Tag Archives: transparency

The Economic Value of Data vs the Public Good? [1] care.data, Concerns and the cost of Consent

They say ‘every little helps’.  care.data needs every little it can get.

In my new lay member role on the ADRN panel, I read submissions for research requests for any ethical concerns that may be reflected in wider public opinion.

The driving force for sharing administrative data research is non-commercial, with benefits to be gained for the public good.

So how do we quantify the public good, and ‘in the public interest’?

Is there alignment between the ideology of government, the drivers of policy [for health, such as the commissioning body NHS England] and the citizens of the country on what constitutes ‘the public good’?

There is public good to be gained for example, from social and health data seen as a knowledge base,  by using it using in ‘bona fide’ research, often through linking with other data to broaden insights.

Insight that might result in improving medicines, health applications, and services. Social benefits that should help improve lives, to benefit society.

Although social benefits may be less tangible, they are no harder for the public to grasp than the economic. And often a no brainer as long as confidentiality and personal control are not disregarded.

When it comes to money making from our data the public is less happy. The economic value of data raises more questions on use.

There is economic benefit to extract from data as a knowledge base to inform decision making, being cost efficient and investing wisely. Saving money.

And there is measurable economic public good in terms of income tax from individuals and corporations who by using the data make a profit, using data as a basis from which to create tools or other knowledge. Making money for the public good through indirect sales.

Then there is economic benefit from data trading as a commodity. Direct sales.

In all of these considerations, how does what the public feels and their range of opinions, get taken into account in the public good cost and benefit accounting?

Do we have a consistent and developed understanding of ‘the public interest’ and how it is shifting to fit public expectation and use?

Public concern

“The importance of building and maintaining trust and confidence among all stakeholder groups concerned – including researchers, institutions, ethical review boards and research participants – as a basis for effective data sharing cannot be overstated.”  [Wellcome blog, April 2015]

If something is jeopardising that public good it is in the public interest to say so, and for the right reasons.

The loss of public trust in data sharing measured by public feeling in 2014 is a threat to data used in the public interest, so what are we doing to fix it and are care.data lessons being learned?

The three biggest concerns voiced by the public at care.data listening events[1] were repeatedly about commercial companies’ use, and re-use of data, third parties accessing data for unknown purposes and the resultant loss of confidentiality.

 Question from Leicester: “Are we saying there will be only clinical use of the data – no marketing, no insurance, no profit making? This is our data.” [NHS Open Day, June 2014]

While people are happy for the state to use their data without active consent for bona fide research, they are not for commercial purposes.

Much of the debate and upset caused by the revelations of how our hospital episode statistics were managed in the past centred on the sense of loss of ownership. And with that, the inability to consent to who uses it. This despite acknowledgment that patients own their data.

Significant concern centres on use of the information gleaned from data that patients consider commercial exploitation. For use segmenting the insurance markets. For consumer market research. Using data for individual targeting. And its utter lack of governance.

There is also concern about data being directly sold or exchanged as a commodity.

These concerns were raised meeting after meeting in the 2014 care.data “listening process.”

To read in Private Eye that commercially sensitive projects were discussed in various meetings between NHS England and supermarket giant Tesco throughout 2014 [2] by the Patients and Information Director, responsible for care.data, is therefore all the more surprising.

They may of course be quite unrelated.

But when transparency is the mother of trust, it’s perhaps a surprising liason while ‘listening’ to care.data concerns.

It could appear that greater confidentiality was given to the sensitivity of commercial meetings than citizens’ sensitive data.

Consent package deals may be a costly mistake

People are much more aware since care.data a year ago, that unknown third parties may access data without our consent.

Consent around secondary NHS data sharing and in wider fora is no longer an inconvenient ethical dilemma best left on the shelf, as it has been for the last 25 years in secondary use, dusted off in the care.data crisis. [3]

Consent is front and centre in the latest EU data protection discussions [4] in which consent may become a requirement for all research purposes.

How that may affect social science and health research use, its pros and cons [5] remain to be seen.

However, in principle consent has always been required and good practice in applied medicine, despite the caveat for data used in medical research. As a general rule: “An intervention in the health field may only be carried out after the person concerned has given free and informed consent to it”. But this is consent for your care. Assuming that information is shared when looking after you, for direct care, during medical treatment itself is not causes concerns.

The idea is becoming increasingly assumed in discussions I have heard, [at CCG and other public meetings] that because patients have given implied consent to sharing their information for their care, that the same data may be shared for other purposes. It is not, and it is those secondary purposes that the public has asked at care.data events, to see split up, and differentiated.

Research uses are secondary uses, and those purposes cannot ethically be assumed. However, legal gateways, access to that data which makes it possible to uses for clearly defined secondary purposes by law, may make that data sharing legal.

That legal assumption, for the majority of people polls and dialogue show [though not for everyone 6b], comes  a degree of automatic support for bona fide research in the public interest. But it’s not a blanket for all secondary uses by any means, and it is this blanket assumption which has damaged trust.

So if data use in research assumes consent, and any panel is the proxy for personal decision making, the panel must consider the public voice and public interest in its decision making.

So what does the public want?

In those cases where there is no practicable alternative [to consent], there is still pressure to respect patient privacy and to meet reasonable expectations regarding use. The stated ambition of the CAG, for example, is to only advise disclosure in those circumstances where there is reason to think patients would agree it to be reasonable.

Whether active not implied consent does or does not become a requirement for research purposes without differentiation between kinds, the public already has different expectations and trust around different users.

The biggest challenge for championing the benefits of research in the public good, may be to avoid being lumped in with commercial marketing research for private profit.

The latter’s misuse of data is an underlying cause of the mistrust now around data sharing [6]. It’s been a high price to pay for public health research and others delayed since the Partridge audit.

Consent package deals mean that the public cannot choose how data are used in what kids of research and if not happy with one kind, may refuse permission for the other.

By denying any differentiation between direct, indirect, economic and social vale derived from data uses, the public may choose to deny all researchers access to their all personal data.

That may be costly to the public good, for public health and in broader research.

A public good which takes profit into account for private companies and the state, must not be at the expense of public feeling, reasonable expectations and ethical good practice.

A state which allows profit for private companies to harm the perception of  good practice by research in the public interest has lost its principles and priorities. And lost sight of the public interest.

Understanding if the public, the research community and government have differing views on what role economic value plays in the public good matters.

It matters when we discuss how we should best protect and approach it moving towards a changing EU legal framework.

“If the law relating to health research is to be better harmonised through the passing of a Regulation (rather than the existing Directive 95/46/EC), then we need a much better developed understanding of ‘the public interest’ than is currently offered by law.”  [M Taylor, “Information Governance as a Force for Good? Lessons to be Learnt from Care.data”, (2014) 11:1 SCRIPTed 1]

In the words of Dr Mark Taylor, “we need to do this better.”

How? I took a look at some of this in more detail:

Part two: The Economic Value of Data vs the Public Good? [2] Pay-for-privacy and Defining Purposes.

Part three: The Economic Value of Data vs the Public Good? [3] The value of public voice.

Update note: A version of these three posts was combined into an opinion piece – care.data: ‘The Value of Data versus the Public Interest?’ published on StatsLife on June 3rd 2015.

****

image via Tesco media

 

[1] care.data listening event questions: https://jenpersson.com/pathfinder/

[2] Private Eye – on Tesco / NHS England commercial meetings https://twitter.com/medConfidential/status/593819474807148546

[3] HSCIC audit and programme for change www.hscic.gov.uk/article/4780/HSCIC-learns-lessons-of-the-past-with-immediate-programme-for-change

[4] EU data protection discussion http://www.digitalhealth.net/news/EHI/9934/eu-ministers-back-data-privacy-changes

[5] Joint statement on EU Data Protection proposals http://www.wellcome.ac.uk/stellent/groups/corporatesite/@policy_communications/documents/web_document/WTP055584.pdf

[6] Ipsos MORI research with the Royal Statistical Society into the Trust deficit with lessons for policy makers https://www.ipsos-mori.com/researchpublications/researcharchive/3422/New-research-finds-data-trust-deficit-with-lessons-for-policymakers.aspx

[6b] The ‘Dialogue on Data’ Ipsos MORI research 2014 https://www.ipsos-mori.com/researchpublications/publications/1652/Dialogue-on-Data.aspx – commissioned by the Economic and Social Research Council (ESRC) and the Office for National Statistics (ONS) to conduct a public dialogue examining the public’s views on using linked administrative data for research purposes,

[7] AdExchanger Janaury 2015 http://adexchanger.com/data-driven-thinking/the-newest-asset-class-data/

[8] Tesco clubcard data sale https://jenpersson.com/public_data_in_private_hands/  / Computing 14.01.2015 – article by Sooraj Shah: http://www.computing.co.uk/ctg/feature/2390197/what-does-tescos-sale-of-dunnhumby-mean-for-its-data-strategy

[9] Direct Marketing 2013 http://www.dmnews.com/tesco-every-little-bit-of-customer-data-helps/article/317823/

[10] Personalisation in health data plans http://www.england.nhs.uk/iscg/wp-content/uploads/sites/4/2014/01/ISCG-Paper-Ref-ISCG-009-002-Adult-Social-Care-Informatics.pdf

[11] Tim Kelsey Keynote speech at Strata November 2013 https://www.youtube.com/watch?v=s8HCbXsC4z8

[12] Forbes: Illumina CEO on the US$20bn DNA market http://www.forbes.com/sites/luketimmerman/2015/04/29/qa-with-jay-flatley-ceo-of-illumina-the-genomics-company-pursuing-a-20b-market/

 

care.data – one of our business cases is missing

“The government takes the view that transparency is vital to healthy public services. It has created a new Statistics Commission to improve the quality of information collected (and to end arguments about “fiddling” figures).” [Tim Kelsey, New Statesman, 2001] [1]

In a time of continuing cuts to budgets across the public sector the members of the public have every right and good sense to question, how is public money spent and what is its justification.[#NHS2billion]

For the flagship data extraction care.data programme, it is therefore all the more surprising, that for the short and long term there is [2]:

a) no public proof of how much the programme is costing,
b) little around measurable tangible and intangible benefits,
c) or how the risks have been evaluated.

The Woolly Mammoth in the Room

The care.data programme has been running under its ‘toxic’ [3] brand in a similar form now, for two years.

When asked directly on costs at the Health Select Committee last month, the answer was, at best, woolly.

“Q655   Rosie Cooper: While I appreciate that, can you give us any rough figures? What would a CCG be contributing to this?

Tim Kelsey: I cannot answer that question, but we will very rapidly come back to you with the CCGs’ own estimates of the costs of the programme and how much of that cost is being met by the programme.” [Hansard January 2015][4]

The department appears very unwilling to make public and transparent its plans, risks and costs. I’ve been asking for them since October 2014, in a freedom of information request. [5]

They are still not open. Very much longer will look decidedly shady.

A few limited and heavily redacted parts were released [2] in poor quality .pdf files in Jan 2015, and don’t meet my request as there’s nothing from April-October 2014, and many missing files:

Transparent?

As I followed the minutes and materials released over the last 18 months this was a monstrous gap [7], so I have asked for it before.[8]

I had imagined there was reticence in making it public.
I had imagined, the numbers may be vague.
I hadn’t imagined it just didn’t exist at all.

For the programme whose watchword is transparency, this is more than a little surprising.  A plan had to be drafted to drive transparency, after the FOI was received [which I believe fails section 22 refusal criteria, as the decision to publish was made after the FOI]

– here’s the plan [9] – where are the outcomes?nessie

Is the claim that without care.data the NHS will fail, [10] no more than a myth?

 

Why does the business case and cost/risk analysis matter? What is the future of our data ownership?

 

Because history has a habit of repeating itself and there is a terrible track record in NHS IT which the public cannot afford [22] to allow to repeat, ever again.

The mentality that these unaccountable monster programmes are allowed to grow unchecked, must die out.

Of the NPfIT, Mr Bacon MP said: “This saga is one of the worst and most expensive contracting fiascos in the history of the public sector.”

Last autumn, a new case history [23] examined its rollout, including why local IT systems fail to deliver patient joined up digital records.

Yet, even today, as we hear that IT is critical to the digital delivery of NHS care and we must all be able to access our own health records, we read that tech funds are being cut.

Where is common sense and cohesion of their business planning?

These Big Data programmes do not stand alone, but interact with all sorts of other programmes, policies, and ideas on what will be done and what is possible in future for long term data purposes.

The public is not privvy to that to be able to scrutinise , criticise and positively contribute to plans. That seems short-sighted.

And what of previous data-based ventures? Take as a case study the Dr. Foster IC Joint Venture [NAO, February 2007] [24]

“The Information Centre spent £2.5 million on legal and consultancy advice in developing the joint venture, and setting up the Information Centre. The Information Centre contends that £855,000 of the money paid to KPMG was associated with costs for setting up the Information Centre which included business planning.

However, they could not provide an explicit breakdown of these costs […] We therefore calculate that the total cost to the taxpayer of a 50 per cent share is between £15.4 million and £16.3 million.”

“The Information Centre paid £12 million in cash for a 50 per cent share of the joint venture (see Figure 2 overleaf).

The UK plc made a sizeable investment here. The UK state invested UK taxes in this firm – so what’s the current business case for using data? How transparent are our current state assets and risks?

Being a shareholder in one half, it is fair to ask who are we now sharing the investment risk with or was this part sold soon after?[25] Was that investment a long-term one, or always meant to be so short term and are there any implications for the future of HSCIC?

In 2011 this report [26] another investment group, Bamboo holdings [related to other investor companies], wanted but did not succeed in selling its Dr. Foster stock at an acceptable price, said the portfolio introduction due in their words, to ‘poor performance’.  [Annual investor review from 2013 [p.5]

So what risks does the market see as a whole which are not made available to the public which affect how data is used and shared?

What of the other parts of Dr. Foster Research and so on, we, the state, went on to buy or sell later? It appears complex.

Is the commercial benefit to be made for private companies, seen as part of the big picture benefit to the UK plc or where does state investment and expectation for economic growth fit in?

What assessment has been made of the app market in the NHS and how patient data is expected in future to be held by the individual, released by personal choice to providers through phones?

Is a state infrastructure being built which in the surprisingly short term, may see few healthy people who store their data in it or will we see bias to exclude those with the money and technology to opt out who prefer to keep their health data in a handheld device?

What is the government plan for the future of the HSCIC and our data it manages? The provider Northgate was just bought by European private equity firm Cinven, which now manages a huge swathe of UK’s data [32] and HSCIC brought others in-house. [33]

“Its software and services are used by over 400 UK local authorities, all UK police forces, social housing providers in the UK and internationally, and NHS hospitals. Its IT projects support the sharing of information for criminal intelligence and investigations across UK police forces and the management of health screening records in the UK and in Ireland.”

All the easier to manage – or to manage to sell off?

Is the business plan future-proofed to survive the new age of health data management?

One of the problems with business cases for programmes which drag on and get swamped down in delays, is they become obsolete.

The one year mark has now passed in the announced care.data pause, announced on February 18th 2014.

The letter from Mr.Kelsey on April 14th 2014, said they would use the six months to listen and act on the view of patients, public, GPs and stakeholders.

Many of the open questions remain without any reply at all, never mind public answers to solutions to open issues.

The spine proposal by medConfidential [30] is one of the best and clearest proposals I have found with practical solutions to the failed opt out 9Nu4 for example.

Will these be addressed, or will NHS England answer the Data Guardian report and 27 questions [31] from December?

Is care.data arthritic or going quietly extinct? The last public information made available, is that it is rolling on in the background towards the pathfinders.

“By when will NHS England commit to respect the 700,000 objections to secondary data sharing already logged but not enacted?” [updated ref June 6th 2015]

How is the business plan kept up to date as the market moves on?

Is Big Data in the NHS too big to survive or has the programme learned to adapt and changed?

As Peter Mills asked a year ago, “Is the Government going to take this, as a live issue, into the next general election? Or will it (like the National Programme for IT) continue piecemeal, albeit without the toxic ‘care.data’ banner? “

The care.data programme board transparency agenda in Nov 2014 : “The care.data programme has yet to routinely publish agendas, minutes, highlight reports and finalised papers which arise from the care.data Programme Board.

“This may lead to external stakeholders and members of the public having a lack of confidence in the transparency of the programme.”

We all recognise the problem, but where’s the solution?

Where’s the cost, benefit and risk analysis?

Dear NHS England. One of your business cases is missing.
Why has the public not seen it?
Why are you making it hard to hunt down?
Why has transparency been gagged?

Like Dippy, the care.data business case belongs in the public domain, not hidden in a back room.

Like the NHS, the care.data full risk & planning files belong to us all.

Or is the truth that, like Nessie, despite wild claims, they may not actually exist?

***

more detail:

[1] New Statesman article, Tim Kelsey, 2001

[2]http://www.england.nhs.uk/ourwork/tsd/care-data/prog-board/ care.data programme board webpage

[3] http://www.infosecurity-magazine.com/news/nhs-caredata-pr-fiasco-continues/

[4] http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/health-committee/handling-of-nhs-patient-data/oral/17740.html

[5] https://www.whatdotheyknow.com/request/caredata_programme_board_minutes?nocache=incoming-621173#incoming-621173

[6] http://www.england.nhs.uk/wp-content/uploads/2015/02/cd-prog-brd-highlt-rep-15-12-14.pdf

[7] http://www.telegraph.co.uk/news/science/science-news/11377168/Natural-History-Museums-star-Dippy-the-dinosaur-to-retire.html

[8] https://jenpersson.com/care-data-postings-summary/

[9] http://www.england.nhs.uk/wp-content/uploads/2015/02/propsl-transpncy-pub-cd-papers.pdf

[10] http://www.computerweekly.com/news/2240215074/NHS-England-admits-failure-to-explain-benefits-of-caredata

[11] http://nuffieldbioethics.org/blog/2014/care-data-whats-in-a-dot-and-whats/

[12] http://www.theinformationdaily.com/2014/03/26/business-scents-boom-in-personal-information-economy

[13] http://www.hscic.gov.uk/article/3887/HSCIC-publishes-strategy-for-2013-2015

[14] https://jenpersson.com/flagship-care-data-2-commercial-practice/

[15] http://www.publications.parliament.uk/pa/ld201415/ldhansrd/text/141015-0001.htm

[16] http://www.publications.parliament.uk/pa/ld201415/ldhansrd/text/141015-0001.htm

[17] http://www.legislation.gov.uk/ukpga/2014/23/pdfs/ukpga_20140023_en.pdf

[18] https://jenpersson.com/hear-evil-evil-speak-evil/

[19] https://www.whatdotheyknow.com/request/nhs_patient_data_sharing_with_us

[20] http://www.hscic.gov.uk/hesdatadictionary

[21] http://www.bbc.co.uk/news/uk-politics-24130684

[22]  http://www.nao.org.uk/wp-content/uploads/2007/02/0607151.pdf

[23] http://www.cl.cam.ac.uk/~rja14/Papers/npfit-mpp-2014-case-history.pdf

[24] http://www.nao.org.uk/wp-content/uploads/2007/02/0607151.pdf

[25] http://www.healthpolicyinsight.com/?q=node/688

[26]http://www.albion-ventures.co.uk/ourfunds/pdf%20bamboo/Bamboo%20IOM%20signed%20interims%2030611.pdf

[27] http://www.v3.co.uk/v3-uk/news/2370877/nhs-needs-patients-digital-data-to-survive-warns-health-chief

[28 ]http://uk.emc.com/campaign/global/NHS-Healthcare-Report-2014/index.htm

[29 ] http://uk.emc.com/campaign/global/NHS-Healthcare-Report-2014/index.htm

[30] https://medconfidential.org/wp-content/uploads/2015/01/2015-01-29-A-short-proposal.pdf

[31] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/389219/IIGOP_care.data.pdf

[32] http://www.privateequitywire.co.uk/2014/12/23/215235/cinven-acquire-northgate-public-services

[33] http://www.ehi.co.uk/news/EHI/9886/hscic-starts-sus-and-care-id-transfer

 

Deregulation – the UK Bill and the Titanic TTIP

The Deregulation Bill will go to the Lords Committee stage on 6th November. [For ongoing progress, see here.]

Deregulation Bill

 [graphic added Nov 21st: This was the concluding statement by Lord Tunnicliffe on November 20th.]

I write this in follow up to a previous post of because it’s a big bill with one very important little clause, amongst much detail which needs careful review in the public interest:

What is it? Clause 83: Exercise of regulatory functions, economic growth:

(1) A person exercising a regulatory function to which this section applies must,  in the exercise of the function, have regard to the desirability of promoting  economic growth.

(2) In performing the duty under subsection (1), the person must, in particular,  consider the importance for the promotion of economic growth of exercising  the regulatory function in a way which ensures that—

(a) regulatory action is taken only when it is needed,

and

(b) any action taken is proportionate.

This section of the Deregulation Act which is currently passing through Parliament, suggests the removal of any regulation that conflicts with the interests of a profit-maker.

 

There are domestic and regulatory bodies for which we should carefully consider this implication.

The Deregulation Bill surely creates an ethical conflict or at least challenge, when in law it must consider commercial gain on a statutory footing above other factors?

The clause is openly worded, that regulatory action should be taken only when it is needed and that any action taken should be ‘proportionate’.

That suggests that regulatory interventions should be reduced. Who and how will it be decided when and what is proportionate?

The Bill provides that a person exercising a regulatory function specified by the Minister:

In detail, what does that mean? If it’s not important why include it at all? If it is important, why have we heard so little about it?

That Lord Tunnicliffe would make such a forceful statement should not be taken lightly: …”if our fears comes to pass, these three clauses could wreak havoc in a regulatory regime within this country.”

Which bodies will this affect?

Functions to which section 83 applies:

There is a long list of regulatory organisations at the end of this post.
Click on the organisation’s name below to read about each one.

The implications for them are unclear but should be examined for public bodies whose function today is not for profit.

For one area in particular, and close to my heart, we should understand its impact on  regulation of the NHS; Monitor and CQC, the MHRA and HFEA (Fertility and Embryology) and how about the Human Tissue Authority? A body whose purpose is to:

“manage the interests of the public and those we regulate at the centre of our work. It aims to maintain confidence by ensuring that human tissue is used safely and ethically, and with proper consent.” [Ref: HTA]

It is unclear how this profit aim will be helpful for these bodies in healthcare, especially considering some of the issues in state social care .

A different body where others share a concern about the impact of clause 83 is for the EHRC.

 

The Joint Committee Reported on Human Rights, June 14th 2014 has concerns about the impact of this, listed in this report:

The Government intends this economic growth duty to apply to the EHRC. We believe that applying this growth duty to the EHRC poses a significant risk to the EHRC’s independence, and therefore to its compliance with the Paris Principles and the Equal Treatment Directives as implemented by the Equality Act 2010. The Government is therefore risking the possibility of the EHRC’s accredited “A” status being downgraded and of putting the UK in breach of its obligations under EU equality law. Unless the continuing discussions between the Government and the Commission satisfy the Commission that the growth duty will not in any way impact upon its independence, we recommend that this duty not be applied to the EHRC.

[Nov 21st update: this clause was specifically debated >  see Column GC229 < and whilst verbal assurances were made, it appears nothing has changed in the Bill, and that the EHRC said in response:

“While we welcome this undertaking we understand that this doesn’t mean that we’ll be removed on the face of the Bill”.

So what value the assurances from  the Minister who will have left his post long before the Bill may be in effect?]

A large number of organisations play a part in securing compliance with the law. They include national regulators, local authorities, and bodies independent of Government, some of which have statutory regulatory functions.  The list below of the main national regulators is not exhaustive, but long. Clause 83 will have a very wide reach.

We should understand just how wide ranging this apparently small function in the Bill may turn out to be.

I believe this clause will serve to mop up the real or imagined economic leakage that the government seeks to collect from all these bodies. Resources that are as yet, untapped.

How will these regulatory bodies promote economic growth?

I wonder how, in the best public interest at all times, economic interest should come first in bodies responsible for oversight?

Will they be compelled to consider [further] cost cutting, selling assets, or charging for services?  Or how about entering into commercial partnerships?

Will the Drinking Water Inspectorate under DEFRA stay entirely independent?

What about the Gambling Commission – in its remit is ‘to protect children and vulnerable people from being harmed or exploited by gambling’?

How will the Office for Nuclear Regulation (ONR) hope to promote economic growth? Or the Forestry commission?

The consequences of such widespread promotion of deregulation and the requirement to actively promote profit seems ill-thought through and given little public attention.

Could it be that under austerity, and desperate to squeeze every drop of monetary gain from our state bodies, that this clause will open the gateway to increased fees, or the start of fees for some current non-charging access by the public to services?

Or will they be encouraged as schools were once, to sell off land and assets? Many of these bodies hold little land. The assets they both produce and hold, is data. It is clear from current practice and the direction of travel across government departments, that information is seen as a commodity and an untapped resource for sale. Perhaps this is an area each body will look at selling?

What about authorities which charge the public fees for services or could do so – the CAA for airspace regulation, the DVLA or the ICO? Will we see an increase in service charges – it is perhaps almost inevitable if the desirability  to promote economic growth is to be given statutory footing.

In addition to looking at what may actively promote commercial growth by direct sale or raising fees, rather than imaginary direct marketing concepts, in order to promote economic growth, will we simply find it more likely that indirect growth is encouraged through change in regulatory practices?

Most importantly perhaps, will we see regulations slackened which cost money to oversee?

Will the organisations which are to be regulated, permitted to do more which promotes commercial interest over other policies, or ethics?

I wonder if a future state aims to deregulate the market in almost every field of activity to enable profits for private commercial businesses, and if the intent is not desirable economic growth for the state directly, but indirectly?

If so, will the ideology that once deregulated, somehow private business interests will contribute more to the economy than they do today, be realised in practice? How has the deregulation of trains, postal services, water and utilities benefited the public interest over economic growth?

If the benefit is to be state economic growth,  whether through revenue direct or indirect, and whether or not it is achieved in the way it may be hoped, there will be other consequences.

Have we learned lessons from other areas in which oversight of regulation has been slackened in recent times, such as banking?

What happened since Banking was deregulated?

Anyone who can look back at the deregulation of the financial markets and say it was all, without any doubt a good thing, should say subprime mortgage deregulation and wash their mouth out.

“Regulation did not keep pace and became mismatched with the risks building in the economy. The Financial Crisis Inquiry Commission (FCIC) tasked with investigating the causes of the crisis reported in January 2011 that: “We had a 21st-century financial system with 19th-century safeguards.” [FCIC report]

“It found widespread failures in financial regulation; dramatic breakdowns in corporate governance; excessive borrowing and risk-taking by households and Wall Street; policy makers who were ill prepared for the crisis; and systemic breaches in accountability and ethics at all levels.” **[FCIC]

In summary,  has any cost risk benefit analysis has been done on the impact of what this widespread cross-market promotion of deregulation and the desirability of economic growth in a regulatory function will mean?

Why may this be seen as a desirable course of action?

Deregulation is tacking its way to its destination through the Lords in the UK. Whether it will reach it before the end of this parliamentary term is perhaps unclear.  But let’s not forget deregulation is the course on which we are set globally, at full steam ahead.

This UK Bill is simply a sponge on the deck of the Titanic of deregulation, the TTIP.

The purpose of the Transatlantic Trade and Investment Partnership is to remove the regulatory differences between the US and European nations. Its plan to cross the Atlantic at break neck speed has been somewhat slowed. But its purpose remains steadfast. There are effectively no tariff restrictions in place any more, so the barriers left to lift are those of regulatory intervention:

“The US and the European commission, both of which have been captured by the corporations they are supposed to regulate, are pressing for investor-state dispute resolution to be included in the agreement.” [The Guardian, Nov 4 2014]

This peer-reviewed  paper looks at the imagined trade and its consequences, “leaving the investment component of TTIP on the sidelines. Going forward, valuable insights could be drawn by further extending the analysis of TTIP’s financial effects.”

[Update Nov 13, letter today in the FT: quotes the same research paper and notes, “Even the most vocal proponents of free trade admit that there’s nothing irrational about opposing such big issues of public policy being traded off behind closed doors.” Nick Dearden, Director, World Development Movement]

Whilst much is made, with some confusion, around the potential for impact on the NHS, TTIP is indisputably very real for the rest of industry and wider market. And any deregulation as a whole touches many NHS bodies.

Despite wide professional and public criticism the TTIP discussions continue with little transparency. Deregulation appears to have become the UK government’s mantra for achieving economic growth, though in coalition not everyone may agree it is right.

In conclusion:

There should be detailed analysis and an impact assessment made for this Deregulation Bill clause 83 as it stands alone.

It must also be seen in conjunction with proposals for deregulation under TTIP,  and the impact analysed for the vast number of regulatory bodies and functions we have under the State wing, for the public good.

I sincerely hope our legislators in the Lords are taking this into account and not as a stand-alone Bill, but in the wider picture of current TTIP trade negotiations, and that the failures created in part through deregulation twenty years ago in banking, are not recycled now across the board.

Can society afford “dramatic breakdowns in governance, risk taking, learning by mistakes, or systemic breaches in accountability and ethics?” ** as we saw as a consequence in banking?

Oversight serves an important purpose.

It is often to ensure a balance between the needs of people, and search for profit. Whilst it is an accepted practice in our market economy, to seek to  make a profit,  oversight and regulation can ensure it’s not at the expense of the greater good.

Some of these public services that the regulatory bodies oversee in England will be harmed if they are not free to all at the point of their delivery. The independence of their ethical decision making will be challenged if it competes with promoting economic growth.

Who will help the public understand what this Deregulation Bill clause really will mean and complete proper and transparent public analysis of its impact for each regulatory authority?

I hope that those responsible for scrutiny of the Bill see value in maintaining first and foremost, independent oversight and ethics, in the Public Interest.

Or will the band continue to play as TTIP sails on? And will the Deregulation Bill pass as is, to promote the desirability of economic growth at all costs?

———

[Update November 21st:

Significant concerns raised in yesterday’s discussion by Lord Tunnicliffe and others on this Clause 83: The promotion of Economic Growth for Regulatory Bodies.

Social Care:
On a previous day of debate (Nov 18th) it appears regulation of Social Care staff is to be scrapped without proper consultation or scrutiny, in Clause 71.

Column GC116: “This is despite the fact that there was no clear support for removing regulation in the original consultation responses.

“The Government did not consult on this issue as part of the consultation in April 2014 on extending outsourcing in children’s social work. During the debate in Committee in the House of Commons on whether the clause should stand part of the Bill, the Deputy Leader of the Commons, Tom Brake MP, acknowledged that there had been no clear support for removing the registration requirement.”

“The Office of the Children’s Commissioner for England raised concerns and stated: “We consider all delegated social care services should be required to have formal registration with Ofsted in addition to an expectation that they will be held to account by rigorous and expert inspection, just as local authorities currently are”.

Scrutiny and Bill quality and clarity:
In particular concerns are raised in the Lords on lack of proper documentation and new legislation included which has not had scrutiny by the HoC or Scrutiny Committee.

Column GC142 “it is inefficient for Parliament to try to scrutinise line by line material which is obscure and possibly not very well expressed in terms of the material we are given and the notes.”
“One is that without a Keeling schedule relating to the particularities of the Bills being amended, it is almost impossible to work out what they are.”

Column GC144 “… that we are discussing now was not discussed in the Commons. It was not discussed by the Pre-Legislative Scrutiny Committee, as we have heard, and there has been no real opportunity to call those who drafted it to account. A blow for better government.”

Lord Tunnicliffe concluded on November 20th:

“We are all on the same side, but if our fears comes to pass, these three clauses could wreak havoc in a regulatory regime within this country that, generally speaking, is doing pretty well.” [Hansard]

My concerns seem founded, supported by many of these comments in recent debate in the Lords. I feel this Bill is a disaster lying in the future path of the Public Interest.  “Iceberg, right ahead!”

End Nov 21st update.]

Please feel free to comment below or find me on twitter @TheABB

*********

List of The National Regulators

Animal Health and Veterinary Laboratories Agency (AHVLA)

Animals in Science Regulation Unit

Architects Registration Board (ARB)

British Hallmarking Council (BHC)

Care Quality Commission (CQC)

Charity Commission for England and Wales

Civil Aviation Authority (CAA)

Claims Management Regulation Unit

Coal Authority

Companies House

Competition Commission

Professional Standards for Health and Social Care (PSA)

Disclosure and Barring Service (DBS)

Drinking Water Inspectorate (DWI)

Driver and Vehicle Licensing Agency (DVLA)

Driving Standards Agency (DSA)

Employment Agency Standards Inspectorate (EAS)

English Heritage (EH)

Environment Agency

Equality and Human Rights Commission

Financial Reporting Council (FRC)

Fish Health Inspectorate (FHI), Centre for Environment, Fisheries and Aquaculture Science (Cefas)

Food and environment research agency (plant and bee health) and (Plant Variety and Seeds)

Food Standards Agency (FSA)

Forestry Commission

Gambling Commission

Gangmasters Licensing Authority (GLA)

Health and Safety Executive (HSE)

Higher Education Funding Council for England (HEFCE)

Highways Agency (HA)

HM Revenue and Customs (Money Laundering Regulations and National Minimum Wage)

Homes & Communities Agency (HCA)

Human Fertilisation and Embryology Association (HFEA)

Human Tissue Authority (HTA)

Information Commissioner’s Office (ICO)

Insolvency Service including Insolvency Practitioner Unit

Intellectual Property Office (IPO)

Legal Services Board (LSB)

Marine Management Organisaton (MMO)

Maritime and Coastguard Agency (MCA)

Medicines and Healthcare Products Regulatory Agency (MHRA)

Monitor

National Measurement Office (NMO)

Natural England

Office of Communications

Office for Fair Access (OFFA)

Office for Nuclear Regulation (ONR)

Office for Standards in Education, Children’s Services and Skills (OFSTED)

Office of Fair Trading

OFQUAL

Office of Rail Regulation (ORR)

Office of the Regulator of Community Interest Companies

OFGEM

Pensions Regulator

Rural Payments Agency (RPA)

Security Industry Authority (SIA)

Senior Traffic Commissioner

Sports Grounds Safety Authority (SGSA)

Trinity House Lighthouse Service (THLS)

UK Anti-Doping (UKAD)

Vehicle and Operator Services Agency (VOSA)

Vehicle Certification Agency (VCA)

Veterinary Medicines Directorate (VMD)

Water Services Regulation Authority (OFWAT)

care.data should be like playing Chopin – or will it be all the right notes, but in the wrong order? [Part two]

How our data sharing performance will be judged, matters not just today, or in this electoral term but for posterity. The current work-in-progress is not a dress rehearsal for a care.data quick talent show, but the preparations for lifetime performance and at world standard.

How have we arrived where we are now, at a Grand Pause in the care.data performance? I looked at the past, reviewed through the Partridge Review meeting in [part one here] the first half of this post from attending the HSCIC ‘Driving Positive Change’ meeting on July 21st. (official minutes are online via HSCIC >>  here.)

Looking forward, how do we want our data sharing to be? I believe we must not lose sight of classical values in the rush to be centre stage in the Brave New World of medical technology. [updated link  August 3rd]* Our medical datasharing must be above and beyond the best model standards to be acceptable technically, legally and ethically, worldwide. Exercised with discipline, training and precision, care.data should be of the musical equivalent of Chopin.

Not only does HSCIC have a pivotal role to play in the symphony that the Government wishes research to play in the ‘health & wealth’ future of our economy, but they are currently alone on the world stage. Nowhere in the world has a comparable health data set over such length of time, as we do, and none has ever brought in all it’s primary care records into a central repository to merge and link, as is planned with care.data. Sir Kingsley Manning said in the current July/August Pharma Times article, data sharing now has to manage its reputation, just like Big Pharma.

reputation
Pharma Times – July/Aug 2014 http://www.pharmatimes.com/DigitalOnlineArea/digitaleditionlogin.aspx

Countries around the world, will be watching HSCIC, the companies and organisations involved in the management and in the use of our data.  They will be assessing the involvement and reaction of England’s population, to HSCIC’s performance. This performance will help shape what is acceptable, works well and failings will be learned from, by other countries, who will want to do the same in future.

Can we rise to the Challenge to be a world leader in Data Sharing?

If the UK Government wants England to be the world leader in research, we need, not only to be exemplary in how we govern the holding, management and release of data, but also exemplary in our ethics model and expectations of each other in the data sharing process.

How can we expect China [1] with whom the British Government recently agreed £14 billion in trade deals, [2] India, the country to which our GP support services are potentially poised to be outsourced through Steria [3] or any other organi Continue reading care.data should be like playing Chopin – or will it be all the right notes, but in the wrong order? [Part two]

care.data communications and core concepts [Part one]

“My concerns about care.data are heightened, not allayed by the NHS England apparently relentless roll-out and focus on communications. Whilst they say it will take as long as it needs, there is doublespeak talk of Oct-Nov. pilots. It is still all about finding the right communications, not fixing flaws in core concepts.”

Today at the Health Select Committee Mr. Tim Kelsey, on behalf of NHS England, said that care.data pilots will be in October/ November and in the meantime they are listening to the “constructive challenge to NHS England how to build trust in the [care.data] programme.”

Here’s my real experience of that listening, why it may not help and what still needs done. (And in under 4 months if in time to be of any use for the pathfinder pilots, which are only of use to the whole if done properly. )

[Part one]  care.data communications and core concepts – Ten takeaways from the Open House event.

The NHS England led Open House Day [1] on June 17th was a listening opportunity according to the draft agenda for:

“patients and the public to influence the work of NHS England at national and regional level.”

Here are some of the things I learned:

1. Public Awareness

Mr.Kelsey asked the room (he was in London, other locations took part by live link) how many have:

a) heard of care (dot) data and

b) how many think they understand what it is is?

We couldn’t see his room, but he said ‘about half’ understood it. Our room’s show of hands was similar.

My reaction: One would expect everyone attending to have heard of it, the event after all was billed as in part about care.data. The level of understanding should be higher than the average in the public, since many (in Basingstoke at least) were NHS England or more involved than the average citizen.

Feedback overall was consistent with the latest MORI Ipsos poll [2] commissioned by the Joseph Rowntree Reform Trust in which the minority know it well and over 50% say they have never heard of it. That’ s a long way to go to reach people, inform them adequately to meet legal Data Protection minimums and let them enact their patient choice.

ipsosmori_q4know

2. Communications Message & Scope

A consistent, frequent communications message is that ” there are FAQs and materials, we have the answers, we just need to communicate them better.”

My response: communication is failing because the core scope of what care.data is, is fluid. Without something concrete and limited, it cannot be explained neatly. As one NHS England communications member of staff said to me this week, ‘we haven’t got an elevator pitch.’  So it’s not about the materials or the methods, it’s the substance that is flawed. When you’re talking about extracting, storing, sharing and selling some of our most intimate information, a vague notion of pooled experience is not good enough to trust. People want to know exactly what information, is being shared for what purpose, with whom, where. And how long will they keep it for?  NHS England simply do not have the answers to that, so, that elevator pitch? It’s never going to get off the ground in a meaningful way. And anything less than the answers to those questions, doesn’t meet the Fair Processing requirement of Data Protection Law.

Today at the Health Select Committee Mr.Kelsey was asked, will patients be able to trace in future where their data went? There was a rare and stunning silence. And after a benefits statement, there was still no answer given to the question. [update: Hansard now available, Q525/526]

Scope cannot be fluid and changing – the use of our personal information that we sign up to today, must stay what we agreed to tomorrow.

Data Protection requires that the minimum data is extracted so this ever increasing scope creep, but only *one* chance at opt out are at odds with each other.  What plans are in place to meet Data Protection fair processing EVERY time new things should be added and more data could be extracted? It’s a legal necessity. An ongoing change communications process MUST be in place.

3. Timing

Mr. Kelsey said, on rollout timing that NHS England would take it  ‘as slowly as we need to.’

My response: This reiterates the ‘no artificial deadlines’ but appears to be doublethink in contrast with the statement confirming  ‘autumn 2014’ extraction for Pathfinder (pilot) 100-500 practices. How will the pathfinder (pilot) locations be ready to test a communications process which as yet does not exist? How will it pilot a consent process for young people, the vulnerable, those with complex health system needs, the at risk, those outside ‘the system’ with GP records? A process which by its nature must be applied to any opt in or opt out choice, if others make a decision on their behalf yet from the meetings’ discussion, whose informed consent appears not even begun to be considered?  Or how will solutions to past Data protection Law failings be found from thin air, when data has been breached in the past, continues to be shared in the present and there is no solution to resolving those failings for the future?

4. Language simplification

There is a tendency to oversimplify the language of the Care Act, into ‘care.data will not be used for any purpose other than ‘health benefit’ – whereas benefit is not mentioned in the wording:

Care Act 2014My response: Is to question why this is? Does benefit sound better than promotion perhaps? Again, words should be used accurately.

5. Users simplification of the Care.Act wording

The actual wording is ‘the promotion of health’.

NHS England are similarly very keen to point out explicitly that care.data  cannot possibly be used for insurance or marketing purposes, such as junk mail.

My response:  Yet again, the wording of the Care Act does not state this explicitly. In fact, it leaves pharmaceutical marketing for example, quite open, ‘for the promotion of health’. And there is no legal barrier in the Care Act per se, for firms which receive data for one purpose, such as BUPA the hospital provider in London, using it for another, such as BUPA as refining premiums. BUPA Health Dialog received individual level patient data in the past. How do those patients know what it was then used for or shared with? Perhaps Data Sharing Agreements can specify this, but the Care Act, does not.

Claims to rule out “solely commercial” can’t be backed up by the wording of the Act. Will “the promotion of health” still permit uses such as marketing by pharmacies or ‘healthy eating’ campaigns from big food chains?  There is no obvious definition – and leaves wide interpretation open.

When Sir Manning spoke at the Health Select Committee he (rightly) said HSCIC can only restrict and determine what they do ‘within the law’. The law needs to be tight if the purposes are to be tight. Loose law, loose uses.

6. Use by Data Intermediaries to continue

care.data will continue to be on offer to third party Data Intermediaries it was confirmed in the panel Q&A.

My response: some third party intermediaries in part perform outsourced data services for the NHS. But do they also use the data within their own business to inform their business intelligence markets? They sell knowledge gleaned from raw data onwards,  or have commercial re-use licenses for raw data over which we in the public have no visibility or transparency.  We cannot see within these businesses how they build their own ‘Chinese walls’, self-imposed restrictions to ensure security between different parts of the same umbrella organisation. Allowing third parties to re-sell data means control over its use, owners and management is lost forever. Not secure, transparent or trustworthy. I explore their uses with commercial brokers more here in a previous post. [3] Considering I was told that my personal confidential data will not be shared with third parties, in a letter signed by the Secretary of State for Health, I am most unhappy about this. I will find it hard to trust new statements of best intent, without legislation to govern them.

7. Data Lab – restricting user access

Mr. Kelsey indicated that going forward the default access to our health data will be on the premises of HSCIC, the so called “Fume cupboard” or “Data Lab.” However he noted, this would not be for all, but be the ‘default’.

”The default will be access it on the premises of the IC. That won’t be universal for all organisations….”

My questions: Whilst a big improvement from giving away chunks of raw data via CD or to remote users, these processes need documented and publicly communicated for us to trust they will work. When will it be built and operational? How will we know who all the end users are if the same rules do not apply to all? How will those exceptions be granted? Documented? Audited? Will raw data extraction still be permitted? It’s the exceptions which cause issues and in future, the processes and how they are seen to be governed must be whiter than white. For those with direct access, users of the HDIS or HES, will a transparent list of users be published? At least for now, they do not show up on extraction audits so the public cannot see what those users access or why. So, a good step, but can’t stand alone.

Until this secure data lab is physically built, any data extracted cannot go into it. That won’t happen by October/November I should think. So will NHS England be prepared to extract data anyway, into a setting they *know* is LESS secure and a NOT yet a safe setting?

8. Governance

We were informed, an Independent Information Governance Oversight Panel (IIGOP), chaired by Dame Fiona Caldicott, has agreed to advise the care.data Programme Board to evaluate the first phase pathfinder (pilot) stage.

My feedback: I find this interesting not least because the Information Governance Review [4] under her direction in March 2013 decided that commissioning purposes were insufficient reason to extract identifiable data. Personal confidential data should only be disclosed with consent or under statute and “while the public interest can also provide a legal basis for disclosure it should not be relied upon for routine data flows. [footnote, p.63]”

What value is Independent Governance if it has no legislative teeth and can only advise? At the Health Select Committee today, he said she would be able to offer a view, and a number of parties will be able to express views & be ‘in agreement’. But I wonder who owns the ultimate final go/ no-go decision whether the pilot should progress to full roll-out?

9. Anonymous Sounds Safer

Feedback on the handout: The care.data notes need not only to be accurate but transparently truthful.

In my opinion, words are again misused words to indicate that data is anonymous. 1706204_datauses Whilst the intention of the merged CES output (GP records combined with HES files) may be that some users will see only pseudonymous data, the extracted and stored data is identifiable unless opted out. Name is held in the Personal Demographics Service. [5] This is one of the key communications messages I have taken up with HSCIC, NHS England, raised to the DH through my MP. To reassure the public by saying name is not stored, is deliberately deceptive unless it states simultaneously that it may already be held in the PDS and/or linked on demand.[6]

1706datauses

The Partridge Review [7] has dispensed with the notion that data is anonymous once and for all. Now it must be managed accordingly as identifiable data within Data Protection law and communications must stop misusing the anonymous concept to reassure the public.

“It’s a beautiful thing, the destruction of words.”                                 ( George Orwell, 1984)

10. My own experience of engagement

The most interesting part of the day for me personally however, were the discussions which were unstructured and when we were free to talk amongst ourselves. Unfortunately, that was very little. The structure (at least in Basingstoke and appeared similar on screens elsewhere) was based around tables of about 10 which included at least two NHS England staff at each.

At the end of the morning session, before lunch, as the other participants had left the table, a Communications person and I got into conversation on the differences between care.data, the Summary care Record (SCR) and where Patient Online was to fit in our understanding of which data was used for which purpose.

We discussed that since care.data is only monthly retrospective extracts, not for real-time record access, it would not be a suitable basis for Patient Online access – care.data is for secondary uses. So, we moved onto the challenges of SCR access at local level and how it will be possible to offer everyone Patient online when so many have opted out of the Summary Care Record. We began to talk stats of SCR availability and actual use in hospitals.[8]

Sadly, the table facilitator appeared to decide at that point, that our discussion needed guidance and rushed to fetch a senior member of staff from Strategic systems. And rather than engaging me in what had been a very positive, pleasant two-way conversation, with the Comms person asking me questions and our exchange of views, the Strategic Head took over the conversation with her NHSE team member, effectively restricting further discussion, even with her body positioning and language. Being informed is OK, as long as its the ‘right’ information?

I don’t think that’s what patient engagement is about. The subject needs real, hard discussion, not just managed exchange using pre-designed template cards of topics that we are told we ‘should’ discuss. Perhaps ignorance is strength, but in my opinion, keeping Communications staff informed only ‘on message’ and not of the wider facts and concerns is shortsighted and does them, and patients, a disservice, but then again:

“If you want to keep a secret, you must also hide it from yourself.” (George Orwell, 1984)

For [Part two] care.data communications and core concepts – Questions, Communications and Actions : link here >>

*****

[1] The NHS England Open House recording June 17th http://www.nhsengland-openhouse.public-i.tv/core/portal/NHSopenhouse

[2] IPSOS Mori poll conducted for the Joseph Rowntree Foundation: http://www.ipsos-mori.com/Assets/Docs/Polls/jrrt-privacy-topline-nhs-2014.pdf

[3] My post on uses of our records with commercial Data Brokers – https://jenpersson.com/flagship-care-data-2-commercial-practice/

[4] The Information Governance Review ‘Caldicott 2‘ https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/192572/2900774_InfoGovernance_accv2.pdf

[5] The Personal demographics Service at HSCIC (including name) http://systems.hscic.gov.uk/demographics/pds/contents

[6] The Data Linkage Service at HSCIC http://www.hscic.gov.uk/dles

[7] The Partridge review: http://www.hscic.gov.uk/datareview

[8] Summary Care Record use statistics https://www.whatdotheyknow.com/request/scr_care_settings_with_viewing_c#incoming-446569

***

Fun fact: George Orwell’s Nineteen Eighty-Four is currently number 5 in the UK Classics Fiction Amazon ranking. And 86th in fiction overall. Sales up over 5,000% in the US since the Snowden revelations, a year ago.

MORE BACKGROUND ON THE EVENT:

Within the other programmes of Patient Online and Patient Participation, care.data was a one hour session. It included the blue plasticine people short animation, a speech by Mr.Kelsey, a 15 minute table discussion on one pre-given theme from a range of four, reading aloud the summary of that discussion from each table within the room, one question per venue raised outside the room to the panel via video link in London, and their answers. Our discussion topics were brief, controlled and relatively superficial. It could have been a productive day’s workshop on only that.

The Open House  took place simultaneously in four venues across England, Basingstoke, Leicester, York and London, connected through a live videolink at a number of points throughout the day. The recording in part, can be viewed here.

I attended the Basingstoke event, particularly keen to learn about national programmes such as care.data and hear about any updated plans for its rollout, to learn about patient online, and to meet the NHS England team in the South as well as other interested people like me. I hoped for some real public discussion and to hear others get their questions aired, shared and on the table for resolution.

I met one other ‘only’ patient and whilst I was kindly told by a further active PPG organiser, that I should never refer to myself as ‘only’ a patient, but you know what I mean. I’ve applied as a lay rep on our local CCG for an opening next year, until then, I’m learning as much as I can from others. Other attendees I met were those already more closely involved with NHS England in some way already. As NHS England staff, facilitators, representatives from Clinical Commissioning Groups, Patient Leaders and PPG leaders.

Hear no evil, see no evil, speak no evil – the impact of the Partridge Review on care.data

3wisemonkeysThe Partridge Review came out on Tuesday 17th and everyone should read it. But not just the summary. Both the full version and [1] summary are here.

So what is positive about these massive revelations? At long last it appears that the hands have come off the ears and the real issues are being listened to.

My summary: “NHS England cannot now put a hand over its eyes & hope care.data issues are only about communications.”

I feel somewhat relieved that the issues many have been concerned about for the last ten months, have now been officially recognised.

Amongst them,  it has confirmed the utter lack of clear, publicly transparent and some quite basic, governance procedures.

It’s no surprise then, that our medical records, on at least two occasions in this sample 10% review of the releases, have gone to undocumented destinations. (Let’s ignore the fact of the other 90%!? of which we have no visibility yet).

At least eight insurers or re-insurers were in this 10% sample, so how many times did such companies get it, in the other 90% which has not been reviewed and we haven’t heard about?

How will ‘promotion of health’ purposes exclude them in future? In my opinion, it won’t.

Why would an insurance company be excluded if it requests data in order to provide health care coverage?

This is the wording of the Act, not ‘for the benefits of the NHS’ or any other more ‘friendly’ patient facing framing.

Care Act 2014At the NHS Open Day on Tuesday, the same day as the release, a panel spokesperson stated that commercial information intermediaries [2]  will continue to be approved recipients. Gah – why this is such a bad idea, I wrote about here. [3]

The Partridge review said there had been no complaints.  [4] MedConfidential pointed out an example of those of which they know. Kingsley Manning told the Health Select Committee [5] on 8th April, there had been seventeen opt outs of Hospital Episode Statistics, ever.  Fourteen in 2013 and three prior to 2013.

“Q377Chair: There is not an opt-out rate for care.data yet, presumably.

Kingsley Manning: No, not on that, but in terms of the number of people who have acted to opt out, it is 3 opt-outs up until April 2013 and a further 14 opt outs since 1 April 2013.”

Would I be wrong to suspect each was accompanied by a  complaint? You don’t usually opt out of something you are happy with.

The reason for these low numbers of both complaints and opt out in the wider public? WE DID NOT KNOW. The public didn’t know we had anything to be unhappy about. Many still do not.

As soon as I fully understood the commercial selling of my family’s patient records, this below is the query for advice / complaint I made in January to ICO, before the launch was postponed.

I wanted some guidance from an outside body, because I was being told the law permitted this extraction, so what good would a further complaint to HSCIC do? I had already written to my MP and had a response from the Secretary of State / Department of Health (which tried to tell me patient identifiable data was not shared with third parties), as well as feedback to my concerns raised by email with HSCIC, all of which only tried to reassure me. I had no one to otherwise raise concerns with. The ICO advisor I spoke to told me at that time, that they had had many similar complaints.

I’ll be blunt and say now, especially since the Open Day [more on that later, especially on the content of care.data FAQs we received], I think it’s fair to say I am far better informed about care.data than most in the public. When Mr. Kelsey asked for a show of hands, how many had heard of care.data, all put their hands up. Bearing in mind the rooms were full of highly involved people, NHS England staff, CCG and PPG leaders, and few ‘ordinary patients’ like me, and the agenda contained a section on care.data, it’s unsurprising we had heard of it. When Mr.Kelsey asked, “how many of you understand what it is?” the response was around 50%. I’d dispute also, that all of those 50% truly do.

Some of the comms material we were given is factually incorrect, for example, around research. Currently, GP held data planned for care.data extraction and its merger with HES, into Care Episode Statistics (CES), is approved for commissioning purposes but not for research by the GPES group. It’s not approved for research purposes, so its no good telling us how good it is to have it for the benefit of research. What has already been released for research, and continues to be so, is what was already extracted in the past, with or without consent, and informing patients.

Records will not be deleted which raises all sorts of historical reporting concerns if mistakes are identified in retrosepct.

I have spoken with several NHSE Communications people who genuinely asked me, or left me asking the question for them in my own mind, “If I don’t understand it, then how is the public expected to?”

The concerns I had now almost five months ago, seem vindicated by the report. The actions taken since, the loose wording of the Care Act 2014, and little evidence of intention to make any change which is binding i.e. the opt out is only granted at the whim of the Secretary of State, it’s not statutory and that there is no independent governance to be put in place , have done nothing to bolster my confidence these gaps have been filled.

Simon Denegri, Chair of INVOLVE – the UK’s national advisory group on public involvement – and NIHR National Director for Public Participation and Engagement in Research, wrote a response on his blog [6]. I agree with the spirit of his post, and positivity, [he also writes excellent haiku] but where I disagree I outline below. There is room for positive hope for care.data, but first, let’s properly address the past.

“I am sure that many better informed people than I will pore over the detail. Others will use it to strengthen their case that we should put a stop to any manner of data sharing.”

Perhaps most key, I disagree with his fears the report could be used by ‘others.’ I don’t know anyone who wants to see a stop to ‘any manner’ of data sharing, including me. It’s the *how* and *why*  and *with whom*  that still needs work. Some of us may not want it without active consent, but that is part of the how, not if.  It’s not *any* manner that I object to, it’s *this* manner specifically.

I have read the Review in detail and whilst there is much positive in attitude in the Review, the reality of what difference this will make with any real bite, is hard to find.

For example, “The HSCIC will plan a new ‘data laboratory’ service which will protect the public’s information by allowing access to it in a safe environment with HSCIC managed networks and facilities.”  But this is with caveats, as it’s the “default,” Tim Kelsey said on Tuesday to the NHSE Open House. It does not mean *all* and if global third party intermediaries and business intelligence companies are still to receive data, then I can’t imagine the  global likes of IMS Health, or Experian, or Harvey Walsh will send someone along to Leeds every time they want to extract data. Who will  be given special permissions and how will they be decided and recorded, how will it be documented what data they access, if they get a free pass?

Unknown others have direct access to the HES system now through HDIS. Public Health should rightly use our health data, but a  transparent list of all approved organisations here too, would be a positive step.

Simon’s post continues,

“As you would expect from a previous Chair of INVOLVE, Nick Partridge, has secured fundamental changes in the governance of HSCIC and data releases going forward.  These include patients and the public sitting on the main committees reviewing data releases, open publication of data releases and a programme of ‘active communication’ with the public”.

Patients and public on the DAAG committee. If they are informed about data governance law and good practices, yes, if it’s just ‘representative’, not so useful. But DAAG is HSCIC staffed, and HSCIC has a legal and policy remit from the Department of Health and in its roadmap to distribute data, and will create ‘a vibrant market of data intermediaries’, as it would be wrong to exclude private companies simply on ideological grounds.  So the concept of ‘independent’ is flawed. Where are the teeth needed to reject an application, if it’s in the interest of the reviewing body, to accept it?

“It’s my view that the Partridge review, its recommendations, and the swift response from the Health and Social Care Information Centre (HSCIC), offers us the opportunity of a fresh start with the public on this issue.” [S.D.]

This could be used as an opportunity to brush the past aside and say time for a fresh start, but it can only be so if there is confidence of change.

NHS England cannot now put a hand over its eyes and hope the issues go away or that it’s only about communications.

The past needs fisking, issue by issue, to avoid they happen again. And the real risks need addressed, not glossed over. Why?

Because let’s assume the public all thinks it’s fine, and none of us opt out. Then through these still flawed process holes, a huge data leak. The public loses trust all over again, and the opportunity for the care.data benefits is lost forever.

Get it right now, and you build a trustworthy and seaworthy future, for the future public good.

There are other more detailed questions I would raise, [I previously worked in functional database design amongst other things] and I will believe these recommendations will have an effect, if and when I see the words become actions. The Review by PwC and Sir Nick Partridge is a positive listening and speaking exercise, but the plans must become reality with actions, some under legislation, in my view.

And perhaps the simplest, unspoken point seems to being deliberately ignored as if just not seen, unmentioned, except by data protection gurus [7]. There is legal obligation to provide information to citizens before their data is released, in a transparent way, to whom and for what purpose. What happened to Fair Processing? [8] Past and present?

Sir Kingsley Manning, Chair of HSCIC, asked in the Guardian on 22nd January [9] that we have ‘intelligent, grown up debate’ about data sharing. Well my hand is certainly off my mouth. I wrote a feature in my local paper and I’m still speaking to anyone I can to promote fact-based informed decision making.  But wider Public Debate is still sorely lacking [BBC Question Time anyone?] Through it, I’d like to encourage wider knowledge of the why, who and what of secondary purposes of data sharing and to ensure we can get it done transparently and safely.

Why?

To ensure we, as patients, continue to trust telling our GPs and hospital consultants all the information that we need to, and have no fear it will be held against us by an insurer or others.

We need to trust we will not be penalised whether through disclosure, by stigma and exclusion from policy or care; or whether by opting out, we could be penalised for not participating and not get ‘advantages’ offered to others, just like store loyalty cards.

We may think the insurance debate is irrelevant, if like me, we are not ‘self-payers’ or don’t use a private insurer. With a £30bn gap in planned budget and needed spend over the next five years, someone is still going to be paying for our healthcare.

If it’s not the State, then who? The risk more of us will pay for our own care in future is real. If not for us, for our kids, and their privacy will be a whole different ball game if genomics gets involved.

Meanwhile, we are told for care.data identifiable personal data is crucial for patient safety tracking. In my opinion, patient safety will be harmed if confidence in confidentiality fails. The relationship between clinician and patient will be harmed. And no number of Dr. Foster Intelligence reports by tracking quality or safety, will be able to fix those failures which it has helped create.

Perhaps most tellingly, NHS England is still to make a statement on the Review. There is no news yet here.

It still seems to me the NHS England leadership and its data sharing policy carried out through IC past and present, wants to continue without grown up debate under the PR motto ‘it’s all going jolly well’, and to act with the attitude of a teenager, who with a shrug of the shoulders will tell you:

‘It’s easier to ask for forgiveness than permission.’

***********

January 25th, 2014 – my ICO complaint / guidance request

{abbreviated only to show  issues I feel still need addressed}

Dear ICO
I would like to ask for your urgent advice.

I am a mother of X children under 12. […] Our confidential patient data is being extracted via care.data to the HSCIC. Until my recent research to understand what this was all about, I did not know that HSCIC stored all our patient confidential health data from all sorts of health providers: Hospitals, Mental Health, National Child Measurement Programme, [10] Immunisations and Health visitors.

I have not knowingly given my permission for our data to be stored or transmitted to or from HSCIC in any format in the past. If by signing a consent form for treatment I also signed consent for sharing with this central body, it was without my knowledge and therefore without informed consent.

I have significant concerns over its use, now that I understand how widely our patient data may be used and now even shared abroad. [11] […]

There is no public information on :

1. How long our data will be stored for  – data retention and data deletion and cross border governance
2. There is no opportunity for health record deletion of anything which was simply a mistake i.e.: recorded on the wrong record, or a misinformed opinion on lifestyle entered by the GP, not fact
3. How will future governance be assured that it will not be slackened to allow less strict pseudonymisation, and identifiable releases; for example to US firms who establish themselves in the NHS England healthcare market?

I do not believe that the legal rights created through the Health and Social Care Act are sufficient justification to overrule the Common Law of Confidentiality, and the Data Protection Act 1998. [And the data shared before 2012 was not covered by the Act which did not exist and was not retrospective.] Even if the dissent codes are applied, patient data has been or will be extracted to the HSCIC (without my permission) and it will contain identifiable items such as clinician name, practice and CCG locations, and referral dates which may be used as identifiers to connect with HES data stored at HSCIC – since HSCIC also holds data in the Personal Demographics Service [PDS], [12] I believe they may also link the data [13] then to my personal demographic identifiers. Just an undefined or internal  governance procedure to suggest that they would not, when it is technically possible, is not sufficient oversight. […]

I do not consent for the use of our [hospital HES or other] data in health research – because it has not been explained to me, what that term means and the implications of this assumed consent.

I cannot know what the other future uses will be for our health information stored today. I do not feel that I can apply any fair processing to their health records due to the lack of publicly available information and scope of the full uses of their data today and in future. […]

Sincerely,
Jen Persson
XXXXXXX

———————————

[1] The Partridge Review Summary and Full report http://www.hscic.gov.uk/datareview

[2] On selling data to Intermediaries and the governance which permits it  https://medconfidential.org/category/press-releases/

[3] Commercial users of NHS patient data – third party use – my blog https://jenpersson.com/flagship-care-data-2-commercial-practice/

[4] Complaints and why confidence needs restored https://medconfidential.org/2014/press-release-partridge-review-patients-need-proof-to-restore-confidence/

[5] Health Select Committee 8th April 2014 http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/health-committee/handling-of-nhs-patient-data/oral/8416.html

[6] Simon Denegri’s blog response to the Partridge Review http://simondenegri.com/2014/06/17/partridge-reviews-elegant-demolition-of-past-practice-on-personal-data-offers-opportunity-for-fresh-start-with-the-public/

[7] Information Rights and Wrongs – Jon Baines’ blog http://informationrightsandwrongs.com/2014/06/18/the-partridge-review-reveals-apparently-huge-data-protection-breaches/

[8] ICO Processing Data Fairly and Lawfully http://ico.org.uk/for_organisations/data_protection/the_guide/principle_1

[9] The Guardian, January 22nd 2014 ‘Lack of Debate on the Sale of Patient Information‘ http://www.theguardian.com/society/2014/jan/22/debate-sale-patient-information?CMP=twt_gu

[10] National Child Measurement Programme data managed by HSCIC http://www.hscic.gov.uk/ncmp

[11] Data use in the USA Memorandum between DH, HSCIC and the US  Dept of Health and Human Services to include exploring secondary stores http://www.healthit.gov/sites/default/files/hhsnhs_mou_final_jan_21.pdf

[12] Personal Demographics Service http://systems.hscic.gov.uk/demographics/pds/contents data already stored at HSCIC

[13] Data Linkage Service at HSCIC to manage the requests for data which is stored in different silos and brought together on request http://www.hscic.gov.uk/dles

Image courtesy of an interesting post on the history of the featured monkeys: http://frontiersofzoology.blogspot.co.uk/2013/04/why-are-three-wise-monkeys-usually-apes.html

Flagship care.data – [2] Commercial use with the Brokers

“If our health records should sail off in the flagship care.data programme, on the sea of commercial Big Data, are we confident that there is consent, fair processing, transparency, accountability, security and good governance? We must know that these basic mainstays are in place, to give it our support.”

“He that filches from me my good name, robs me of that which not enriches him, and makes me poor indeed.”                     William Shakespeare, Othello

I read this Shakespeare quote last week, not in the original but in the statement Data Brokers: A Call for Transparency and Accountability by US Commissioner of the Federal Trade Commission Julie Brill, May 27 2014. [1] . Since then I have tried to piece together a lay consumer understanding, of how this commercial data market works and how our health records fit in. Experts in data markets and many others will undoubtedly see how naïve it is. But by sharing my ordinary understanding as a mother who is thinking about the impacts of my shopping habits and upcoming care.data decision will have on my children’s future, perhaps I can highlight how trusting we are, and why those governing our data need to ensure the processes around our data are worthy of that trust.

The Commissioner begins:

“Data brokers gather massive amounts of data, from online and offline sources, and combine them into profiles about each of us. Data brokers examine each piece of information they hold about us – where we live, where we work and how much we earn, our race, our daily activities (both off line and online), our interests, our health conditions and our overall financial status – to create a narrative about our past, present and even our future lives. Perhaps we are described as “Financially Challenged” or instead as “Bible Lifestyle.”

Perhaps we are also placed in a category of “Diabetes Interest” or “Smoker in Household.” Data brokers’ clients use these profiles to send us advertisements we might be interested in, an activity that can benefit both the advertiser and the consumer. But these profiles can also be used to determine whether and on what terms companies should do business with us as individual consumers, and could result in our being treated differently based on characteristics such as our race, income, or sexual orientation. If data broker profiles are based on inaccurate information or inappropriate classifications, or used for inappropriate purposes, the profiles have the ability to not only rob us of our good name, but also to lead to lost economic opportunities, higher costs, and other significant harm.”
In other words, organisations, which we may not know store our personal, sensitive or confidential data, use it to classify, segment  and label us. In this environment when third parties it seems know more about us than we may know ourselves, it would seem prudent to want to control and understand what data is held by whom and how they use it. Especially, if in her words, “the profiles have the ability to not only rob us of our good name, but also to lead to lost economic opportunities, higher costs, and other significant harm.”

This is why it matters what is being done at break-neck pace to extract and share our health records in England.

I believe we are not yet sufficiently aware of how our data is used by these intermediaries, and if we were, we’d be horrified. We are complicit consumers in how our data is used with minimal understanding. We’re prepared to unwittingly trade a little privacy with the supermarket, to get our discount vouchers through the post. But we don’t look beyond that to understand what price we are paying and how our commercial interests may be harmed, in much more significant ways than £10 discount or a Legoland entry may compensate. Just like our food, the public are complicit [2] in our own downfall, accepting the marketing spin. We don’t understand credit ratings [3] and risk scores, and even if we do, most consumers don’t know data brokers offer companies scores for other purposes unrelated to credit in an onward chain of reselling. Data can be inaccurate, we are unaware of how to manage or correct it, how we are labelled by it, what opportunities it may restrict as highlighted in the report. We should be better informed.

I’ve recently learned how these, “powerful cross-channel consumer classifications help companies understand the demographics, lifestyles, preferences and behaviours of the UK adult population in extraordinary detail.” [4] demonstrated by Experian.

That they understand and track my behaviours probably better than I do, and at such detailed level, I find surprising and invasive. “Within rural areas we are able to pick out the individual households that are likely to be commuting to towns and cities nearby…” I’ll go more into that later.

It has come to the attention of the general public,  only in the last 6 months, that our hospital episode statistics (HES) and data from other secondary care sources, have been on sale in this consumer market. As I said in a previous post [5], a year ago, in April 2013, The ‘Health and Social Care Transparency Panel’ discussion on sharing patient data with information intermediaries stated at that time, there was no legitimate or statutory basis to share at least ONS data [6] in that way for commercial purposes:

“The issues of finding a legitimate basis for sharing ONS death data with information intermediaries for commercial purposes had been a long running problem…The panel identified this as a significant barrier to developing a vibrant market of information intermediaries.”

The HSCIC at that time saw a “vibrant market of information intermediaries, for commercial purposes” using our personal records as desirable and indeed, as Sir Kingsley Manning’s comments to the Health Select Committee demonstrate, in their DH handed-down policy remit.


In this way, companies who process data such as Beacon Dodsworth received data in the last year and offered it for commercial exploitation by others “HES data may be used by pharmaceutical companies “to improve [their] social marketing / media awareness campaigns”. Others included  OmegaSolver [7] and Harvey Walsh [8].


Some of that data goes back into our health market as business intelligence, both for NHS and private use, for benchmarking, comparisons and making commercial decisions. In our commissioning based marketplace [9], now becoming normalised.

Through the press earlier this year, and the first data release register [10] we have come to understand in part, who is using it and at least in part, how. Aside from bone fide public health planners and health researchers, and the intermediaries using data for commissioning support tools, recipients include these commercial companies and third-party intermediaries exploiting the data as a commodity. Organisations which may buy raw data and sell it on, or process it and sell that data mined information onwards. Organisations after which, Chair Kingsley Manning told the Health Select Committee, [11] we have no idea whom all the end users may be. He indicated the progress that is needed and that HSCIC is already working on improvements, stating the view that “the process HSCIC inherited was no longer robust. ” Q285

“Kingsley Manning: I realise that, and may I come back to that? That is why, specifically with regard to the sets of data that are covered by data-sharing agreements, I took the view that the process that we inherited was no longer robust. We have therefore been in the process of changing the management and the processes, and we have voluntarily adopted a process of being much more transparent about the process and about the data releases we have made.

              Q286Barbara Keeley: But what I was trying to get to was the concern.  We are just looking for transparency and honesty here. On all the data that was previously released through these commercial reuse licences where there are end users—the question that the Committee wanted to put to you—you are unable to say what are the uses to which the data release under those licences may be put, what controls are in place and what information is provided—you don’t know. With the whole 13 years of the HES database and however many million records have gone out to one of these providers that then provides on to others—in the United States, this has involved putting up the data on Google cloud, and we are not sure of the security of that—you can’t say. You should admit it now. If you can’t tell us where all that data is and what all its uses are, it seems you can’t. You have already admitted that entirely commercial market uses—

              Kingsley Manning: The control is through both the overriding regulations established within the Data Protection Act and the data-sharing agreements that we enter into with people, which specifically allow the reuse of data with safeguards with regard to anonymity.

              Q287Barbara Keeley: So you have no idea who the end user is. You have no idea if they are using it properly because there is no audit.

              Kingsley Manning: And that is in accordance with the law and the regulations as they stand today.

              Q288Barbara Keeley: So, just to be clear, audit is not going to be possible for all the uses and all the end users. The data is out there. You have licensed people to use it and other people to buy it, and there is no control over that—it is just out there.

              Kingsley Manning: I don’t accept there is no control. There is control established in accordance with law and the regulations as they are today.

              Q289Barbara Keeley: But you are not able to say who is using it and for what reason. You are not able to say that.  There are end users out there.

              Kingsley Manning: No, because we have a large range of organisations that we have been encouraging. Government policy has for a long time been to encourage the use of this data to advance both the health and social care system in this country and the economy. If, for example, we supply pseudonymised data to a drug company to help it to develop a new drug, we do not know the end users beyond that organisation, but that is perceived as being a task and a function that we have. It is done in such a manner that the data is safe and secure, and is not identifiable back to an individual.

              You may wish to change the base upon which we act. We absolutely welcome the suggestion that we should submit these to the confidentiality advisory group. We have identified a number of cases where we think its guidance would be very helpful, including in this area. We would absolutely welcome that, but I am afraid we cannot make up the rules that we act by.”

This is what concerns me, if the purposes and permissions granted for care.data are to be defined by the reason why recipients get data for the “promotion of health ” [12] and that their worthiness to receive data is based on,  a wooly, undefined notion of whether it will improve care or promote health. It cannot be transparently judged if many users of data are intermediaries with re-use licences, if even the HSCIC doesn’t know who all the end users are, and does not routinely audit them. Nor can anyone know how identifiable therefore the accumulated data sets may be.

If HSCIC does not track each release, each time, each recipient receives data, how do they know every time a new request is granted, how much of the jigsaw puzzle for any given individual, is left to complete?

If you don’t know who they are, how can you govern them and what they do with our data? How on earth can anyone judge how they will be for purposes in the Care Bill 2014 of:

(a)the provision of health care or adult social care, or

(b)the promotion of health.

How can the data controllers judge whether that  release, together with all the data these companies already hold, will not do us ‘significant harm’  in the words of Commissioner Brill, of the Federal Trade Commission? Will it not by its nature of labels discriminate against segments of our society, whom the data owners select, based on information beyond our visibility or control? Is society which is segmented and stratified at risk of every increasing inequality? Disability groups for example, may feel at increased risk of stigma or exclusion. David Gillon [13] addresses this in his post here. How can individuals determine if releasing our data to these companies is in our own, or the public interest [14]?

Impossible if we don’t know who they are, and we don’t know what they already hold. A model which is hardly transparent nor conducive to trust.

Dr.Neil Bhatia in Hampshire, a GP who founded the non-commercial website care-data.info, asked HSCIC in an FOI request for the data *about him* which was released to these type of intermediaries. He was told this week, that the data controller, the Health and Information Centre, does not know. We can then only surmise, if our individual data was contained in pseudonymous bulk data transfers in which there remains ‘a latent risk’ of identification. So from the released data register, we should look at what types of companies are using pseudonymous data. We are also told that penalties may be imposed, or even ‘one strike and you’re out’ for misuse of data. Until now at least without robust audit procedures, I believe we’d never know. So how could data be better secured?

There is talk of a ‘fume cupboard’ access, [15] or giving customers data only in query format, instead of giving out raw chunks of the database. But the Care Bill certainly didn’t legislate for any changes in those types or indeed any governance procedures. We can only wait and see if talk becomes reality and how we can trust it becomes a secure policy and stays so, after we entrust our data. There is no delete button after all.

The Secretary of State wrote on April 25th [16], asking to ensure current practices are up to the task, but as polite as it is, a letter is no form of governance. On June 12th, HSJ [17] reported that the HSCIC has ordered a significant number of trusts to “promptly” delete a series of datafields, which it claims could put patients at risk of being identified, because some of the information in “secondary uses service” that they had submitted to the agency had been entered in an incorrect way over ten years. The good news in this, is it would appear progress is being made in audit, and these errors are being addressed.

However, it highlights the issue created when you release raw data beyond your control. It will mean that organisations who should not have received data, did. How now is that data to be removed from information into which it has become? It will now no longer be raw numbers, but be in graphs, comparative studies and have been inexorably merged with other data. Unlike Cinderella’s carriage, it’s not an automatic process that the raw materials, the data, returns to its previous state after it has become enhanced, turned into business intelligence. The raw files may be traced, removed and deleted, but the knowledge it has turned into, will be almost impossible to find and delete. The links between the two may have disappeared into thin air. Harder to find, than the owner of the glass slipper. An impossible audit trail.

An audit process on leaving the trusts and upon arrival at HSCIC and on leaving HSCIC – at least a three place checkpoint – is what I would have  been familiar with in the past for payroll & personal data. It seems that audit procedures for our health records, have just not kept up with the speed at which the data has been sent out on the open seas, and there has been no audit.

Q287Barbara Keeley: So you have no idea who the end user is. You have no idea if they are using it properly because there is no audit.

  Kingsley Manning: And that is in accordance with the law and the regulations as they stand today.”

It’s not to say there are no controls. We are told that data sharing agreements prevent data provided being matched with other data held, which prevents making individuals identifiable. However, as I’ll look at in my next post, I don’t think it even has to get the the person level to be sufficiently identifiable as to be discriminatory. The segmenting of society at group level, at household level, with detailed understanding of our behaviours, is sufficient, aside from the identifiable individual level data these companies hold for identity verification and so on. When companies extract and store raw data, we have no idea where and with whom it lands up. I’ve been completely surprised by what I have learned in the last few weeks how these third parties use our data.

The current controls around and governance of our health data remains unchanged by the Care Bill.  Through policy, law and directions the HSCIC has

…”licensed people to use it and other people to buy it, and there is no control over that.” [12]

As Sir Manning said,

…”because we have a large range of organisations that we have been encouraging. Government policy has for a long time been to encourage the use of this data”

Controls may be in line with policy and the law, but I believe it simply hasn’t kept up with the functional need for a decent governance framework.

Julie Brill’s Statement made a recommendation:

“A second accountability measure that Congress should consider is to require data brokers to take reasonable steps to ensure that their original sources of information obtained appropriate consent from consumers.”

Accountability in the UK of these data brokers seems quite absent in real terms, unknown to the public at large.

The same core issue identified by Julie Brill in the US, lack of informed consent. If we don’t know you have it, how can we ask to check if it’s correct or who uses it? In an era of borderless electronic data transfers, we should seek to put in place the highest standards as common denominators, and in terms of privacy, there are lessons worth learning from the US actions post Snowden which in the UK, we have not yet begun.

If our health records should sail off in the flagship care.data programme, on the sea of commercial Big Data, are we confident that there is consent, fair processing, transparency, accountability, security and good governance? We must know that these basic mainstays are in place, and will stay so in future, to give it our support. Well governed data is more likely to get our trust, therefore our consent and be of better quality for buyers.

We must also not forget to clarify why it is our records are needed in the broad and undefined care.data scope that we still have not seen pinned down. Is the public good really defined for care.data and does it outweigh the private long established rights of consent and confidentiality? Do we trust these commercial company uses to do “no harm” as the US Commissioner of the Federal Trade Commission examined?

…”the profiles have the ability to not only rob us of our good name, but also to lead to lost economic opportunities, higher costs, and other significant harm.”

When we visit a medic we are vulnerable, ill or in need of help. We entrust our knowledge in confidence, and trust it will be used for our care. A whole hotchpotch of other indirect uses, including commercial exploitation is not what we expect. We need to trust the data we give away to local staff,  is processed appropriately all the way up the data chain, when it is stored, when it is released and beyond. For now at least, it appears citizens can only control the one point at which we first give our data up. After that, we have faith that those governing our data ensure the processes around its management are worthy of that trust. The governance processes that go beyond the HSCIC control, will directly influence that trust, and our care.data decision to object, or not.

For citizens to see this still precarious commercial hull, and trust that our innermost confidences should be safe within it, is stretching our trust, just a little too far.  The knowledge of our health and lifestyle should not be commercially exploited in this uncontrollable marketplace by data brokers without our knowledge and consent.  Health data is on the cusp of including more widespread biomedical data. In my children’s lifetime that may be a whole new era of data management to contend with. For now,  all this intensive data mining may be much more than we already imagined and we should carefully consider how society will be affected if it includes every aspect of our health and lifestyle data. It may be yet another aspect of individual surveillance more than society can stand.[18]

The care.data storm may not yet be over.

*****

In part three on commercial uses, I’m going to explore, from my lay perspective, on how some of these intermediaries and data processing companies, use data concretely in practice. As Julie Brill says how these intermediaries, “create a narrative about our past, present and even our future lives.”

******

[1] Data Brokers: A call for transparency and accountability – http://www.ftc.gov/system/files/documents/public_statements/311551/140527databrokerrptbrillstmt.pdf

[2] Food Marketing film by Catsnake with Actress Kate Miles via Upworthy  http://www.upworthy.com/no-one-applauds-this-woman-because-theyre-too-creeped-out-at-themselves-to-put-their-hands-together

[3] Your Credit Ratings explained BBC http://news.bbc.co.uk/1/hi/business/2963580.stm

[4] “Mosaic is Experian’s most comprehensive cross-channel classification system …it helps you understand consumers in extraordinary detail.” http://www.experian.co.uk/marketing-services/products/mosaic/mosaic-in-detail.html

[5] Flagship care.data – Commercial Uses in theory: https://jenpersson.com/flagship-care-data-precious-cargo-1-commercial-uses-in-theory/

[6] Health and Social Care transparency panel:- minutes from 23rd April 2013 –  https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/259828/HSCTP_13-1-mins_23_Apr_13__NewTemp_.pdf

[7] 17th March Omega Solver in the Guardian, by Randeep Ramesh http://www.theguardian.com/technology/2014/mar/17/online-tool-identify-public-figures-medical-care

[8] 16th March Harvey Walsh in the Sunday Times by Jon Ungoed-Thomas  ‘healthcare intelligence company, has paid for a database’ http://www.thesundaytimes.co.uk/sto/news/uk_news/Health/article1388324.ece

[9]  The Privatisation of the NHS Prof.A.Pollock at Tedex event

[10] HSCIC Data Register http://www.hscic.gov.uk/dataregister

[11} Evidence at Parliamentary Health Select Committee April 8th 2014: http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/health-committee/handling-of-nhs-patient-data/oral/8416.html

[12] Care Bill 2014 – Enacted: http://www.legislation.gov.uk/ukpga/2014/23/section/122/enacted

[13] care.data in their own words – D. Gillon Where’s the Benefit? http://wheresthebenefit.blogspot.co.uk/2014/03/caredata-in-their-own-words.htm

[14] Public vs Private interest – Dr. M Taylor, “Information Governance as a Force for Good? Lessons to be Learnt from Care.data”, (2014) 11:1 SCRIPTed

[15] Fume Cupboard access in NHS England stakeholder  letter April 14th 2014

[16] Letter from Jeremy Hunto HSCIC regarding patient confidentiality

[17] Health Service Journal, June 12th, Nick Renaud-Komiya, http://www.hsj.co.uk/news/trusts-ordered-to-delete-incorrect-data/5071902.article?blocktitle=News&contentID=8805

[18] John Naughton, Observer 8th June, http://www.theguardian.com/technology/2014/jun/08/big-data-mined-real-winners-nsa-gchq-surveillance