GP Data opt out Information

There are changes expected in how NHS Digital collect data from GP surgeries from 1st September 2021 (initially scheduled 1st July).
South East London CCG have provided resources with information about what this means for practices and patients, and how to make choices about how your data is used. We urge patients to optimise these resources to enable you to make informed decisions. Please follow this link to their website General Practice Data for Planning and Research – South East London CCG (selondonccg.nhs.uk)  and find additional information below

NHS Digital briefing – General Practice Data for Planning and Research (GPDPR)
Q&A

• Why do you need this data?
Patient data is used every day to improve healthcare services through planning and
research in England, helping to find better treatments and improve patient care.
It helps to decide what new health and care services are required in a local area, informs
clinical guidance and policy, and supports researching and developing cures for serious
illnesses, such as heart disease, diabetes, and cancer.
• What are the benefits?
The pandemic led to a significant increase in the need for GP data from NHS Digital to
support clinicians, researchers, academics and commissioners. It has been used by NHS
organisations and researchers to help run and improve health and care services.
This includes identifying those most vulnerable to coronavirus, rolling out vaccines, and
for critical COVID-19 research, including the University of Oxford’s RECOVERY trial which
identified that treatment with dexamethasone improves the chances of survival
for people hospitalised with COVID-19.
Patient data is already being collected to improve health and care services. NHS Digital has
collected patient data from general practices using a service called the General Practice
Extraction Service (GPES). This system is over 10 years old and now needs to be replaced.
NHS Digital has engaged with doctors, patients, data and governance experts to design a
new and improved system to collect data from general practice that:
o reduces work for GPs so they have more time to focus on patient care
o explains clearly how data is used to help patients feel confident and informed
o means data is collected, stored and accessed in a secure and consistent way
• What are you taking?
We will not collect your entire GP record.
We will not collect:
o patient names and full addresses
o written notes (free text) of any consultations or interactions between patients and
clinicians
o images, letters, videos, or documents
o medicines, appointment, or referral data over ten years old
o legally restricted data such as IVF treatment or gender reassignment
We will collect most of the structured and coded elements of the GP record.
• Who are you giving it to?
The data will only be used for health and care planning and research purposes by
organisations who have a legal basis and legitimate need to use the data. We publish the
details of the data we share on our data release register so we can be held to account. We do not allow data to be used solely for commercial purposes. NHS Digital will not
approve requests for data to be used for:
o insurance or marketing purposes
o promoting or selling products or services
o market research
o advertising
Once data is shared, we carry out independent audits and, where necessary, post audit
reviews to check organisations are using the data for the purposes they said they would, in
accordance with the terms and conditions of their data sharing agreements.
• Why are you trying to take data without telling anyone?
GPs already share data with other organisations for planning and research purposes in
accordance with their own data sharing agreements and patients have had the opportunity to
opt out of this type of data sharing for several years using the Type 1 Opt Out.
We have provided support and materials to GPs so that they are also able also let their
patients know about the collection. This contains detailed information about it, and the ways that patients can opt out.
NHS Digital is promoting this new data collection through our website, engagement with
media, through our stakeholders and patient groups and on social media channels. We want to raise awareness of the collection and its importance to help the NHS and research take place, but also to provide patients with a choice if they do not want their data to be used in this way.
• Why isn’t it opt out instead of opt in?
It is really important that the data is as reflective of the population as possible to be to draw sound conclusions from it. If a large number of people opt out then the data becomes less useful for planning services and conducting research. This is a particular problem if people from certain areas or groups are more likely to opt out. If that happens then services may not reflect the needs of those groups or areas and research may reach misleading conclusions.
Making data available for research will lead to better NHS services for patients, better
treatments and medicines.
• What profits will you make from selling data?
NHS Digital does not sell data. It does however charge those who want to access its data for the costs of making the data available to them. This is because we are not funded centrally to do this. Charges only cover the cost of running the service and means that those organisations who need access to the data bear the costs of this, rather than NHS Digital.

We do not make profits from the service.
The data will only be used for health and care planning and research purposes by
organisations who have a legal basis and legitimate need to use the data. We publish the
details of the data we share on our data release register so we can be held to account.
We do not allow data to be used solely for commercial purposes. NHS Digital will not
approve requests for data to be used for:
• insurance or marketing purposes• promoting or selling products or services
• market research
• advertising
• How do you know it won’t be sold on to a third party?
Once data is shared, we carry out independent audits and, where necessary, post audit
reviews to check organisations are using the data for the purposes they said they would, in
accordance with the terms and conditions of their data sharing agreements.
Any serious breach of our terms and conditions of use would result in the data access being
withdrawn and we may report the breach to the Information Commissioners Office (ICO) for investigation.
• How can we trust you to keep the data secure?
We take our responsibility to safeguard patient data extremely seriously. Data shared by
NHS Digital is subject to strict rules around privacy, security and confidentiality and the new service has been designed to the highest standards.
We do not collect patients’ names or exactly where they live. Any other data that could
directly identify someone, for example their NHS number, full postcode and date of birth, is
pseudonymised before it leaves their GP practice and the data is also securely encrypted.
• But you have the keys to reidentify it?
We would only ever re-identify the data if there was a lawful reason to do so and it would
need to be compliant with data protection law. For example, a patient may have agreed to
take part in a research project or clinical trial and has already provided consent to their data being shared with the researchers for this purpose.
This would also need to be agreed through the Independent Group Advising on the Release
of Data (IGARD) and the GP Professional Advisory Group (PAG), which is made up of
representatives from the British Medical Association and the Royal College of General
Practitioners.
• Why are you collecting sensitive data about things like domestic violence and
STIs?
We need to collect sensitive data to help plan and design services, and research conditions
to better support the people affected. For example, we need to collect data about domestic
violence to ensure the right local support services are in place. Victims of physical and
sexual violence are also more likely to suffer from mental health problems. But without data about these sensitive events and conditions it is much more difficult to conduct research to provide better services and support.
We respect and protect all the data we collect to the same high standards, but we have also
added additional protections as we know how important it is to protect this sensitive data.
This includes going through our Data Access Request Service (DARS) process which
means the Independent Group Advising on the Release of Data (IGARD) and a GP
Professional Advisory Group (PAG), with representatives from the British Medical
Association and the Royal College of General Practitioners, can scrutinise it to ensure the
use of that data is absolutely necessary and is legal and appropriate.
• You tried this before and it failed – this is care.data2.This is not an extension to, or evolution of, care. Data.
Patient data is already being collected and used to improve health and care services. This is a new system, designed over the last three years, to improve how data from your GP is
shared with organisations involved in the planning of the health and care system, and clinical researchers.
Our processes for accessing data are now very different to those seven years ago when
‘care.data’ was developed. We uphold the Caldicott Principles for ethical data sharing and
are also bound by data protection laws such as the General Data Protection Regulation
(GDPR).
There is also oversight from independent experts on data sharing. This includes the
Independent Group Advising on the Release of Data (IGARD) and a GP Professional
Advisory Group (PAG), with representatives from the British Medical Association and the
Royal College of General Practitioners.
• Why haven’t you published a DPIA?
We have carried out a very rigorous and full data protection impact assessment (DPIA) as
this is required under the UK General Data Protection Regulation (GDPR) rules.
This is currently going through a final review and assurance process and we will publish the baseline version of it shortly. However, a DPIA is not a static assessment and, therefore, will be reviewed and updated regularly to reflect changes and developments in the service. We will publish updated versions of it from time to time