Patient records from surgeries across Gedling borough will from today (September 1) start being uploaded to a new system which gathers data held by GPs and feed it into a central NHS database.
The brand-new system called the General Practice Data for Planning and Research, or GPDPR, will then share this data with third parties for research and development.
Patient information – going back over the past 10 years – will be transferred to the database.
Patients were given the opportunity to opt out of sharing their data, with an initial deadline of September 1, but this has since changed.
The electronic database will hold incredibly sensitive data, such as mental health, sexual health and criminal records.
While this data will be made anonymous with unique identification codes, the NHS will be able to access the original data showing patients’ names – where there is a valid legal reason to do so.
This has raised concerns around privacy, as Ruby Ashby, associate in Nelsons’ expert dispute resolution team, discusses.

According to the NHS, the new system will help to reduce the burden on GP practices, allowing doctors and other staff to focus on patient care, with the data being used to support a wide variety of research and analysis that will help to run and improve services.
The NHS has made it clear that anyone had the right to opt-out if they wished to do so, with an initial cut-off date of September 1.
However, changes have been introduced since then which will allow introduced patients to change their ‘opt-in’ status at any time.
Is GPDPR compliant with data protection legislation?
From a data protection standpoint, it’s necessary to question whether GPDPR conforms with UK General Data Protection Regulation (UK GDPR) legislation and the Data Protection Act 2018. One concern is that a majority of patients won’t have given their explicit consent to the sharing of data, with many potentially being completely unaware of the plans.
While this is a valid point, it is important to understand that consent is not always required. Consent is only one lawful basis for processing data and there are an additional five that allow an organisation to lawfully process data without consent. As a public body, the NHS will be able to process the data without people’s consent if the processing is regarded as being in the public’s interest.
Another concern is that, while patients will be identified with unique codes, the NHS will be able to access the original data that shows the patients’ names. The use of codes rather than names is known as pseudonymisation. This is a commonly used technique in the processing of data, which means that individuals can’t be identified from the data itself and only by referring to other information held separately.
Therefore, the NHS will need to take care that the additional information that can identify the individual is kept separately, with relevant controls in place, to ensure it’s not possible to re-identify the patient, except for in very specific circumstances as permitted by UK GDPR.
For more information on data protection, please visit https://www.nelsonslaw.co.uk/business-agreements-contracts/data-protection-solicitor/data-breach-compensation/