top of page

Medical surveillance net is closing around us

Demand answers and create change within the NHS

YOU may remember an article from the Byline Times in May 2021 entitled: The Government wants to sell your GP medical records, here’s how to opt-out, by Phil Booth.


And you may have opted out by signing forms both with the GP and the NHS. The public outcry led to the project being delayed, a move apparently welcomed by the Information Commissioner’s Office (ICO).

Close call. But has our data been quietly stolen behind the scenes?

Around the time that Covid-19 was no longer deemed to be a High Consequence Infectious Disease (HCID) on 19 March 2020, the Department of Health and Social Care (DHSC) quietly issued a Control of Patient Information (COPI) notice. It read:

“This notice is necessary so that NHS Digital can lawfully and efficiently disseminate confidential patient information… for the purposes of the health service or other persons employed or engaged by a government department or other public authority in communicable disease surveillance in connection with the health and social care system’s management of the response to Covid-19.”

These notices remain in effect to this day. A Notice issued under a Regulation cannot legally remove our rights under the Data Protection Act 2018, or remove our lawful right to confidentiality. They used Covid-19 to justify it, but, according to the public record, that pretext did not exist.

The British Medical Association (BMA) confirms that “GP practices are data controllers for the data they hold about their patients”.

I asked two practices if any of my data had been shared with NHS Digital or other third party. I received assurances that it had not. I asked for assurance that my opt-out form had been received, and that they needed nothing else from me to ensure no data left the practice or could be accessed by NHS Digital or other third party. I received such assurance. I requested my full medical record. Imagine my surprise when the following note appeared every month or so over the past two years: “Additional SCR dataset uploaded under COPI regulations. Summary Care Record [SCR] Update sent as part of a Central Bulk Upload. The patient’s preference is for only core items to be included in their Summary Care Record. This has been overridden so that additional items will be included in this patient’s Summary Care Report.”

I asked for an explanation of what this included and what the legal justification was. The answers varied from its being about sharing prescriptions with the pharmacist (my prescriptions have been electronic for many years), to routine blood tests, to a statement that my SCR had been automatically shared as they had no record of an SCR opt-out form, to no explanation is available as they referred it to the Medical Protection Society. I also received an assertion that Covid-19 has been considered an HCID from March 2020 to 2022, and therefore they did what the COPI Notice instructed.

The SCR you see online has a note stating: “This view of your record is not your actual Summary Care Record”. How can it be right that we are the ones unable to access our own medical data? The real SCR dataset is comprehensive, including potentially 3,000+ data items describing our full medical history.

Additional Information includes:

  • significant medical history

  • reason for medication

  • anticipatory care information (such as information about the management of long-term conditions)

  • end-of-life care information immunisations

Just the data you would need for a Covid-19 passport, perhaps?

My record also shows “Covid-19 Patient Screening”. I have not seen a GP during this time, so I asked what this entailed and how it was done. They were unable to answer.

I asked about several entries saying: “System One Outgoing Record Sharing consent changed to Not Asked – Record Shared”. The response was, ‘Record Shared’ means the record was not shared.

It would seem opt-outs and patient preferences count for nothing, despite public assurances to the contrary.

How can NHS Digital have all adult data if GP's told me they haven’t shared any?

Where might they have got this information? Helpfully, the NHS tells us that the General Practice Extraction Service (GPES) provides two of the seven sources for Databricks.

Is this where our SCR data has gone? This data is enabling AI to make judgements about who should be jabbed.

On July 1, 2022, the COPI Notices were again extended. They are seeking an “alternative, sustainable legal basis” on which to permanently destroy our fundamental right to medical privacy. The Information Commissioner’s Office, it appears, is helping NHS Digital by recommending that it agrees a National Data Sharing Agreement for GP Connect, so that they can continue to benefit from this sharing of our most precious data once the COPI Notice expires.

It will then no longer need to be referred to in the GP's or NHS Privacy Notices, and patients will be none the wiser. Doesn’t this give the ICO a potential conflict of interest when investigating data complaints about GP's, NHS Digital, GP Connect and COPI Notices?

I find it unforgivable that GP's and their Data Protection Officers are unaware of the status of Covid-19, given many of us mere members of the public have known this since March 2020. They appear to have taken no legal advice and simply followed orders, despite being legally accountable for protecting our data. The Covid-19 status surely also begs the question whether any of the other Covid-19 measures were lawful or legal.

I find the NHS long-term plan terrifying, and so I hope I have inspired you to ask your own questions. Perhaps lawyers and journalists will also investigate?

The more of us who demand answers, the more unlikely it is that they will succeed. We have more power than we know, when we act together.

Ultimately, we need a system which respects the fact that this is OUR data, and we should be the ones who decide who we can trust with it.


  1. news-and-blogs/2021/06/ elizabeth-denham-welcomes-a-delay-to-the-launch-of-the-gpdpr/


  3. coronavirus-covid-19- response-information- governance-hub/control-of-patient-information-copi-notice

  4. gdpr-november-2019.pdf

  5. summary-care-record/scr-inclusion-final.xlsx

  6. information-in-scr

  7. coronavirus-covid-19- response-information- governance-hub/control-of- patient-information-copi-notice/ national-data-sharing-gp- connect-and-scra

  8. health-and-social-care- protecting-the-vulnerable


  10. 19-notification-to-organisations-to-share-information/coronavirus-covid-19-notice-under-regulation-34-of-the- health-service-control- of-patient-information-regulations-2002

  11. national-data-sharing-gp-connect-and-scra

  12. https://www.longtermplan.

10 views0 comments
bottom of page