Pulse exclusive Each GP practice will need to perform a data protection impact assessment (DPIA) before NHS Digital’s controversial mass extraction of patient data from practice systems takes place, Pulse has learned.
The Information Commissioner’s Office (ICO) has told Pulse that General Practice Data for Planning and Research (GPDPR), ‘as it involves processing health information (special category data)’, is ‘likely to result in a high risk to individuals’.
This means data controllers – GPs, in this case – ‘will need to perform a DPIA’, it said.
The ICO explained that this is a legal requirement since the new Data Protection Act came into force in May 2018 and comes as Pulse revealed last month that privacy campaigners fear the new automatic extractions of data will be ‘far bigger’ and ‘more intrusive’ than the scrapped care.data project.
An ICO spokesperson said that the DPIA is ‘a way to help you identify and minimise data protection risks’.
It further added that if any high risks are identified which ‘cannot be minimised through additional measures’, controllers ‘must consult the ICO’. Such a process could take 8-14 weeks and may result in the ICO blocking the data processing from taking place.
However, NHS Digital told Pulse that it has prepared and shared its own DPIA with the ICO and that this covers the risks from both the perspective of the GP and NHS Digital.
In addition, NHS Digital intends to make a GP DPIA available for practices to use ‘if they wish’, to ‘support them to consider the risks and be confident they have discharged their obligations under the Data Protection Act 2018 and UK GDPR’.
It also stressed that with regards to the GPDPR data collection, GP practices ‘are legally obliged to share the data requested with NHS Digital under the Health and Social Care Act 2012’.
But Phil Booth, coordinator of data confidentiality advocacy group MedConfidential, argued that general practice needs to design its own DPIA.
He said: ‘Clearly, NHS Digital has designed and is running the system. It must publish its DPIA, as [it knows] what the system is and only [NHS Digital] can describe it.
‘But, they are clearly conflicted. They are doing a DPIA of their own system, which is their duty, but, in doing so, they may miss or not think of certain aspects. They certainly won’t be thinking of it from the perspective of the GP, as a data controller.
‘There clearly needs to be a DPIA that is independent of the NHS Digital one, which is owned and backed by the RCGP, BMA and maybe LMCs.’
Hampshire GP and data autonomy advocate Dr Neil Bhatia further stressed that GP concerns ‘would need to be referred to ICO, as there are high risks of data subject rights not being upheld, [including] the right to be informed’.
But he suggested particular groups of GP practices should team up to consult the ICO.
He told Pulse: ‘The ICO won’t be very happy if 7,000 GP practices do it. One might hope that a representative sample of practices [consult the ICO] – rural practices, university practices, those with a very high number of elderly patients who are not necessarily digitally enabled.’
De Montfort University professor of cyber security Professor Eerke Boiten told Pulse that NHS Digital providing a DPIA for individual practices to use will ‘save GPs the individual effort’ of filling in the forms themselves but said those with additional ‘insight or worries’ could decide to design their own.
He said, however, that GPs can ‘reasonably justify’ allowing the data to be processed as NHS Digital ‘is legally required to be a responsible holder of central medical data’.
An ICO spokesperson said: ‘People having confidence in how their data is being used and shared is an important part of people’s broader trust in an organisation.
‘When handling health data, organisations need to take extra care and put safeguards in place to protect people’s privacy, ensuring their data is not used or shared in ways they wouldn’t expect. We have recently produced updated guidance and tools to help organisations share data safely and with confidence.
‘We are aware of the GP Data for Planning and Research programme and we’ve discussed with NHS Digital their data protection obligations.’
It comes as the Government this week delayed the date for the GPDPR extraction from 1 July to 1 September, amid concerns the public has not been sufficiently informed.
Health secretary Matt Hancock also said that the deadline for patients to opt out of the data extraction would be extended from the previous date of 23 June, but he has not yet announced a new date.
This followed concerns raised by the BMA and RCGP, which have both advised on the GPDPR system that will replace the GP Data Extraction Service (GPES).
Following the announcement, Mr Hancock asked former RCGP chair Professor Helen Stokes-Lampard to advise the Government on the project.
This story first appeared on our sister title, Pulse.