No Security Blanket – why consent packages fail our children – care.data and more

As a mother, I want to know that my children’s personal data, when it is collected by any organisation, will be kept safe and used in ways I would expect. I see it as my responsibility safeguarding my children today, to also think of their future.

We should seek to protect the fundamentals in the Universal Declaration of human rights for all:

Everyone in the community should find the free and full development of his personality is possible. Everyone has the right to work, to free choice of employment.

In effect, these basic human rights seek to prevent discrimination and interference.

But it feels as though the world around us in England has gone mad. Risking stigma, discrimination, giving our kids’ personal information quite freely away and with it, their future autonomy.

Here’s five recent case studies and why they fail our young people.

The Department of Education’s National Pupil Database & Personal Demographics Service

What About Youth is reportedly using contact details directly from the Personal Demographic Service (PDS) data stored at HSCIC and the schools’ database, the Department of Education’s National Pupil Database, and giving them to IPSOS Mori, the poll research organisation to carry out the What About Youth? study on behalf of the Health and Social Care Information Centre, funded by the Department of Health. To contact our 14-16yr olds directly.

“Your contact details were taken from NHS Registration data, held by the Health and Social Care Information Centre and the Department of Education’s National Pupil Database, which contains details of every pupil in England. The NHS Registration data has been used as it is a reliable source of details such as name, address, date of birth and NHS Number. It does not include any medical data so we don’t know anything about any illnesses or conditions you have had or received treatment for.

We have received approval to use your contact details only for this study. We won’t be using them for any other purpose, nor will we share them with anyone else. “

I don’t know that any parent would find that an expected use of their personal contact details to be contacted by the third party directly.

How is the questionnaire coded I wonder, whilst “the answers will not have the child’s name and address on, so no-one who sees them will know whose they are,” the “aim of the study is to make it easier for doctors, nurses and local authorities to help young people.” So it would appear Local Authority is going to be coded at least. And your individual postcode. And child’s age and gender and ethnicity and more.

If the child (14-16yr olds) agrees to being re-contacted, I would want to know as a parent exactly how, when and for what. But parents are encouraged not to influence the child completing the form, so we may never know. The survey asks about all sorts of insecurities, not all of which I believe every 14 year old will have yet considered. Is it right that the State should intrude with these topics into my child’s private time and thoughts? The content deserves scrutiny from parents before the children are involved. At least, not done in school, we get a letter and know about it at home.

But how can the project ethically ask my child to give their consent to share intimate details not only about themselves but about our whole household and potentially agree to future contact, whilst expressly asking me not to be involved in the decision?

I wonder how pupils will feel whose parents suggest they would prefer their child does not complete it?

Surely if the Department of Education’s National Pupil Database is obligatory it should not assume OK to give out personal contact details to anyone? Some families choose to be ex-directory. Does the cross-purposes use of the Personal Demographics Service make that now impossible?

Should our children and parents, who trust that their personal details are used for registering for the basic rights of health and education, not be allowed to trust those contact details are held in confidence, rather than shared with third parties?

What is the government thinking about, as it manages our young people’s data privacy?

The National Citizen Service and Health Data stored at the Health and Information Centre

While I was looking more closely at the DAAG (HSCIC) minutes this week as related to care.data, I looked at the approval for consent advice and request for future data linkage with the National Citizen Service (NCS) project, open to all 16 and 17-year-olds in England. The request checked that the consent was appropriate for future sharing of Mental health and Hospital Records with the Cabinet Office.

While I was at it, I took a look a close look at the NCS sign up process. At the bottom of the online register in small print was the required check box to proceed:

I agree to my personal data being stored, shared and used by the NCS Trust and other organisations to inform me of NCS and graduate opportunities and to support the delivery of NCS and its graduate programme. I agree to the NCS Terms & Conditions and Privacy Policy.

Then you need to click down twice, to the T&C and Privacy Policy.
From the Terms&Conditions we need to take another step:

Information about you : We will never pass any details you provide to us on to anyone other than those specified in our privacy policy.

You also need to go to the separate Privacy Policy. which turns out stating there is virtually nothing private about managing your personal data after you enquire at all – but is in fact a  ‘Data Sharing Policy’:

 “By submitting the Expression of Interest form you agree to your personal data being stored, shared and used by the NCS Trust (the data controller) and the following organisations: NCS contractors and their sub-contractors, government bodies, strategic partners of NCS, fraud detection organisations, organisations supporting the delivery of NCS or other organisations (including any organisation running or supporting all or part of NCS in the future).”

You must agree or cannot proceed with the application.

Where does the consent to link to a child’s medical Mental Health and Hospital records get asked I wonder? Does it get expressly asked later in the project or on paper because it does not get asked online in the Young Person nor the Adult/Guardian’s sign up. Is this the consent process the DAAG approved? Is it just meant to be included in the blanket “government bodies”? Perhaps the wording is still to be amended?

Sign the child (and your own ‘Guardian’ details) up for NCS and there is no choice but to accept that data sharing agreement. You must accept it to sign up for the programme but there is an open ended who, when and for what in the blanket consent …”supporting all or part of NCS in the future.” The NCS sign-up and consent doesn’t explicitly mention sharing data with named sub-contractors anywhere either.

The charities involved may do great work. But why Serco? Is this the organisation that we would wish to be managing our young people’s personal data? Think I agree with Navca on this one. By signing away rights …”in the future,” we have no idea WHO will own the data  later.

Should our children who need this NCS programme most, not be allowed to particpate unless their personal and potentially medical details go to all these unknown future places?

UCAS and student applications – further education

When I read recently in the Guardian about Ucas selling student records of our under 18s applying to university I was equally surprised.

At a time when teen deaths from alcohol consumption often mixed with energy drinks appear regularly in the news, it is highly irresponsible to me as a parent, to know that a commercial company promoted new energy drinks by sending cans to 17,500 selected students in order to create a “social media buzz”. I know from my own experience, university is often the place we are first exposed to a regular bar life. And so does business.

This goes far beyond the scope of what our teens signing up should expect their data to be used for. Who will decide what products and what uses of data will be acceptable in future?

I am fed up of these blanket consent approaches which deny a service unless we also sign away the knowledge of our personal habits and preferences for others to commercially exploit.

This mixing of purposes in which data privacy is to one’s disadvantage, is an abuse of trust. And it is the importance of trust and exploiting mixed purposes, which for me, has been so starkly highlighted in the management of our medical records.

Dental Service – the NHS Business Service Authority


When I signed the form to pay for my recent dental treatment I read the small print. The Dental Admin Assistant shared my surprise to find that the data processing takes place outside the UK, and requires data sharing with processors in ‘India or Sri Lanka.” WHO WILL USE IT WHERE and FOR WHAT PURPOSES? I am required to sign the form to agree to pay for my treatment. It gives permission to share with Dept of Work and Pensions, HM Revenue and Customs, local authorities and CCGS (then PCTs). But why should the one signature to bind them all, mean sending my personal confidential data abroad, outwith EU data laws even?

Is there fair processing on this form, does it indicate properly for what purposes the wide ranging bodies will be given access? Surely they don’t all need it for “fraud prevention and to ensure correctness” about my dental check up?

If the government bodies are all working together and can share data at will under these blanket assumptions, without our explicit consent or knowledge, then a great number of people will be rightly concerned. I am concerned by powers this Memorandum gives NHS Protect and the Border Agency from 2011 and I am a legitimate resident. ” To provide a centre of excellence for NHS anti-crime work by applying a strategic, coordinated and intelligence led approach.”  I only went for a scale-and-polish!

This default to wide sharing seems to be increasingly seen as the norm. Surely it should be assumed that the minimum data should be shared with the minimum necessary recipients? Current policies seem to have confused a drive for Open Data with giving away our privacy.

How could it be done differently?

If I sign a form to pay for my dental treatment, surely it should be only that. If you want other permissions, ask in other check boxes. I believe our NHS should be managing our NHS data within our borders, but that is a separate debate.

This blanket consent approach excludes the service unless you are happy to give open ended access to your personal data to Government and its contractors.

Should I not be allowed to have NHS dental treatment, for which I pay on completion, unless my personal details go to all these other places?

Let’s consider an alternative. Enable the ability to say yes to paying for my treatment, without sharing fully identifiable data with other government bodies or sending it abroad.

It is one thing to share truly anonymised data. And quite another to extract identifiable personal details for at minimum ten years or longer. Time limit the consent.

If the 14-16yr old on the What About Youth questionnaire agrees to ‘future contact’ they presumably are agreeing to  having identifiable data and contact data kept with their answers, to enable that future contact.

If children agree to the NCS blanket sign up, they are signed up for an unspecified time. These sign ups remove our children’s autonomy later in life, and they can never get it back.

Right now, I wouldn’t let my children’s personal data anywhere near any of these systems if I wanted to retain any future control of it at all. But do I have a choice? My children are in school, and that will mean in the Department of Education’s National Pupil Database. And they will have NHS records. I see some subject access requests ahead.

Given past historical purposes of the ONSET project at the Home Office, Contact Point and DWP I would want to keep my kids’ data free from all of these.

Some may ask, why does it matter?

Because this joining up of services is interweaving systems whose aim is on the one hand compassion and care, with those on the other which are punitive and controlling. Their aims are not aligned. And inevitably it is the systems which shout loudest, under any government of the day, whose opinion tips the balance of purpose and decision making. And recent claims of micro managing in Health show, top down control usually wins.

Because I believe the earlier we label our children the harder it is for them to become anything more.  Inevitably labels shape expectations. Not only for the individual but those who interact with them. It is only the very best educators and social care staff or police or medics who manage to put those aside and see the individual in each episode of contact. The future intent for care.data is integration of data sharing between medical contact, social care and education, under local authorities, health and wellbeing boards and more. How far would the impact of one wrong label spread in a child’s lifetime, in different places?

Because our children should enter adulthood with as few restrictions placed upon their development and self-determination as possible. Even, I would argue, those children who need the contact with all those organisations. I could argue, all the more so, precisely because they have those extra needs and contact. They may need excellent care and transition between youth and adult services. They need it facilitated first and foremost by qualified individuals who are trusted to do the job they trained for and have a vocational passion to complete. Yes the staff need data, but proportionate to the individual need, for the time period it is needed. We need to protect the extra vulnerable in many extra ways.

And we also need to protect the fundamentals in the Universal Declaration of human rights for all. Everyone in the community should find the free and full development of his personality is possible. Everyone has the right to work, to free choice of employment. In effect, these basic human rights seek to prevent discrimination and interference.

Our young people don’t care about the risks of personal data sharing?

Our young people are more savvy than we give them credit for. In a world of shared selfies and social media, it can be wrongly assumed that they are careless with their own privacy. This  Electronic Patient Records work run by the Academy of Engineering in 2010, with support from the Wellcome Trust, came out with a report and seven key questions p.39 which are very pertinent today. The young people identified themselves the risks of prejudice and discrimination. The concerns they raise are no different from concerned adults. Our young people are switched on to the risks of personal data sharing.

When it comes to our children’s data, organisations should be going the extra mile to be transparent. I believe they should carefully consider how the public will perceive anything that looks hidden. Consents should be all up front on the top layer of sign up forms. One consent per sentence. If you want to contact my children, ask me first. And if you offer a public service, would you consider first not piggy-backing a commitment to sharing with other bodies or commercial companies on to the consent package?

Why these blanket consents fail our children

These blanket consents are ubiquitous in modern data sharing, from the obvious supermarket sign ups, to which even David Cameron does not consent, to the totally surprising in education and health. Yet he happily signed us up under a blanket assumed opt in to be ‘willing research patients.’ This mixing of purposes under one blanket consent, in which looking after your data privacy is to one’s disadvantage, or criticised as selfish, is an abuse of trust. And an abuse of our children’s future freedoms. They fail to give proper governance of who will own the data once shared. They fail to give proper information of what it may be used for. And they fail to clearly limit the time period for which the consent is given, and after which data will be destroyed.

Not only trust, but the needs of genuine purposes in the public interest are undermined by mixing all these purposes into one consent. Worse still, assuming yes for all these conflated uses unless you opt out.

If there had been singular purpose, care.data would have been easier to understand and less likely to have failed to win our support.

I for one, am fed up with blanket consent. We can do it differently. We can do better for our children.

 

{cartoon: From Al.com via Scott Stantis 2007}

care.data – Transparency and Remit vs Truth and Responsibility

A year ago Big Brother Watch wrote that an opt out right had been won from the original plan to extract all our GP records without any choice. Caught trying to avoid the DPA and Fair processing, ICO recommended the need for a public awareness campaign.

At that time, I was a merry mother unaware of the machinations of our civil society. Then the powers-at-be closed my local mini blood mobile (I had just started as a donor) and decided to sell off our plasma supply, which was considered a rather poor idea so I read all the Annual Reports and asked questions about it. And I started to pay rather more close attention to what was going on in health. Now I listen to Radio 4 not 2, I buy papers (actual, printed versions) and would you believe, watch Parliamentary TV. And if you want more scandal which actually matters more than your average soap, you should too.

On the 8th April the Health Select Committee (at least part of it) interviewed Sir Kingsley Manning and Max Jones from the Health and Social Care Information Centre. The hope for us, as citizens and patients whose data this current debate is about, is that we will gain insight and understanding into how our medical records have been used in the past and are being so now. This will enable us to trust in the intent of how HSCIC will handle our patient data in the future, whether under the care.data or any other label.

If HSCIC and Government wants to achieve this, they seem to be going a backwards way about it.

Stop talking transparency and remit, and start talking truth and responsibility.

The question was asked how decisions are made within HSCIC by their Data Access Advisory Group about our patient data management. Specifically, it discussed the subject of an application from last summer by the Cabinet Office OC/HES/030 – Project National Citizen Service Data Linkage Project. It was included only 6 months later in the January 2014 minutes.

The very application title, reveals its intent, to link the mental health and hospital records of our young people who take part in the National Citizen Service together with their NCS project gathered data.

Caught with this concrete ‘Out of Committee’ governance approach, the HSCIC staff were both adamant in response to the MP’s question in insisting that no data was shared. 

“Q230 Barbara Keeley: What was requested was linkage of data, wasn’t it? It was linkage to medical data.
Kingsley Manning: No, he was asked by the Cabinet Office to give professional advice on the consent model they were considering. He gave that advice, which was a perfectly sensible thing for him to do. That was the end of the matter.”

Well, I’m sorry but I’ve read the document, And the DAAG minutes say clearly “The intention was to link to HES/MHMDS in the future.” I paste it below.

So, that was not the end of the matter, but is in fact the beginning. The intent is for future data sharing. Our young people at the start of their adult lives, by the very fact of taking the initiative and enquiring to take part in the Activities / Community Project-based work of the NCS, will find their intimate health records linked with the project data, with an unspecified end date.This is a real and active request which was approved, not some past mistake to dismiss. It was and still is approved,for future data sharing.”

Whilst I may believe HSCIC that no data was shared last summer,  and I might believe you were trying to be factual in answering the question, I do not believe that even you could think that consent advice was the sole intent of the DAAG approval, had you read the minutes of your own DAAG meeting. And clearly you had or would not have been so adamant in the answers.

The Guardian article Mrs. Keeley MP mentions, also had their own opinion of the relationships between the parties involved.

Bizarrely almost, we are repeatedly told as reassurance that any organisation with access to pseudonymous health data, which tries to re-identify the individuals whose data it was, would be doing so illegally. Yet the Cabinet Office wants to take medical records and match it to known individuals on their youth programme and keep and share those enriched records without it seems, any qualms at all?

Our trust needs to be based on absolute truth, not manufactured transparency. Truth is bigger and complete with background intent. Not just scraping out the minimum facts in carefully worded language to be legally compliant.

To increase our public trust, we have been told we will know who has had our data in the past, when and for what purposes. In Parliament on March 25th Dan Poulter Health Minister said,  “a report detailing all data released by the HSCIC from April 2013, (including the legal basis under which data was released and the purpose to which the data are being put), will be published by HSCIC on April 2.”

It didn’t happen. HSCIC made available only some. Those made under some sort of data agreement. What of those with direct access to HES at their site, or the police, others have asked?

The Commissioning Board NHS England, tells us repeatedly that they contacted every household in England by leaflet to tell us about care.data and our ‘choice’ to object.

It didn’t happen. Many did not get a leaflet, not just those who opted out of junk mail. Tim Kelsey said he was looking into it. With urgency. Two months later, not a cheep!

So far, we have no report or indication there will be any. Why there were not enough or not delivered leaflets? What they are doing to fix that? It cost the equivalent of at least 50 nurses’ annual salary and the best publicly avaialble information we have from the Information Commissioner’s Office, is that it should never have gone ahead at all. 

So who is taking responsibility for that? Over £1M of public money junked through some letter boxes for the dog to eat. Which no one could understand because it was deliberately obtuse.

And so we come to our future Data Controllers HSCIC. Who seem to have no control at all.

Based on their own admission they have no idea where our medical records are being used, by whom today, and yet we are expected to trust them to use care.data wisely in future?

Barbara Keeley: So have you got the information because I have asked for it twice, but not been given it? For all those 249 organisations with a commercial reuse licence, can we know who all the end users of our data are?

Kingsley Manning: No, because they are using it and putting it into additional services. So, for example, a company such as McKinsey or KPMG would have used it to support Monitor or the NHS TDA in advising on the transformation of health care services.

The Chair of the Heath and Social Care Information Centre has no idea know who has our medical and personal confidential data or what they are using it for.

You get the feeling now, that they are only looking into all of this because they got caught having had no audits in the past of data recipients. Sir Nick Patridge is now leading a review due in a couple of weeks. I sincerely and respectfully hope that his review is more transparent than the last.

Who has taken responsibility for where we have got to in the last year?

Government? Mr. Poulter, Hunt or Cameron, whose plan is this anyway? There has been nothing but dismissive comment which fails to address serious issues and party political point scoring, or no comment at all but how “fantastic for humanity” it will be. Yet care.data is meant ‘only for commissioning.’ See why we’re confused Mr. Hunt and Poulter when you both claim care.data has entirely different purposes? Where is the truth we can trust?

NHS England? Mr. Kelsey now seems to be hiding behind a tree. Or perhaps playing jazz as he tweeted the night before the Public Health Select Committee the last time. Whilst I appreciate it was at a health conference, Nero and Rome sprang to mind. I’ve asked nicely and been ignored, what happened and who is fixing it? Will there be some sort of public progress announcement from NHS England, perhaps from Ciarán Devane, who is on NHS England Board and now chairing the Care.data Advisory Committee trying to latch the stable door? There’s just been stunning silence since the pause announcement.

HSCIC? Clearly nothing to expect from them. Because Kingsley Manning and Max Jones seemed to believe everything was in their remit, legal, and not their fault if the directions from government and NHS England allowed sharing data with all comers. And their Get-Out-of-Jail-Free-Card, they shared concern with the Department of Health about the publicity campaign. (Admittedly, 3 months after the GPES advisory group and others had done so).

Amazingly, Kingsley Manning seemed to thrust the opt out rate from HES into the arena as some sort of achievement. in terms of the number of people who have acted to opt out, it is 14 over the past four years.”

Which only confirms how few of us knew HSCIC stored it and could link Secondary Uses data with Personal Demographic data on demand. (Compared with how many are opting out now we know, of care.data).

And whilst until this whole debacle I and most of the public did not know our hospital records were shared with any other organisations, beyond the NHS and legitimate public research, we now find the gradually closing net around our health data uses, means understanding it has gone to all sorts of commercial organisations. And clearly HSCIC has been caught doing something which now feels wrong even if legal, the HSCIC defended not the action, but their legitimacy for doing so:

Kingsley Manning: We operate according to the Act as it has been passed. We make decisions on the basis of the current regulations. It is not our job to make a judgment on whether we agree or disagree with the nature of a commercial organisation. That is not a criterion on which we act.

Q270 Barbara Keeley: So you are prepared to release even sensitive data out to organisations that just want to do a price comparison website on different pay procedures between different hospital consultants. That was what you did.
Kingsley Manning: I am terribly sorry, but we are bound by the law and the regulations. Under the current regulations that is perfectly legal and legitimate. Indeed, it is arguable that it is a benefit to the health and social care system as a totality. That is an argument that you, Parliament and the public will have to consider.

As part of the public, I have considered it. Too often in the last 8 months. Even whilst making yellow pea soup today, I was thinking how wrong it is for the government to sell our confidential data without having asked us if they could have it in the first place. To take something without asking, we teach our children, is wrong.

Not one person responsible for their part in the execution of the care.data rollout has yet said they are sorry as an apology. I am terribly sorry here, was interchangeable with ‘well, pardon me.’ 

But a true apology for such an almighty mess (Ben Goldacre said so on twitter in better words on February 22nd, but I try and keep readable above a PG rating), would at least be an admission that there is room for improvement. Improvement we can hope to build trust upon. Right now, we have vital Public Health research which it appears, is now on hold and costing money, because it is lumped in with all these commercial uses.

People are opting out of clinical research. And withholding information from their GPs.

Between the three of your organisations, Government, NHS England and HSCIC, if you want us to trust your intentions for the handling of our NHS patient data in future, try harder. Try to seem truthful and seem like you care. And mean it.

Because right now, it only looks like you’re sorry you got caught. You’re playing pass-the-parcel with responsibility. And using our public money to do so.

Kingsley Manning said previously, we should have “intelligent grown up debate” around care.data. Please, lead the way. For right now, it feels like kids squabbling in the back of the car, hoping we’ll just muddle though to get to October and they can ask, “are we there yet?”

As anyone with kids will know, that doesn’t make for happy parents.


********* For reference, the Health Select Committee extract about the Cabinet Office OC/HES/030 – Project National Citizen Service Data Linkage Project *********

Barbara Keeley: There was a lot of saying, “It’s nothing to do with us, guv; this all happened in the past.” You answered the question in that way when this person was a very senior manager, to the extent that he accompanied the Secretary of State on a trip to the United States to sign a data-sharing memorandum of understanding, and, to me, it is astonishing that you should say that the person who had been the chair of the DAAG did not have that responsibility and that you are still wriggling to try to get out of that now. I am not happy with that answer, Chair; I just do not think that is acceptable. 

Kingsley Manning: I am sorry. We are trying to be as transparent as possible.

Barbara Keeley: I don’t think so. I really don’t think so.
Kingsley Manning: May I just talk you through the history of this so that you can get a sense of it? [see full text for history] At that point, we knew that Dr Davies was redundant. He had been made redundant on the abolition of the information centre, and we put in place a plan to deal with that. He was in post. We were not in a position—
Q222 Barbara Keeley: Sorry—you had a plan to make him redundant last year?
Kingsley Manning: No, no. He was made redundant by virtue of the abolition of the NHS IC. It was not our decision.
Q223 Barbara Keeley: So you kept him on for eight or nine months?
Kingsley Manning: We kept him on because we needed to have cover on clinical governance and on clinical advice.
Q224 Barbara Keeley: In fact, he was a very senior manager, and he did accompany the Secretary of State on the visit when they shared the memorandum of understanding. And—
Kingsley Manning: He did. I was there also.
Q225 Barbara Keeley: Let me say a bit more. This is the person that you were making redundant, but you let him chair the DAAG, and he made a number of controversial decisions, including the decision out of committee to release the sensitive medical records of individual teenagers—
Kingsley Manning: I am sorry; that is not true, I am afraid.
Q226 Barbara Keeley: It was reported to be true—
Kingsley Manning: I think you are referring to the fact that he was asked to give advice by the Cabinet Office. He had actually worked for the Cabinet Office on the matter. He gave advice on the consent model that they were going to use. We never released any data and we have not been asked for any data by the Cabinet Office on this matter.
Q227 Barbara Keeley: This was reported last summer by The Guardian newspaper that the sensitive medical records of teenagers on the National Citizen Service were released. That was apparently “an out-of-committee decision” by the chair. Dr Mark Davies was allowed to make decisions out of committee as the chair, and that decision was apparently taken last summer.
Max Jones: I can clarify that Mark Davies did provide advice, as is one of DAAG’s functions, on the consent model, which was being considered by the Cabinet Office, but we have not received a request for that data, nor have we provided any data. The discussion that Mark had was referenced and recorded in the January—I think it was January; I’ll check in a minute—DAAG minutes.
Q228 Barbara Keeley: At least six months after the discussions took place.
Max Jones: That may be the case.
Q229 Barbara Keeley: So this is the person that you are going to make redundant—
Max Jones: No data was requested nor shared. Advice was requested on the consent model, which was given.
Q230 Barbara Keeley: What was requested was linkage of data, wasn’t it? It was linkage to medical data.
Kingsley Manning: No, he was asked by the Cabinet Office to give professional advice on the consent model they were considering. He gave that advice, which was a perfectly sensible thing for him to do. That was the end of the matter.
 Max Jones: And that was recorded in the minutes of DAAG held—
Q231 Barbara Keeley: Yes, I have a copy of that in front of me. You talked earlier, and it is quite important, about transparency. To have recorded this six months after it happened and to then be trying to change something—I am not aware that The Guardian was challenged on the fact that data had been released. It seems there is a very hurried after-the-event style of things happening here, and that is not good for transparency. This is being talked about quite a bit. People’s confidence in what you do has been really undermined by this and the fact that there could have been any suggestion of linkage to medical records for those people taking part in the National Citizen Service. For heaven’s sake, there are all kinds of undertakings made to them as they sign up to that service, and quite rightly. They even have an opt-in for their personal data, so to even consider that, and not to have documented what was happening until six months after the event, just makes you look shady.
 Kingsley Manning: I agree, but we did not have a data request. I absolutely agree, by the way, with your essential point, which is the sensitivity of linking these data in any way with receipt of data—benefits and all the rest of it.

Care.Data – Raw Highlights from The Health Select Committee

Words from The Health Select Committee 8th April 2014 – created via Wordle

From the Health Select Committee hearing on Tuesday April 8th, I have waded through all the words to come out with what I think are raw highlights of the key learnings and issues raised. The original in context, is here. The image is an indication of the emphasis of who spoke about what, based on word count alone.

Highlights from the Health Select Committee Members:

“…because what was happening in that meeting was that a lot of wriggling was going on”
“But you wrote to us, Mr Jones, with Mr Kelsey. Following on from my colleagues, we are not quite sure that the answers are very helpful. Could you turn to the letter and I will ask you for some information? This is very concerning and I hope this will be published on someone’s website—either yours or certainly the Health Committee’s website—so that people can see some of these answers and follow them up.”
“When things go wrong, as they appear to have done, we are entitled to ask you questions. I am absolutely appalled. I think the majority of us are, which is why you are back here again to try to work out why you don’t know what is going on in your organisation. This is a simple thing. It is either in the agreement, or it is not. “
“If we go back to the insurance actuaries—the Staple Inn Actuarial Society—these comments are from the report that it produced on the use of 188 million records taken from HES. It talked about the data as being “highly detailed”. We get an answer back saying that the data are in aggregated and anonymised form. Don’t forget that the HES database started off as an admin database for handling payments and information about patients. It was never set up to feed into the insurance industry, was it? After it had run all the things that it wanted for commercial reasons against hospital data, it said that HESID “does allow all periods of care for” a patient “to be identified and linked””
“Well, there is, because normally in the civil service, when there is a debate about something, civil servants will prepare a report, and find out the information and give it to the Minister, so that the Minister tells Parliament the correct position. That is not happening here, is it? A Minister can go into the Chamber and say something that is totally wrong…”
“We need to know what is out there now. There is a very strong feeling—I subscribe to it—that this data is not protected enough and has been let go. It is out there. You mentioned that there were 249 commercial reuse licences, of which 112 are left, but some of the ones I mentioned are also selling it on to other people. We have had lots of examples.”
“I looked at this [HES & other systems opt out] form and I found it difficult. We have been navigating around this system. After all these quite intrusive demands for information, we get on to an explanation of what happens if you request your patient information to be removed or anonymised. It states that “your data will be anonymised rather than removed”, but it goes on to say that there is a further step where you can request removal of your records from the NHAIS. Then it says this most damning thing: if you do that, your GP would no longer wish to have you on their list, and you would not be called for screening for things such as aortic abdominal aneurysm, which is a serious condition. Effectively, that is saying to people, “Yes, we can remove your records, but your GP wouldn’t want you on his list, and you wouldn’t be called for quite serious medical screening.” Surely there is something that falls short of that where a person can say, “I don’t want my records sold to these commercial companies, or to be used by insurance actuaries or comparison websites; I just want them used for my care.” I have asked the Minister this. You have produced a form that, I have to tell you, is quite scary. It is quite intrusive and it is quite scary. It says that if you fill it right to the end—it is quite confusing as to whether there are different steps here—your GP would no longer wish to have you on their list, and you wouldn’t be called for screening for serious medical conditions.” [note this is not the care.data opt out, but an additional choice]
“What we are talking about is audit. Can you audit? There are apparently going to be audits. Can you audit all the data releases? Can you say for all the HES data where it has gone, who is using it and for what?”
“there is a real difference from your pronouncements of what you say is the situation with data and what the people out there—commercial organisations that have HES data and already have large databases—are saying.”
“You have been seeking to demonstrate to us that you believe that the control regime you apply is effective for HES data, but now we are saying that for GP data, the control regime in future will be fundamentally different.”
“You said it would be treated differently “at its launch”. What changes do you anticipate? In other words, are we actually saying that we will pretend to give you additional security until we get that information from the public and the GPs, and after that we will subject it to different tests? In other words, this is a con job isn’t it? Dick Turpin with or without a mask is still Dick Turpin.”
“We don’t. There is actually no right to opt out in law. The Secretary of State has agreed that any objection will be dealt with, but we do not have a legal right.”
“That is CPRD, isn’t it? Is there any plan to bring CPRD under the HSCIC?”
“But the question I put to the Minister, which we do not seem to be getting to, is that I think there is a very strong drive for people to say, “I want my individual health records to be used for my care, and even for commissioning that care, but not for all these other uses.”  I think that is a very powerful desire. Why shouldn’t people ask for that?  The data is about them.”
“The implied consent model breaks down at the point at which people’s data starts to be used for marketing purposes.”
“It is different if your data is being used by researchers and academics, and by people who have built up a career and have integrity.”
“A lot of people are not comfortable that their data are used for such things, and nor am I.  You say that, constitutionally, you cannot make that distinction, but that is the point at which we lose confidence in the consent that was always there.”
““Without pseudonymisation, you risk substantial levels of patient and citizen objections. Without pseudonymisation, you lose data and devalue your dataset. Without pseudonymisation, the GP patient relationship is damaged and care may be impaired.” I must say, I think the patient reasons are a lot more compelling than the IT management reasons.”
“would it not be prudent to wait until you have that report on cyber-security before we press ahead with the data extraction?”

Highlights from the Health and Social Care Information Centre (HSCIC) Max and Manning:
“we have inherited the duties and responsibilities of the information centre and its 500 people, although they have been rewritten in the Act, but that is one part of what is now an organisation of 2,200 people”
“if you can demonstrate where we have not acted within the current law and the current regulations…”
“We need to be much more transparent about that.”
“The security threat and the volume of data are much greater, and the public’s confidence in public bodies to handle data—not just us, but across the whole public sector—has significantly changed. ”
“When I became chairman last June, it was clear that the approaches that had been adopted by the information centre were no longer entirely appropriate, given both the degree of data we were able to collect and a change in public expectations. It was also clear that some of the processes that the previous information centre had been operating were not as transparent or as consumer-friendly, if you like.”
“We think that, as of April 2013, there were 249 organisations that had extant data-sharing agreements issued by the NHS information centre…those data-sharing agreements applied to where we are issuing pseudonymised or identifiable data. This is where there is a theoretical risk of identification, so that is where we have data-sharing or data-reuse agreements in place.  There were 249 in April that had been issued by the NHS IC of which, in April this year, there remain 112, so they are running off as we go forward.”
“One of the areas that we think they should look at is indeed the extent to which we share or should share data with other Government bodies. This is an area where there is a lack of clarity and a great deal of sensitivity. We know from our research, by the way, that one area where we have absolute sensitivity is in this. People are very, very worried about the use of their medical records in any way that might have an impact on their tax returns, their benefits payments, their housing, or any of these things. This is where we would very much welcome the advice of Parliament and CAG—the extent to which this is possible. At the moment, as you know, we have not released any data to DWP or any such body but we absolutely recognise that it is a key issue.”
“The organisation used our logo without coming to us to seek our permission to do so. They were entitled to have access to that data under the agreement which they had..”
“We have an accountable relationship with our sponsor branch within the Department of Health, which results in us having a formal monthly meeting. I meet the permanent secretary on a monthly basis. That is the nature of an arm’s length body. We are accountable, then, through our attempt to be as transparent as possible to the public and Parliament.”
“Government policy has for a long time been to encourage the use of this data to advance both the health and social care system in this country and the economy.”
“.. I have a suspicion that it is because they [GPs] will not get paid if you are not on the list*.  You won’t appear on the register, and if you are not on the register, they won’t get paid.” [*not with reference to care.data but to the ‘third’ opt out form to opt out for other systems stored at HSCIC].
“At its launch it will be fundamentally different, because that was the basis on which the independent advisory group agreed to the extraction going forward. That was the basis, as I understand it, that NHS England negotiated with the RCGP and the BMA and other representatives. I think that is entirely appropriate.”
“As you are probably aware, there is considerable pressure from medical charities and researchers on the limitations—”
“There are no plans that I am aware of. Just for clarity we do handle data on behalf of CPRD to ensure the pseudonymisation process. We act as a contractor for CPRD”
“I cannot answer that question. I do not have that responsibility. You have to address the question to NHS England.”
“We are extremely concerned about the current threats to data security across the whole health and social care system. We will be carrying forward a series of actions, as I said, to significantly increase our surveillance and measures to attempt to get an enhanced level of assurance across the system as a whole.”
“The record of our ability to deliver high-quality technology systems is in the fact that the lights are on and on all the time in the NHS.”
“We are planning [for care.data launch] on the basis of what has been the last announcement, which is that it will be, I think, in October.”
“We have a good record. I used to be part of the Connecting for Health regime. We had a good working relationship with Atos running the choose and book service. Its delivery and performance on this first extract with the GP extraction software over the last few weeks has been encouraging.”
“Some of the older systems we have within the health and social care system simply cannot handle objections.”
“Patients have the ability to record two types of objection. The first type of objection is to any detailed information about them leaving their GP practice to the HSCIC. “
“The issue regarding what we would call dynamic consent—giving consent for different purposes—is one that we are conscious of. We think that we need to move in that direction.”
“I completely accept that the current consent models are too limited and that the objection process is too complicated. We need to be able to make it reversible as well.”
“the position in terms of care.data is entirely circumscribed.  We have already identified that that data is to be used only for very specific purposes; it will not go beyond that purpose.”
“All Governments have seen that as being a base upon which we can support and promote our health care and pharmaceutical industries. The health care research industry in this country is worth £5 billion a year, which is critical to the UK economy, and it is fundamentally linked to availability of data. The fact that we have that data is critical to the continuation of that research industry in this country. We must therefore balance issues such as privacy, access and the support of the industry. People have to have that debate, but we need to identify benefits from this data, as well as the issues you have raised.”
“Secondly, we have to recognise that we as the HSCIS have an awful lot of other information. When we think about pseudonymisation, we are going to link these data we collect to other data sources”
“We are therefore talking to the research community. It may well be a sensible solution with regard to supporting commissioning, where we may look at the costs and feasibility, to move to a situation where we will effectively provide an analytical service where researchers and others can effectively undertake the research within our data lab. That is something we think is a very good idea. HMRC do it already, and we have looked at that, and also the CMS in the States, which is the equivalent body to ourselves. We think it is very good. I am meeting with the MRC in the near future to discuss it for researchers. “
“In so doing, there was a view taken by the Department of Health and their lawyers that the document that we then produced did not meet the constitutional requirements of being a code of practice. What we did do was publish a guide to confidentiality which meets all the requirements of the code of practice. “
“In terms of your care record, if you opt out of type 1, your data will not be transferred for the purpose of the care.data programme for secondary uses. It won’t affect, by the way, the transfer of data for direct care.  It won’t impact on any direct service to you as a patient.”
“In terms of the number of people who have acted to opt out, [from secondary uses of hospital data, HES] it is 14 over the past four years.”
“we welcome the proposed involvement of the CAG, which would bring precisely that ethical and moral dimension to these decisions. We agree entirely that that dimension has been absent in the past..”
“It does cover HES data. At the moment, the only users of that HDIS service are in the public sector, not the private sector, during the trial period. We also make sure that all individuals who are users have been through individual training.”
“There are always going to be lots and lots of people who want to accumulate lots and lots of data in their own boxes. One of the reasons why we are interested in exploring the idea is because we are getting a plethora of databases being accumulated in universities and various other places. That gives us a technical problem because of the transformation errors that arise. These databases therefore are changed as they go through time.  I suspect that we are always going to have individuals who say, “I want to have my particular database.” We will have to discuss whether that will be feasible; there will always be that tension.”
“I know it is antiquated, but the danger is not the technology, but the people.”
“it deals with security and may include matters that we do not want to have in the public domain, but I am sure we could share it with the Committee on an individual basis. However, I do not want to go through the detail.”
“Our website is incredibly complicated, to say the least—I think we all recognise that. It is extremely good if you plough through it, but if you are unlucky, you will end up downloading 10 million lines of prescribing data.”
“You have raised an interesting point. When somebody says they do not want us to hold their record, do we delete it?”

HSCIC website

What is Care.data? Defined scope is vital for trust.

It seems impossible to date, to get an official simple line drawn around ‘what is care.data’. And therefore scope creep is inevitable and fair processing almost impossible. There is much misunderstanding, seeing it as exclusively this one-time GP load to merge with HES. Or even confusion with the Summary Care Record and its overlap, if it will be used in read-only environments such as Proactive care and Out-of-hours, or by 111 and A&E services.  The best unofficial summary is here from a Hampshire GP, Dr. Bhatia.

Care.data is an umbrella initiative, which is planned over many years.

Care.data seems to be a vision. An ethereal concept of how all Secondary Uses (ref.p28) health and social care data will be extracted and made available to share in the cloud for all manner of customers. A global standard allowing extract, query and reporting for top down control by the men behind the curtains, with intangible benefits for England’s inhabitants whose data it is. Each data set puts another brick in the path towards a perfect, all-knowing, care.data dream. And the data sets continue to be added to and plans made for evermore future flows. (Community Services make up 10 per cent of the NHS budget and the standards that will mandate the national submission of the revised CIDS data is now not due until 2015.)

Whilst offering insight opportunity for top down cost control, planning, and ‘quality’ measures, right down to the low level basics of invoice validation, it will not offer clinicians on the ground access to use data between hospitals for direct care. HES data is too clunky, or too detailed with the wrong kinds of data, or incomplete and inaccurate to benefit patients in care of their individual consultants. Prof Jonathan Kay at the Westminster Health Forum on 1st April telling hospitals, to do their own thing and go away and make local hospital IT systems work. Totally at odds with the mantra of Beverley Bryant, NHS England of, ‘interoperability’ earlier the same day. An audience question asked, how can we ensure patients can transfer successfully between hospitals without a set of standards? It is impossible to see good value for patients here.

Without a controlled scope I do not wish to release my children’s personal data for research purposes. But at the moment we have no choice. Our data is used in pseudonymous format and we have no known publicly communicated way to restrict that use. The patient leaflet, “better data means better care” certainly gives no indication that pseudonymous data is obligatory nor states clearly that only the identifiable data would be restricted if one objected.

Data extracted now, offers no possibility to time limit its use. I hope my children will have a long and happy lifetime, and can choose themselves if they are ‘a willing research patient’ as David Cameron stated in 2010 he would change the NHS Constitution for. We just don’t know to what use those purposes will be put in their lifetime.

The scope of an opt-in assumption should surely be reasonably expected only to be used for our care and nothing else, unless there is a proven patient need & benefit for otherwise? All other secondary uses cannot be assumed without any sort of fair processing, but they already are.

The general public can now see for the first time, the scope of how the HSCIC quango and its predecessors have been giving away our hospital records at arms-length, with commercial re-use licenses.

The scope of sharing and its security is clearly dependent on whether it is fully identifiable (red),  truly anonymous and aggregated (green, Open data) or so-called amber. This  pseudonymous data is re-identifiable if you know what you’re doing, according to anyone who knows about these things, and is easy when paired with other data. It’s illegal? Well so was phone hacking, and we know that didn’t happen either of course.  Knowledge once leaked, is lost. The bigger the data, the bigger the possible loss, as Target will testify. So for those who fear it falling into the wrong hands, it’s a risk which we just have to trust is well secured. This scope of what can be legitimately shared for what purposes must be reined in.

Otherwise, how can we possibly consent to something which may be entirely different purposes down the line?

If we need different data for real uses of commissioning, various aspects of research and the commercial ‘health purposes,’ why then are they conflated in the one cauldron? The Caldicott 2 review questioned many of these uses of identifiable data, notably for invoice validation and risk stratification.

Parents should be able to support research without that meaning our kids’ health data is given freely for every kind of research, for eternity, and to commercial intermediaries or other government departments. Whilst I have no qualms about Public Health research, I do about pushing today’s boundaries of predictive medicine. Our NHS belongs to us all, free-at-the-point-of-service for all, not as some sort of patient-care trade deal.

Where is the clear definition of scope and purposes for either the existing HES data or future care.data? Data extractions demand fair processing.

Data is not just a set of statistics. It is the knowledge of our bodies, minds and lifestyle choices. Sometimes it will provide knowledge to others, we don’t even yet have ourselves.

Who am I to assume today, a choice which determines my children have none forevermore? Why does the Government make that choice on our behalf and had originally decided not to even tell us at all?  It is very uncomfortable feeling like it is Mother vs Big Brother on this, but that is how it feels. You have taken my children’s hospital health records and are using them without my permission for purposes I cannot control. That is not fair processing. It was not in the past and it continues not to be now.  You want to do the same with their GP records, and planned not to ask us. And still have not explained why many had no communications leaflet. Where is my trust now?

We need to be very careful to ensure that all the right steps are put in place to safeguard patient data for the vital places which need it, public health, ethical and approved research purposes, planning and delivery of care. NHS England must surely step up publicly soon and explain what is going on. And ideally, that they will take as long as necessary to get all the right steps in the right order. Autumn is awfully close, if nothing is yet changed.

The longer trust is eroded, the greater chance there is long term damage to data quality and its flawed use by those who need it. But it would be fatal to rush and fail again.

If we set the right framework now, we should build a method that all future changes to scope ensure communication and future fair processing.

We need to be told transparently, to what purposes our data is being used today, so we can trust those who want to use it tomorrow. Each time purposes change, the right to revoke consent should change. And not just going forward, but from all records use. Historic and future.

How have we got here? Secondary Uses (SUS) is the big data cloud from which Hospital Episode Statistics (HES) is a subset. HES was originally extracted and managed as an admin tool. From the early days of the Open Exeter system GP patient data was used for our clinical care and its management. When did that change? Scope seems not so much to have crept, but skipped along a path to being OK to share the data, linked on demand even with Personal Demographics or from QOF data too, with pharma, all manner of research institutions and third party commercial intermediaries, but no one thought to tell the public. Oops says ICO.

Without scope definition, there can be no fair processing. We don’t know who will access which data for what purposes. Future trust can only be built if we know what we have been signed up to, stays what we were signed up to, across all purposes, across all classes of data. Scope creep must be addressed for all patient data handling and will be vital if we are to trust care.data extraction.

***

 

care.data – 3. A mother’s journey: Fears and Facts

MGM 1939 The Wizard of Oz

My final of 3 parts response to The Times article recently which mentioned unfounded fears which ‘evaporate like candyfloss’.

The Wizard of Oz that article touched upon, is a threatening fantasy story for many children. But the threats created by the removal of the confidentiality between patient and GP in care.data are real.

We risk patients who will not go to the family GP for care, knowing that the record may be seen by someone other than our trusted local doctor. Or who hold back facts which will influence their treatment. Teens may not visit a clinic believing it can no longer treat them anonymously. These are threats for Public Health. There are other risks of concern for particular groups such as those with disabilities.

Separately, but it seems ever more often built into the current narrative, is the path towards Electronic Patient Record access, which will need all sorts of privacy issues addressed within families and for the vulnerable. The at-risk woman made to reveal her medical record by a threatening partner checking up on her, or checking that there is nothing about him. Women may not speak up with their GP. Carers may even inadvertently, put pressure on the elderly at home, to know all. I know there will be many who want to access their own record. I would myself if it did not mean a fully identifiable record held at a central level. But we should not march on leaving the vulnerable behind a digital divide. It is not just ‘Internet banking’. My fear is that for those who want no electronic record, it will not just mean getting no front end access. It should not be created at all.

Identifiable extraction and re-identifiable data releases to third parties increase the risks of identity fraud, discrimination in education, insurance, and employment. And risk of provider fraud by the commercial third party providers now used ever more widely in the NHS, since the Health and Social Care Act 2012.

It is between these third parties that NHS England demands identifiable data shared for invoice validation. Did Mr. X get treatment Y from provider A? Has the Health and Social Care Act created a dichotomy for NHS confidentiality? Some common identifier is needed to match data with other data held too.

Whilst identifiable data is ‘a no brainer’ for clinical use, we should not be expected to have it extracted, stored, and available to link on demand for bespoke requests to any customer. The vague ‘health purposes, benefiting health and social care’ as undefined yet a small body, with little public oversight at the arms-length HSCIC decides if they are met.

There are decisions reached, out of committee, which are not detailed in the minutes of approval meetings. With only 4 people on the group, it would be easy no matter how well intentioned, for the decision to be much more swayed by someone approaching the group outside of the process, or for there to be conflict of interest. It’s quite a different set up at the Health Research Authority. I fear that my idea of legitimately approved uses in research differ with those of the MRC. Who champions the patient when I have no voice at the table?

Why should a Cabinet Office get given personal confidential information on teenagers, requesting both physical and mental health data, who are taking part in a non-health project, as was done last summer, and which only got documented in January? Even with consent, that seems excessive and unnecessary. We have no control over what future governments may want our data for. The HSCIC Data Advisory Group is yet to fully publicly document those purposes, alongside each new application in any detail. (Compared with CAG which lists a named individual applicant and precise purpose).

Will my children be labelled with a condition which they might outgrow but their notes share it with others for their lifetime and beyond? Will they be stigmatised and discriminated against by deciding NOT to share records and be seen as hiding something? Some people comment, ‘it doesn’t matter I’m not a celebrity or state figure’, as if that somehow entitles one to a greater degree of privacy. But even if we accept that, what of our children, who knows who they may yet become?

We have no idea to what uses their data may be put in our children’s adulthood. We have no idea where it may be stored. Their NHS number is with them from cradle to grave and will be increasingly used across health and non-health settings. The future of medical research and its applications are unimaginable today.

If we are to give them away, it must be  under the strictest of governance and well documented and workable processing solutions.There is a strong argument for allowing queries to share information, not extracts of actual data. The master copy, nor in-part sections of the database, would not leave the secure environment at HSCIC.

Facts often inform and can chase away fears. But until the needed changes are made in process and governance, these fears cannot ‘evaporate like candyfloss.’ They are founded on facts, and shared by many professional bodies as well as individuals.

The leadership team and others needs to stop trying to scare us into submission too. Patients will die if we don’t carry on with care.data.  The end of the NHS is nigh. Tim Kelsey told the Health Select Committee if 90% opt out there will be no NHS. Well, perhaps that is the crux of the question. What is the NHS today? Whom does it serve? It belongs to all of us. If you’re doing something that means the end is nigh, then hurry up and tell us what.

If we see care.data as business intelligence in order to make financial transactions flow between a disparate set of providers, then yes, without it, the payments process may need to change or fail without our data. But for patients, that is not what the NHS is about. We want to make it work, but not at the expense of the age old principle of good care: confidentiality.

What needs to happen? 
Fix the Data Protection for pseudonymous data.
Fix boundaries for scope creep, and vague changing purposes.
Fix the failure of Fair Processing and put in place a continual change communications’ plan.
Facilitate the objection and clarify what it means, as offered by the Secretary of State.
Focus on the reality of care.data now, not Online Patient Access in a down-the-line vision.
And fundamentally, be honest with us patients.
Engage with patients without commercial drivers.

Why are we really funding this massive top-down programme, and leaving local hospitals unable to interact? That is what patients need when they transfer between care settings. Beverley Bryant said in London at a conference this week, that ‘interoperability’ was key. Yet between hospitals the Clinical Informatics Director, NHS England, emphasized at the same event, the need for local systems and that there would be no top down support or directive for enforced  interoperability standards. There is a massive disconnect between two leaders in the same quango. I fear this is the biggest challenge – what is care.data really about? The business case cover, according to the February 2014 Board Performance Pack, was still not in place.

To face up to and fix these issues, will take courage. The question should be, not what are we patients afraid of, but have our future Data Controllers, NHS England and HSCIC, the head and heart for the task ahead?

care.data – 2. A mother’s journey in Oz: communication & choice

David Aaronovitch’s Times’ opinion article on March 27th stated data privacy fears have made health-data sharing “toxic” and that campaigners are nothing but a ‘man with a megaphone’, like the Wizard of Oz. My response, part two. Communications & Choice.

1939 – The Wizard of Oz – MGM

Honesty, clarity and real communication, not PR, is fundamental to a renewal of trust across these areas.

The announcement via HSJ today comes, that the HSCIC Chair had concerns over the impact of the care.data leaflet drop, and asked the Department of Health to intervene. One wonders then, who made the decision to go ahead? 

On care.data communications, the Times commentator said HSCIC has probably thought, “Stick out a leaflet, bish, bash, bosh.” The result seems to be more ding, dong. The balloon upped and left before anyone was ready to go  and ICO, GPs, representatives from the BMA and others, including the campaign group, had well founded, and serious concerns.

I spoke with HSCIC communications and managers directly last October, as well as my MP and the Department of Health, to flag how misleading I felt it was for patients to say ‘your name is not extracted’ when it is held at HSCIC already but most of us did not know that. Many of the same leaflet concerns were, much more significantly than by little ol’ me, raised by both GPES advisory group in September and ICO before the launch. So now, despite the £1-2M state funded doormat drop leaflet & cartoon, it’s all up in the air.

(Whilst I know for HSCIC with its own budget of £220M and control of a £1BN annual spend, it may be peanuts, but what a waste of money. At a conservative estimate of £1M for the leaflet drop, at least 50 nurses could have been employed for a year on that. That makes me cross.) We still have no explanation of why so many did not get delivered, what they did when they heard they had not been nor any plans to clarify that. It was our money spent. We deserve to know.

I received a reply to my October letter, from the Secretary of State to assure me that ‘patient identifiable data was not and will not be shared with third parties’. I think with subsequent information coming out about releases, that is at best, may I say, questionable? It has been shown that patient data at individual level has been shared, and we know with researchers for sure. They are not my clinicians, they are not the only third party who may have access. It’s clearly documented by CAG and releases by DAAG from 2013 have just been released in detail for the first time today.

Through the campaign groups’ and ICO intervention that demanded a national communications programme and the subsequent ICO FOI release about the leaflet review and its shortcomings, we go a significant step forwards towards transparency why the leaflet failed to work for patients. It shows that all the issues we found after the event; junk mail vs letter, hard to reach groups, unclear language, missing opt out form, lack of internal communication and the Information Commissioner’s concerns were clearly known but ignored in advance. Why it happened, who made the decision to go ahead anyway and what follow up will be, remains to be seen. With all the past experience and tools at the disposal of NHS England it is stretching my credulity to believe it was simply poorly executed. Let’s not forget, the original plan was to not tell us at all.

We need to stop hearing we need a fix to communications. I’m trying to understand why, with everything at their disposal, they could want or have allowed to let such a thing happen? It was no surprise the leaflet drop was a disaster. HSCIC communications, leaders and now it seems the Department of Health knew clearly. So why go ahead?

The point of the communication should have been to give us fair processing and the leaflet said, ‘you have a choice.’ I have a duty to my children to safeguard their own health, its provision in a safe State health service and to safeguard their autonomy for future. As it stands, it seems an impossibility to choose all three.

Whilst the leaflet nominally gives us a choice, I struggle to see what value it is. It is some, but limited. The only choice we have truly, is before the extraction happens. A GP in Hampshire devised this flow chart to try to help his patients understand it. Anyone can object now and opt in later. But once opted in, there is no get out clause.

If I don’t opt my children out now, they are in for life whether they later want to exercise their Right to be be Forgotton, or not. If I change my mind later and want to opt out (after a media scandal huge breach, for example. Or perhaps my child grows to become a public figure, or contracts a rare condition and we worry about discrimination), it is impossible. Records will just be re-labelled as pseudonymous. Really?

So, if I share their data for secondary purposes by doing nothing, by allowing their data sharing with even health purposed non-NHS intermediaries who sign up to care.data, it feels like I may as well flog it on ebay myself. But although I want to share it, under good governance only for their care and its commissioning, that is impossible.

Surely we should be able to have their health records used only for their care and its direct management, in all forms? Pseudonymous is not anonymous. But we’ve been given a very limited choice. We can only restrict fully ‘identifiable’ data flows according to the leaflet.
The data that HSCIC already holds, is simply given a new label, the HES ID instead of my NHS number, and linked depending on the bespoke request design, I don’t know what else modified, and then exchanged for cash with buyers from commercial health analysts to medical researchers to intermediaries. Amendment to the Care Bill changes nothing, because as long as ‘health purposes’ are served, the customers are deemed acceptable.

What real kind of patient choice is that? Is my hospital data in pseudonymous, potentially re-identifiable form required from all, for all purposes, for all time whether I like it or not? They haven’t given us that choice in the only communication which we were meant to have received (but no one in my area did), the leaflet ‘Better information, means better care‘.

Right now, the only options are to restrict fully identifiable patient confidential data sharing. The leaflet says this means 1) you can restrict a flow between GP and HSCIC of the NHS Number, DOB, Postcode and Ethnicity, and/or 2) flowing out from the HSCIC, for anything other than commissioning to the regional DSCRO (One of 11 Data processing Centres at regional level). The second option also prevents researchers, even with Regulation 5, Section 251 approval, from obtaining red, fully identifiable data.

However, the objection code is not yet operational, so right now, our fully identifiable hospital data may be released without our knowledge or consent. Other data, considered non-personal, diagnoses, GP practice code, other local IDs from our records can still be shared. And according to September meeting minutes, there is no need to respect an objection for pseudonymous data.

To restrict identifiable flow for care.data from the GP record, we need to apply the code 9Nu0 to our record. 9Nu4 restricts the identifiable HES data flow. But NHS number is extracted with anonymous and aggregated data to identify who opts out. Since that must be matched with HES data to find the record we want restricted already at HSCIC, I don’t see how that can  work without landing, matching and being pseudonymised for all of us. I await to be corrected.

We cannot restrict pseudonymous, potentially identifiable data sharing from HES at all. Patients were not told us before HES was extracted, that it would have all these secondary uses, and now they tell us, tough luck? Without fair processing, it’s not even legal. The Health and Social Care Act, the Secretary of State’s direction of Section 251, and waiving the common law of confidentiality all still require us to be informed before the event.

There is no clarity on the options offered in the leaflet or mention of sharing pseudonymous data even if you opt out. That is not choice. The only publicly loud supporters of real choice are campaigners who provided an opt out form, that official channels still have not.

Six weeks into the six month pause, there has been no public communication to give us any clue what is going on to improve the situation, neither by NHS England nor the Secretary of State for Health.  This is not good communication. And knowing that many parents, including friends, have no idea about the initiative I just feel this is wrong.

I’ve written to my MP for the second time. I found in the whirlwind of information and my frustration, that Twitter #caredata and #datasharing offers an informed group of interested individuals. Thank goodness for their support, insights & banter in this tumultuous journey trying to understand what is going on. Until the ‘pause’, HSCIC and NHS England staff would engage and answer questions, too. Now they seem to have gone very quiet.

Like Dorothy, after seeing behind the curtain of how political and state decisions are made and executed, I have been surprised that so much happens ‘about us, without us,’ and will now never be quite as naive. We all deserve the full story, as patients and citizens. According to Jeremy Hunt at frequent presentations, and Tim Kelsey at Strata and other events, we are on the cusp of a brave new world of health data use and its wide ranging impact in our future healthcare provision of personalised medicine. If they expect to use me in that, I want to know how. So right now, there is no way I’m going home, until we know how the story ends.

Now, all this is not very constructive. Not like me at all. But what is past cannot be brushed away without clear answers. That would effectively say, ‘we don’t care we wasted your state money. We don’t care we misled you. We don’t care what you think.’ Get out the broomstick and clear up what went wrong and why. Then we can start fresh and see if together we can find solutions which fit the needs.

We are more than a cohort, and we are not a commodity. We need change.

If we should be Cameron’s ‘willing research patients’, then tell us precisely what that involves. Give me a definition with a limited scope. I support appropriate research use. Aside from the fact that we didn’t know about this either, research approved by CPRD, Thin, QResearch all have a different approach however, from the commercial and apparently limitless dynamic of care.data. It is quite one thing for researchers to access data and contact us for trials. Quite another to find without our knowledge our data may have been exchanged for cash and I want to know it has not been used in research abroad nor with projects with which my ethics may fundamentally disagree.

Data is not just a collection of codes and academic algorithims. It is the detailed knowledge of the inner workings of our mind, bodies and lifestyle which we entrusted to our medical guardians. Of individual people who did not ask nor sign up to become part of Big Data.Treat my children’s data with the respect that it deserves.

No number of animations, leaflets or letters with ‘improved communication’ is going to gloss over the fundamental fixes needed in handling patient data. Show us the flaw and what you have done to fix it. Along the lines of, ‘you said’, ‘we did’. Real communication.

And if you do decide to give us real choice, then make it statutory for life. Choice will only be worth having if we know that what we choose today, does not get transformed into something else tomorrow. It needs more than a magic wand to wave away the issues. Let’s hope the new care.data advisory group, can make it happen.

care.data – 1. A mother’s journey in Oz: transparency.

1939 The wizard of Oz MGM

David Aaronovitch’s Times’ article on March 27th stated data privacy fears have made health-data sharing “toxic” and that campaigners are nothing but a ‘man with a megaphone’, like the Wizard of Oz.

Mr. Aaronovitch chose the perfect fairy tale, but like Dorothy, it landed the wrong way round.

It is long overdue that the curtain of secrecy, behind which the mechanics of the Health and Social Care Information Centre has operated, was finally pulled away. Our medical records shared and sold for over 25 years? We had no idea, yet now find out with whom and how it has been used only though the campaigners. 

The group the article described as ‘not speaking for most of us’, MedConfidential, has in fact spoken with support from leading figures across a wide range of professional organisations, including before the Health Select Committee alongside the Chair of the BMA GP Committee on Feb 25th.  They have spoken about patient choice and fair processing, technical security issues and good governance to get the care.data scheme right, and secure a good future foundation on which to build safe & trusted patient data practices.

I should think ‘not most of us’, but in fact all of us, want to get these things right. These things need to be right, in order for the informed public to support the system. Not just come autumn, but for life. Otherwise they risk revolt and more than just this system, will lose support.

Yet six weeks into the six month delay, we see no publicly communicated changes.

The toxic ‘smoke and mirrors’ lack of transparency to date must change, this scheme is too important to hide away and get wrong. This sort of attitude is precisely why it has repeatedly cost the country billions in failed IT programmes over 10 years whether at the MOD, BBC or Department of Health. The NPfIT via the now named HSCIC, continue making the same mistakes at arms-length from the DH and whilst refusing to apologise, projects carry on regardless, wasting money, time, public and professional trust.

Kingsley Manning, Chair of HSCIC said last week, “One of our key measures of success might have been that we were safely below the radar of public attention.” He may as well have said, “Pay no attention to the man behind the curtain!”

He stated an “innocent lack of transparency” has fuelled suspicion that arrangements for organisations’ use of data were “unfairly tipped in favour of profit making”. Perhaps it’s rather the HSCIC 2013-15 Roadmap which gives us fact, not suspicion. By 2015 HSCIC  would ‘agree a plan for addressing the barriers to entry into the market for new commercial ventures’ using our data provided by the HSCIC and:

“Help stimulate the market through dynamic relationships with commercial organisations,
especially those who expect to use its data and outputs to design new information-based services.”

Working with care.data is promised as a sweetener to commercial business, to ‘innovators of all kinds’  including Google for unproven State economic development and gain. Why should any commercial monkeys, even under the wings of ‘healthcare purposes’, carry off a piece of our most intimate personal data without asking our permission, when we go for healthcare at our most vulnerable and trusting?

Thank goodness for the privacy campaigners, the Freedom of Information requestors, the experts and professionals who altruistically take the time and trouble to champion the patient and public interest. Otherwise, we would not have been informed at all of plans.

The rights of fair processing and Data Protection appear to be trampled upon in the rush to implement the increased sharing of pseudonymous data, which is not anonymous yet not protected.

MedConfidential offers a simple method to enable the opt outof identifiable data flows which NHS England did not do. A right to objection was offered by the Secretary of State for Health and would be upheld as, ‘a constitutional rather than legal right.’ The Commissioning Board NHS England’s unclear leaflet wording and no form compared with the SCR opt out makes the intent of the process hard to understand.

We need honesty, clarity and communication, not PR. Transparency is fundamental to a renewal of trust across these areas.

Don’t tell us one thing and say another to business and government. Talk to us without spin. Give us clarity of purpose, choice, good independent governance, defined scope and an ongoing communications plan. Let me understand why you need fully identifiable data and how it will be used by whom and how you will protect pseudonymous, re-identifiable records. Don’t appear to use technicalities to get what you want. Not only must our data protection be legal, but be seen to be legally appropriate. Listen to the informed critics. Ensure ethics champion commercial decision making. Address the risks as well as the benefits and tell us your forward plans. Then perhaps, you will have paved the pathway to properly use our world class data in the world class NHS, for the public good.

Oh, and please get rid of the monkeys.

care.data – Intro. A mother’s journey in Oz.

Mother’s Day seemed as good a day as any, to reflect how I safeguard my children in future, in a cloud-based digital world and currently, on care.data. Ever since I first read last summer about the initiative to be implemented by the Health and Social Care Centre, I have followed as in depth, as much as time has permitted. I began the journey, as an NHS patient who believed my health records were used by my GP at my GP practice. In 2010 I had opted out of the Summary Care Record. I usually read forms to the end and tick the boxes or not, to keep my data confidential.

Along the way, I have been surprised to learn our hospital records were used for anything other than our care and its delivery. I’ve been shocked to see how it has been widely distributed to third parties, in various formats. I’ve come to understand how our health data entered at a whole range of different entry points (Prescription Service, Choose and Book, Mental health and more), end up stored in linkable silos under the umbrella of one organisation. And I’ve learned that the more I know, the more patients like me, should know. So, feeling that this is missing in the current online debate, I’ve decided to share my point-of-view and learnings, from a patient’s point-of-view.

David Aaronovitch’s Times’ opinion article on March 27th stated data privacy fears have made health-data sharing “toxic” and that campaigners are nothing but a ‘man with a megaphone’, like the Wizard of Oz. Whilst he is correct that there is a vocal minority, I believe it is simply because the majority are not able to take the time or had the interest to get to grips with the subject in depth. I have, albeit as an ordinary lay person on the outside.

There has been little opportunity for discussion of our ordinary patient opinion. Yet it is all of our records, ordinary patients, parents and children, which are being handled as a commodity beyond our direct care, without past knowledge or consent. I think a lot about it, and have broken this into parts. Part one: Transparency, Part two: Communications and Choice. Part three looks at the simplest concrete risks the Times article believed, “have made for public disquiet, but when you examine them they behave like candyfloss”.

I’ve followed it for almost eight months now. Its highs and lows still need a brain, heart and courage. By standing up, I risk being labelled ‘selfish’, a consent fetishist, or scaremongering. I don’t believe it is any of those to seek facts, education and engagement.

So here’s my #caredata story so far.

Thinking to some purpose