care.data – “anticipating things to come” means confidence by design

“By creating these coloured paper cut-outs, it seems to me that I am happily anticipating things to come…I know that it will only be much later that people will realise to what extent the work I am doing today is in step with the future.” Henri Matisse (1869-1954) [1]
My thoughts on the care.data advisory event Saturday September 6th.  “Minority voices, the need for confidentiality and anticipating the future.”

Part one here>> Minority voices

This is Part two >> the need for confidentiality and anticipating the future.”

[Video in full > here. Well worth a viewing.]

Matisse – The cut outs

Matisse when he could no longer paint, took to cutting shapes from coloured paper and pinning them to the walls of his home. To start with, he found the process deeply unsatisfying. He felt it wasn’t right. Initially, he was often unsure what he would make from a sheet. He pinned cutouts to his walls. But tacking things on as an afterthought, rearranging them superficially was never as successful as getting it right from the start. As he became more proficient, he would cut a form out in one piece, from start to finish. He could visualise the finished piece before he started. His later work is very impressive, much more so in real life than on  screen or poster. His cut outs took on life and movement, fronds would hang in the air, multiple pieces which matched up were grouped into large scale collections of pieces on his walls. They became no longer just 2D shapes but 3D and complete pictures. They would tell a joined-up story, just as our flat 2D pieces of individual data will tell others the story of our colourful 3D lives once they are matched and grouped together in longitudinal patient tracking from cradle to grave.

Data Confidentiality is not a luxury

From the care.data advisory meeting on September 6th, I picked out the minority voices I think we need to address better.

In addition to the minority groups, there are also cases in which privacy, for both children and adults, is more important to an individual than many of us consider in the usual discussion. For those at risk in domestic violence the ability to keep private information confidential is vital. In the cases when this fails the consequences can be terrible. My local news  told this week of just such a woman and child whose privacy were compromised.

“It is understood that the girl’s mother had moved away to escape domestic violence and that her ex-partner had discovered her new address.” (Guardian, Sept 12th)

This story has saddened me greatly.  This could have been one of my children or their classmates.

These are known issues when considering data protection, and for example are addressed in the RCGP Online Roadmap (see Box 9, p20).

“Mitigation against coercion may not have a clear solution. Domestic violence and cyberstalking by the abuser are particularly prevalent issues.”

Systems and processes can design in good privacy, or poor privacy, but the human role is a key part of the process, as human error can be the weakest link in the security chain.

Yet as regards care.data, I’ve yet to hear much mention of preventative steps in place, except an opt out. We don’t know how many people at local commissioning levels will access how much of our data and how often. This may go to show why I still have so many questions how the opt out will work in practice, [5] and why it matters. It’s not a luxury, it can be vital to an individual. How much of a difference in safety, is achieved using identifiable vs pseudonymised data, compared with real individual risk or fear?


“The British Crime Survey (BCS) findings of stalking prevalence (highest estimate: 22% lifetime, 7% in the past year) give a 5.5% lifetime risk of interference with online medical records by a partner, and a 1.75% annual risk.”
This Online Access is for direct care use. There is a greater visible benefit for the individual to access their own data than in care.data, for secondary uses. But I’m starting to wonder, if in fact care.data is just one great big pot of data and the uses will be finalised later?Is this why scope is so hard to pin down?


The slides of who will use care.data included ‘the patient’ at this 6th September meeting. How, and why? I want to have the following  explained to me, because I think it’s fundamental to opt out. This is detailed, I warn you now, but I think really important:

How does the system use the Opt out?

If you imagine different users looking at the same item of data in any one record, let’s say prescribing history, then it’s the security role and how the opt out codes work which will determine who gets to see what.



I assume here, there are not multiple copies of “my medications” in my record.  The whole point of giant databases is real-time, synched data, so “my medications” will not be stored in one place in the Summary Care Record (SCR) and copied again in ‘care.data’ and a third time in my ‘Electronic Prescription Service (EPS). There will be one place in which “my medications” is recorded.


The label under which a user can see that data for me, is their security role, but to me largely irrelevant. Except for opt out.


I have questions: If I opt out of the SCR programme at my GP, but opt in at my pharmacy to the EPS, what have I opted in to? Who has permission to view “my medications”  in my core record now? Have I created in effect an SCR, without realising it?


[I realise these are detailed questions, but ones we need to ask if we are to understand and inform our decision, especially if we have responsibility for the care of others.]


If I want to permit the use of my record for direct care (SCR) but not secondary uses (care.data) how do the two opt outs work together,  and what about my other hospital information?


Do we understand what we have and have not given permission for and to whom?
If there’s only one record, but multiple layers of user access who get to see it,  how will those be built, and where is the overlap?
We should ask these questions on behalf of others, because these under represented groups and minorities cannot if they are not in the room.

Sometimes we all need privacy. What is it worth?

Individuals and minorities in our community may feel strongly about maintaining privacy, for reasons of discrimination, or of being ‘found out’ through a system which can trace them. For reasons of fear. Others can’t always see the reasons for it, but that doesn’t take away from the value it has for the person who wants it or their need for that human right to be respected. How much is it worth?

It seems the more we value keeping data private, the more the cash value it has for others. In 2013, the FT created a nifty calculator and in an interview with Dave Morgan, reckoned our individual data is worth less than $1. General details such as age, gender and location are in the many decimal place range of fractions of a cent. The more interesting your life events, the more you can add to your data’s total value. Take pregnancy as an example.  Or if you add genomic data it  goes up in market value again.

Whilst this data may on a spreadsheet be no more than a dollar amount, in real life it may have immeasurably greater value to us on which you cannot put a price tag. It may be part of our life we do not wish others to see into. We may have personal or medical data, or recorded experiences we simply do not want to share with anyone but our GP. We might want a layered option like this suggestion by medConfidential to allow some uses but not others. [6]

In this debate it is rare that we mention the PDS (Personal Demographic Service), which holds the name and core contact details of every person with and NHS number past and present, almost 80 million. This is what can compromise privacy, when the patient can be looked up by any A&E, everyone with Summary Care Record access on N3 with technical ability to do so. It is a weak link. The security system relies on human validations, effectively in audit ‘does this seem OK to have looked up?’  These things happen and can go unchecked for a long period without being traced.

Systems and processes on this scale need security designed, that scales up to match in size.

Can data be included but not cut out privacy?

Will the richness of GP record / care.data datasharing afford these individuals the level of privacy they want? If properly anonymised, it would go some way to permitting groups to feel they could stay opted in, and the data quality and completeness would be better. But the way it is now, they may feel the risks created by removing their privacy are too great. The care.data breadth and data quality will suffer as a consequence.

The requirement of care.data to share identifiable information we may not want to, and that it is an assumed right of others to do so, with an assumed exploitation for the benefit of UK plc, especially if an opt-out system proceeds, feels to many, an invasion of the individual’s privacy and right to confidentiality. It can have real personal consequences for the individual.

The right to be open, honest and trusting without fear of repercussion matters. It matters to a traveller or to someone fleeing domestic violence with fears of being traced. It matters to someone of transgender, and others who want to live without stigma. It matters to our young people.

The BMA recognised this with their vote for an opt-in system earlier this year. 

Quality & Confidence by Design

My favourite exhibition piece at Tate Britain is still Barbara Hepworth’s [3] Pelagos from 1946. It is artistically well reviewed but even if you know little of art, it is simply a beautiful thing to see. (You’re not allowed to touch, even though it really should be, and it makes you want to.) Carved from a single piece of wood, designed with movement, shape, colour and shadow. It contains a section of strings, a symbol of interconnectivity. (Barbara Hepworth: Pelagos[4]). Seen as a precious and valuable collection, the Hepworth room has its own guard and solid walls. As much as I would have liked to take pictures, photography was not permitted and natural light was too low. Visitors must respect that.

So too, I see the system design needs of good tech. Set in and produced in a changing landscape. Designed with the view in mind of how it will look completed, and fully designed before the build began, but with flexibility built in. Planned interconnectivity. Precise and professional. Accurate. And the ability to see the whole from the start. Once finished, it is kept securely, with physical as well as system-designed security features.

All these are attributes which care.data failed to present from its conception but appear to be in progress of development through the Health and Social Care Information Centre. Plans are in progress [6] following the Partridge Review, and were released on September 3rd, with forward looking dates. For example, a first wave of audits is scheduled for completion 1/09 for four organisations. HSCIC will ‘pursue a technical solution to allow data access, w/out need to release data out to external orgs. Due 30/11.’ These steps are playing catch up, with what should have been good governance practices and procedures in the past. It need not be this way for GP care.data if we know that design is right, from the start.

As I raised on Saturday, at the Sept 6th workshop advisory committee, and others will no doubt have done before me, this designing from the start matters.  Design for change of scope, and incorporating that into the communications process for the future is vital for the pathfinders. One thing will be certain for pathfinder practices, there will be future changes.

This wave of care.data is only one step along a broad and long data sharing path

To be the best of its kind, care.data must create confidence by design, build-in the solutions to all these questions which have been and continue to be asked. We should be able to see today the plans for what care.data is intended to be when finished, and design the best practices into the structure from the start. Scope is still a large part of that open question. Scope content, future plans, and how the future project will manage its change processes.

As with Matisse, we must ask the designers, planners and comms/intelligence and PR teams, please think ahead  ”anticipating things to come”. Then we can be confident that we’ve  something fit for the time we’re in, and all of our kids’ futures. Whether they’ll be travellers, trans, have disabilities, be in care or not.  For our majority and all our minorities. We need to build a system that serves all of the society we want to see. Not only the ‘easy-to-reach’ parts.

”Anticipating things to come” can mean anticipating problems early, so that costly mistakes can be avoided.

Anticipating the future

One must keep looking to design not for the ‘now’ but for tomorrow. Management of future change, scope and communication is vital to get right.

This is as much a change process as a technical implementation project. In fact, it is perhaps more about the transformation, as it is called at NHS England, than the technology.The NHS landscape is changing – who will deliver our healthcare. And the how is changing too, as telecare and ever more apps are rolled out. Nothing is constant, but change. How do we ensure everyone involved in top-down IT projects understands how the system supports, but does not drive change? Change is about process and people. The system is a tool to enable people. The system is not the goal.

We need to work today to be ahead of the next step for the future. We must ensure that processes and technology, the way we do things and the tools that enable what we do, are designing the very best practices into the whole, from the very beginning. From the ground up. Taking into account fair processing of Data Protection Law, EU law – the upcoming changes in EU data protection law –  and best practice. Don’t rush to bend a future law in current design or take a short cut in security for the sake of speed. Those best practices need not cut out the good ethics of consent and confidentiality. They can co-exist with world class research and data management. They just need included by design, not tacked on, and superficially rearranged afterwards.

So here’s my set of challenge scenarios for NHS England to answer.

1. The integration of health and social care marches on at a pace, and the systems and its users are to follow suit. How is NHS England ensuring the building of a system and processes  which are ‘anticipating by design’ these new models of data management for this type of care delivery, not staying stuck on the model of top-down mass surveillance database, planned for the last decade?

2. How will NHS England audit that a system check does not replace qualified staff decisions, with algorithms and flags for example, on a social care record? Risk averse, I fear that the system will encourage staff to be less likely to make a decision that goes against the system recommendation, ‘for child removal’, for example. Even though their judgement based on human experience, may suggest a different outcome. What are the system-built-in assumed outcomes – if you view the new social care promotional videos at least it’s pretty consistent. The most depressing stereo typed scenarios I’ve seen anywhere I think. How will this increase in data and sharing, work?

“What makes more data by volume, equal more intelligence by default?”

Just like GP call centre OOH today, sends too many people calling the 111 service to A&E now, I wonder if a highly systemised social care system risks sending too many children from A&E into social care? Children who should not be there but who meet the criteria set by insensitive algorithms or the converse risk that don’t, and get missed by over reliance on a system, missing what an experienced professional can spot.

3. How will the users of the system use their system data, and how has it been tested and likely outcomes measured against current data? i.e. will more or fewer children taken into care be seen as a measure of success? How will any system sharing be audited in governance and with what oversight in future?

Children’s social care is not a system that is doing well as it is today, by many accounts, you only need glance at the news most days, but integration will change how is it delivers service for the needs of our young people. It is an example we can apply in many other cases.

What plan is in place to manage these changes of process and system use? Where is public transparency?

care.data has to build in consent, security and transparency from the start, because it’s a long journey ahead, as data is to be added incrementally over time. As our NHS and social care organisational models are changing, how are we ensuring confidentiality and quality built-in-by-design to our new health and social care data sharing processes?

What is set up now, must be set up fit for the future.

Tacking things on afterwards, means lowering your chance of success.

Matisse knew, “”Anticipating things to come” can mean being positively in step with the future by the time it was needed. By anticipating problems early, costly mistakes can be avoided.”

*****

Immediate information and support for women experiencing domestic violence: National Domestic Violence, Freephone Helpline 0808 2000 247

*****

[1] Interested in a glimpse into the Matisse exhibition which has now closed? Check out this film.

[2] Previous post: My six month pause round up [part one] https://jenpersson.com/care-data-pause-six-months-on/

[3] Privacy and Prejudice: http://www.raeng.org.uk/publications/reports/privacy-and-prejudice-views This study was conducted by The Royal Academy of Engineering (the Academy) and Laura Grant Associates and was made possible by a partnership with the YTouring Theatre Company, support from Central YMCA, and funding from the Wellcome Trust and three of the Research Councils (Engineering and Physical and Sciences Research Council; Economic and Social Research Council and Medical Research Council).

[4]  Barbara Hepworth – Pelagos – in Prospect Magazine

[5] Questions remain open on how opt out works with identifiable vs pseudonymous data sharing requirement and what the objection really offers. [ref: Article by Tim Kelsey in Prospect Magazine 2009 “Long Live the Database State.”]
[6] HSCIC current actions published with Board minutes
[8] NIB https://app.box.com/s/aq33ejw29tp34i99moam/1/2236557895/19347602687/1
*****

More information about the Advisory Group is here: http://www.england.nhs.uk/ourwork/tsd/ad-grp/

More about the care.data programme here at HSCIC – there is an NHS England site too, but I think the HSCIC is cleaner and more useful: http://www.hscic.gov.uk/article/3525/Caredata