– my six month pause, anniversary round up [Part 2]

In part one, I looked at the status of what data extracts – examining scope, the role of management of scope creep in trust, opt out management, and the who, of accessing our data and for what purposes.

Here in part two, I want to give a six-month status update of my opinion of where the public is on understanding the HOW of Governance & Oversight, Legislation, changes to the scope governance to include Research, examine work-in-progress and look to explaining the WHY of, the Communications of the programme as a whole.  Leading to ask, WHEN will any of this happen?

To go back to part one of this post > click here. – a six month pause, anniversary round up – Part 2

What legislative changes may influence sharing?

In July, at an ADT meeting Dr.Geraint Lewis was billed in the agenda to be speaking on [8] At the same meeting, the item on European Data directive, where the Wellcome Trust presenter [5] noted that the new EU legislation would require informed consent for identifiable data sharing, and limit pseudonymous data sharing without consent deserves a special mention, and question all of its own.

Mr.Kelsey pointed out in January, at the ISCG meeting that his colleague was over in Brussels to discuss the new EU law. So they are clearly well aware there are implications.

Now a theoretical question. If you were designing a process upon which new legislation were going to have a big effect, would you a) try and design your process accordingly to take the new law and best practice into account to be ‘ahead of the game’ or b) rush to get the project finished before the change of law affected it, and hope it is not retroactive?

Q. Is this coming change in EU Data Protection one reason for the big rush to get extracted?

In terms of UK legislation, what has changed since the pause? The Care Bill became the Care Act in May.

Senior figures in the Lords, in public health as well as MedConfidential raised concerns and proposed amendments.

Considerations included defining:

1. Purposes to exclude commercial exploitation

2. Oversight & Governance

3. Opt out on statutory basis

In the preceding Care Bill debate, Jamie Reed outlined the amendment to wording and how the public may interpret its effect. I agree with what he said:

“the new clause provides for entirely elastic definitions that, in practice, will have a limitless application.”

Unless there are plans to sub-define the clause and to legislate to support that,  I await to see how that ‘purposes ‘ definition can do anything to help support our trust that actuaries & insurance firms, health or pharmaceutical marketing researchers or other third parties we cannot imagine, will be legally entitled to request to buy data. The HSCIC can only measure requests against the law under which it is given to operate after all.

a) the promotion of health – interpret that how you will.

“The DARS process has three stages – Application, Approval, and Access.”

I fear this kind of sets the tone for the expectation of applicants, you ask you get – and there’s no mention of rejection in there. But then, I’m probably being too cynical. A list of the number and type of rejected applications by organisation, would improve my trust here. CAG publishes it, where is the same transparency for DAAG? How many applicants are rejected vs accepted each month?

How will DARS interpret “the promotion of health?” I’d like for them to give case scenarios of the problematic past releases, and judge now, whether they would be accepted again or not.

Mr. Kelsey identified that this definition of purposes was vital to the public in February, but I don’t think it has been clearly addressed since.



I look forward to hearing more about what clear and specific guidance there will be to the Data Access Group,  and what protections there will be for corrective action on data mismanagement, the so called ‘one strike and out’, which must encourage breach transparency, not drive reporting underground.

The second big ticket  item the Care Act is to have brought in, is a change to oversight.

Changes to Oversight and Governance?

Again, I am yet to see any documented organisational mapping of how Data Access will be reviewed and regulated going forward, taking this new legislative amendment into account. There was some mention of CAG and IIGOP at the HSCIC stakeholders’ meeting, but nothing documented to view how recommendations may become enacted. Progress is somewhat unclear, but awaiting monitoring in the pause.

Mr. Kelsey has said the the IIGOP has been asked to advise, but I understand it has no statutory footing, nothing to make its recommendations effective, should the Patients & Information Directorate at NHS England disagree. [We do well to remember past form here. The Caldicott 2 recommendations on data sharing, which stated they ‘the Review Panel does not support such a proposition’ [7.2] that there should be dated shared for commissioning in an assumed ‘consent deal’ without clear legal basis and patient communication. It goes so far as to say it is not aligned to the rights and commitments in the NHS Constitution. This was chaired by Dame Caldicott, who also chairs IIGOP.]

When the Patients & Information Directorate /NHS England and the BMA vote also disagree, and NHS England seems to have ignored the BMA ARM call for opt in at least I have seen no public facing statement which even acknowledged it had happened at all – which strikes me as being just plain rude to your most significant stakeholder – it gives me little hope that the Patients & Information Directorate at NHS England is going to take another group’s perspective into account. I hope I am proved wrong.

But there is no outside oversight or governance which can impose action, or intervene with any legal weight in disputed decision making like this.

GPs as Data Controllers are between a rock and a hard place still. Legally bound to release data by the Health and Social Care Act 2012 if the Patient & Information Directorate at NHS England directs them to do so, professionally bound to maintain confidentiality.second

In February at the HS Committee, Dr. Nagpaul said they were,

“looking forward to the next six months enabling our patients to be properly informed so …they can make an informed choice.

Since the Care Act and scope have changed since then, the opt out mechanism is unclear, and nothing has come from national level to acknowledge their call for opt out, I for one am not surprised patients have still not been informed in these six months. It would be hard to pin down what we could have been informed of precisely.


The Secretary of State wrote on April 25th, asking to ensure current practices are up to the task, but as polite as it is, a letter is no form of governance.  It rather feels like a distant wave at a drowning swimmer, acknowledging an issue, but staying well clear from actually having to go into the water.

Currently it is IAG which reviews the requests for changes to the scope of the GPES extraction tool. It has direct governance and independence. Where it fits ongoing between CAG and DAAG is unclear to me.

And what about research?

This is possibly the latest *new* development, that the advisory minutes hints at. That research purposes will now be put forward to the IAG in a formal request for the GP part of to be accessible for research. (Because yes, despite all the campaigning and everyone and their kittens saying how good would be ‘for research’ it’s still, to date, only approved for commissioning purposes. NOT for research.) HES, SUS other  data which HSCIC already has is used in research already. Whilst some primary care data may used in research today where practices have otped in to other research databases, such as CPRD, I believe that is only in an anonymous format. Now, how this works today with linkage via HSCIC and how much we know about it, may be unclear to the public. But it’s not the same as GP primary data in identifiable format being extracted and stored and linked with every other part of your health and social care records and more, for research and sale, as is the intent.

I would like to see this instead considered, a layered approach to opt in.  This enables some personal level of data governance as well as consent. Saying yes to public research, but no to commercial marketing research or re-use. Personally, I’d also want to split out genomics from other research. This supports patient choice, so oft touted as core to the new NHS. The current set up is diametrically opposed to everything NHS England purports to stand for. How can patients trust a system, which says one thing, and acts entirely against it?

Well, if the proposers can define ‘research’, I’m happy to consider signing up to opt in for its use. If it’s a blank cheque to use the knowledge of my children for just anything, unlimited in scope and time – forget it. And why? Because I am concerned that the pseudonymous use of data and use of pseudonymous tissue are too loosely governed. Who is auditing today the ethical combining of genomic mapping and pseudonymous data use? Who is using it, and for what? Where is it information that may be sold, and to whom? I don’t want their future choices limited by something I didn’t pay attention to on their behalf, today.

Why does the NHS England Patient and Information Directorate want to extract Have we lost sight of the most valuable purposes of data, and how to use it well, through the commercial drive for UK plc – purposes put ahead of research? Commissioning purposes and commercial mining are taking precedence over care and confidentiality.

Stephen Dorrell MP,  in Parliament on March 11th (Col. 198) focused rightly on defining the purposes of  In fact the IAG has not approved research for (GP extracted) to be used in research:

Mr Dorrell: First, we must concentrate the rationale for the programme on to patients. Looking back at how NHS England has got itself into this position over the past few weeks and months, I have lost count of the number of times I have been told how important the programme is for research. I absolutely agree that it is important for research, but the health and care system does not exist to support research; it exists to treat and care for patients. The logic of allowing commissioners to develop joined-up services that respond to individual people’s needs—and the pattern of need based on multi-morbidity to which the right hon. Member for Sutton and Cheam (Paul Burstow) has referred—must be placed centre stage in the justification for the improved handling of data in the health and care system.

I go back to the point that this must be about treating people, not conditions. We cannot achieve that if we do not have the information to allow us to connect up the experience of the patient between one part of the system and another. In regard to the logic behind NHS England’s plans, yes there is a research argument, but—with apologies to the research scientists—it is a secondary argument. The primary argument is that we must improve the services delivered to patients and service users.

Which is why it was odd at the time, to see the Wellcome Trust driven ‘Peter’ campaign supported by the 40 research charities, championing the need to have our data. It was data (in HES/SUS) they already had access to.  At the same time [wave one, primary care GP extraction] was collapsing under the weight of the press and public shock that our hospital records had been shared with third parties for years without consent.

What has practically been done by the bodies involved in data sharing?

From an NHS England point of view, I’ve seen little. HSCIC on the other hand has seemed proactive and productive. [10]

The most significant undertaking was the Partridge Review, which analysed in depth 10% of the data sharing agreements of the last eight years.

The HSCIC has undertaken to continue complete logging of registered approved data releases on a  quarterly basis.

There is also an audit function in development. “These audits will check that our customers are adhering to the obligations documented in the Data Sharing Contract and Data Sharing Agreements.”  Whether or not that will mean that HSCIC auditors will go onsite at data recipients in FDA manufacturing audit-style, is probably another matter.

The access mechanism is under review, and at the open HSCIC meeting in July Kingsley Manning stated that a secure access lab will be part of their offering next year. How that will affect who has what access to what data, remains unknown. But it appears there may be work-in-progress:

On 1st September, Ciaran Devane posted on twitter that, “With advisory group chair hat on, well done to hscic team who listened very well at session on proposed secure data facility.”

Today in contrast, there are currently two ways in which data can be accessed:

  1. Data are released to you using a Secure File Transfer Mechanism.
  2. You may access Hospital Episode Statistics (HES) data using the HES Data Interrogation System.

The HSCIC Data Access Policy has been updated on their website and now states it is supported by the following principles which includes:

  1. share information to support the provision of health and social care and the promotion of health; not for solely commercial purposes;

{my italics} Solely, does not exclude enough in my opinion. This is where the will meet resistance still, if it cannot see the wisdom of giving up its use for commercial purposes.

Their stakeholder meeting “Driving Positive Change” hosted at The King’s Fund was minuted here.

My own opinions on attending the meeting, are in these past blogs posts. Part one and Part two.

HSCIC also updated their Freedom of Information Disclosure Log which had been out of date by well over 6 months.

Lots going on at HSCIC.

What else has happened in between then and now? What were the expectations of the pause?



The HSCIC did have a Code of Confidentiality consultation, which was most recently published.

The Department of Health issued their Annual Assessment of the NHS Commissioning Board (Brand name NHS England), which made a passing reference to on page 10.

There was a rather obtuse and confusing ASH consultation on data sharing which stressed it ‘wasn’t’ yet included many of the same items, and were for purposes which included commissioning and risk stratification, ostensibly purposes of The whole thing was rather a mess. Aside from the data sharing aspects, it included whether the organisations would be State or commercially owned, and changes to consent and data sharing for people with learning disabilities.  It was really, far too wide ranging, and had a very short consultation period. Personally, I feel concerned other less defined organisations may now be made legally entitled to access our primary care records, ostensibly not under ‘’ but for similar yet even more obtuse purposes.

[addition Sept 2nd after publishing – medConfidential has released an in-depth set of documents regarding secure data access design and the ASH on their blog > here]


Communications was and is repeated over and over, as the key flaw in the roll out. The doordrop junk mail was widely cited as a misjudged marketing campaign. I hope, through the above, to dispel that myth. Communications is the ‘how’ you tell people – in it’s the ‘what, why, who and when’ which is missing as well. The Communications process cannot clearly inform if the substance of the message is in flux or unclear.

Have there been any national direct communications to citizens and patients from the Patients & Information Directorate at NHS England? Some online letters? Yes, from Mr. Kelsey here and here. “This is the first in a series of updates on I hope you will help shape it by giving your views on the programme,” said his letter. None since then. The advisory group notes are somewhat internal minutes for the public, but give us some idea of direction.

Local activities? Perhaps. There have been a couple of events posted online, such as was held via Healthwatch in Essex, but nothing in my own area. Some more accessible versions of the communications leaflet were released.

Have there been events open to the public to hear about Yes, but not widely promoted to individuals. The second hosted by the advisory committee is coming up in London on September 6th: “This event is for health bodies and organisations representing a wider constituency perspective and will take place on Saturday 6 September in London from 10am to 2pm.”

The NHS England website states that,  at the beginning of August, we have taken part in over 150 local and regional events.” I know that I actively look out for any mention of events online, and I’ve been aware of about half a dozen, none of which has been in my county although it is included in the published list. I’ve asked at my local CCG, and neither they nor the NHS England Area Team are aware of any having been in West Sussex either. So, if these 150 events are taking place, it is not widely publicly communicated.

I attended the June 17th NHSE Open Day which included one hour on  I’ve not yet seen any follow up of the questions which were asked by others then, and I blogged about then, here. The feedback from that Open Day has yet to be published > here. The site states that all the listening event feedback will be published ”later in the summer.” School’s back, summer’s over. Time for some of that feedback to be shared? I hope it’s soon, so that there is time for proper digestion, consultation and adaption before the pilot rollouts.

I’ve been to one public event which was primarily intended for charity group representatives,  and the HSCIC stakeholder event, which was not about, but the review after the Partridge audit. All three of these events were advertised online as open to the public. I’ve asked my CCG about it at two meetings, and had no follow up and nothing from my GP practice at all.

The NHS England Board in July didn’t mention at all.

If I’m actively looking to find out what is happening, and that’s all I find, what does the general public know?

I proposed two topics for NHS Citizen consideration: [as did someone else as well] and genomics. Neither made the cut for public discussion. Where can these issues which will shape the NHS so fundamentally and touch every patient and citizen, get into mainstream discussion?

So far, because any gathered listening on has been kept to the Patients & Information Directorate and not made public, we don’t know what has been actioned. But from my event attendance and online discussions, I think feedback is fairly consistent.  Summed up by what Mr.Kelsey asked the Open Day by a show of hands, how many feel confident they even know what is? The answer was clearly, not enough.

The July advisory group minutes state that a communications consultancy was about to be hired to review materials.

What will be interesting to see is how the communications materials are relaunched with new information. Simply repackaging what was there before won’t do. If there have been significant changes in content and process, as has been suggested are the successful results of the Partridge Review and Care Act, then they must be reflected in communications content. Just as the real concerns and questions received in the listening events over the last 6 months must also be addressed.

No one seems keen to tell us. The same questions have been batted about, for a year and a half now. From April 2013, the minutes are really worth reading again. The sharing for commercial cash flow was omitted in potential uses, but did flag concerns sharing ONS data with commercial intermediaries. The Partridge Review April 2014 since showed part of the extent to which the data mining of our health records was happening in the background. The desire to get access across to all health and social care data hints in 2013 at the unbound scope they still struggle to define today. Fast forward a year, and the project was put on pause.

Six months later, when will we find out what concrete improvements have been made in this pause? What are plans for the WHAT of Scope and its future change management, the WHO of Data Access and Sharing, the HOW of Governance & Oversight, Opt out management, Legislation, and the WHY Communication of the programme as a whole? And WHEN will any of this happen?

“This purpose is broad, and poorly defined. It needs to be better specified through the core values of the NHS to ensure that makes the contribution that it is capable of to the future of the NHS.”

James Wilson, Discover Society, June 2014

Has the commercial exploitation of HES poisoned the pool of data uses for everyone else who wants access to our NHS world leading data?

Have we lost sight of the most valuable purposes of data, and how to use it well, through the commercial drive for UK plc – purposes put ahead of research? Commissioning purposes and commercial mining are taking precedence over care and confidentiality.

Is the Patients & Information Directorate NHS England still going for gold in a world class model, is it sneaking up the back straight for a sprint finish, or is pulling out from the race?


[1] Second delay to rollout announced – The Guardian February 18th 2014:

[2] NHS England directions to HSCIC September 13th 2013:

[3] BMA vote for opt In system:

[4] July 14th at Wellcome Trust event ‘Sharing Government Administrative Data: new research opportunities’

[5] EU Data Legislation

[6] DWP data linkage prrof of concept trial 6 year period of primary and secondary data, December 2013

[7] Developments in Access to DWP data 2014

[8] NHS data sharing – Dr.Lewis July 2014 presentation

[9] Possible UK Legislation

[10] Progress of the changes to be made at HSCIC recommendations of the Partridge Review

[11] Scope list p22 onwards:

[12] Health and Social Care Transparency Panel April 2013 minutes