care.data2 - General Practice Data for Planning and Research (GPDPR)
www.gpdpr.info


This non-commercial website was written by Dr Neil Bhatia, General Practitioner (GP)
Records Access Lead, Caldicott Guardian, Information Governance Lead, Data Privacy Officer, Data Protection Officer, Data Autonomy Advocate.

Twitter: @docneilb

This is a personal website and in no way affiliated with any GP surgery, Clinical Commissioning Group, STP, ICS, or any other organisation (including NHS Digital).

All information is correct, and up to date, as far as I can tell.
Opinions on lawfulness, fairness, transparency, confidentiality, privacy, misuse of private information, and loss of control, are my own.

Links to further sources of information are provided.

Visit www.nhsdatasharing.info to find out about the very many ways by which information from your electronic GP record is, or can be, made available to others.

There is no third-party user tracking technology present on this website.
See my privacy policy


"Confidentiality, once breached, is lost for ever"

Cream Holdings Limited and others (Respondents) v. Banerjee and others (Appellants) [2004] UK House of Lords


Do you just want the opt-out information for care.data2/GPDPR?
Jump straight here.

An open letter to the government about GPDPR


care.data2 only applies in England

Personal confidential information will be collected from GP medical records about:

The Department of Health have temporarily paused care.data2 in order to address the serious privacy concerns raised by GPs and associated organisations.

You can read the letter sent to GP surgeries about this.

Read the Health and Social Care Committee, Oral evidence: General practice data for planning and research (GPDPR), HC 581, Tuesday 20 July 2021

We must all wait and see if, genuinely, the privacy concerns are addressed satisfactorily.


Index to sections

Click to drop down/close an index, if you just want to jump straight to a particuar section


Opt-out or not?

This website - www.gpdpr.info - aims to provide information to everyone about care.data2 - the General Practice Data for Planning and Research (GPDPR) extraction - so that you can make an informed decision about opting-out or not.

It tells you about the different formats that NHS Digital disseminates and trades your information in - anonymised, pseudonymised, and clearly identifiable.

This site tells you how to control your GP record, so that you decide what happens to your personal confidential information. Once you know what can happen, or is already happening, to your personal information, then you can make an informed choice as to whether to allow such data sharing to happen or continue - in other words, whether to opt-out or not.

So you can share data on your terms.

It's a binary choice - opt-out or not. And the decision is yours, but only once you know that you can do something.


"Privacy is not something I’m entitled to. It’s an absolute prerequisite."
Marlon Brando

Back to index


Getting involved in medical research

Click to drop down/close more information about getting involved in medical research

You can help medical research, and contribute to, or help, the NHS in a multitude of other ways.

One of the best places to find out information about contributing to, and getting involved in, medical research is the National Institute for Health Research (NIHR).

They have an excellent "Public Information Pack (PIP): How to get involved in NHS, public health and social care research".
The guide has been written for patients, carers and members of the public who are interested in getting involved in health or social care research. It aims to answer the questions that people frequently ask when they first get involved in research.

And they have an excellent "Public Information Pack (PIP) Supplement: Finding out more".
This resource provides information about some of the different organisations that are involved in health and care research, which may be useful to know about.

If you are interested in contributing to medical research, with your explicit permission, then have a look at NIHR's Be a Part of Research website.

The NIHR also have a "People in Research" website, a database of opportunities for members of the public to get involved in research.

Research for the Future is an NHS-supported NIHR campaign that helps people find out about and take part in health and care research. It helps researchers find the right people to take part in their studies. Participation is completely voluntary (that is, only with your explicit consent) and you can withdraw from a study, or from the Research for the Future database, at any time.

The Medical Research Foundation "funds and supports research in areas of great clinical need but where there is low investment".
There are always opportunities to help them raise funds for such research.


Successful research studies carried out during the COVID19 pandemic such as the RECOVERY trial were conducted according to strict research ethics guidelines and with patient consent, not with a "data grab".
Health data, medical confidentiality, and the right to privacy - is GPDPR the new care.data?, Nuffield Council on Bioethics

Back to index


You need a Type 1 opt-out to prohibit the extraction and uploading of your GP information to NHS Digital for care.data2 / GPDPR

The Type 1 opt-out stops your GP from being extracted and uploaded, to NHS Digital, for care.data2

The National Data Opt Out alone will not stop that extraction and processing.

The National Data Opt Out only affects information about you if and when NHS Digital get hold of it.

The NHS App only allows you to set your National Data Opt Out.
You cannot express a Type 1 opt-out, to your GP surgery, via the NHS App.
You cannot express a Type 1 opt-out "online".
You need to contact your surgery directly.

This chart explains it.

Back to index


A few myths about care.data2/GPDPR - debunked

Back to index


Terminology:

Click to drop down/close more information about terminology in data protection and data privacy

Data protection: the lawful control and use of personal data held by an organisation (the data controller). Data protection encompasses data security, data privacy, and data ethics. An important part of data protection is ensuring control over the access of personal information, as held by the controller, to third parties; and in particular, ensuring that there is no unauthorised access or disclosure.

Data privacy: ensuring and empowering data subjects to control the use, dissemination, and access to, their personal (and sometimes confidential) information. It enables people to make their own decisions about who can process their data, and for what purposes - autonomy over their personal information. That means upholding a person's right to privacy under Article 8 of the Human Rights Act.

"Privacy is having the choice - it is the right to decide who we tell what, to establish boundaries, to limit who has access to our bodies, places and things, as well as our communications and our information."
Privacy International

Data security: the protection of data from accidental, or intentional but unauthorised, modification, destruction, or disclosure of data held by an organisation. In other words, and simply - keeping data secure. Not keeping data secure may result in a data breach.

Data ethics: the correct, appropriate, proportionate, responsible, fair, privacy-respecting, subject rights respecting, harm-avoiding, use (or processing) of an individual's personal information.
Fairness, transparency, accountability.
It includes respect for the individual's right to know what is happening to their information (to be informed), and their right to control it - the right to autonomy over their personal information.

"You need to stop and think not just about how you can use personal data, but also about whether you should.”
Information Commissioner's Office

Personal data: any information relating to an identified or identifiable natural person (data subject). Examples include your name, home//work address, email address, your computer IP address - and your medical records. Personal data includes personally identifiable information, special category data, and confidential data.

Personally identifiable data (or information): sometimes referred to as PII. Personal data which can be used to distinguish or trace an individual's identity, such as their name, NHS number, medical records, alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.

Special category data: sometimes called sensitive data. Personal data revealing or concerning certain types of data, such as racial or ethnic origin, political opinions, religious beliefs, genetic data, sexual orientation, and health data (medical records).

Confidential data (or information): information given in circumstances where it is expected that a duty of confidence applies, and that information cannot normally be disclosed without the information provider's permission. Your medical records are confidential data.

So your medical records, whether held by your GP surgery or a hospital, clinic, or service:


Your information is personal confidential information when disclosed to NHS Digital for caredata2/GPDPR. It is not anonymised.
Your information is personal confidential information as held by NHS Digital for caredata2/GPDPR. It is not anonymised.
Your information is personal confidential information when disclosed by NHS Digital in pseudonymised and clearly identifiable formats.


Primary uses are uses of data for the main purpose for which they were originally collected directly from the individuals concerned.

For your GP record, this means making that information available, to healthcare professionals that you are seeing, within your GP surgery, for your direct medical care.

You have the right to opt-out of allowing your medical record to be shared, or be directly accessible, for primary purposes - for your direct medical care - beyond your GP surgery, if you so wish.

You can opt back in to primary uses of your GP record at any time in the future.

Secondary uses are uses of existing data for purposes other than those for which they were originally obtained.

For your GP record, this means making that information available, to anyone (not just within the NHS), for purposes other than providing your direct medical care.

Examples of secondary uses include, research, audit, healthcare planning, "population health management", commercial and even political uses.

You have the right to opt-out of allowing your medical information to be used for secondary purposes - in ways unrelated to your direct medical care - if you so wish.

You can opt back in to secondary uses of your GP record at any time in the future.

Back to index


care.data2 - what is going to happen?

care.data, the planned data-grab project that ended in disaster in 2016, is back from the dead. And it's bigger than before.

From the upload date (whenever that is now) and every day thereafter, NHS Digital will extract a vast amount of information from your GP record and upload it to its servers. It will then disseminate that information, for purposes beyond your direct medical care, to various third parties.

Data from every living person at the your surgery will be extracted and uploaded to NHS Digital. Every man, woman, and child.

Unless you have opted out.

What will be extracted from my medical record?

Pretty much everything.

Almost a full copy of your GP record.

Information about your:

Information from the following sections in your GP record:


Is this anything at all to do with COVID-19?

NO.

GP surgeries are already, and quite separately, providing NHS Digital with information for that (they are legally compelled to).


Will anything "sensitive" be extracted from my GP record?

YES.

Lots and lots. More than I can possibly fit on this web page.

medConfidential have a list that you can look at here.

Almost a full copy of your GP record.

Legally restricted codes for Gender Recognition, Human Fertilisation and Embryology will not be collected.

Other items not collected are as follows:

NHS Digital does not collect names and full addresses - because it does not need to. It already holds that information about you within the Personal Demographics Service that it is the data controller for.

It can easily link your medical information to your demographic data.


Will I be asked for my consent before my data is extracted and uploaded to NHS Digital?

NO.

If you do nothing, this will happen by default. All you can do is to object to it : to opt-out.


Consent plays no part in care.data2

At no point - ever - are you asked for your permission for anything to happen to your medical records.

NHS Digital will arrogantly assume that if you do not opt-out then you are happy for your information to be taken.
It does not matter to them

They do not care. They just want the information.


"To be sure I must; and therefore I may assume that your silence gives consent."
Plato



Is this really an "NHS data grab"?

grab (verb) \græb\

: a sudden attempt to hold, get, or take something

NHS Digital aren't asking for your information.

They're not asking you for permission.
Your consent plays no part in care.data2

They're not asking your GP surgery for permission.
Your surgery is legally compelled to upload.

They're taking your information.
Legally, but arguably not fairly. Not transparently.


"Privacy means people know what they’re signing up for, in plain language, and repeatedly. I believe people are smart. Some people want to share more than other people do. Ask them."
Steve Jobs



Will I be informed about this extraction of my personal confidential information to NHS Digital?

Well, you're being informed by reading this site. But millions of people simply will not have a clue that this is happening.

In a recent survey by Which?, 45% of adults had not heard of GPDPR.

Their right to be informed is not being upheld. And, as a consquence, they will not be afforded the right to object : the right to opt-out.

No radio or TV ads, no letters to individuals, no junk mail to households. On the quiet.


"The general population doesn't know what's happening, and it doesn't even know that it doesn't know."
Noam Chomsky


GPs have a legal duty to make their patients aware of:

If you, your family, your friends, your neighbours, or your work colleagues, are not informed, and GP records are permanently uploaded to NHS Digital and so processed indefinitely, then you, or they, might quite rightly believe:


Can I ever get my uploaded information deleted, for example if I opt-out after 1st September?

NO.

No. You can never get your uploaded GP record deleted.

There is no Right of Erasure.
There is no "Right to be Forgotten".

NHS Digital will never stop processing your uploaded information, even if you opt-out, even if you die, and will continue to disseminate/trade it in anonymised, pseudonymised, and clearly identifiable formats.

Forever.


"Patients do not have a right under the UK GDPR to request deletion of their data collected by NHS Digital as part of this data collection. This is because the legal basis under the UK GDPR for the data to be collected is Article 6(1)(c), legal obligation and the right to be forgotten under Article 17 does not apply in these circumstances."
NHS Digital, FOI response


NHS Digital are not saying that they can't delete your data - they absolutely can reidentify your information and delete it.
They're saying they won't delete it.

The could offer the right of erasure - the deletion of your uploaded data whenever you did express a Type 1 opt-out at your GP surgery - even if they are not legally obliged to (under UK GDPR).


"Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds."
John Perry Barlow



Will my information be anonymised by my surgery before it is extracted and uploaded, or upon arrival at NHS Digital?

NO.

Your information is not anonymised by your GP surgery before it is sent to NHS Digital.

Your information is not anonymised by NHS Digital once received by them.

Click to drop down/close more information about anonymisation and caredata2

Neither your uploaded GP record nor the caredata2 database is anonymised.

If it was anonymised by your GP surgery, before uploading to NHS Digital, then there would be no Type 1 opt-out for this.
Because the Type 1 opt-out prohibts the disclosure of identifiable information from your GP record.

And the information uploaded to NHS Digital is identifiable (to NHS Digital), personal confidential data.

It will be pseudonymised at source, so made less identifiable. But not anonymised.
NHS Digital hold your data in a pseudonymised format, and NHS Digital hold the "key", so you can, and will (upon request, and if justified), be reidentified.

And pseudonymised data could quite easily identify you if it was given to an organisation that already holds other data about you.

Pseudonymised data remains personal data, and remains confidential data.
It remains subject to the UK GDPR, the Data Protection Act 2018, and the Common Law of Confidentiality.

Yes, NHS Digital can produce anonymised data analytic outputs, which may or may not contain information about you (you'll never know and never be able to find out if so). But that's the extent of "it's anonymised" in caredata2.

And even then, your linked record as held by NHS Digital is so rich in information about you that, arguably, effective anonymisation of individual records is not possible.


Can I request that only anonymised information about me is uploaded?

NO.


What will NHS Digital do with my personal confidential information?

It will link it with any corresponding information about you that NHS Digital has obtained from NHS Trusts, mental health providers, ambulance trusts, and community providers, and then disseminate the linked information about you to third parties, for purposes such as commissioning, population health management, NHS planning, and research.

Any purpose beyond your direct medical care, if so badged as "healthcare".

NHS Digital may anonymise your linked information before disseminating it.

NHS Digital may keep your linked information as pseudonymised before disseminating it.

NHS Digital may re-identify you before disseminating your linked information (clearly identifiable information).
It can do this because it holds the reidentification key.

Recipients of your linked information will be from within the NHS and out with the NHS, including:

some in the UK, some overseas.

Any organisation that can convince NHS Digital that it needs your information for "healthcare purposes", for "planning", for "research".

And it is certain that Palantir Foundry, currently analysing data for COVID-19 purposes, will have access to this gigantic database.

You can see, in detail, the types of organisations with which NHS Digital currently trades information, here:

www.theysolditanyway.com

There may well be "panels" scrutinising applications for your confidential medical information (such as IGARD - and one would expect nothing less), but every decision about who can access your information, for what purpose, at what price, and in what format, is made by someone else other than you.

You may be happy about that, or you may not.


Will NHS Digital sell/trade my information to those requesting it?

You decide.

NHS Digital are not giving away your information for free.

sell (verb) \'sel\

: to exchange (something) for money
: to make (something) available to be bought
: to be able to be bought for a particular price

trade (verb) \'treid\

: exchange (something) for something else, typically as a commercial transaction


NHS Digital charges money in exchange for providing data that it holds, especially if it contains personal confidential data.
"Paid dissemination", if you'd rather call it that.

That they make little or no profit from such trading is irrelevant (and perhaps poor business acumen).

How much will organisations have to pay to get hold of my personal data?

It depends on the format of your data.

The full NHS Digital price list - the "menu" - is here.


You may feel strongly that your personal confidential information should not be monetised by NHS Digital, in this way, without your express permission.

But all you can do to prevent it is to opt-out.



Can I request that NHS Digital anonymise all the information that it holds about me?

NO.

NHS Digital will not anonymise all the information that it holds about you.

NHS Digital cannot anonymise that information, as if they did:

NHS Digital hold information about you in a linked, pseudonymised format, and adds to your personal record on a daily basis.
They hold the "key" and can easily reidentify your record as a result, if so required or requested.
They can match your linked record to your demographic details (name, address, telephone number, email address).

They coudn't do that if your information had been anonymised.

Pseudonymised records stored by NHS Digital under care.data2 consist of individual-level, reidentifiable information.


Opting out of caredata2 - the Type 1 opt- does not prevent your GP surgery from providing completely anonymised, or aggregate (just numbers), data to anyone (including NHS Digital), for any purposes, including NHS planning, disease surveillance, prescription monitoring, and medical research.

Such information is anonymised, or aggregated, by the surgery and before it is disclosed to any recipient.

The Type 1 opt-out does not prevent any of that.

Click to drop down/close more information about GP surgeries and anonymised data

GP surgeries already do this via aggregate data uploaded from GP systems as part of the Quality and Outcomes Framework (QoF) - data that cannot identify you.

Many practices contribute information to QSurveillance, a real time clinical surveillance system based on data from 3,400 EMIS general practices spread throughout the UK. QSurveillance collects, analyses and reports of rates of infectious diseases and vaccine uptake (flu, pneumococcal, DTaP/IPV/Hib, MMR, shingles and rotavirus), but crucially only extracts summary data which is aggregated (just like QoF).

Much is made of prescribing data - that is, the prescriptions issued by GPs, dispensed by pharmacies, and taken by patients. That data is already available, via NHS Prescription Services.

The Type 1 opt-out does not prevent any of the above.



Will doctors and nurses treating me have access to the information in the care.data2 database?

NO.

Medical staff treating you in GP surgeries, hospitals, A&E, pharmacies, NHS 111 call centres and GP out-of-hours centres will not use, or be able to use, this database.

They will have access to your medical information in other ways, such as their own clinical records, access via the National SCR, or local shared care record schemes..
A Type 1 opt-out will not prohibit such access.

care.data2 is not about sharing your medical information with doctors, nurses and other health professionals outside of your GP surgery.

It's not about enabling the sharing of patient medical records between hospitals and GP surgeries.
It's not about the ways in which your GP shares information about you as part of providing essential medical care.
It's not about ensuring that hospital specialists have the information that they need when you are referred to see them.
It's not about creating a single electronic record that can be viewed by healthcare professionals in any clinical setting.
It's not about submitting information so that GP surgeries and hospitals are paid appropriately for the care that they provide.

It is about data extraction, linkage and analysis: in other words, data mining.
A "data trawl", if you prefer a commercial fishing analogy.


Can I limit the information uploaded about me under care.data, e.g. not include certain diagnoses or my smoking/alcohol habits?

NO.

It's your whole GP record, and everything in it, or nothing.


Will it be a one-off upload of my data?

NO.

Your GP data will continue to be uploaded, on a daily basis. So any new diagnoses, medication prescriptions and results will be automatically uploaded and added to the copy of your record held by NHS Digital.


Who will be the data controller for my uploaded information?

NHS Digital will be.

Once the data has been extracted, the GP practice is no longer the data controller for that information, and cannot control or protect in any way how that information is used, shared, sold, or who has access to it.

Your GP will neither be the data controller nor any sort of joint data controller with NHS Digital for your uploaded information.


Is this really care.data2?

YES.

Click to drop down/close more information about the similarities between care.data1 and care.data2

Just like its predecessor, care.data2 involves:

But care.data2 is:

NHS Digital will use care.data2 as a replacement for certain existing data disclosures by GP surgeries (so called GPES extractions), because the extraction now involves so much information from the GP record.

But that does not make this extraction, and this project, any less of another care.data


"If it looks like a duck, walks like a duck and quacks like a duck, then it's a duck"
American saying

Back to index


Your anonymised and aggregate information

Will I be informed when my anonymised or aggregate information is released or sold to organisations?

NO.

You lose all control of your GP record once it is uploaded to NHS Digital.

Will I be asked for my consent before my anonymised or aggregate information is released or sold to organisations?

NO.

You lose all control of your GP record once it is uploaded to NHS Digital.


Consent - your informed, explicit permission - plays no part in care.data2

At no point - ever - are you asked for your permission for anything to happen to your medical records.



Can I object to my information being provided or sold to organisations in an aggregated or anonymised format?

NO.

You cannot prevent, or control in any way, the release or sale of aggregate information about you from NHS Digital.

You cannot prevent, or control in any way, the release or sale of anonymised information about you from NHS Digital, even though it could possibly identify you.

The National Data Opt Out will not stop NHS Digital trading your information in aggregated or anonymised formats.
The National Data Opt Out only prevents some - but not all - disclosures by NHS Digital where your information is clearly identifiable, personal confidential information.

Aggregate and anonymised information, because it is "de-identified", no longer counts as personal data as far as NHS Digital believe, and so (they assert) fall outside of GDPR and the Data Protection Act and the Common Law of Confidentiality.

That means NHS Digital can give or sell any aggregate or anonymised information about you:

You won't know that it's happening, and you won't be able to find out if your information was used in this way.
NHS Digital won't tell you, and will claim they can't tell you.

Anonymous (or anonymised) information is data which does not relate to an identified or identifiable individual (ie data that is not personal data).
Anonymisation is the processing of personal data into anonymous information so that an individual is not (or is no longer) identifiable.

For the purposes of data protection law, applying anonymisation techniques to turn personal data into anonymous information counts as processing.

The same information can be anonymous data to one organisation, but personal information in the hands of another organisation.

Many experts believe that there is no such thing as anonymised information, especially where such information consists of individual-level records, and very information-rich, linked health record datasets.


"You should therefore exercise a level of caution. For example, it is common to refer to datasets as 'anonymised' when in fact they still contain personal data, just in pseudonymised form. This poses a clear risk that the requirements of UK data protection law may be disregarded in the mistaken belief that the processing does not involve personal data."
ICO, Introduction to anonymisation


If you don't want NHS Digital to trade anonymised information about you then you have to stop NHS Digital getting hold of your information in the first place.
By expressing a Type 1 opt-out to your GP surgery.

Back to index


Your pseudonymised, personal confidential information

Will I be informed when my pseudonymised information is released or sold to organisations?

NO.

You lose all control of your GP record once it is uploaded to NHS Digital.

Will I be asked for my consent before my pseudonymised information is released or sold to organisations?

NO.

You lose all control of your GP record once it is uploaded to NHS Digital.


Consent - your informed, explicit permission - plays no part in care.data2

At no point - ever - are you asked for your permission for anything to happen to your medical records.



Can I object to my information being provided or sold to organisations in a pseudonymised format?

NO.

You cannot prevent, or control in any way, the release or sale of pseudonymised information about you from NHS Digital.

You cannot prevent, or control in any way, the release or sale of pseudonymised information about you from NHS Digital, even though it could possibly identify you.

The National Data Opt Out will not stop NHS Digital trading your information in pseudonymised formats.
The National Data Opt Out only prevents some - but not all - disclosures by NHS Digital where your information is clearly identifiable, personal confidential information.

Pseudonymisation is a type of processing designed to reduce data protection risk, but not eliminate it. It is a security and risk mitigation measure, but not an anonymisation technique by itself.

For example, it may involve replacing names or other identifiers (which are easily attributed to individuals), such as the NHS number, with a reference number.

Pseudonymisation means that individuals are not identifiable from the dataset itself, but can be identified by referring to other information held separately, such as a decryption key or cipher, or by linking the dataset with other information about the individuals concerned (such as might be held by a third party, or publicly available information acquired from social media).

The DPA 2018 refers to "de-identified" personal data as personal data that has undergone pseudonymisation as defined in the UK GDPR rather than (for example) anonymous information.

Although pseudonymised information could quite easily identify you, you cannot stop NHS Digital from releasing or selling your uploaded GP information to organisations in this format.
Nor can you insist that it must not be released or sold to organisations that may hold other information about you.

Such as Google, Facebook, Amazon, Apple. And many others that hold vast amounts of information on all of us.


"No matter what level of de-identification techniques are applied to personal data, there is always a residual risk that data can be re-identified by linking it with other datasets, inferring information from proxy variables, or by applying advanced data mining techniques."
Centre for Data Ethics and Innovation's (CDEI), Privacy Enhancing Technologies (PETs) Adoption Guide


You won't know that it's happening, and you won't be able to find out if your information was used in this way.
NHS Digital won't tell you, and will claim they can't tell you.

If you don't want NHS Digital to trade pseudonymised information about you then you have to stop NHS Digital getting hold of your information in the first place.
By expressing a Type 1 opt-out to your GP surgery.

Back to index


Your clearly identifiable, personal confidential information

Will I be informed when my clearly identifiable information is released or sold to organisations?

NO.

You lose all control of your GP record once it is uploaded to NHS Digital.


Will I be asked for my consent before my pseudonymised information is reidentified by NHS Digital?

NO.

You lose all control of your GP record once it is uploaded to NHS Digital.


Will I be asked for my consent before my information is provided or sold to organisations in a clearly identifiable format, once I have been reidentified by NHS Digital?

NO.


Consent - your informed, explicit permission - plays no part in care.data2

At no point - ever - are you asked for your permission for anything to happen to your medical records.


Click to drop down/close find out more about disclosure of your clearly identifiable information

Organisations seeking your identifiable, personal confidential information can obtain approval by the Confidentiality Advisory Group (CGA) of the Health and Rsearch Authority (HRA) for such a disclosure by NHS Digital. That authority sets aside the normal requirement for your explicit permission (your consent) to be required first, and such information can be requested for both research and non-research purposes.

You might be asked for your permission, first, in a few exceptional circumstances. That is where an organisation is seeking authority from CAG simply for NHS Digital to disclose your contact details (which is still personal confidential data) in order for you to be invited to contribute to a specific research study. Such approval would be granted as Class 3 support under Regulation 5 of COPI 2002.

But you won't be asked for your consent before your contact details are provided to such organisations.
You only might be asked for your consent after you have been contacted.

In reality, such applications simply for Class 3 support are rare. Most simply ask for disclosure of medical information without consent, using class support under Regulation 5 of COPI 2002.

CAG provides authority for non-consented disclosures of personal confidential information, where consent would not be feasible, from all data controllers in England and Wales, not just NHS Digital.
But with care.data2, NHS Digital will hold the largest amount of confidential information, by far.

Organisations can also simply request that GP surgeries to write to such patients (identified by their GP), inviting them to make contact with the researchers if they wish to participate - without the initial disclosure of any confidential information to the research organisation. Any subsequent disclosure of medical information would then come from the GP surgery (not NHS Digital) with the express consent of the individual who had signed up to the study. CAG authority would not be needed as no non-consented disclosures would be taking place.


Can I object to my information being provided or sold to organisations in a clearly identifiable format, once I have been reidentified by NHS Digital?

YES.

That is what the National Data Opt Out is for.

Remember - the National Data Opt Out will not stop your GP record being uploaded to NHS Digital in the first place.
The Type 1 opt-out will though.

But be aware of this: the National Data Opt Out is not guaranteed.

"However, CAG can, in exceptional circumstances, approve an application that has robust justification for opt-outs to be overridden, for example 100% inclusion is statistically required. In such rare situations CAG can deem that there is an overriding public interest for the research to go ahead without opt-outs being upheld."
GDPR: Lawful basis, research consent and confidentiality, Medical Research Council

The National Data Opt Out does not stop every identifiable disclosure about you. More on my other site.

If you don't want NHS Digital to trade any clearly identifiable information about you then you have to stop NHS Digital getting hold of your information in the first place.
By expressing a Type 1 opt-out to your GP surgery.

Back to index


All data formats

Do I have any say in who my data (anonymised or otherwise) is given to, or for what purpose?

NO.

You cannot choose how to "invest your information".
NHS Digital is the "fund manager" and it makes all of the decisions.

You lose all control of your GP record once it is uploaded to NHS Digital.

Can I object to particular aspects of my data (anonymised or otherwise), such as certain diagnoses, being provided or sold to organisations?

NO.

You lose all control of your GP record once it is uploaded to NHS Digital.

Can I object to my data (anonymised or otherwise) being provided or sold to "health harming" industries or organisations?

NO.

You cannot "invest your information" ethically.
NHS Digital is the "fund manager" and it makes all of the decisions.

You lose all control of your GP record once it is uploaded to NHS Digital.

Can I object to my data (anonymised or otherwise) being provided or sold to particular organisations, or for particular research, that I find ethically unacceptable?

NO.

You cannot "invest your information" ethically.
NHS Digital is the "fund manager" and it makes all of the decisions.

You lose all control of your GP record once it is uploaded to NHS Digital.

Can I object to my data (anonymised or otherwise) being provided or sold to organisations based overseas?

NO.

You cannot "invest your information" in the UK only.
NHS Digital is the "fund manager" and it makes all of the decisions.

You lose all control of your GP record once it is uploaded to NHS Digital.

Can I object to my data (anonymised or otherwise) being provided or sold to organisations who might already hold other information about me?

NO.

You lose all control of your GP record once it is uploaded to NHS Digital.

Can I object to my data (anonymised or otherwise) being provided to government departments, like DWP and the Home Office?

NO.

You lose all control of your GP record once it is uploaded to NHS Digital.

Can I object to my data (anonymised or otherwise) being provided to the police or security services?

NO.

You lose all control of your GP record once it is uploaded to NHS Digital.

Can I insist that my data (anonymised or otherwise) is provided only for health research and NHS planning, and not given or sold to commercial companies or insurance companies?

NO.

You lose all control of your GP record once it is uploaded to NHS Digital.

Can I insist that my data (anonymised or otherwise) is provided or sold only to organisations within the NHS?

NO.

You cannot "invest your information" in the NHS only
NHS Digital is the "fund manager" and it makes all of the decisions.

You lose all control of your GP record once it is uploaded to NHS Digital.

Can I object to my data (anonymised or otherwise) being provided or sold in ways that might contribute to the closure of local NHS services (such as my local A&E department or hospital trust)?

NO.

You lose all control of your GP record once it is uploaded to NHS Digital.

Can I object to my data (anonymised or otherwise) being monetised - sold by NHS Digital?

NO.

You lose all control of your GP record once it is uploaded to NHS Digital.

Can I insist that NHS Digital charge for access to my data (anonymised or otherwise), and that all profits made are reinvested into the NHS?

NO.

You lose all control of your GP record once it is uploaded to NHS Digital.

Can I insist that NHS Digital trade my data (anonymised or otherwise) only with organisations that will not use it for data monetisation opportunities?

NO.

You lose all control of your GP record once it is uploaded to NHS Digital.


Will setting my National Data Opt Out stop NHS Digital providing or selling any and all information about me?

NO.

You lose all control of your GP record once it is uploaded to NHS Digital.


"You never understand how dear your privacy is until you lose it."
Rosie Perez


Back to index


What about my children's records?

NHS Digital is taking everyone's medical records, no matter how young or old you are. As soon as newborn children are registered at their GP surgery, their data will be uploadable.

Your children's medical records will be uploaded too, on 1st September, unless you opt them out.

When your children are old enough to understand and make a decision for themselves about the transfer and use of their data in this way, they will never be able to get that information deleted should they wish. It's far too late.

You do not need to see, discuss with, or seek the permission of your GP (or anyone else for that matter) before opting your children out of care.data2, if they are too young to understand and make that decision for themselves.

An opt-out for your children now means an opt-in if and when they want, when they're older.

You can give them that choice - and ensure that they retain control over their medical information.

If you opt-out your children now, that will remain in force indefinitely, until such time as either you or they (once they are old enough) revoke it (i.e. opt back in).
The opt-out will not automatically be disabled once your children reach 13,16, or 18 years of age, so they do not need to opt out again once they are older.


"No child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence"
Article 16, The United Nations Convention on the Rights of the Child (UNCRC)


Back to index


What happens when I die?

When that happens, no further information flows from your GP surgery to NHS Digital (as if you had opted out whilst you were alive).

But NHS Digital retain all the information that it has on you, and can continue to disseminate and trade your information long after you die.
Seemingly, forever.

Your digital legacy is important, and few people have considered it, despite most of us having a very large amount of information "online".

When you die:

So, consider whether you want your GP record to be used, by NHS Digital and indefinitely, "beyond the grave" - and if you do not want that, then opt-out.


Can I find out what information NHS Digital holds about me, now, and in the future if I don't opt-out?

YES.

Your can make a Subject Access Request (SAR) to NHS Digital.

Click to drop down/close more information about subject access requests and NHS Digital

By law, NHS Digital must then provide you with information that it holds about you.
You can ask for:

And after 1st September, assuming you do not opt-out:

By law, NHS Digital must provide you with this information within 30 days, and it costs nothing to make a Subject Access Request.

Back to index


Your GP surgery

Do I own my GP record - do I own my data?

NO.

Neither the GDPR nor the Data Protection Act grant people "ownership" of their data.
Data ownership isn't a term recognised in data protection law, or by data protection practitioners.

Click to drop down/close more information about data ownership

Your GP surgery holds, and processes, information - personal confidential medical information - about you. You are the "subject" of that information, and so that information is about you. And indeed, every GP surgery you have ever been registered at still holds information about you (archived, albeit).

Your (current) GP surgery is the data controller, you are the data subject. Neither "own" your data.

Being the data subject gives you certain rights - data subject rights - certain levers, as it were, that you have to be aware of, control, and protect your information.

You have the right to know how your surgery is processing your information. You have the right to get incorrect information corrected.

You can obtain a copy of your information (and even then, the surgery has the right to withold some of the information in your GP record), but you cannot take the information from your GP surgery, leaving the surgery with no information and you with the only copy of the information. However, you do own the copy of your information.

You don't have the right to take your information away, or "take back", from your surgery, as would ordinarily be expected of something that you might "own".

You don't have the right of erasure - to get your information deleted by the surgery, in part or whole, and leaving no one with information about you, including you, as would ordinarily be expected of something that you might "own".

You have the right to object to ways in which your information is processed by your surgery. But those rights are not absolute, and your GP surgery can still process (e.g. disclose) your information despite any objection that you might have. The surgery might be legally obliged to do so.

And you cannot tell your surgery to process your information in a particular way. For example, you cannot say "put my medical record on Facebook", or "send it to this solicitor". Your surgery is under no obligation to do so, and would likely, or almost certainly, refuse. You can, if you so wish, obtain a copy of your information, which you then own, and can do what you like with it.

So you definitely don't own your data. But neither does your GP surgery.

And NHS Digital absolutely does not own it.

Mind you, if you did own your data then taking it - without your permission - would be nothing short of theft.


Is it true that GP surgeries do not share data?

NO.

GPs do share information about patients as part of providing excellent clinical care, for example:

Have a look at nhsdatasharing.info to see the myriad of ways that GP surgeries share information.

Have a look at this surgery's detailed privacy notice to see the myriad of ways that GP surgeries share information.

But GP surgeries do not upload vast amounts of personal, confidential and identifiable information about you, from your GP record, forcibly, hurredly, without your explicit consent and probably without your knowledge, to databases out with your GP surgery, into the hands of different data controllers, for purposes unrelated to your direct medical care.

Until now, that is.


Will care.data2 be the only source of information from my GP record for NHS Digital?

NO.

NHS Digital already holds some information about you, derived from your GP record.

Opting out of care.data2, via the Type 1 opt-out, won't affect data about you that NHS Digital already hold.


Will my GP surgery mind if I opt-out?

NO.

Your GP surgery justs wants you to find out what's going to happen to your medical records, read, think, and decide whether to opt-out or not.


If I opt-out now can I opt back in later?

YES.

You can opt back in to care.data2 at any time in the future.

If you want.
When you want.
It then becomes an opt-in scheme for you - so your record will only be uploaded with your explicit consent.


Will my GP surgery undertake a Data Protection Impact Assessment (DPIA) before proceeding with the processing of personal data in this way?

Maybe.

They should, by law.

They should be able to demonstrate a DPIA that they have produced, in order to be accountable.

The ICO has made it clear that the surgery is the data controller, and where a DPIA is warranted the surgery is therefore responsible for it.

But surgeries are overwhelmed at present, with NHS work, with COVID work, with vaccinating the population.

They simply will not be able to provide the information blitz required to uphold their patients' right to be informed.
They will find it very challenging to undertake more than a cursory DPIA.
They absolutely should undertake a DPIA first.

No-one can do a DPIA on their behalf. There is no data processor involved in the processing to NHS Digital (who becomes the data controller for the uploaded information).

And they haven't been provided with the NHS Digital DPIA to help them. That's still not in the public domain.


Will my GP surgery be breaching the common law of confidentiality by uploading my personal confidential information to NHS Digital?

NO.

The Common Law of Confidentiality mandates that there be a legal basis for the disclosure and processing of such information for secondary uses.
For example, the explicit permission of the individual, or approval by the Health and Research Authority - Regulation 5 of The Health Service (Control of Patient Information) Regulations 2002.

One other legal basis is "legal obligation" and as GP surgeries are under a legal obligation to upload to NHS Digital for care.data2, no legal breach of confidentiality will occur.


Is care.data2 unlawful?

Maybe. Almost certainly, had uploads commenced on 1st July.

But all such processing must comply with the principles of the UK GDPR and the Data Protection Act 2018.

And for any processing to be lawful (under UK GDPR), it must also be compliant with Article 8 of the Human Rights Act - the right to privacy. And privacy is inherent on the ability to control your private information.

Everyone has the right to be informed. To know what is going to happen to their information and what they can do to stop such processing, should they wish.

If people - in this case, the entire population of England - are unaware of what will happen, and so their right to be informed is not being upheld, then that is neither transparent processing nor fair processing.

If people cannot opt-out because they don't know that they can opt-out, or they are told to opt-out via the National Data Opt Out when that will not stop extraction and uploading of their GP record to NHS Digital, then that is neither transparent processing nor fair processing.

And if processing of our most personal and confidential information is neither transparent nor fair, then that is unlawful.

If you are deprived of the ability to control your private information, because you were not informed that you could control it (i.e. opt-out), then that is a breach of your privacy. Especially because once uploaded you can never get your information deleted.
You may view that then as a misuse of your private information.


"There's no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights."
Information Commissioner's Office, July 2017



Can my GP surgery refuse to supply information to care.data2?

NO.

GPs are legally compelled to upload to NHS Digital.
You can read the data provision notice that compels them to process your information in this way.

But GP surgeries cannot, and should not, comply if that would result in the surgery (as tha data controller) breaking data protection law.

If such processing would be unfair and unlawful.

And you can absolutely refuse to supply your personal confidential information to care.data2, if you so wish.

Back to index


Where can I find more information about care.data2 (GPDPR) (and sharing medical records in general), so that I can make an informed decision about opting out?

Back to index


GPs have written on open letter to the government about GPDPR, expressing their concerns

Click to drop down/close the open letter about GPDPR

An Open Letter to the Government regarding GPDPR

As data controllers and doctors with a duty of confidence to their patients, GPs are obliged to ensure that patients are properly informed of significant new data processing and that their permission has been sought prior to us sharing their data - and that this data is and will be handled responsibly, securely, and transparently.

Due to insufficient action and clarity on the part of the Department of Health and Social Care (DHSC), the former Health Secretary's tech vision unit, 'NHSx', and NHS Digital (NHSD) on these issues, we are currently unable to determine that the GP Data for Planning and Research (GPDPR) programme will meet these fundamental requirements.

Therefore, we welcome NHS Digital's withdrawal of the Data Provision Notice (DPN) on GPDPR and call on the Government to address the following prerequisites before any future DPN is issued. GPs can only complete the Data Protection Impact Assessment (DPIA) - that we are legally required to perform before enabling the GPDPR sharing agreement to begin sharing our patients' identifiable personal data - once we are satisfied that these minimum requirements have been met::

Yours Faithfully,

Dr Jackie Applebee, Chair Tower Hamlets Local Medical Committee (LMC)
Dr Osman Bhatti, Chief Clinical Information Officer (CCIO) North East London (NEL) Clinical Commissioning Group (CCG)
Dr Mark Sterry, Secretary Solihull LMC
Dr Paul Evans, Chair Gateshead and South Tyneside LMC
Dr Zuhaib Keekeebhai, CCIO North Central London (NCL) CCG

Back to index


Opting out of care.data2 / GPDPR

So do I stop my GP record from being uploaded to NHS Digital? How do I opt-out of care.data2?

If you decide to opt-out then it's easy. Just ask your GP surgery to record a Type 1 opt-out in your GP record and those of your family.

And if you do decide to opt-out, do this fast. Uploads to NHS Digital start on the 1st of September, and whilst an opt-out recorded after that date will prevent any future uploads to NHS Digital from your GP record, it will not result in your already uploaded data being automatically deleted by NHS Digital.

They will hold your GP record forever. And they can then process it forever.

You cannot get your uploaded information deleted.

And even if you could, any information about you traded by NHS Digital, and provided to third parties, is gone forever.
Pretty much untraceable. You can never get that information deleted.

You can fill in any one of the forms below, and hand it in to your GP surgery, or post it, or email it.


You need the Type 1 opt-out to prevent your GP record being uploaded.
The National Data Opt Out will not prevent the extraction and upload to NHS Digital.

You can opt-out verbally at your practice should you wish. A verbal expression of your wish to opt-out is perfectly valid.

You can do so if you happen to be having a telephone conversation with a member of staff at the surgery, or a telephone consultation with a doctor or nurse.

You can do so if you happen to be having a face to face surgery appointment with someone at the surgery.


Please do not make an appointment with your GP, or ring your surgery, just to opt-out. You do not need to.

Just hand in, post, or email a Type 1 opt-out form, or a letter, to your GP surgery.
Or use your surgery's eConsultation system (if it has one) - just make clear that you are expressing a Type 1 opt-out to GPDPR, and select the "I want administrative help" section in the online form

That's it. Simple. No questions asked.

Don't forget to opt-out your children as well. They may well thank you for that when they're older.

It does not matter if you have opted out previously.
It does not matter if you're not sure if you've opted out previously.
It does not matter how many times you opt out.

If you're not sure whether you have opted out previously, just opt out again.
Your GP surgery won't mind.
It's far easier for them just for you to opt-out again, than for you to try to contact them to make that enquiry.

Back to index


Remember - you can opt back in (and revoke your Type 1 opt-out) at any time in the future.

You do not have to lose all control of your medical records to help the NHS with research and planning.

Do not let anyone tell you that care.data2 is the only way.

Click to drop down/close more information about why you shouldn't worry about the Type 1 opt-out

Do not worry about the Type 1 opt-out.

Neither opting out of care.data2, nor setting your National Data Opt Out to "do not share", have any effect on your direct medical care.

Neither opting out of care.data2, nor setting your National Data Opt Out to "do not share", will prevent your GP surgery from uploading information about you to NHS DIgital (or anyone else) for the purposes of your direct medical care.

Neither opting out of care.data2, nor setting your National Data Opt Out to "do not share", prevents you form contributing to medical research - if you are asked for your explicit permission first.

Have a look at my National Data Opt Out site, or read this leaflet about Type 1 opt-outs, to be reassured about this.

They are your medical records and you have the absolute right to determine if, how, and why, they are being used for purposes beyond your direct medical care.

Research is important, but it must be undertaken correctly, fairly, ethically, with people being informed, given time to decide, and with people having the right to object at any time.

The Type 1 opt-out and the National Data Opt Out:

The Type 1 opt-out and the National Data Opt Out:

Neither the Type 1 opt-out nor the National Data Opt Out will prevent you from using the NHS App (or any other, similar, online services app), or any of the features it provides, including secure online access to your electronic GP record.

Back to index


Feel free to send me constructive comments about this site.

Neil.Bhatia@nhs.net

PGP public key: 9651 BDC9 46B5 7768 3B3F AF79 8FE1 DACC FEFA 344F

S/MIME public key: 61EA AD3A 8356 258B 4390 4362 AE0C 8DCA 3ACC 50CA

Last updated: 29.07.2021


Privacy Policy

This website is hosted by 1&1 IONOS Ltd.

This website does not accept or host any advertising.

This is a non-commercial website and receives no external source of funding from any organisation.

This website does not use first-party cookies, third-party cookies, or ad-trackers..

This website does not collect or process personal data.

This website does not use Google Analytics or Facebook Pixel.

All links from this website are provided for information and convenience only.

This is a personal website and in no way affiliated with any GP surgery or Clinical Commissioning Group.

Back to index