NHS Digital’s decision to push back the deadline for patients to opt out of the GP Data for Planning and Research scheme (GPDPR) – a scheme to allow patient GP records to be extracted and shared to a central NHS Digital repository – has re-invigorated societal debate about the sharing of patient records for purposes beyond individual care and the governance of patient data (who would be accessing patient records and for what purposes).
There is considerable discussion in the public domain about the current state of play. Support for the goals of GPDPR, intended to respond to the challenges of data collection and linkage during the pandemic and to support research that benefits patients, is combined with suspicion that the data could be misused, particularly in the hands of third-party commercial organisations. Public discussion is important, and – supported with evidence and facts – will increase clarity and reduce confusion. This piece is intended to clarify some key points and enable a better societal engagement with GPDPR.
The GPDPR is a proposal to legally mandate GP practices to deposit all their patients’ records into a central store held by NHS Digital. This would allow NHS Digital to share those records for purposes other than patient care, so brings into question the governance of patient data, particularly as it relates to data sharing with third parties for research and commercial purposes.
Similarities with the 2013 NHS England Care.Data proposal (2013) are striking. Proposed to ‘link information from different NHS providers to give healthcare commissioners a more complete picture of how safe local services are, and how well they treat and care for patients across community, GP and hospital settings’, Care.Data went through a cycle of discontent and ‘techlash’. Criticism that the proposal was announced with limited consultation engendered widespread concern from professionals, civil society and members of the public, leading to the plans being scrapped in 2016.
Much has changed since 2013. From Cambridge Analytica to DeepMind’s private public partnership with the NHS’s Royal Free Trust, found to breach the Information Commissioner’s Office’s guidelines, and the introduction of the EU General Data Protection Regulation (GDPR), public awareness about how data is used has increased, just as increasing datafication has amplified the power imbalances that exist around data use.
The public response to the GPDPR proposal shows that there’s still much to be learned about the governance of third-party data deals and engaging the public in meaningful debate so they can help shape decisions before they are made.
Our five messages are:
- Facts matter to people: it’s important to get the facts right, and to take collective responsibility for communicating them clearly.
- GPDPR and Care.Data are use cases that reveal how ‘decide, announce and defend’ approaches to decision-making can undermine trusted uses of data.
- Trustworthiness must be demonstrated first, and trust and support will follow.
- Good communication and transparency must be accompanied by a more open, deliberative approach to engaging the public in high-stakes decisions.
- Good public engagement must move beyond informing people, and towards enabling patients and people to shape decisions about their data.
1. Getting the facts right: two opt-outs, one (moved) deadline
To fully engage with GPDPR, it is important to clarify some facts around what this ‘Type 1’ opt-out refers to, particularly in relation to the existing opportunity patients have to opt out – the National Data Opt-out. Limited knowledge about the two opt-outs has itself generated confusion. Understanding how the two opt-outs work alongside each other influences our understanding of the agency patients have when it comes to decision-making about sharing data with third parties (i.e whether they wish to do so or not).
i. The National Data Opt-out
In May 2018, the NHS announced plans to enable wider data sharing and use from patients’ medical records across health and social care. This came with the National Data Opt-out, where patients could register a preference for their confidential information not to be shared legally with different organisations beyond the purpose of providing individual care – including for management, research or planning purposes.
Those accessing this data would not be mandated to ask for consent, as these purposes would be allowed under certain GDPR processing (public interest) rules. To date, this opt-out has no deadline, and patients can continue to register their preference for their confidential information not to be shared for purposes beyond what is necessary to provide care.
Withholding consent under the National Data Opt-out would stop NHS Digital from sharing data beyond what was required for someone’s care. Unless patients exercise their National Data Opt-out, NHS Digital will be able to share data with different parties for secondary purposes including research and planning.
ii. GPDPR: the type 1 data opt-out
The latest controversy relates to the GPDPR data-sharing proposal – and engages questions about the expiration of the type 1 data opt-out, which was originally June 2021 but has recently moved to September. Exercising a right to a type 1 opt-out means that GP practices cannot deposit someone’s data with NHS Digital.
While patients are still able to exercise their opt-out rights for sharing with third parties under the National Data Opt-out (see above), both the deadline and the potential sharing with as-yet-unnamed third parties from NHS Digital have engendered considerable societal disquiet.
In communications about GPDPR measures, members of the public and societal commentators have been left unclear as to the exact purpose of placing an expiration date on the type 1 opt-out, what the ‘public benefit’ justifications are, or what the key safeguards, impacts or proportionality measures might be. Recent Ada Lovelace Institute research on data lessons learned during COVID19 has highlighted that clarity on purpose, good public engagement and clarity about the wider data landscape are essential factors that enable trusted data sharing.
2. The perils, risks and costs of ‘decide, announce and defend’
One of the major lessons from Care.Data was the importance of involving the public in deliberations and decisions about how they might want their data to be used.
Care.Data and GPDPR reveal the negative consequences of a decision-making model that appears to ‘decide, announce and defend’ controversial measures and policies – when experts, policymakers and/or politicians assemble and announce a solution, and are prepared to deal with any public and media (and social media) backlash.
This approach is particularly unsuited to complex or controversial issues like health data sharing , or scenarios where successful implementation is highly dependent on buy-in from patients and the public. Concern that there will be a backlash to the ‘data grab’ has been raised by the medical research community under the auspices of Health Data Research UK, who support the goals of the GPDPR and have welcomed the opportunity for future engagement on how the data will be accessed and questions around commercial use. It will be revealing to learn how many people have chosen to exercise their rights to ‘opt out’ as a result of the furore.
These approaches can actively undermine the potential for data to be used in ways that benefit patients and the public, which recent citizen juries identified as a priority. We therefore welcome and encourage a deliberate move towards an approach that is more thoughtful, open to change, deliberative and consensual.
3. ‘Show, don’t tell’: we know what engenders trust, but trustworthiness is demonstrated through good governance
The Care.Data and GPDPR examples illustrate how much more we still need to do to demonstrate trustworthiness. Measures to learn the lessons from Care.Data led to the 2013 independent Caldicott Review and the formation of the National Data Guardian’s office in 2014, ensuring there were future safeguards and governance mechanisms to protect sensitive information from people’s health and social care records. Over the years, the Caldicott Principles, distilled from Care.Data learnings, have guided public-sector use of public and patient data, with enforceable penalties being levied when organisations do not access or use data within updated legal frameworks.
Engaging with the public and media commentary relating to GPDPR, the National Data Guardian wrote a statement in support of upholding the Caldicott Principles, highlighting the importance of the eighth principle in particular – saying ‘it is important that there are no surprises for the public about how confidential information about them is used. ‘
Other principles set out in the Caldicott Review require proportionality, access to confidential information on a ‘strict need to know basis’, and a clear justification of the purpose(s) for using the confidential information. There is extensive research that continues to be a good starting point for developing more trustworthy and transparent systems.
Principles, however, can only take us so far as it is evidence of trustworthiness exhibited by those who use and access data that matters the most. Building from this insight, we propose that demonstrating, and not simply stating alignment with the Caldicott Principles is what will most likely engender public confidence and trust. It is not enough to have principles – it’s important to demonstrate how these principles have been adhered to, consistently, and over time.
Constructive measures that might help demonstrate trustworthy uses of patient data could include investing in and resourcing trusted research environments, such as OpenSAFELY, to ensure a proportionate use of and access to health data for research purposes.
Governance of terms and conditions, contracts for procurement processes and data access and sharing with third-party partnerships remain opaque and untransparent, despite numerous high profile examples of societal concern before and during COVID-19. There is also some public concern that asymmetries of power between a resource-constrained NHS and better resourced commercial organisations are at risk of being exploited. Until the NHS is able to demonstrably evidence good governance of these partnerships, it is unlikely that measures to pool and link NHS data will generate public support and buy-in – regardless of the availability of ‘opt’ out mechanisms under the National Data Opt Out.
Extensive public attitudes and deliberation research conducted by the Ada Lovelace Institute reveals that technologies and data systems are judged as part of the whole system they are a part of and that it is that system that must be trustworthy and not just the technicalities of opt out or the data infrastructure itself. To ensure third-party data partnerships are trustworthy and accountable – an issue we considered at length in citizen juries on the foundations of fairness for data sharing in 2020 – we recommended more transparency about the nature of the data partnerships including a central register of those partnerships, mechanisms for audit and impact of the partnerships, and clear justification as to how third-party partnerships engendered public benefit.
4. Transparency and good communication matters, but it’s more important to be open and deliberative
There are risks to assuming that it is merely an information gap that is engendering societal disquiet – rather than a legitimate set of ethical concerns, or a societal debate about norms, values and the right balance to strike when it comes to the use of health data. Our public deliberation research has shown that, while people are keen to see the effective use of their data for societal benefit, they also have concerns about commodification or misuse of their data, inequities engendered by uncritical uses of data and asymmetries of power between NHS organisations and commercial companies in particular. They want to see an approach that embodies the values of data stewardship, not data commodification. Trust is relational, and very often is not about an information gap, but rather a gap or differences in expectations, hopes and values.
5. Good public engagement must give people a say, and demonstrate how people have been able to shape decisions about their data
In shaping initiatives such as these, and other uses of NHS data, it is important that people are involved and able to shape decisions about the use and governance of patient data. The consequences of the ‘decide, announce’, defend’ approach prevents policymakers from being able to ‘engage, deliberate and decide’, ensuring that stakeholders have some power to be able to affect the outcome of the process, rather than being simply ‘informed’ about what will happen.
Effective engagement with the public should follow The Gunning Principles, which set out how and when consultations should be carried out. These principles, enshrined in UK law, require that:
- the public is involved before decisions to implement a strategy are finalised
- people are given clear and adequate information to make decisions
- people are given time to think about and to respond to proposals
- finally, that their responses have bearing on the final outcome, and there is evidence that their responses have been considered.
As Sherry Arnstein (1969) argues in her seminal paper on citizen participation – efforts to engage members of the public or patients without the intention to allow them the opportunity to shape the proposals, or simply to inform people about the uses of their data are not ‘genuine’ or meaningful public engagement.
At Ada, we have been able to demonstrate in practice how effective deliberative processes such as mini-publics and lived-experience panels are at being able to anticipate and respond to some of the nuanced and complex assessments that members of the public make about potential harms and benefits of data sharing and data use. It will be important that future public engagement on GPDPR and other similar initiatives to follow these principles if they are to be effective and bring members of the public with them.
In the case of the GPDPR, a closed decision-making process that did not clearly communicate justification and rationale, together with unclear governance of the NHS’s partnerships with third parties, has eroded public confidence. This undermines the NHS and partner organisations’ ability to access and use data for health purposes with a public mandate and with a positive vision – at times of crisis and beyond.
For more on the Ada Lovelace Institute’s research and public engagement on the challenges and opportunities for health data use, access and sharing, please see: Foundations of Fairness: Where next for NHS health data partnerships?, The data will see you now, Learning data lessons: Data access and sharing during COVID-19 and the Data divide on public attitudes to tackling health and social inequalities in the COVID-19 pandemic and beyond.
Image credit: marvinh
Exploring the datafication of health: what it is, how it occurs, and its impacts on individual and social wellbeing
The use of NHS health data to develop new technologies raises important questions for people and society.