There is widespread policy interest in how health data can be better used to improve healthcare decision making and patient outcomes, and to support research and innovation. The latest contribution to these deliberations, the Sudlow Review, has highlighted the enormous potential societal benefits offered by uniting the UK’s health data within a new National Health Data Service to streamline research and analysis.1 The recommendations from the Sudlow Review have built on previous UK-wide reviews, including the Tony Blair Institute for Global Change report, the UK’s Data Saves Lives policy, and international recognition of the importance of computerised medical records (CMRs) to support health and care systems.2–4
As the main source of longitudinal health data, the Sudlow Review has reaffirmed that UK general practice CMRs are the key data asset to build on to develop ways of sharing and linking data across different healthcare, policy, and research sectors. GPs and primary care teams need to engage with these policy discussions in terms of how to maximise the secure reuse possibilities for general practice data.
We believe there are two distinct roles that have not yet been given sufficient attention in terms of training and support for GPs and their primary care teams. These are enhancing the role of the GP as trustworthy data controllers, and formalising the existing role as custodians of patient data. These roles both need greater attention if we are to realise the potential of primary care data.
The status quo: general practices are the data controllers
GPs and their teams are regarded by their patients as highly trustworthy.5 They are the data controllers of their patients’ CMR data. This role of acting as a data controller involves legal responsibilities for handling requests for access to their patients’ data and protecting the security of these data as set out in the UK General Data Protection Regulation (GDPR) and the 2018 Data Protection Act.6 The NHS supports GPs in this role by providing access control through mechanisms such as requiring users to have smartcards, a secure data environment and email system, ensuring primary care CMR systems provide security, business continuity plans, and respecting patient choice not to share their data for research through a National Data Opt-Out (NDOO).
Acting as data controllers carries individual practitioner-level as well as practice-level responsibilities. Individual primary team members need to ensure that their patients’ medical records are of good quality (complete, accurate, relevant, accessible, and timely), that confidentiality is maintained, and that the CMR is used only for the intended purpose. Practice-level responsibilities include making patient data available to support direct care, appointing or sharing a Data Protection Officer, providing privacy notices of what information is collected and why, and complying with the NDOO. The NHS Data Security and Protection Toolkit provides the tools to demonstrate compliance with data laws and good practice.7 As data controllers, practices can also agree to share data for research purposes.
While many of the data access requests dealt with in primary care are straightforward, some involve risk. GPs and primary care teams, however, currently receive little in the way of training around the risks of being data controllers and maintaining their responsibility for ensuring that access to data and request for data sharing are appropriately managed. Primary care professionals need to have the confidence and skills to identify and manage those few cases where abuse or control are a potential risk. We advocate for more case-based learning around the common areas where there are challenges including how to assess and document risk of serious harm, the possibility of third-party identification through record access, medical harm if a patient is not aware of a serious diagnosis, and challenges around disclosure of redacted information. The goal is to enhance the trustworthiness of general practice as a data controller.
Data custodian: formalisation of this existing role in general practice
Alongside their role as data controllers, we propose system-wide recognition of the existing role of general practice as data custodians. Support and development of this role would give general practice teams the opportunity to curate the lifelong primary care record in a way that maximises individual patient and societal benefit. Expert data custodianship goes beyond the legal responsibility described above and is about harnessing health data to improve care delivery and health outcomes. The latter can be achieved both through improving direct care as well as supporting research, innovation, and health service planning. The better the data, the better the outcomes.
As data custodians, individual primary care team members would facilitate engagement with patients and carers about how and why their health data are used. They would also have a responsibility to ensure there is high quality recording of data in consultations beyond the ‘accurate’ record required by GDPR, ‘Coding is Caring’.8 GP teams can increase the global value of the CMR when they choose to add data as computer-readable codes rather than as simple text, for example, a code for a precise diagnosis or a physical sign. Good coding means good care, where those codes allow computerised safety and decision support alerts and computerised summaries for past medical history. Beyond the practice, those codes allow others to safely access the record (such as the patients themselves and other NHS organisations) and they are essential to ensure provision of high-quality data for research and health planning purposes.
At a practice level, data custodianship requirements are changing as more patients are given online access to their own records, and those that care for them, such as family members and carers (proxies), who may also be given online access. GP software systems were never designed with the intention of being viewed by patients and their proxies, and current implementations are adaptations of existing software rather than patient-centred design. Considerable human resource is needed to make sure the records are safe and appropriate to share, and that only the right people are given access.9
Practices will curate data and findings of clinical significance from investigations and letters, and ensure that key data from practice portals used for triage and managing on-the-day care are coded. As well as adding good data, less relevant data must also be removed from high-level summaries to avoid crowding out data of greatest relevance. Custodianship will be about how better data will improve patient care beyond the minimum set out as a responsibility of controllership. This might include improved summary data being made available for specialist care, improved informational continuity, flagging cases for prevention, providing care across health sectors, and ensuring patient safety. With the deployment of the updated NHS software ‘GP Connect’, it is now possible for coded data to be transferred in computer-readable ways that allow these to be integrated in safety and decision support tooling in any NHS setting where, for example, an allergy recorded in the practice can produce a warning in a hospital accident and emergency department. Alongside areas of clinical importance, active involvement in sharing data for policy, planning, and service improvement alongside research and innovation should be part of this role.
Conclusions: trust, training, and a contractual framework
As a trusted pillar of society and the cornerstone of the NHS, general practice should be enabled to maximise the benefit of healthcare data. Given the policy impetus towards their use, it is the time to positively develop the role of GP and the primary care team as the trusted custodians as well as the controllers of the primary care record.
We believe this can be achieved through training and system-wide support, including:
professionally-led training across primary care careers. For GPs there should be a continuum, from registrar years to professional training; this should apply to all the members of the primary healthcare team, with some responsibilities held at practice level; and
contractual changes that recognise the very considerable opportunities and responsibilities associated with being a trusted data controller and expert custodian of the lifelong CMR. Contractual changes have achieved rapid and sustained developments in chronic disease management, in practices working together in primary care networks, and in service delivery and vaccination across the pandemic.10 Contractual change is an appropriate vehicle to achieve improved coding and increased sharing of high-quality primary care data.
Bottom-up, professionally-led custodianship of data is a core general practice role alongside data controllership, with the patients’ best interests at its core, and should be a priority.3 This change is essential if the societal value of our health data are to be realised.
Notes
Provenance
Commissioned; not externally peer reviewed.
Competing interests
Simon de Lusignan has received funding for vaccine-related work through the University of Oxford from AstraZeneca, GSK, Moderna, Pfizer, Sanofi, and Seqirus. He has been a member of advisory boards for GSK, Sanofi, and Seqirus, and has been funded for conference travel or received a speaking fee from AstraZeneca and Moderna. Tom Nichols is a clinical advisor to PRIMIS at the University of Nottingham, who were previously contracted to deliver training for the previous information management and technology directed enhanced service. Tom Nichols, Imran Khan, and Nada F Khan are members of the RCGP Health Informatics Group.
- © British Journal of General Practice 2025
