Under the General Data Protection Regulation (GDPR) and Data Protection Act 2018, GP practices are named as data controllers, which means they determine the purpose and means for how personal data is used and processed, including the length of time for which that data can be used. Following a discussion at the Public and Patient Engagement and Communications Advisory Group (PPECAP) on 27 October 2022 on commercial uses of GP patient data, we wanted to explore how GPs communicate to patients about how data is stored, collected, and used.
While GP practices may communicate to their patients through other channels, such as text, letters, social media or materials within practices (such as posters and leaflets in waiting rooms), we focused on information communicated via their websites, as this was the most accessible channel to explore in the first instance and was expected to hold content on data protection, how data is used and opting out. While GPs share data in a range of different ways, not just with NHS Digital, there was no way of assessing the full breadth of data sharing activity. As a result, we took information on websites as the full and complete picture of how and what data GPs shared.
Websites on which information about GP patient data sharing was difficult to find often lacked intuitive design and architecture. 7 websites required 3 – 5 clicks to get to the correct information, and 15 websites required the use of a search bar to find relevant content. 2 websites attempted to link to opt-out content but presented an error webpage.
Websites that were easy to navigate required 1 – 2 clicks to find relevant content. The customer journey across all 16 websites that were easy to navigate commenced from the homepage and often had clear navigation options. For example, 6 websites had navigation tabs on the homepage dedicated to relevant information such as ‘data choices’ or ‘data matters’. 4 websites held content on data sharing on the homepage, linking to further information. In some instances, this was outdated content relating to the GPDPR privacy notice from 2021. Relevant information was found within the privacy statements for 3 websites, and 3 websites held information on summary care record or shared care record webpages.
Website content varied across the sample we looked at. 4 websites held content on dedicated webpages explaining how GP patient data was shared, covering direct care, research and planning purposes. Content on these websites was very comprehensive and was communicated effectively with patients.
Content around how GP patient data was processed was included within the privacy notice of 17 websites, often in a PDF format rather than web pages. Although content was within the privacy notice, it was very comprehensive and covered the primary and secondary use cases on how GP patient data was used, which organisations it was shared with, legal justification for data processing and patient rights. Use case examples covered direct care, research and planning.
13 websites had light-touch content that did not provide a lot of detail on how GP patient data was used. Content for these websites centred around data use for direct care purposes and opting out. Of these websites, 5 referred to a digital copy of the ICO Your Data Matters leaflet. 5 websites provided very limited content about how GP patient data was used, focusing only on summary care records.
The findings from this desk research show that there are inconsistencies in how GP surgeries communicate with their patients via their websites. We have a broad understanding of what makes a good customer journey and potential barriers in finding relevant web content on how patient data is used by GP surgeries.
What we have not established is the experiences of GP surgery staff responsible for uploading content to their websites. Our next step is to explore options on how we can engage with GP staff in a meaningful way to better understand their experiences. Specifically, we would want to establish content design capabilities. While GP practices are responsible for communicating to patients about how their data is processed and shared, we would like to understand what wider NHS teams could do to improve consistency and user experience for patients.
Furthermore, we have not established the role that website providers have and their responsibility in shaping the customer journey. Due to the limited market for GP website providers, we would like to explore their role in developing a customer journey, and the role they have with GP practices in how GP patient data sharing is communicated.
Last edited: 15 February 2023 12:59 pm