like the GPDPR can have unintended consequences beyond the NHS alone.

Next week

In the next and final part of our four-week series, we’ll look at what those affected by the GPDPR programme can do now, with some useful guidance to get you started. 

How can 8fold help?

At 8foldGovernance we help you to resolve any potential barriers around the implementation of GPDPR, DCB0129 or any other data protection standards including the Digital Technology Assessment Criteria (DTAC). We will support you to better identify and analyse any problems in your workflow, understand the local architecture and select appropriate solutions that stand the greatest chance of achieving success. It’s what we do. 

From planning prototypes, to medical device certification, governance, cyber security and marketing, we’ve got you covered. Contact us today for a free no-obligation chat to find out more about how we can help resolve your IG barriers, or help bring your innovation to market and achieve success.
