Rebuilding trust in care.data

In response to a care.data feature in the November Pharma Times Magazine, I wrote a brief reader letter which was published, slightly abbreviated, on p.13 in the December issue.[1]

The November article had given me the impression that legislation in the Care Act from July was considered to have ironed out most patient concerns.

And it said that GPs opting patients out at practice level ‘would be illegal’.

I suggested three things.

1. The importance of legislation being seen and enacted before the pathfinders, to:

a) shore up trust of the broad definition of purposes to rule out commercial [re]use

b) enact an opt out

c) lend any legal weight to the role of National Data Guardian

Public and professional scrutiny and consultation on these changes will be required to ensure much-talked-of transparency is seen to be meaningful.

2. Pathfinders must not only, as the article stated, intend to “test all aspects of communication and extraction” in the pilot, but have a watertight plan for managing the planned broadening of both scope and access. [2]

After all, how can communications that tell patients only part of the story of how their data is planned to be used in future be tested and considered effective? Its merger with social care data is just one example.

and

3. A clarification was worth noting on the GP position as regards opt out: that, with certain conditions, the ICO had said that GPs opting out patients at practice level would be lawful as regards their Data Protection obligations.

Data protection laws do not prevent doctors from adopting the approach recommended by the group Patient Concern, practice-wide opt out and offering opt-in at local level, the Information Commissioner’s Office (ICO) had said, providing certain conditions are met.

“If GPs choose to opt out all of their patients, then that is an issue for them and NHS England – the Data Protection Act does not prevent it,” said strategic liaison group manager at the ICO, Dawn Monaghan, according to a report in GP Online and Pulse. [3]

“However, the Data Protection Act would still require patients to be given a full explanation of the options open to them, and why the GP has chosen to opt them out.”

The Health and Social Care Act, however, requires GPs to release data to the HSCIC, so would practices be in non-compliance with the Health and Social Care Act by doing so?

NHS England threatened one practice in November 2013 with penalties for doing just that a year ago. In fact, it was that position and article [4] which first prompted me to join the Twitter social media debate, and my very first tweet on care.data.


A full year on, and here we are, still unclear on opt out.

A full year on and our HES and other data is still being released without our consent, or fair processing.

Whilst the GPs may remain unclear if they would be sanctioned for practice-wide opt out of care.data even if they maintain data protection compliance, it seems the penalty for data misuse after release is unchanged.

Whilst there was talk of new penalties for data misuse by companies and organisations, no ‘one strike and out’ ever materialised.

Whilst legislation by the Secretary of State promised patients a statutory right to opt out, it hasn’t happened.

On February 25th 2014, he said in Parliament:

“people should be able to opt out from having their anonymised data used for the purposes of scientific research.” [col 148]

“When they extended the programme to out-patient data in 2003 and to A and E data in 2008, at no point did they give people the right to opt out. We have introduced that right, which is why we are having the debate.” [5]

However, until that opt out for our GP care.data and our A and E, HES, and other data for secondary purposes is on a legal footing, the opt out has no value for patients compared with the weight of the Health and Social Care Act.

When will the Secretary of State follow through on his word?

Right now, our HES/other secondary data is being released even if we have indicated our opt out to GPs for secondary uses, 9nu4. [6]

It appears that, to date, we lack both the legislation and the technical tool to operate the opt out.

This position seems to be in urgent need of clarification for patients to have our opt out rights confirmed for both GP held data and the existing data held by HSCIC. It also needs to be clarified for the GPs and HSCIC, as data controllers, so that they are clear on their responsibilities.

When the system has proven so flawed in the past we need change to show why it is different now.

It’s not enough to tell patients things will be different. We want to see that they are.

We can only trust a system which is underpinned in law, particularly at a time when, ahead of a General Election, many promises may have been made and will be made. Ministers move roles. Their word alone is, frankly, going to be of little value to many. Experience tells us promises may not always turn out as expected in practice.

I asked one of my local community leaders what he thought of the current position on the programme and what his reaction would be if in fact the opt out came to naught and health data was to be extracted and used for research without consent. “We’d be out on the streets,” [in protest] was his prompt reply. Whilst many are happy for data to be used in research, the majority want to know about it first; who will access it and for what purpose. Not everyone is happy for their data to be used in research. And over half were happy only with active consent or not at all, according to a survey carried out by Ipsos MORI in June 2014.[7]

The Data Guardian role [8], too, should be a positive addition to underpin the importance of ethical practice in data management but, again, can only be truly meaningful with legislative weight behind it.

The recent DH November announcement said this would happen, ‘at the earliest opportunity.’

How much longer will it be before that opportunity?

When can we expect to see the rules around uses, opt out and the oversight role of the Data Guardian published for public and professional consultation and scrutiny?

If we are to rebuild trust in the programme, it must first offer a foundation for doing so.

*

In the same Pharma Times December issue [2] there is also a feature on George Freeman MP and on EU Data sharing. Well worth a read.

My submitted reader letter:

Your November article ‘Taking care of our data’ states proposed changes to the Care Act 2014 will be laid before Parliament in the new year.

It is imperative this is done before the care.data pilots’ launch. Only meaningful changes underpinned in law will provide patients the basis on which to rebuild their trust in the programme.

Data use purposes remain overly broad, the newly appointed role of National Data Guardian has no legal teeth, and the Health Secretary’s word that a patient’s objection will be respected is not enough.

The rules around access, oversight and opt out must be pinned down.

And parliamentary scrutiny of these changes, open to professional and public consultation, will be fundamental to public confidence.

Pathfinders must not only “test all aspects of the communication and extraction process” ready for an imminent rollout. New communications must present real improvements and a watertight plan for managing the planned broadening of the future scope and access.

And finally, one clarification worth noting; under certain conditions, the ICO ruled that GPs opting out patients at practice level would be lawful regards their Data Protection obligations.

Refs:

[1] December Pharma Times p 13

[2] care.data expansion roadmap

[3] GP Online October 22, 2014

[4] Pulse, November 2013

[5] Hansard, February 25th 2014

[6] HSCIC DARS releases

[7] Ipsos MORI poll of almost 2000

[8] National Data Guardian appointed November 13, 2014