Every day, your practice generates data. Appointments, diagnoses, prescriptions, referrals. That data sits in your clinical system and you probably do not think about it much beyond making sure your system is working and your staff can log in.
But that data has enormous commercial value and in recent years, a pattern has emerged that every practice manager should be aware of. The companies holding that data have repeatedly been involved in serious incidents, and in each case, the contracts have continued.
The companies involved
Three of these companies you will recognise, one you may not but between them, they touch almost every GP practice in England.
TPP (SystmOne)
Holds records for around 50 million NHS patients. Between 2015 and 2018, it shared records for 150,000 patients who had explicitly opted out of data sharing. Its founder made racist comments about an MP in 2024. The BMA said he failed the NHS fit and proper person test. New contracts were still awarded.
EMIS (EMIS Web)
The other major GP clinical system. In 2015, a company part-owned by EMIS sold the personal data of over 21,000 NHS patients to marketers, including companies under criminal investigation. EMIS said it did not know. In 2023, EMIS was sold for £1.2 billion to UnitedHealth Group, the largest private health insurer in the US.
Palantir
Awarded a £330 million contract to build the NHS Federated Data Platform. It has deep ties to US defence and intelligence agencies. Multiple NHS trusts declined to join. Questions about conflicts of interest were raised. The contract proceeded.
Pharmacy 2U
Part-owned by EMIS at the time. Fined £130,000 for selling patient data at 13p per record. Buyers included a company under criminal investigation for targeting elderly people with chronic conditions. The ICO called it a serious breach. The BMA called for custodial sentences.
The pattern that should concern you
In each case: something serious happened, statements were made, investigations were carried out, and then the contracts continued.
This is not about individual bad actors. It is about a system that has become structurally dependent on a very small number of technology providers. The NHS cannot simply switch clinical systems overnight without real risk to patient safety. The companies know this. So do the commissioners.
Your patient data, built up over decades of NHS care, is one of the most valuable health datasets in the world. It includes population-level, health records that no private company could replicate. That value is not hypothetical. Companies have paid billions to get access to it.
What this means for Practice Managers
You probably cannot change which clinical system your practice uses. But there are things within your control, and things worth being informed about.
- Know your data sharing agreements. What have you signed up to, and what have your patients been told? Your DSPT submission is the starting point, not the finish line.
- Take opt-outs seriously. Patients who have opted out of data sharing have a right to expect that is honoured. The TPP case shows that does not always happen automatically.
- Stay engaged with national developments. The EMIS acquisition by UnitedHealth is not a small story. Press reports suggest it may be sold again to private equity. The infrastructure that runs your clinical system may change hands without you being consulted.
- Use your professional voice. Bodies like the BMA and IGPM exist precisely to raise these issues collectively. Individual practices cannot hold billion-pound companies to account. Collective professional bodies can.
- Ask questions when new data-sharing arrangements are proposed, whether at PCN level, ICB level, or nationally. Who benefits? What are patients being told? What happens to the data after the stated purpose is fulfilled?
The bottom line
Patient data is not a byproduct of running a GP practice. It is the record of care that your patients trust you to protect. The companies that hold and process that data have in some cases treated it as a commercial asset. The accountability mechanisms have not kept pace with the commercial value at stake.
As practice managers, we are not powerless. But we do need to be informed, we do need to be in control.
Adrian Down, IGPM Regional Representative
