Alongside the 2017 GMS contractual requirement, practices are also legally required under the HSCA (Health and Social Care Act) 2012 to provide the information requested for the WMDS. This is because the collection has been enacted under Section 259 of the HSCA, which gives the DHSC (on behalf of the Secretary of State for Health and Social Care) or NHSE the statutory power to direct NHS Digital to require data collection from health or social care bodies or organisations in England.
The data set includes personal information about staff members, including their NI number, name, date of birth, gender and ethnicity. This information is anonymised and used to ensure every primary care workforce member is included in baseline data. Age, gender and ethnicity are all important indicators for monitoring the demographic of the workforce and for future planning.
Under Section 10 of the DPA (Data Protection Act) 1998, an individual is entitled to object to the processing of their personal data if they believe that the processing is likely to cause damage or distress. However, the legal obligation mandated by Section 259 of the HSCA overrides Section 10 of the DPA, meaning that staff members cannot refuse to have their information collected. The HSCA also overrides the requirement under the common law duty of confidentiality to seek consent from staff members when releasing identifiable data about them.
The Information Commissioner's Office has stated that it would not consider practices to be in breach of the DPA in providing the WMDS, including staff information, to NHS Digital, as this is a disclosure required by law.
Although the right to object under the DPA is removed, practices are advised to inform their staff about the data collection and the way information about them will be used. This is to ensure practices comply with the fair processing principle of the DPA. The NHS Digital website provides a template for fair processing notices, which is available for practices to use.
National Insurance Number
Practices have raised concerns about the inclusion of the NI number within the data set. The purpose of the NI number is to enable NHS Digital to assign a unique identifier to each member of the NHS workforce, to map the workforce across different sectors and to determine headcount. The NI number is used to produce a pseudonymised workforce identifier at the first stage of the data process, to link data from different NHS settings. The NI number is not retained once this has been done.
We believe initial use of NI numbers to assign unique identifiers is the best option to ensure workforce data is accurate. An accurate workforce picture will enable the BMA to hold the government and national commissioners to account with regard to the NHS Long Term Plan and other emerging workforce plans.
Privacy impact assessment consultation
Prior to implementing the new data collection, NHS Digital undertook a PIA (privacy impact assessment) to inform stakeholders about the information governance and data protection risks associated with the WMDS, and proposed mitigating actions for the risks. Stakeholders were invited to respond to the PIA's findings, and to raise any additional concerns not already addressed by the PIA.
Our response highlighted the concerns initially raised by practices, particularly around the length of data retention periods, and the perceived lack of adequate data security and information governance arrangements. We also challenged NHS Digital's assertion that an individual's right to object to the processing of their personal data is overridden by the direction under the HSCA, arguing that rights for a citizen to object to the processing of their personal confidential data exist under the NHS Constitution and EU law. We have, however, since been assured by NHS Digital and HEE that the data collected is both secure and anonymised before analysis.
The NHS Digital response to the consultation is available on their website.