Protecting Healthcare Data: The Challenges Posed by NHS Digital's GPDPR

There is increasing pressure for patient health data in the UK to be shared for planning and research, particularly in light of COVID-19. This has been demonstrated by recent NHS plans for patient data in England to be shared with third parties. These plans have now been delayed until September 2021 after opposition from GPs and privacy advocates.

NHS Digital’s General Practice Data for Planning and Research (GPDPR) system will see a decade’s worth of patient information from GP surgeries in England uploaded to a database in near real-time. It comes after a similar program, Care.data, failed after years of controversy.

If appropriately implemented with safeguards in place, advocates say there are multiple benefits to the data sharing outlined by the NHS program. These include ground-breaking research and treatments fueled by vital data that cannot currently be collected at scale.

At the same time, there are concerns about health data being accessed by approved third parties, including research organizations and private companies. Tech giants Google and Amazon have made no secret of their ambitions to go into the healthcare space.

So what are the issues involved in sharing healthcare data, and what steps need to be put in place to ensure this can be done securely and with privacy in mind?

Pseudonymized, Not Anonymized

One of the biggest issues with the NHS Digital program is the complexity of opting out, which patients must do themselves. At the same time, the task of seeking patient consent is being given to GPs, who say it is an administrative burden at a time when they are already under increased pressure due to the pandemic.

“If you want to opt out, you have to find out what is happening, how to stop it and then actually stop it,” says Dr Neil Bhatia, a GP and data protection officer.

There are also concerns about who will have access to the rich data collected by GP surgeries. Information collected covers people’s mental, physical and sexual health, such as the details of symptoms, test results and diagnosis, in addition to data on gender, ethnicity and sexual orientation. People can already gather this information from GP practices on request, and NHS Digital says the new database will ensure data is accessed and stored more consistently.

Under the new program, NHS Digital will have a comprehensive view of everyone’s history that it can use for various purposes, says Phil Booth, political campaigner and co-ordinator at medConfidential. “They can use it for research and planning and to manage and improve services, but they don’t talk about the commercial exploitation of patient data.”

Booth’s organization focuses on the ethos that every use of data should be consensual, safe and transparent. Candidly, he reveals that he does not think that the program adheres to these guidelines yet.


From September this year, patient information can be analyzed and converted into numbers to assess, for example, the number of diabetics living in a certain area. The information is pseudonymized, rather than anonymized, says Dr Bhatia. “It can’t be anonymized, or it wouldn’t have a link to your record.”

This opens the possibility of reidentifying people, Dr Bhatia says, which is especially worrying if private companies can get their hands on the data.

Another issue exists around the method of data collection, which experts say could put the vulnerable at risk. “GP confidentiality is gone; people might end up lying, for example, about domestic violence or being an alcoholic,” Dr Bhatia comments.

Taking this into account, experts say there should be a more granular choice about how data is used and who it is given to. “There is no granularity of control: There is no option to say that ‘I want it to happen, but I don’t want Google to have my information,’” Dr Bhatia says.

In addition, there doesn’t appear to be a way of deleting historical information if patients opt out after September. “If you opt out, they will not continue to collect data – so any new diagnoses won’t be uploaded, but they will continue to hold historical data and give it to organizations,” Dr Bhatia adds.

Consent Misnomer

The NHS plans are facing tough opposition, but advocates point out that sharing patient data has multiple benefits. From a healthcare provider’s point of view, it allows for better planning of services and helps provide seamless care, says Abbas Kanani, pharmacist at Chemist Click. “Analyzing data can also help to reduce inefficiencies within healthcare services, ultimately with the end goal of improving patient outcomes.”

A group of experts and academics recently published a call in The Lancet for better access to anonymized health data for research purposes. This paper outlined recommendations about how the process could be done safely. These included: creating a national process for data access that balances the risks of privacy breaches with the benefits to science and health policy; establishing an All-Party Parliamentary Group to review how researchers can safely and legally access data; and ensuring there is transparent, consistent, uniform and clear information for data custodians about how data will be used.

One of the paper’s authors, Sarah Shenow, head of research at MQ Mental Health Research, says, “It is possible to do this in a way that maintains privacy and is safe.”


This is the aim of DATAMIND, an organization covering the use of mental health data for research in “safe, secure, and innovative” new ways.

In order for data sharing to be done in the right way, public conversation is key, says Shenow. At the same time, she points out that asking for explicit consent can bias research because highly educated people are more likely to say yes.

In addition, she says that when data is used for certain purposes, consent isn’t actually needed under the EU’s General Data Protection Regulation (GDPR). “It’s a bit of a misnomer that consent is needed. There are ways of deidentifying information and sharing group data so no individual piece of data is exposed and only the results are shared.”

Julian Hayes, partner at BCL Solicitors LLP, confirms this. He says the UK’s data protection legislation does not present “insurmountable obstacles” to the NHS proposals and permits the processing of sensitive personal data where necessary, both in the public interest and for public health reasons. “But where less intrusive solutions exist, such as the Trusted Research Environment arrangements for accessing health and care data, does the claim that the new scheme is necessary hold water? As the ICO previously said about sharing health data, ‘just because you can, doesn’t mean you should.’”

The Risk of Unauthorized Access

It’s clear that data sharing is important if the proper safeguards are in place to ensure it is private and secure. In the case of NHS Digital’s program, shared data doesn’t include names and addresses – considered personal data under GDPR – and the postcode is replaced by a random, unique code. At the same time, the NHS says not all details in written notes will be collected, such as conversations people may have with medical staff.

The NHS also says data will not be used for marketing or health insurance purposes, nor for market research, advertising or promoting products or services. Yet some private organizations will be able to see specific data.

Data privacy is not the only issue. Security problems can also arise with wider patient data sharing. The NHS proposal to collect data from GP practices will cover millions of people, which in itself is a potential target for attackers, says David Emm, principal security researcher at Kaspersky.

If any healthcare data is also shared with third parties, it widens the risk of unauthorized access, says Emm. “The NHS will not have direct control over how third parties handle the data, and although the plan is to pseudonymize it, the NHS has made clear that it will be able to undo this where there is a valid legal reason. If they can do so, would it be possible for anyone else to do the same?”
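The distinction Dr Bhatia and Emm are drawing, that pseudonymized data still links back to a record and that whoever holds the key or lookup table can undo the pseudonymization, is easy to see in code. The following Python sketch is an added illustration, not code from the article, NHS Digital or GPDPR: it replaces an NHS number and postcode with keyed HMAC-SHA256 tokens, runs a planning-style count (how many diabetics in an area) over the tokenized rows, and shows that re-identification needs nothing more than the custodian’s map. The sample records, the demo key and the function names are all constructed for this example.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Optional

# Constructed sample rows standing in for a GP extract (not real patients or
# real NHS data). The same NHS number appears twice, as with repeat visits.
SAMPLE_RECORDS = [
    {"nhs_number": "9434765919", "postcode": "SW1A 1AA", "diagnosis": "diabetes"},
    {"nhs_number": "9434765870", "postcode": "SW1A 1AA", "diagnosis": "diabetes"},
    {"nhs_number": "9434765919", "postcode": "SW1A 1AA", "diagnosis": "diabetes"},
    {"nhs_number": "9434765862", "postcode": "M1 1AE", "diagnosis": "asthma"},
]


def pseudonymize(value: str, key: bytes) -> str:
    """Replace an identifier with a keyed HMAC-SHA256 token.

    A keyed construction is used rather than a bare hash because NHS numbers
    and postcodes come from small, enumerable spaces, so an unkeyed hash of
    them would offer little protection. The token is deterministic: every row
    for one patient gets the same token and stays linkable, which is exactly
    why this is pseudonymization and not anonymization.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_extract(records, key: bytes):
    """Return (tokenized rows, re-identification map).

    The map is what lets the data custodian reverse the tokens. Anyone who
    obtains the map, or the key, can do the same, so custody of those two
    things is the real control, not the tokenization itself.
    """
    reid_map = {}
    tokenized = []
    for row in records:
        patient_token = pseudonymize(row["nhs_number"], key)
        reid_map[patient_token] = row["nhs_number"]
        tokenized.append({
            "patient_token": patient_token,
            "area_token": pseudonymize(row["postcode"], key),
            "diagnosis": row["diagnosis"],
        })
    return tokenized, reid_map


def reidentify(patient_token: str, reid_map: dict) -> Optional[str]:
    """Reverse a token using the custodian's map; None if the token is unknown."""
    return reid_map.get(patient_token)


def count_patients_with_diagnosis_by_area(tokenized, diagnosis: str) -> dict:
    """Count distinct patients per area token for one diagnosis.

    This is the planning-style query the article describes. The result holds
    only counts, but small counts can still single out individuals, so release
    rules (for example suppressing counts below a threshold) still matter.
    """
    patients_by_area = defaultdict(set)
    for row in tokenized:
        if row["diagnosis"] == diagnosis:
            patients_by_area[row["area_token"]].add(row["patient_token"])
    return {area: len(patients) for area, patients in patients_by_area.items()}


if __name__ == "__main__":
    # Constructed demo key; a real deployment would keep this in an HSM or KMS.
    key = b"constructed-demo-key-do-not-reuse"
    rows, reid_map = pseudonymize_extract(SAMPLE_RECORDS, key)
    print(count_patients_with_diagnosis_by_area(rows, "diabetes"))
    print(reidentify(rows[0]["patient_token"], reid_map))
```

Two points follow from running it: the aggregate count never needs the re-identification map, so a planning user can be given the tokenized rows without it, and a different key produces entirely different tokens, so rotating or compartmentalizing keys per recipient limits what any one third party can link.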


The most prominent challenges include ensuring individuals’ data rights are not compromised and that they have consented appropriately to how their data is used as it travels across the healthcare supply chain, says Dr Saif Abed, a medical doctor and founding partner and director of cybersecurity advisory services at the AbedGraham Group. “Then it’s about ensuring the healthcare supply chain itself is secure, and that patient data is not stolen or made inaccessible when it’s needed most, such as during a ransomware attack. This is easier said than done as more stakeholders are involved in data access, storage and transfers.”

Transparency, accountability and audit are “key elements” in data sharing, Dr Abed says.

Data sharing for health purposes is an emotive yet important subject. No one is against sharing this data when used for the right purposes and done correctly, taking patients into account. The NHS Digital program has clearly demonstrated the challenge in getting this balance right, and many experts agree it has to change before it can be rolled out.

The benefits of greater healthcare data sharing are tied to improved patient care, convenience, safety and outcomes, says Abed. “There is not a universal answer as to whether the benefits always outweigh the risk, or vice versa. Instead, each organization must conduct its own assessment to determine its acceptable levels of residual risks, tailored to its patient population and their requirements.”

What’s Hot on Infosecurity Magazine?