GP websites - desk research into information about patient data use

Under the General Data Protection Regulation (GDPR) and Data Protection Act 2018, GP practices are named as data controllers which means they determine the purpose and means for how personal data is used and processed, including its purpose and the length of time for which that data can be used. Following a discussion at the Public and Patient Engagement and Communications Advisory Group (PPECAP) on 27 October 2022 on commercial uses of GP patient data, we wanted to explore how GPs communicate to patients about how data is stored, collected, and used.

While GP practices may communicate to their patients through other channels, such as text, letters, social media or materials within practices (such as posters and leaflets at waiting rooms), we focused on information communicated via their websites as this was the most accessible channel to explore in the first instance and expected to hold content around data protection, how data is used and opting out. While GPs share data in a range of different ways, not just with NHS Digital, there was no way of assessing the full breadth of data sharing activity. As a result, we took information on websites as the full and complete picture of how and what data GPs shared.

This research sought to explore how a small, randomly selected sample of 55 GP surgeries in England communicate to their patients about patient data use via their website.

The desk research sought to establish the following:

• is there web content about sharing GP patient data
• does web content explain the purpose of data sharing
• is there web content on data protection and opting out

We used a randomly generated list of England postcodes to identify GP surgeries for this research. In addition to answering the above questions, we rated whether web content was easy or hard to find. We used a sample of 55 surgeries in England.

Website design

Out of the 55 GP surgery websites, we found that 40 GP surgery websites contained web content about sharing GP patient data. 35 websites mentioned the purpose of sharing the data and provided information around data protection and opting out.

Of the 40 websites that had information about sharing GP patient data, information was difficult to find in 24 websites and easy to find in 16 websites.

Websites that were difficult to find information on GP patient data sharing often lacked intuitive design and architecture. 7 websites required 3 – 5 clicks to get to the correct information, and 15 websites required the use of a search bar to find relevant content. 2 websites attempted to link to opt-out content but presented an error webpage.

Websites that were easy to navigate required 1 – 2 clicks to find relevant content. The customer journey across all 16 websites that were easy to navigate commenced from the homepage and often had clear navigation options. For example, 6 websites had navigation tabs on the homepage dedicated for relevant information such as ‘data choices’ or ‘data matters’. 4 websites held content on data sharing in the homepage, linking to further information. In some instances, this was out-dated content relating to the GPDPR privacy notice from 2021. Relevant information was found within the privacy statements for 3 websites, and 3 websites held information on summary care record or shared care record webpages.

Website content varied across the sample we looked at. 4 websites held content on dedicated webpages explaining how GP patient data was shared – covering off direct care, research and planning purposes. Content on these websites was very comprehensive and was communicated effectively with patients.

Content around how GP patient data was processed was included within the privacy notice of 17 websites, often in a PDF format rather than web pages. Although content was within the privacy notice, it was very comprehensive and covered the primary and secondary use cases on how GP patient data was used, which organisations it was shared with, legal justification for data processing and patient rights. Use case examples covered direct care, research and planning.

13 websites had light touch content that did not provide a lot of detail on how GP patient data was used. Content for these websites centred around data use for direct care purposes and opting out. Of these websites, 5 referred to a digital copy of the ICO Your Data Matters leaflet. 5 websites provided very limited content about how GP patient data was used, focusing only on summary care records. 

The findings from this desk research shows that there are inconsistencies in how GP surgeries communicate with their patients via their websites. We have a broad understanding of what makes a good customer journey and potential barriers in finding relevant web content on how patient data is used by GP surgeries.

What we have not established is the experiences of GP surgery staff responsible for uploading content to their websites. Our next step is to explore options on how we can engage with GP staff in a meaningful way to better understand their experiences. Specifically, we would want to establish content design capabilities. While GP Practices are responsible for communicating to patients about how their data is processed and shared, we would like to understand how wider NHS teams could take to improve consistency and user experience for patients.

Furthermore, we have not established the role that website providers have and their responsibility in shaping the customer journey. Due to the limited market for GP website providers, we would like to explore their role in developing a customer journey, and the role they have with GP practices in how GP patient data sharing is communicated.