From April 2013 the General Practice Extraction Service (GPES) will form part of the NHS's new process to provide a centrally managed primary care data extraction service. The service will extract information from General Practice (GP) systems for specific and approved purposes, removing the current complex scheduling processes, and support payments to GPs and Clinical Commissioning Groups (CCGs).

GPES is being developed on behalf of the NHS by the Health and Social Care Information Centre (HSCIC) (an Executive Non-Departmental Public Body set up under the Health and Social Care Act) with the sponsorship and support of the Department of Health. The service is aimed at assisting researchers, organisations and healthcare providers make better decisions about the demand for primary health care services and provide greater insight into the uptake of medicines.

Any individual or organisation can apply to receive GPES data extracts from the HSCIC. Provision of the requested data will depend on the intended use of such data and will be subject to approval by an Independent Advisory Group (IAG). The advisory group is comprised of nine members, which will determine whether providing the requested data is in the public interest and whether the data is "effectively anonymised" or patient identifiable.

Public controversy has surrounded the GPES, with public rights organisations and the British Medical Association expressing concerns for the risks posed to patient confidentiality. The main areas of contention are the risks associated with disclosing patient identifiable information and of re-identification of patients.

Recipients of GPES data must sign an agreement with HSCIC to protect the data and use it only for the agreed purposes. If the data is patient identifiable, the recipient becomes a data controller (as that term is used under the UK Data Protection Act 1998 (DPA)) and must comply with the DPA's obligations, meet or exceed the Department of Health governance standards contained in the Information Governance Toolkit and be certified against the international security standard ISO 27002. For any particularly sensitive data (i.e. information that may be used in a discriminatory way and is likely to be of a private nature), the recipient must also agree to comply with any additional legal or regulatory standards that may come into force.

The sensitivity of patient data will require data recipients to establish comprehensive security measures. Recently, the Information Commissioner's Office (ICO) advised that data controllers should assess the potential harm if a security breach occurred to determine the appropriate security measures; in the case of patient data the security measures would need to be particularly comprehensive.

Retaining patient identifiable data is inherently risky. The ICO has traditionally reserved its most stringent penalties for organisations breaching patient confidentiality. Additionally, given the public controversy surrounding the GPES, organisations are likely to face severe reputational damage if they breach their obligations.

The GPES system offers researchers, healthcare providers and organisations a relatively cheap source of valuable primary care data extracts that will likely assist them make difficult strategic and commercial decisions. However, the responsibility and risk associated with retaining and using patient information will require comprehensive privacy policies and procedures to be in place.