Key Takeaways
- Care.data, GPDPR, and now Streeting's Direction follow the same pattern: ambition, controversy, pause, post-mortem. The diagnosis is always “we failed to build trust” — but the real failure is architectural
- Every GP data sharing programme focuses on what data to extract and who should consent. The hard problem is governing what happens to data once it crosses an organisational boundary
- Consent without provenance is theatre. Patients cannot verify where their data has been, who accessed it, or whether the purpose matched what they agreed to
- There is no machine-readable record of who held responsibility for data, when it transferred, under what authority, and with what constraints. Contracts exist. Infrastructure does not
- The Seven Flows framework defines the seven governance flows that must be present and machine-verifiable every time data crosses an organisational boundary
- The Data Use and Access Bill envisions records flowing across hundreds of organisational boundaries. The contractual governance model cannot scale to that reality
Care.data. Abandoned in 2016 after confidentiality complaints. GPDPR. Halted in 2021 after the BMA, RCGP, and the public revolted. Lord Bethell admitted they had made the mistake of treating it as “an IT project.” Now, in 2025, Wes Streeting has issued a Direction to NHS England to enable GP data sharing for research — initially with UK Biobank, Our Future Health, and Genomics England. The Data Use and Access Bill promises interoperability across all NHS trusts, GP surgeries, and ambulance services.
The pattern is unmistakable. Every few years, the same conversation starts again. The same promises are made about safeguards, consent, and trusted research environments. The same objections are raised. The same programme stalls, pauses, or dies.
And every post-mortem reaches the same conclusion: we failed to communicate properly. We failed to build trust.
This is the wrong diagnosis.
The problem isn't communication. It's architecture.
Every iteration of GP data sharing has focused on the same two questions: what data should be extracted, and who should consent. These are important questions. But they assume the hard problem is getting data out of GP systems. It isn't. The hard problem is governing what happens to data — and the responsibility that travels with it — once it crosses an organisational boundary.
When a GP record moves from a practice to NHS England to a research environment, it crosses at least three organisational boundaries. At each crossing, a transfer of responsibility occurs. Someone was accountable for that data. Now someone else is. The patient's GP was the data controller. Now NHS England is managing access. A research team is consuming de-identified records under a data sharing agreement.
But the infrastructure for tracking, auditing, and enforcing that responsibility transfer does not exist. There is no machine-readable record of who held responsibility, when it transferred, under what authority, and with what constraints. There are contracts. There are data sharing agreements. There are policies. All of them are documents. None of them are infrastructure.
This is why trust collapses. Not because patients weren't told — but because the system cannot demonstrate, in real time, that it is doing what it promised.
Consent without provenance is theatre
The current model treats consent as a binary gate. A patient opts in or opts out. If they opt in, data flows. If they opt out, it doesn't. But consent alone cannot answer the questions that actually erode trust.
Where has my data been? Who accessed it? Under what authority? Was the purpose consistent with what I consented to? If something goes wrong — a re-identification, a breach, an unapproved use — who is accountable, and can the system prove it?
These are provenance questions. They require infrastructure that can track the lineage of data as it moves between organisations, the conditions under which it was shared, and the chain of accountability at every step. This infrastructure does not exist in the current NHS data architecture. Without it, consent becomes a tick-box at the front door of a building with no internal security.
What governance infrastructure actually looks like
At Inference Clinical, we've spent three years building the infrastructure layer that GP data sharing — and every other inter-organisational data flow in healthcare — actually requires. We call it the Seven Flows framework.
Every time data crosses an organisational boundary in healthcare, seven governance flows must be present and machine-verifiable:
- Identity — verified, non-repudiable identity of the actors and systems involved in the transfer
- Consent — granular, auditable consent that travels with the data and can be enforced at every boundary
- Provenance — a complete, immutable record of where data has been, who touched it, and under what authority
- Clinical Intent — the clinical or research purpose that justifies the data movement, encoded and enforceable
- Alert & Responsibility — explicit assignment of who is responsible for acting on the data at each stage, with machine-verifiable handoff
- Service Routing — governed routing that ensures data reaches the right service, in the right organisation, with the right context
- Outcome — a closed loop that records what happened as a result of the data being shared, enabling audit and learning
If any of these flows is absent, the governance boundary is open. Data may cross it, but responsibility doesn't follow. And when responsibility doesn't follow data, trust is impossible to maintain at scale.
Why this time won't be different — unless the infrastructure changes
Streeting's latest push is more careful than its predecessors. The scope is narrower — three approved research programmes, not wholesale extraction. The consent model is explicit. The Trusted Research Environment model is a genuine improvement.
But the underlying architecture remains the same. Data will be extracted from GP systems, pseudonymised, and made available through controlled access. The governance model is still contractual, not infrastructural. The audit trail is still organisational, not cross-boundary. And the moment scope expands — as it inevitably will — the same trust deficit will reassert itself.
The Data Use and Access Bill envisions NHS patient records available across all trusts, GP surgeries, and ambulance services. That is hundreds of organisational boundaries. Thousands of responsibility transfers per day. The contractual model cannot scale to that reality.
GP data sharing doesn't need another communication campaign. It needs governance infrastructure — machine-verifiable, real-time, embedded in the data architecture itself. Infrastructure that makes the system's behaviour auditable by the patients whose data it holds.
Until that infrastructure exists, every new data sharing programme will follow the same arc. Ambition. Controversy. Pause. Post-mortem. And the conclusion will be the same every time: we failed to build trust.
No. We failed to build the infrastructure that trust requires.
