Campaigners challenge NHS England's latest plan to share patient data

Warrington, United Kingdom - March 6, 2016: Warrington, UK - march 6, 2016: View of the NHS (National Health Service)  logo at the Springfields Medical Centre in the centre of Warrington, Cheshire.

Remember the debacle? Now, a new move by NHS England to move the records of 55 million patients into a database that will be accessible by third-party companies is under fire by privacy campaigners, who claim it could be unlawful. 

The new General Practice Data for Planning and Research (GPDPR) service was unveiled earlier this month by NHS Digital, which described it as a way to "improve" the collection of patient information that would allow better planning of healthcare services and use of data in medical research.

People can opt out of the scheme by filling in a form and taking it to their GP before 23 June, but campaigners say this has not been communicated effectively.

The government's last attempt to shake up patient data-sharing – 2013's scheme – suffered from a number of false starts and was eventually shut down in 2016.

Its demise came after the Caldicott review into safeguards found issues with consent and opt-out processes. By then, a million patients had opted out of the programme.

Campaign group Just Treatment, with the help of legal firm Foxglove, has sent a letter to the Department of Health and Social Care questioning the lawfulness of the plan, such as the short six-week opt-out period which gives people limited time to consider the changes.

The main complaint is that the public has not been adequately consulted on the plans, and there are a number of unanswered questions, such as who gets access to the data and on what terms, and who benefits – the public, the NHS or private companies?

In the case of, every household in England was informed of the plans via a leafleting campaign. The earlier scheme also only included prospective information, but the GPDPR will cover a patient's entire medical history.

"If you're going to pool the health records of 55 million people you have got to ask their permission," said Foxglove's Cori Crider on the BBC Today programme this morning.

"People I think are open to their health data being shared if they are asked, but once you start to talk about commercial access for pharmaceutical companies or large tech companies, that trust starts to erode very quickly," she added.

Responding to the claims, Dave Roberts, head of primary care information at NHS Digital, told the BBC that pseudonymised data is already being used every day to plan use of NHS resources, including the COVID-19 vaccine rollout.

"This is simply a way of better coordinating that, and making it easier for people to access that data and do planning and research," he said.

The changes had been communicated via the press, the NHS website, and via communications to GP practices "so they can make this information available to all patients," continued Roberts, adding that the opt-out option has been available to anyone since 2013.

NHS Digital insists that the GPDCR "has been designed to the most rigorous privacy and security standards, to meet patient expectations with regards to the confidential management of patient data", and patient information "is only shared with organisations who have a legal basis and meet strict criteria to use it".