Questions were raised at two health events this week, on the status of the care.data programme.
The most recent NHS England announcement about the care.data rollout progress, was made in October 2014.
What’s the current status of Public Information?
The IIGOP review in December 2014 [1], set 27 criteria for the programme to address.
The public has not yet seen a response, but according to the GPES minutes one was made at the end of January.
Will it be released in the public domain?
An updated privacy impact assessment “was approved by the care.data programme board and will be published in February 2015.” It has not yet been made public.
Limited and redacted programme board materials were released and the public awaits to see if a business case or more will be released in the public interest.
Risks and issues have been redacted or not released at all, such as the risk register.
There is no business case in place, confirmed page 6 of the October 2014 board minutes – I find that astonishing.
It is hard to know if more material will be made public as recommended in their own transparency agenda.
What is the current state of open questions?
Professionals and public are still interested in the current plan, and discussions this week at the Roy Lilley chat with Dr. Sarah Wollaston MP, again raised some open questions.
1. What happened to penalties for misuse and ‘one strike and out’ ?
Promised in Parliament by Dr. Dan Poulter, Parliamentary Under Secretary of State at the Department of Health, a year ago – questions on penalties are still being asked and without a clear public answer of all that has changed since then and what remains to be done:
Some changes are being worked on [written evidence to HSC]*[7] planned for autumn 2015 – but does it clarify what has happened concretely to date and how it will protect patients in the pathfinder?
“The department is working to table these regulations in Parliament in 2015, to come into force in the autumn.”
Did this happen? Are the penalties proportionate for big multi-nationals, or will other safeguards be introduced, such as making misuse a criminal offence, as suggested?
2. What about promises made on opt out?
One year on the public still has no fair processing of personal data released by existing health providers. It was extracted in the past twenty-five years, the use of which by third parties was not public knowledge. (Data from hospital visits (HES), mental health, maternity data etc).
The opt out of all data sharing from secondary care such as A&E, stored at the HSCIC, was promised by Jeremy Hunt, Secretary of State for Health, a year ago, on February 25th 2014.
It has still not come into effect and been communicated:
[Hansard February 25 2014, col 148] [3]
In fact the latest news reported in the media was that opt out ‘type 2’ was not working, as expected. [4]
Many in the public have not been informed at all that they can request opt out, as the last public communication attempt failed to reach all households, yet their data continues to be released.
3. What about clarifying the purposes of the Programme?
The public remains unclear about the purpose of the whole programme and data sharing, noted at the Roy Lilley event:
A business case, and a risk benefit analysis would improve this.
Flimsy assurances based on how data may be used in the initial extraction will not be enough to assure the public how their data will be used in future and by whom, not just the next six months or so.
Once released, data is not deleted, so a digital health footprint is not just released for care.data, it is given up for life. How much patients trust the anonymous, pseudonymous, and what is ‘de-identified’ data depends on the individual, but in a world where state-held data matching form multiple sources is becoming the norm, many in the public are skeptical.[5]
The controls over future use and assurances that are ‘rock solid’, will only be trustworthy if what was promised, happens.
To date, that is not the case or has not been communicated.
What actions have been taken recently?
Instead of protecting the body, which in my opinion has over the last two years achieved external scrutiny of care.data and ensuring promises made were kept, the independent assurance committee, the IAG, is to be scrapped.
The data extraction and data release functions are to be separated.
This could give the impression that data is no longer to be extracted only when needed for a specific purpose, but lends weight to the impression that all data is to be “sucked up” and purposes defined later. If care.data is purposed to replace SUS, it would not be a surprise.
It would however contravene fair processing data protection which requires the purposes of use to be generally clear before extraction. Should use change, it must be fair. [For example, to have had consent for data sharing for direct care, but then use the data for secondary uses by third parties, is such a significant change, one can question whether that falls under ‘fair’ looking at ICOs examples.]
So, what now, I asked Dr. Poulter after the Guardian healthcare debate on Tuesday evening this week on giving opt out legal weight?
(I would have asked during the main session, but there was not enough time for all questions).
He was not able to give any concrete commitment to the opt out for HES data, or care.data, and simply did not give any answer at all.
What will happen next? Will the pathfinders be going live before the election in May? I asked.
Without any precise commitment, he said that everything was now dependent on Dame Fiona’s IIGOP response to the proposals [made by NHS England].
What has happened to Transparency?
The public has not been given access to see what the NHS England response to the IIGOP/ Caldicott December review was.
The public has no visibility of what the risks are, as seen by the programme board.
The public is still unclear on what the expected benefits are, to measure those risks against.
And without a business case, the public does not know how much it is costing.
Without these, the public cannot see how the care.data board and DH is effectively planning, measuring progress, and spending public money, or how they will be accountable for its outcomes.
The sad thing about this, is that transparency and “intelligent grown up debate” as Sir Manning called for last year, would move this programme positively ahead.
Instead it seems secretive, which is not building trust. The deficit of that trust is widely recognised and still needs solidly rebuilt.
Little seems to have been done since last year to make it so.
“Hetan Shah, executive director of the Royal Statistical Society said, ‘Our research shows a “data trust deficit”. In this data-rich world, companies and government have to earn citizens’ trust in how they manage and use data – and those that get it wrong will pay the price.” [Royal Statistical Society, 22 July 2014][6]
Shame.
Care.data is after all, meant to be for the public good.
It would be in the public interest to get answers to these questions from recent events.
refs:
1. IIGOP care.data report December 2014 https://www.gov.uk/government/publications/iigop-report-on-caredata
2. Hansard March 25th 2014: http://www.publications.parliament.uk/pa/cm201314/cmhansrd/cm140325/halltext/140325h0002.htm
3. Hansard February 25th 2014: http://www.publications.parliament.uk/pa/cm201314/cmhansrd/cm140225/debtext/140225-0001.htm
4. NHS England statement on Type 2 opt out http://www.england.nhs.uk/2015/01/23/data-opt-out/
5. Ipsos MORI June 2014 survey: https://www.ipsos-mori.com/researchpublications/researcharchive/3407/Privacy-and-personal-data.aspx
6. Royal Statistical Society on the ‘trust deficit’ http://www.statslife.org.uk/news/1672-new-rss-research-finds-data-trust-deficit-with-lessons-for-policymakers
7. *additional note made, Sun 15th incl. reference HSC Letter from HSCIC