Category Archives: NHS

care.data programme questions remain unanswered – what should patients do now?

care.data programme questions remain unanswered [1] and opportunities to demonstrate better transparency have to date, been turned down.

For anyone interested in the care.data rollout, professionals, patients and public alike, it is worrying to see the continued secrecy which shrouds the programme. We’ve been told online (but most in the public will still not know) an initial rollout in 4 CCG areas is now planned [2], but at which GP practices remains unclear.

On October 12th I asked that the care.data programme board minutes should be made public. The request is still open.[3]

“They seem hell bent on going ahead. I know they listened, but what did they hear?”

Questions asked by hundreds of people at multiple listening events remain unpublished and unanswered. Risks need resolved.

It is ironic that for a programme whose stated aim is to gather patient information in order to answer open questions about care,  it is so unwilling to give information back to answer the questions we, the ‘data subjects’ have about the programme.

I believe it is important to ensure that the questions are transparent, criticisms addressed and clarified, open issues solved and questions answered ahead of the pathfinder rollout to ensure the greatest success of the programme.

If the programme proceeds on an opt out basis, the risk is increased that it will not meet Data Protection regulation[4], which requires informed use of personal data. This puts GPs at risk. [5]

All the people who made the effort to attend these events for the benefit of the programme and the public good deserve answers. This would minimise the risks the public raised, which remain unresolved.

It is also important for maintaining trust in the integrity and value of user participation and engagement at other NHS events, and in this programme in particular.

Public and Transparent Feedback was Promised

I wrote to Mr. Tim Kelsey, Director, at the Patients and Information Directorate, NHS England today to ask, once again, for the release of public feedback.

Now two months ago, when I spoke with him after the NHS AGM in London on September 18th about care.data, the public questions have still not been put into the public domain.

He agreed that the raw feedback from all the care.data listening events, which included all the open questions asked by participants, would be published, “Shortly.”

This feedback includes questions from the NHS Open Days on June 17th  (4 locations), the stand-alone care.data events since, and those from the care.data advisory sessions hosted in Peterborough and Coin Street, London [6].

NHS England claims there have been hundreds of events. The website says some took place in my county, though I haven’t heard of any and neither has my CCG. Those of which I am aware and six attended, all generated a huge number of participant questions on paper, post-its and electronically, which participants were told would be published and answered, including put on the Open Day website ‘later in the summer'[7]:

“Feedback from this session is being incorporated into the overall report from the care.data listening phase which will be published later in the summer and linked to from this site.”

This is still to happen, and now nearing the end of November, is somewhat overdue.

My own questions at four events were on process and I believe it is important to get these clarified BEFORE the pathfinder:

  • How will you communicate with Gillick competent children [8], whose records may contain information about which their parents are not aware? [note also RCGP online roadmap p.15][9]
  • How will you manage this for elderly or vulnerable patients in care homes and with diminished awareness or responsibility?
  • When things change in scope or use, how will we be informed of changing plans for use or users, on an ongoing basis? [Data protection principle 2] [10]
  • For any future changes, how will we be given the choice to change our opt out or opt in? Consent is not a one-time agreement  but needs managed on a continual, rolling basis – how will this be achieved?

Campaigners have also raised remaining, unresolved issues.

Key legal questions remain, including on Opt Out

I am starting to become concerned that the opt out is STILL not on a statutory footing. Will the Secretary of State make good his verbal agreement in law?

What legal changes will be made that back up the verbal guarantees given since February? If none are forthcoming, then were the statements made to Parliament untrue? [11]

“people should be able to opt out from having their anonymised data used for the purposes of scientific research.”

I am yet to see this legal change and to date, the only publicly stated choice is only for identifiable data [12], not all data, as stated by the Minister.

So too the promised extra governance on a legal basis has not yet happened.

It is worth a note that although the Health and Social Care Act 2012 may have steamrollered the legal position of the patient and GP, and that confidentiality no longer comes first, informed consent even if assumed, is still in other circumstances to be obtained fairly:

“Consent obtained under duress or on the basis of misleading information does not adequately satisfy the condition for processing.” [ICO]

Should this principle not also apply even if GPs are legally obliged to release data without patient consent? [I feel that needs more discussion, so will write about consent in my next post.]

There is much made of ‘new legal protection’ of our data but in fact it is impossible to see it provides any such thing, and yes, I have read it. The Care Act 2014 did not get amended with any binding or truly clear provisions to make data more confidential or secure.

Concerns of many people centre on commercial use, and re-use of data, and these are not addressed by the loose terms for the benefit of adult health and social care’ or the ‘promotion of health’. [part 4 p.120] Data sold all year may have met this criteria, but is this how we expect our health records to be used without our express permission?

“We will use Mosiac, appended to the ICD10 code diagnoses, to create national Mosaic profiles. These estimates and propensities will be sold to public and commercial organisations to enable them to target resources more effectively and efficiently…Other data characteristics that are also linked to Mosiac can then be used to understand broader lifestyle characteristics of those most at risk to ensure that messages and communications are appropriate and well targeted.” [July register]

Question from Leicester: “Are we saying there will be only clinical use of the data – no marketing, no insurance, no profit making? This is our data.”[13]

So I hope it is clear, that these concerns are not only mine, but remain unanswered for the broader participants of listening events, gathered throughout the last year.

Questions from others

I’m publishing here the filtered and NHS England written, summary response of the 26th June event [14], I received as an attendee. (40 people, of whom ca 10 NHS England and HSCIC staff).

I disagreed with one of the statements made at our table at the meeting, and pointed out it was not factual. History as I understand, and has been stated by HSCIC in FOIs, will not be deleted. Yet this was allowed to be included in the notes sent to all:

“communicate that identifiable information can be deleted.”

The workshop was about how to access ‘hard-to-reach’ groups, so focused on communications methods. You will see that many statements are about how to market the programme, and do not clarify questions of substance, although many were asked on the day about scope definition, and future data changes.

Questions have not yet been addressed, such as Gillick, on children in care, young offenders, the forces, avoiding ‘propaganda-ish’ sounding and bias in the materials, to ensure the ‘adequate requirements’ for data processing.

You can see from this, that although the listening events may be deemed to have been a success, the answering part is still missing.

How are NHS England measuring success? What does good look like? I guarantee from a public perspective, it’s not there yet.

Long term benefit must not be harmed in the rush for a pilot tick-box

Since the programme is heralded as so vital for the NHS, I believe we should not be making the best of a bad job, but shaping process, security and communications to be world class, worthy of our NHS.[15]

We also need to see a long-term cost benefit plan – if we don’t know how some of these future processes are to be managed, how will we know what they will cost, and are they worth it?

The project should not aim for a quick and dirty pilot rollout. Perhaps there is a need to tick the ‘on time’ box for an NHS England target or meet a job description appraisal, as I would have had when I was responsible for project implementations in my past commercial industry role?

As it stands it is not NHS England/DoH who has the most to lose if this goes ahead as is. They must look at the big picture and accept their responsibility for this project, decide not to rush it and not expect the public and GPs to carry its risk.

At the weekend, in a speech about TTIP I heard the phrase, it’s “a classic case of socialising the risk and privatising the profit.”

So too it feels for me on care.data. NHS England wants all the benefit of our information, including from its sale, but it is we, individual patients and GPs who will be harmed if its security, commercial use [16], or everyday trust & confidentiality are compromised.

The Department of Health must look beyond party political aims pre-election. This is for the good of the NHS, which belongs to us all.

We must see open questions on process and content openly answered, for professionals and public alike.

Only then, can we trust that the infrastructure and promises made behind the scenes have set the foundation for this scheme to be worthy of our most intimate and confidential data.[17]

What can Patients do now?

“The policy and practical answers we need to ensure success, will not fit on a flyer or SMS.”

I have spoken with some of my fellow attendees since these events, including for example Stan Burridge, the Research Lead on Service User Involvement at Pathway London. (A charity providing healthcare to the homeless and which works with others on policy and best-practice approach sharing. Their recent work on dentistry outreach achieved a 0% no-show rate – getting the vital care needed for their clients and saving ££ for NHS dentist provision.)

His comments are a good summary of what has happened since:

“In the events, opinions could be expressed, questions asked, and I was made to feel they were valid questions, but they’re doing very little to answer them so that it makes a difference.

“I feel I was engaged with the process, but it’s doing nothing for the people on the margins.

“They should be given an informed choice to opt in, an uninformed choice not to opt out is not the same.

It is unclear what patients can now do, to get the answers we have asked for. We want to make a positive difference to make the project better.

The listening events seem to have been a one way process, and participation for PR purposes, rather than real engagement. The policy and practical answers we need to ensure success, will not fit on a flyer or SMS. They can’t be communicated as part of the pilot rollout. We need them published, addressed and ironed out up front.

Stan summed up exactly what I feel and what I have heard from many others:

“They seem hell bent on going ahead. I know they listened, but what did they hear?”

 

****

[1] A patient’s open letter to NHS England

[2] CCG pathfinder announcement

[3] care.data programme board minutes and materials FOI

[4] ICO Guide to Data Protection

[5] Medical Protection and care.data concern

[6] Coin Street care.data advisory group public event, Sept 6th

[7] NHS England Open House event 17th June

[8] Gillick and data protection for children

[9] RCGP Online Roadmap, includes concern on accessing data by those at risk of domestic abuse and children

[10] ICO Data Protection guidelines

[11] Hansard, Parliament 25th February 2014

[12] Parliamentary briefing note on care.data

[13] Questions from the Open House, incl. Leicester

[14] NHS England summary of feedback and statements from public event at Mencap, June 26th 2014

[15] Post from July 21st HSCIC roadmap event, future data use

[16] Commercial use of data with brokers – call for consumer data transparency

[17] Code list prepared by medConfidential and open issues

Deregulation – the UK Bill and the Titanic TTIP

The Deregulation Bill will go to the Lords Committee stage on 6th November. [For ongoing progress, see here.]

Deregulation Bill

 [graphic added Nov 21st: This was the concluding statement by Lord Tunnicliffe on November 20th.]

I write this in follow up to a previous post of because it’s a big bill with one very important little clause, amongst much detail which needs careful review in the public interest:

What is it? Clause 83: Exercise of regulatory functions, economic growth:

(1) A person exercising a regulatory function to which this section applies must,  in the exercise of the function, have regard to the desirability of promoting  economic growth.

(2) In performing the duty under subsection (1), the person must, in particular,  consider the importance for the promotion of economic growth of exercising  the regulatory function in a way which ensures that—

(a) regulatory action is taken only when it is needed,

and

(b) any action taken is proportionate.

This section of the Deregulation Act which is currently passing through Parliament, suggests the removal of any regulation that conflicts with the interests of a profit-maker.

 

There are domestic and regulatory bodies for which we should carefully consider this implication.

The Deregulation Bill surely creates an ethical conflict or at least challenge, when in law it must consider commercial gain on a statutory footing above other factors?

The clause is openly worded, that regulatory action should be taken only when it is needed and that any action taken should be ‘proportionate’.

That suggests that regulatory interventions should be reduced. Who and how will it be decided when and what is proportionate?

The Bill provides that a person exercising a regulatory function specified by the Minister:

In detail, what does that mean? If it’s not important why include it at all? If it is important, why have we heard so little about it?

That Lord Tunnicliffe would make such a forceful statement should not be taken lightly: …”if our fears comes to pass, these three clauses could wreak havoc in a regulatory regime within this country.”

Which bodies will this affect?

Functions to which section 83 applies:

There is a long list of regulatory organisations at the end of this post.
Click on the organisation’s name below to read about each one.

The implications for them are unclear but should be examined for public bodies whose function today is not for profit.

For one area in particular, and close to my heart, we should understand its impact on  regulation of the NHS; Monitor and CQC, the MHRA and HFEA (Fertility and Embryology) and how about the Human Tissue Authority? A body whose purpose is to:

“manage the interests of the public and those we regulate at the centre of our work. It aims to maintain confidence by ensuring that human tissue is used safely and ethically, and with proper consent.” [Ref: HTA]

It is unclear how this profit aim will be helpful for these bodies in healthcare, especially considering some of the issues in state social care .

A different body where others share a concern about the impact of clause 83 is for the EHRC.

 

The Joint Committee Reported on Human Rights, June 14th 2014 has concerns about the impact of this, listed in this report:

The Government intends this economic growth duty to apply to the EHRC. We believe that applying this growth duty to the EHRC poses a significant risk to the EHRC’s independence, and therefore to its compliance with the Paris Principles and the Equal Treatment Directives as implemented by the Equality Act 2010. The Government is therefore risking the possibility of the EHRC’s accredited “A” status being downgraded and of putting the UK in breach of its obligations under EU equality law. Unless the continuing discussions between the Government and the Commission satisfy the Commission that the growth duty will not in any way impact upon its independence, we recommend that this duty not be applied to the EHRC.

[Nov 21st update: this clause was specifically debated >  see Column GC229 < and whilst verbal assurances were made, it appears nothing has changed in the Bill, and that the EHRC said in response:

“While we welcome this undertaking we understand that this doesn’t mean that we’ll be removed on the face of the Bill”.

So what value the assurances from  the Minister who will have left his post long before the Bill may be in effect?]

A large number of organisations play a part in securing compliance with the law. They include national regulators, local authorities, and bodies independent of Government, some of which have statutory regulatory functions.  The list below of the main national regulators is not exhaustive, but long. Clause 83 will have a very wide reach.

We should understand just how wide ranging this apparently small function in the Bill may turn out to be.

I believe this clause will serve to mop up the real or imagined economic leakage that the government seeks to collect from all these bodies. Resources that are as yet, untapped.

How will these regulatory bodies promote economic growth?

I wonder how, in the best public interest at all times, economic interest should come first in bodies responsible for oversight?

Will they be compelled to consider [further] cost cutting, selling assets, or charging for services?  Or how about entering into commercial partnerships?

Will the Drinking Water Inspectorate under DEFRA stay entirely independent?

What about the Gambling Commission – in its remit is ‘to protect children and vulnerable people from being harmed or exploited by gambling’?

How will the Office for Nuclear Regulation (ONR) hope to promote economic growth? Or the Forestry commission?

The consequences of such widespread promotion of deregulation and the requirement to actively promote profit seems ill-thought through and given little public attention.

Could it be that under austerity, and desperate to squeeze every drop of monetary gain from our state bodies, that this clause will open the gateway to increased fees, or the start of fees for some current non-charging access by the public to services?

Or will they be encouraged as schools were once, to sell off land and assets? Many of these bodies hold little land. The assets they both produce and hold, is data. It is clear from current practice and the direction of travel across government departments, that information is seen as a commodity and an untapped resource for sale. Perhaps this is an area each body will look at selling?

What about authorities which charge the public fees for services or could do so – the CAA for airspace regulation, the DVLA or the ICO? Will we see an increase in service charges – it is perhaps almost inevitable if the desirability  to promote economic growth is to be given statutory footing.

In addition to looking at what may actively promote commercial growth by direct sale or raising fees, rather than imaginary direct marketing concepts, in order to promote economic growth, will we simply find it more likely that indirect growth is encouraged through change in regulatory practices?

Most importantly perhaps, will we see regulations slackened which cost money to oversee?

Will the organisations which are to be regulated, permitted to do more which promotes commercial interest over other policies, or ethics?

I wonder if a future state aims to deregulate the market in almost every field of activity to enable profits for private commercial businesses, and if the intent is not desirable economic growth for the state directly, but indirectly?

If so, will the ideology that once deregulated, somehow private business interests will contribute more to the economy than they do today, be realised in practice? How has the deregulation of trains, postal services, water and utilities benefited the public interest over economic growth?

If the benefit is to be state economic growth,  whether through revenue direct or indirect, and whether or not it is achieved in the way it may be hoped, there will be other consequences.

Have we learned lessons from other areas in which oversight of regulation has been slackened in recent times, such as banking?

What happened since Banking was deregulated?

Anyone who can look back at the deregulation of the financial markets and say it was all, without any doubt a good thing, should say subprime mortgage deregulation and wash their mouth out.

“Regulation did not keep pace and became mismatched with the risks building in the economy. The Financial Crisis Inquiry Commission (FCIC) tasked with investigating the causes of the crisis reported in January 2011 that: “We had a 21st-century financial system with 19th-century safeguards.” [FCIC report]

“It found widespread failures in financial regulation; dramatic breakdowns in corporate governance; excessive borrowing and risk-taking by households and Wall Street; policy makers who were ill prepared for the crisis; and systemic breaches in accountability and ethics at all levels.” **[FCIC]

In summary,  has any cost risk benefit analysis has been done on the impact of what this widespread cross-market promotion of deregulation and the desirability of economic growth in a regulatory function will mean?

Why may this be seen as a desirable course of action?

Deregulation is tacking its way to its destination through the Lords in the UK. Whether it will reach it before the end of this parliamentary term is perhaps unclear.  But let’s not forget deregulation is the course on which we are set globally, at full steam ahead.

This UK Bill is simply a sponge on the deck of the Titanic of deregulation, the TTIP.

The purpose of the Transatlantic Trade and Investment Partnership is to remove the regulatory differences between the US and European nations. Its plan to cross the Atlantic at break neck speed has been somewhat slowed. But its purpose remains steadfast. There are effectively no tariff restrictions in place any more, so the barriers left to lift are those of regulatory intervention:

“The US and the European commission, both of which have been captured by the corporations they are supposed to regulate, are pressing for investor-state dispute resolution to be included in the agreement.” [The Guardian, Nov 4 2014]

This peer-reviewed  paper looks at the imagined trade and its consequences, “leaving the investment component of TTIP on the sidelines. Going forward, valuable insights could be drawn by further extending the analysis of TTIP’s financial effects.”

[Update Nov 13, letter today in the FT: quotes the same research paper and notes, “Even the most vocal proponents of free trade admit that there’s nothing irrational about opposing such big issues of public policy being traded off behind closed doors.” Nick Dearden, Director, World Development Movement]

Whilst much is made, with some confusion, around the potential for impact on the NHS, TTIP is indisputably very real for the rest of industry and wider market. And any deregulation as a whole touches many NHS bodies.

Despite wide professional and public criticism the TTIP discussions continue with little transparency. Deregulation appears to have become the UK government’s mantra for achieving economic growth, though in coalition not everyone may agree it is right.

In conclusion:

There should be detailed analysis and an impact assessment made for this Deregulation Bill clause 83 as it stands alone.

It must also be seen in conjunction with proposals for deregulation under TTIP,  and the impact analysed for the vast number of regulatory bodies and functions we have under the State wing, for the public good.

I sincerely hope our legislators in the Lords are taking this into account and not as a stand-alone Bill, but in the wider picture of current TTIP trade negotiations, and that the failures created in part through deregulation twenty years ago in banking, are not recycled now across the board.

Can society afford “dramatic breakdowns in governance, risk taking, learning by mistakes, or systemic breaches in accountability and ethics?” ** as we saw as a consequence in banking?

Oversight serves an important purpose.

It is often to ensure a balance between the needs of people, and search for profit. Whilst it is an accepted practice in our market economy, to seek to  make a profit,  oversight and regulation can ensure it’s not at the expense of the greater good.

Some of these public services that the regulatory bodies oversee in England will be harmed if they are not free to all at the point of their delivery. The independence of their ethical decision making will be challenged if it competes with promoting economic growth.

Who will help the public understand what this Deregulation Bill clause really will mean and complete proper and transparent public analysis of its impact for each regulatory authority?

I hope that those responsible for scrutiny of the Bill see value in maintaining first and foremost, independent oversight and ethics, in the Public Interest.

Or will the band continue to play as TTIP sails on? And will the Deregulation Bill pass as is, to promote the desirability of economic growth at all costs?

———

[Update November 21st:

Significant concerns raised in yesterday’s discussion by Lord Tunnicliffe and others on this Clause 83: The promotion of Economic Growth for Regulatory Bodies.

Social Care:
On a previous day of debate (Nov 18th) it appears regulation of Social Care staff is to be scrapped without proper consultation or scrutiny, in Clause 71.

Column GC116: “This is despite the fact that there was no clear support for removing regulation in the original consultation responses.

“The Government did not consult on this issue as part of the consultation in April 2014 on extending outsourcing in children’s social work. During the debate in Committee in the House of Commons on whether the clause should stand part of the Bill, the Deputy Leader of the Commons, Tom Brake MP, acknowledged that there had been no clear support for removing the registration requirement.”

“The Office of the Children’s Commissioner for England raised concerns and stated: “We consider all delegated social care services should be required to have formal registration with Ofsted in addition to an expectation that they will be held to account by rigorous and expert inspection, just as local authorities currently are”.

Scrutiny and Bill quality and clarity:
In particular concerns are raised in the Lords on lack of proper documentation and new legislation included which has not had scrutiny by the HoC or Scrutiny Committee.

Column GC142 “it is inefficient for Parliament to try to scrutinise line by line material which is obscure and possibly not very well expressed in terms of the material we are given and the notes.”
“One is that without a Keeling schedule relating to the particularities of the Bills being amended, it is almost impossible to work out what they are.”

Column GC144 “… that we are discussing now was not discussed in the Commons. It was not discussed by the Pre-Legislative Scrutiny Committee, as we have heard, and there has been no real opportunity to call those who drafted it to account. A blow for better government.”

Lord Tunnicliffe concluded on November 20th:

“We are all on the same side, but if our fears comes to pass, these three clauses could wreak havoc in a regulatory regime within this country that, generally speaking, is doing pretty well.” [Hansard]

My concerns seem founded, supported by many of these comments in recent debate in the Lords. I feel this Bill is a disaster lying in the future path of the Public Interest.  “Iceberg, right ahead!”

End Nov 21st update.]

Please feel free to comment below or find me on twitter @TheABB

*********

List of The National Regulators

Animal Health and Veterinary Laboratories Agency (AHVLA)

Animals in Science Regulation Unit

Architects Registration Board (ARB)

British Hallmarking Council (BHC)

Care Quality Commission (CQC)

Charity Commission for England and Wales

Civil Aviation Authority (CAA)

Claims Management Regulation Unit

Coal Authority

Companies House

Competition Commission

Professional Standards for Health and Social Care (PSA)

Disclosure and Barring Service (DBS)

Drinking Water Inspectorate (DWI)

Driver and Vehicle Licensing Agency (DVLA)

Driving Standards Agency (DSA)

Employment Agency Standards Inspectorate (EAS)

English Heritage (EH)

Environment Agency

Equality and Human Rights Commission

Financial Reporting Council (FRC)

Fish Health Inspectorate (FHI), Centre for Environment, Fisheries and Aquaculture Science (Cefas)

Food and environment research agency (plant and bee health) and (Plant Variety and Seeds)

Food Standards Agency (FSA)

Forestry Commission

Gambling Commission

Gangmasters Licensing Authority (GLA)

Health and Safety Executive (HSE)

Higher Education Funding Council for England (HEFCE)

Highways Agency (HA)

HM Revenue and Customs (Money Laundering Regulations and National Minimum Wage)

Homes & Communities Agency (HCA)

Human Fertilisation and Embryology Association (HFEA)

Human Tissue Authority (HTA)

Information Commissioner’s Office (ICO)

Insolvency Service including Insolvency Practitioner Unit

Intellectual Property Office (IPO)

Legal Services Board (LSB)

Marine Management Organisaton (MMO)

Maritime and Coastguard Agency (MCA)

Medicines and Healthcare Products Regulatory Agency (MHRA)

Monitor

National Measurement Office (NMO)

Natural England

Office of Communications

Office for Fair Access (OFFA)

Office for Nuclear Regulation (ONR)

Office for Standards in Education, Children’s Services and Skills (OFSTED)

Office of Fair Trading

OFQUAL

Office of Rail Regulation (ORR)

Office of the Regulator of Community Interest Companies

OFGEM

Pensions Regulator

Rural Payments Agency (RPA)

Security Industry Authority (SIA)

Senior Traffic Commissioner

Sports Grounds Safety Authority (SGSA)

Trinity House Lighthouse Service (THLS)

UK Anti-Doping (UKAD)

Vehicle and Operator Services Agency (VOSA)

Vehicle Certification Agency (VCA)

Veterinary Medicines Directorate (VMD)

Water Services Regulation Authority (OFWAT)

The care.data engagement – is it going to jilt citizens after all? A six month summary in twenty-five posts.

[Note update Sept 19th: after the NHS England AGM in the evening of Sept 18th – after this care.data engagement post published 18hrs earlier – I managed to ask Mr.Kelsey, National Director for Patients and Information, in person what was happening with all the engagement feedback and asked why it had not been made publicly available.

He said that the events’ feedback will be published before the pathfinder rollout begins, so that all questions and concerns can be responded to and that they will be taken into account before the pathfinders launch.

When might that be, I asked? ‘Soon’.

Good news? I look forward to seeing that happen. My open questions on commercial uses and more, and those of many others I have heard, have been captured in previous posts, in particular the most recent at the end of this post. – end of update.]

Medical data has huge power to do good, but it presents risks too. When leaked, it cannot be unleaked. When lost, public trust cannot be easily regained. That’s what broken-hearted Ben Goldacre wrote about care.data on February 28th of this year, ten days after the the pause was announced on February 18th [The Guardian] .

Fears and opinions, facts and analysis, with lots and lots of open questions. That’s what I’ve written up in the following posts related to care.data since then, including my own point-of-view and feedback from other citizens, events and discussions. All my care.data posts are listed here below, in one post, to give an overview of the whole story, and any progress in the six months ‘listening’ and ‘engagement’.

So what of that engagement? If there really have been all these events and listening, why has there been not one jot of public feedback published? This is from September 2014, I find it terrifyingly empty of anything but discussing change in communications of the status quo programme.

I was at that workshop, hosted by Mencap on communicating

with vulnerable and excluded groups the article mentions. It was carefully managed, with little open room discussion to share opinions cross groups (as the Senior Policy Adviser at Signature pointed out.) Whilst we got the NHS England compilation of the group feedback afterwards, it was not published. Maybe I should do that and ask how each concern will be addressed? I didn’t want to stand on the NHS England national comms. toes, assuming it would be, but you know, what? If the raw feedback says from all these meetings, these are our concerns and we want these changes, and none are forthcoming, then the public should justifiably question the whole engagement process.

It’s public money, and the public’s data. How both are used and why, is not to be hidden away in some civil service spreadsheet. Publish the business case. Publish the concerns. Publish how they are to be addressed.

From that meeting and the others I have been to, many intelligent questions from the public remain unanswered. The most recent care.data advisory workshop summarised many from the last year, and brought out some minority voices as well.

 

On the day of NHS Citizen, the new flagship of public involvement, people like me who attended the NHS England Open Day on June 17th, or care.data listening events, may be understandably frustrated that there is no publicly available feedback or plan of any next steps.
care.data didn’t make it into the NHS Citizen agenda for discussion for the 18th. [Many equally other worthy subjects did, check them out here if not attending or watch it online.] So from where will we get any answers? Almost all the comment, question and feedback I have heard at events has been constructively critical, and worthy of response. None is forthcoming.

 

Instead, the article above, this reported speech by Mr.Kelsey and its arguments, make me think engagement is going nowhere. No concerns are addressed. PR is repeated. More facts and figures which are a conflation of data use for clinical treatment and all sorts of other uses, are presented as an argument for gathering more data.

Citizens do not need told of the benefits. We need concrete steps taken in policy, process and practice, to demonstrate why we can now trust the new  system.

Only then is it worthwhile to come back to communications.

How valued is patient engagement in reality, if it is ignored?

How will involvement continue to be promoted in NHS Citizen and other platforms, if it is seen to be ineffective?

How might this affect future programmes and our willingness to get involved in clinical research?

I sincerely hope to see the raw feedback published very soon, which NHS England has gathered in their listening events. How that will be incorporated into any programme changes, as well as  communications, will go a long way to assuring the quantity in numbers and quality of cross-population participation.

The current care.data status is in limbo, as we await to see if and when any ‘pathfinder’ CCGs will be announced that will guinea pig the patient records from the GP practices in a trial rollout, in whatever form that may take. The latest official statements from Mr.Kelsey have been on 100-500 practices, but without any indicator of where or when. He suggests ‘shortly’.

What next for care.data? I’ll keep asking the questions and hope we hear some answers from the NHS England Patients and Information Directorate. Otherwise, what was the [&88!@xY!] point of a six month pause and all these efforts and listening?

Publish the business case. Publish the concerns. Publish how they are to be addressed.

What is there to hide?

After this six-month engagement, will there be a happy ending? I feel patients are about to be left jilted at the eleventh hour.
******

You’ll find my more recent posts [last] have more depth and linked document articles if you are looking for more detailed information.

******

March 31st: A mother’s journey – intro

March 31st: Transparency

April 3rd: Communication & Choice

April 4th: Fears & Facts

April 7th: What is care.data? Defined Scope is vital for Trust

April 10th: Raw Highlights from the Health Select Committee

April 12th: care.data Transparency & Truth, Remit & Responsibility

April 15th: No Security Blanket : why consent packages fail our kids

April 18th: care.data : Getting the Ducks in a Row

April 23rd: an Ode to care.data (on Shakespeare’s anniversary)

May 3rd: care.data, riding the curve: Change Management

May 15th: care.data the 4th circle: Empowerment

May 24th: Flagship care.data – commercial uses in theory [1]

June 6th: Reality must take Precedence over Public Relations

June 14th: Flagship care.data – commercial use with brokers [2]

June 20th: The Impact of the Partridge Review on care.data

June 24th: On Trying Again – Project Lessons Learned

July 1st: Communications & Core Concepts [1] Ten Things Learned at the Open House on care.data and part two: Communications and Core Concepts [2] – Open House 17th June Others’ Questions

July 12th: Flagship care.data – commercial use in Practice [3]

July 25th: care.data should be like playing Chopin – review after the HSCIC Data Sharing review ‘Driving Positive Change’ meeting

July 25th: Care.data should be like playing Chopin – but will it be all the right notes, in the wrong order? Looking forwards.

August 9th: care.data and genomics : launching lifeboats [Part One] the press, public reaction and genomics & care.data interaction

August 9th: care.data and genomics : launching lifeboats [Part Two] Where is the Engagement?

September 3rd: care.data – a Six Month Pause, Anniversary round up [Part one] Open questions: What and Who?

September 3rd: care.data – a Six Month Pause, Anniversary round up [Part two] Open questions: How, Why, When?

September 16th: care.data cutouts – Listening to Minority Voices Includes questions from those groups.

September 16th: care.data – “Anticipating Things to Come” means Confidence by Design

October 30th: patient questions on care.data – an open letter

November 19th: questions remain unanswered: what do patients do now?

December 9th: Rebuilding trust in care.data

December 24th: A care.data wish list for 2015

2015 (updated after this post was published, throughout the year)

January 5th 2015: care.data news you may have missed

January 21st 2015: care.data communications – all change or the end of the line?

February 25th 2015: care.data – one of our Business Cases is Missing.

March 14th 2015: The future of care.data in recent discussions

March 26th 2015: Wearables: patients will ‘essentially manage their data as they wish’. What will this mean for diagnostics, treatment and research and why should we care? [#NHSWDP 3]

May 10th 2015: The Economic Value of Data vs the Public Good? [1] care.data, Concerns and the cost of Consent

The Economic Value of Data vs the Public Good? [2] Pay-for-privacy, defining purposes

The Economic Value of Data vs the Public Good? [3] The value of public voice.

May 14th 2015: Public data in private hands – should we know who manages our data?

June 20th 2015: Reputational risk. Is NHS England playing a game of public confidence?

June 25th 2015: Digital revolution by design: building for change and people (1)

July 13th 2015: The nhs.uk digital platform: a personalised gateway to a new NHS?

July 27th 2015: care.data : the economic value of data versus the public interest? (First published in StatsLife)

August 4th 2015: Building Public Trust in care.data sharing [1]: Seven step summary to a new approach

August 5th, 2015: Building Public Trust [2]: a detailed approach to understanding Public Trust in data sharing

August 6th 2015: Building Public Trust in care.data datasharing [3]: three steps to begin to build trust

August 12th 2015: Building Public Trust [4]: “Communicate the Benefits” won’t work for care.data

August 17th 2015: Building Public Trust [5]: Future solutions for health data sharing in care.data

September 12th 2015: care.data: delayed or not delayed? The train wreck that is always on time

****

Questions, ideas, info & other opinions continue to be all welcome. I’ll do my best to provide answers, or point to source sites.

For your reference and to their credit, I’ve found the following three websites useful and kept up to date with news and information:

Dr. Bhatia, GP in Hampshire’s care.data info site

HSCIC’s care.data site

medConfidential – campaign for confidentiality and consent in health and social care – seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent

 

 

 

care.data – the cut-outs: questions from minority voices

“By creating these coloured paper cut-outs, it seems to me that I am happily anticipating things to come…I know that it will only be much later that people will realise to what extent the work I am doing today is in step with the future.” Henri Matisse (1869-1954) [1]

My thoughts on the care.data advisory event Saturday September 6th.  “Minority voices, the need for confidentiality and anticipating the future.”

[Video in full > here. Well worth a viewing.]

After taking part in the care.data advisory group public workshop 10.30-1pm on Saturday Sept 6th in London, I took advantage of a recent, generous gift; membership of the Tate. I went to ‘Matisse – the cut outs’ art exhibition.  Whilst looking around it was hard to switch off the questions from the morning, and it struck me that we still have so many voices not heard in the discussion of benefits, risk and background to the care.data programme. So many ‘cut out’ of any decision making.

Most impressive of the morning, had been the depth and granularity of questions which were asked.  I have heard varying aspects of questions at public events, and the subject can differ a little based on the variety of organisations involved. However, increasingly, there are not new questions, rather I hear deeper versions of the questions which have already been asked, over the last eighteen months. Questions which have been asked intensely in the last 6 months pause, since February 2014 [2] and which remain unanswered. Those from the care.data advisory committee and hosting the event, said the same thing based on a previous care.data advisory event also.

What stood out, were a number of minority group voices.

A representative for the group Friends, Families and Travellers (FFT) raised a number of excellent questions, including that of communications and ‘home’ GP practices for the Traveller community. How will they be informed about care.data and know where their ‘home’ practice is and how to contact them? Whose responsibility will that be?

I spoke with a small group a few weeks ago simply about NHS use in general. One said they feared being tracked down through a government system [which was used for anything other than clinical care]. They register with new names if they need to access A&E. That tells you already how much they trust ‘the system’. For the most part, he said, they would avoid NHS care unless they were really desperately in need and beyond the capability of their own traveller community ‘nurse’. The exception was childbirth when this group said they would encourage expectant mums to go into hospital for delivery. They must continue to do so when they need to and must feel safe to do so. Whether in general they may use primary care or not, many travellers are registered at GPs, and unless their names have been inadvertently cleansed recently, they should be contacted before any data extraction as much as anyone else.

Our NHS is constitutionally there for all. That includes groups who may be cut off from mainstream inclusion in society, through their actions, inaction or others’ prejudice. Is the reality in this national programm actively inclusive? Does it demonstrate an exemplary model in practice of what we hear said the NHS aims to promote?

Transgender and other issues

The question was posed on twitter to the event, whether trans issues would be addressed by care.data. The person suggested, that the data to be extracted would “out us as probably being trans people.” As a result,  she said “I’d want to see all trans ppl excluded from care.data.”

Someone who addressed ‘her complex gender identity’ through her art, was another artist I respect, Fiore de Henriquez. She was ‘shy of publicity.’ One of her former studios is filled with work based on two faces or symbiotic heads, aside from practice pieces for her more famous commissioned work.For her biography she insisted that nothing be concealed. “Put in everything you can find out about me, darling. I am proud to be hermaphrodite, I think I am very lucky, actually.” However, in her lifetime she acknowledged the need for a private retreat and was shy until old age, despite her flamboyant appearance and behaviour. You can see why the tweet suggested excluding any transgender data or people.

‘Transgender issues’ is an upcoming topic to be addressed at the NHS Citizen even on 18th September as well. How are we making sure these groups and the ‘other’ conditions, are not forgotten by care.data and other initiatives? Minorities included by design will be better catered for, and likely to participate if they are not simply tacked on as an afterthought, in tick-box participation

However, another aspect of risk is to be considered – missing minorities 

Any groups who opt themselves out completely, may find that they and their issues are under represented in decision making about them by commissioners and budget planning for example.  If authorities or researchers choose to base decisions only on care.data these discrepancies will need taken into account.

Ciarán Devane highlighted this two-sided coin of discrimination for some people. There are conditions which are excluded from care.data scope. For example HIV. It is included in HARS reporting, but not in care.data. Will the conditions which are excluded from data, be discriminated against somehow? Why are they included in one place, not in another, or where data is duplicated in different collections, where is it necessary, where is the benefit? How can you make sure the system is safe and transparent for minorities’ data to be included,  and not find their trust undermined by taking part in a system, in which they may have fears about being identified?

Missing voices

These are just two examples of groups from whom there had been little involvement or at least public questions asked, until now. The traveller and transgender community. But there are many, notably BME, and many many others not represented at any public meetings I have been at. If they have been well represented elsewhere, any raw feedback, with issues addressed, is yet to be shared publicly.

Missing voices – youth

A further voice from which we hear little at meetings, because these meetings have been attended as far as I have seen so far, mainly by older people, is the voice of our youth.

They are left out of the care.data discussion in my opinion, but should be directly involved. It is after all, for them that we need to think most how consent should work, as once in, our data is never deleted.

Whilst consent is in law overridden by the Health and Social Care Act, it is still the age old and accepted ethical best practice. If care.data is to be used in research in future, it must design best practices now, fit for their future purposes.

How will our under-18s future lives be affected by choices others make now on their behalf?

Both for them as the future society and as individuals. Decisions which will affect research, public health planning and delivering the NHS service provision as well as decisions which will affect the risk of individual discrimination or harm, or simply that others have knowledge about their health and lifestyle which they did not choose to share themselves.

Some people assume that due to social networks, young people don’t care about privacy. This is just not true. In fact, studies show that younger people are more conscious of the potential harm to their reputation, than we may want to give them credit for.

This Royal Academy of Engineering report, [3]” Privacy and Prejudice – Young People’s views on the Development of Electronic Patient Records” produced in conjunction with Wellcome from 2010, examines in some depth, youth opinions of 14-18 year olds.  It tackles questions on medical data use: consent, control and commercialism. The hairy questions are asked about teen access to records, so when does Gillick become applied in practice and who decides?

The summary is a collection of their central questions and its discussion towards the end, which are just as valid for care.data today, as well as for considering in the Patient Online discussion for direct care access. I hope you’ll take time to read it, it’s worth it.

And what about the Children?

Some of our most vulnerable, will have their data and records held at the HSCIC. There are plans for expansion rapidly into social care data management, aligned with the transformation of health and social services. Where’s the discussion of this? Does HSCIC even have the legal capacity to handle children’s social care data?

How will at-risk groups be safer using this system in which their identities are less protected? How will the information gathered be used intelligently in practice to make a difference and bring benefit? What safeguards are in place?

“Future releases of new functionality are planned over the next 12 months, including the introduction of the Child Protection – Information Sharing application which will help to improve the protection of children who have previously been identified as vulnerable by social services.” (ref: HSCIC Spine transition)

“Domestic violence can affect anyone, but women,
transgender people and people from BME groups are at higher risk than the general population.”
(Ref: Islington’s JSNA Executive Summary – 9 – August 2014)

 

We must ask these questions about data sharing and its protection on behalf of others, because these under represented groups and minorities cannot themselves, if they are not in the room.

Where’s the Benefit?

We should also be asking the question raised at the event, about the benefits compared with the data already shared today. “Where’s the benefit?”, asked another blogger some time ago, raising his concerns for those with disabilities. We should be asking this about new dating sharing vs the many existing research databases and registries we already have, with years of history. Ciarán Devane wisely asked this on the 6th, succinctly asking what attendees had expressed.

“It will be interesting to know if they can demonstrate benefits. Not just: ‘Can we technically do this?’ but: ‘If we see primary care data next to HES data, can we see something we didn’t see before’?”

An attendee at the Healthwatch run care.data event in Oxford last week, asked the same thing. NHS England and IT providers would, one would think, be falling over themselves to demonstrate the cost/benefit, to show why this care.data programme is well managed compared with past failures. There is form on having expensive top down programmes go awry at huge public expense and time and effort. On NpfIT “the NAO also noted that “…it was not demonstrated that the financial value of the benefits exceeds the cost of the Programme.”

Where is the benefits case for care.data, to weigh against the risks? I have yet to see a publicly available business case.

The public donation

Like my museum membership, the donation of our data will be a gift. It deserves to be treated with the respect that each individual should deserve if you were to meet them face-to-face in the park.

As I enjoyed early evening sun  leaving the exhibition, the grassy area outside was packed with people. There were families, friends, children, and adults on their own. A woman rested heavily pregnant, her bump against her partner. Children chased wasps and stamped on empty cans. One man came and sold me a copy of the Big Issue, I glimpsed a hearing aid tucked into a young woman’s beehive hair, one amputee, a child with Down Syndrome giggling with a sister. Those glimpses of people gave me images I could label without a second glance. Disabled. Deaf. Downs. There were potentially conditions I could not see in others. Cancer. Crohn’s. Chlamydia. Some were drinking wine, some smoking. A small group possibly high. I know nothing about any of those individuals. I knew no names, no addresses. Yet I could see some familial relationships. Some connections were obvious. It struck me, that they represented part of a care.data population, whom buyers and researchers  may perceive as only data. I hope that we remember them as people. People from whom this programme wants to extract knowledge of their lifestyles and lives, and who have rights to express if, and how they want to share that knowledge. How will that process work?

Pathfinders – the rollout challenges that remain?

At the advisory group led meeting it was confirmed that pathfinders, would be chosen shortly.

[CCGs were subsequently announced here,  see related links, end of page for detail, note added Oct 7th]

But  the care.data programme is “still delivering without a business case”.  Despite this, “between two and four clinical commissioning groups will be selected, “in the coming weeks” to begin the pathfinder stage of the care.data programme, ” reports NIB meeting[8]

It reports what was discussed at the meeting.

“The pathfinders will test different communication strategies before moving forward with the data extraction part of the project.”

I for one would be extremely  disappointed if pathfinders go ahead in the ‘as is’ mode.  It’s not communications which is the underlying issue still. It’s not communications that most people ask about. It’s questions of substance, to which, there appear to be still insufficient information to give sound answers.

Answers would acknowledge the trust in confidentiality owed to the individual men, women, and children whose data this is. The people represented by those in the park. Or by the fifty who gave up their time on a sunny Saturday to come and ask their questions. Many without pay or travel expenses just giving up their time. Bringing their questions in search of some answers.

The pathfinder communications cannot be meaningfully trialled to meet the needs of today and the future design, when the substance of key parts of the message is uncertain. Like scope.

The care.data advisory group and the Health and Social Care Information Centre , based on the open discussion at the workshop both appear to be working, “anticipating things to come…” and to be doing their best to put processes and change in place today, which will be “in step with the future.”

To what extent that is given the right tools, time and support to be successful with all of the public, including our minorities, I don’t know. It will depend largely now on the answers to all the open questions, which need to come from the Patients and Information Directorate at the Commissioning Board, NHS England.

After all, as Mr.Kelsey himself says,

“The NHS should be engaging, empowering and hearing patients and their carers throughout the whole system all the time. The goal is not for patients to be the passive recipients of increased engagement, but rather to achieve a pervasive culture that welcomes authentic patient participation.”

What could be less empowering than to dismiss patient rights?

The challenge is: how will the Directorate at NHS England ensure to meet all these technical, governance and security needs, and yet put the most important factors first in the design; confidentiality and the voice of the empowered patient: the voice of Consent?

*****

This post captured my thoughts on the care.data advisory event Saturday September 6th.  “Minority voices, the need for confidentiality and anticipating the future.” This was about the people side of things. Part two, focuses on the system part of that.

*****

Immediate information and support for women experiencing domestic violence: National Domestic Violence, Freephone Helpline 0808 2000 247

*****

[1] Interested in a glimpse into the Matisse exhibition which has now closed? Check out this film.

[2] Previous post: My six month pause round up [part one] https://jenpersson.com/care-data-pause-six-months-on/

[3] Privacy and Prejudice: http://www.raeng.org.uk/publications/reports/privacy-and-prejudice-views This study was conducted by The Royal Academy of Engineering (the Academy) and Laura Grant Associates and was made possible by a partnership with the YTouring Theatre Company, support from Central YMCA, and funding from the Wellcome Trust and three of the Research Councils (Engineering and Physical and Sciences Research Council; Economic and Social Research Council and Medical Research Council).

[4]  Barbara Hepworth – Pelagos – in Prospect Magazine

[5] Questions remain open on how opt out works with identifiable vs pseudonymous data sharing requirement and what the objection really offers. [ref: Article by Tim Kelsey in Prospect Magazine 2009 “Long Live the Database State.”]
[6] HSCIC current actions published with Board minutes
[8] NIB https://app.box.com/s/aq33ejw29tp34i99moam/1/2236557895/19347602687/1

 

*****

More information about the Advisory Group is here: http://www.england.nhs.uk/ourwork/tsd/ad-grp/

More about the care.data programme here at HSCIC – there is an NHS England site too, but I think the HSCIC is cleaner and more useful: http://www.hscic.gov.uk/article/3525/Caredata

 

Launching genomics, lifeboats, & care.data

On Friday 1st August the media reported the next giant leap in the genomics programme in England, suggesting the 100K Genomics Project news was akin to Kennedy launching the Space Race. [1] [from 2:46.30].

“The UK is set to become the world leader in ground-breaking genetic research into cancer and rare diseases, which will transform how diseases are diagnosed and treated, thanks to a package of investment worth more than £300 million.” [DH press release, August 1 2014. [2] ]

Whilst Mr. Cameron & George Osborne visited the arson-damaged Eastbourne Pier, the lifeboat staff and firemen who attended, back in Downing Street, representatives led by George Freeman MP signed the £300M investment package, the next step in the genomic investment plan, with American Jay Flatley, CEO of Illumina.

Mr. Cameron first announced this research drive shared with commercial pharmaceutical companies on 6th December 2011 and famously said ‘every willing patient should be a research patient'[3] (video) and they would consult to change the NHS Constitution to enable it:

“…with their medical details “opened up” to private healthcare firms, says David Cameron.”

George Freeman_ 100K

This was the next step in the programme, hailed as an historic moment, a giant leap forward for genomics.

The photo call for the symbolic signing included Jay Flatley President, Chief Executive Officer and a member of the Board of Directors of Illumina, Inc, Sir John Chisholm Executive Chair of Genomics England & Chair of Nesta, together with Dame Sally Davies Chief Medical Officer and Mr. George Freeman [George 2] MP for mid-Norfolk, and the newly appointed Life Sciences Minister.

Fewer than twelve months before an election the Government has decided to commit commercially to a US based company, in a programme which Mr.Cameron himself said,  has had controversy. That c-word is one the Conservatives will want to avoid in the coming election campaign.

This Channel 4 [4] film from almost 2 years ago, (December 2012) raises many questions as valid today as then. At that time, in contrast with today’s approach, the programme suggests that consent for research and data use would be assumed for all.

The inestimable Jon Snow asked then, why is the Business Department announcing this [the launch of the pilot programme, when focused then first in rare cancers]? The public may understand that commercial pharma, charities and the State work hand-in-glove (as Mr.Cameron’s 2011 vision stated), but as Jon Snow asks, not yet understand how this commercial venture will benefit the NHS long term as well as individual patients and the public as a whole? Is it concrete on benefits to patients vs benefits to UK plc?

So what was the key press message which came over?

The coverage of the week since August 1st, expounded the belief that through Genomics England Ltd we will do away with  chemotherapy in the future. I believe this should be the source of a raging debate, but it passed by with little more than a few waves.

“We will look back in 20 years’ time and the blockbuster chemotherapy drugs that gave you all those nasty side effects will be a thing of the past,”said Jeremy Farrar Director of the Wellcome Trust, reported Sky. [5]

The original review given last summer to Genomics England including listing the rare diseases which may affect the 6% of the population, suggests one consideration, targeting those with very high likelihood of familial links and therefore success.[6] or Patients selected with a high probability of a single gene disorder. There are obviously great challenges in turnaround time for the genetic processing to be useful in clinical decision making. Considering whether or not it is timely or accurate enough to be of clinical benefit in acute cancer care clinical decision making will be vital. It is also what is being promised to patients who sign up, a faster, more efficient, improved offering on what is available already in the NHS genetic services today.

The interested population and profession would do well to get an independent medical update on the status of this, to understand it better if this is now established and its reliability, so what participants sign up for, is what they get on the tin:

“Results are provided for patients in a timely fashion (e.g. within 8 weeks) and with sufficient clinical accuracy (not yet established for WGS) [whole genome sequencing].” [page 3 of 8]

And what was the press result and public reaction to the news?

As one example, look at lunchtime on Friday August 1st, Radio 2 callers to the Jeremy Vine show. They included two undergoing chemo who felt they had to call  in, to tell others, chemo is not always as bad as it sounds and make sure you don’t give up on it, refuse treatment or wait for this new genetic solution.

The impression was given, there is a new wonder solution within grasp on the horizon. This seemed to me rather reckless and unfairly manipulative on the ill and vulnerable to give them a blanket hope, that their cancer treatment may become so much better, soon. These are real people’s lives, not guinea pigs with which one can feel free to trial hypothesis and hype. If anyone now refuses chemo as a result of the Friday fantasy projections, their health may have been directly impacted. I would like to have heard a DH or Genomics England press manager speaking, not allowing such public free rein, to ensure it was factually accurate. But I’m guessing that Genomics England as an ALB is not really ready for press yet [their public engagement and education programme isn’t ready yet they confirmed when asked in July in an FOI],  and the DH perhaps at arms length, thinks, it’s not their responsibility and outside their remit. Stuck in the middle, we have the commissioning body, NHS England.

How might this involve all of us, our NHS and cross into care.data?

In most recent memory, NHS England tried and so far failed in February 2014, to engage the public and clinicians in the extraction of our GP stored health records, in the care.data initiative. Care.data languishes in some sort of unknown black hole at the moment, with little public engagement and pilots promised ‘for autumn’. Both programmes are run under the auspices of Mr. Kelsey at NHS England Patients and Information Department, and arms length from the Department of Health. Last summer, Tim Kelsey and Sir Bruce Keogh presented a paper to the Board on Genomics and its interaction with NHS patient records. [7]

Given that the Genomics paper indicated that care.data and NHS held patient records were of paramount importance to NHS England I would like to have seen more transparency over this, including informed public and parliamentary debate:

“Issues of data ownership and transparency are of paramount importance to NHS England as set out in the Mandate and given the hugely positive developments in Care.Data. Geraint  Lewis is leading this work, and has begun work to consider how the sequencing data might be held, connected to patient records and subsequently be exploited. It will also look at the connections between this work and the establishment of care data in the NHS. The NHS England data and informatics team will retain oversight of the informatics and data work and discussions continue on how it can best inform and support the implementation of business plan of Genomics England Limited.”

NHS England Board paper, July 2013 [7]

There has been almost no public statement from NHS England on genomics and our data management in the same discussion, until now. George Freeman MP [2] said on BBC Radio 4 (Starting from 2:46.30 in interview with Sarah Montague:

“It’s absolutely not the care.data initiative discussed earlier in the year. This is 100K patients, all volunteering and all providing their consent. It’s completely anonymised data in the data set, the only person who would be able to come back to the patient and make a link with the genomics and the diagnosis, is their doctor. We’re creating a database so that NHS researchers and industry researchers, can look at the broad patterns. 90% of patients with that variation, get that disease, this drug works in 50% of patients…It’s completely anonymised, there is no basis on which you could make the link. The only person who can make the link is the NHS clinician.”

Whilst this is NOT the same initiative, it intends to use some of the same data for those people who actively consent to participate in the 100K Genome Project.

The data will be extracted from care.data [which ‘assumes consent’ or requires active opt OUT, depending how you view it] to include longitudinal, phenotype data across a person’s lifetime. I spoke to the Genomics England media team last autumn, 2013, which confirmed this intent at that time.

The trouble is for Mr. Freeman [2] and these statements, that the public knows ‘anonymous’ in care.data turned out to not be anonymous at all.  ICO and HSCIC [8] are still working this out. [HSCIC has just published its first review of pseudonymisation review 9] It was discovered that far from being released only to clinicians and researchers, our hospital data has been shared with all sort of unexpected third parties, without consent. [see the Partridge Review]. This surprised and shocked many, to public outcry and the resultant loss of trust [15] in the programme has yet to be rebuilt. So some listeners may well and understandably have had concerns that their data may be used for purposes to which they have not agreed.

Some say that genetic data by its very nature, despite stripping data identifiers, cannot be non-identifying, or stay that way:[16]

“It only takes one male,” said Yaniv Erlich, a Whitehead fellow, who led the research team. “With one male, we can find even distant relatives.” [Jan 2013]

“If they choose to share that’s a very admirable thing because by sharing freely, progress for everyone is accelerated, and if someone is not comfortable we should respect that too and find ways for them to still participate in research,” he said.

What are the next steps – or should we expect, one giant leap?

As regards care.data from all,  it is I believe reasonable,  that we should we ask: how we should expect our care.data to be used, and trust for what restricted purposes it will be extracted and stored for the future?  What mechanisms will separate consent for care.data commissioning from this kind of research? How will citizens trust this data sharing now as the Department for Patients and transformation care.data proposals seem still open ended in scope in particular for social care [17], and alongside other ever widening government data sharing? [18] How will the public know where the future boundaries of care.data scope creep lie?

If anything has been learned from care.data to date it must be this: We should  continue to ask for more public involvement in policy and planning,  not just the post-event PR if the state wishes to ensure success and prevent surprises. What happens next for this data programme, and for our national programme of genomics, 100K?

{Part two continues here}

******

[1] “It’s a hugely ambitious project, it’s on a par with the space race how Kennedy launched 40 years ago.” [from 2:46.30 BBC Radio 4 Int. Sarah Montague w/ George Freeman]

[2] Downing Street Press Release 1st August – genomics https://www.gov.uk/government/news/human-genome-uk-to-become-world-numb

[3] 6th December “Transcript of a speech given by Prime Minister at the FT Global Pharmaceutical and Biotechnology Conference” [https://www.gov.uk/government/speeches/pm-speech-on-life-sciences-and-opening-up-the-nhs]

[4] 10th December 2012 DNA Database concerns Channel 4 http://www.channel4.com/news/dna-cancer-database-plan-prompts-major-concerns

[5] Wellcome Trust- comment by Jeremy Farrar http://news.sky.com/story/1311189/pm-hails-300m-project-to-unlock-power-of-dna

[6] Strategic Priorities in Rare Diseases June 2013 http://www.genomicsengland.co.uk/wp-content/uploads/2013/06/GenomicsEngland_ScienceWorkingGroup_App2rarediseases.pdf

[7] NHS England Board paper presentation July 2013 http://www.england.nhs.uk/wp-content/uploads/2013/07/180713-item16.pdf

[8] ICO and HSCIC on anonymous and pseudonymous data in Computing Magazine http://www.computing.co.uk/ctg/news/2337679/ico-says-anonymous-data-not-covered-by-data-protection-act-until-its-de-anonymised

[9] HSCIC Pseudonymisation Review August 2014 http://www.hscic.gov.uk/article/4896/Data-pseudonymisation-review

[10] November 2013 ISCG – political pressure on genomics schedule http://www.england.nhs.uk/iscg/wp-content/uploads/sites/4/2014/01/ISCG-Paper-Ref-ISCG-009-001-ISCG-Meeting-Minutes-and-Actions-26-November-2013-v1.1.pdf

[11] Wellcome Trust August 1st 2014 The Genetic Building Blocks of Future Healthcare

[12] Fenyan – For successful technology reality must take precedence over PR https://jenpersson.com/successful-technology-reality-precedence-public-relations/

[13] Next Steps in the Sequence – the implications for whole genome sequencing in the UK – PHG Foundation, funded by the PHG Foundation, with additional financial support from Illumina. The second expert workshop for the project was supported by the University of Cambridge Centre for Science and Policy (CSaP) and the Wellcome Trust http://www.phgfoundation.org/file/10363

[14] Anti-elderly drugs proposals rejected by NICE: Channel 4 http://www.channel4.com/news/nice-assessment-elderly-health-drugs-rejected-contribution

[15] The Royal Statistical Society identifies a Trust Deficit

 [16] The Whitehead Institute for Biomedical Research in Cambridge, Mass in the WSJ, Jan 2013: “”It only takes one male,” said Yaniv Erlich, a Whitehead fellow, who led the research team. “With one male, we can find even distant relatives.”
[17] Adult Social care ISCG,  2014 http://www.england.nhs.uk/iscg/wp-content/uploads/sites/4/2014/01/ISCG-Paper-Ref-ISCG-009-002-Adult-Social-Care-Informatics.pdf  “Personalisation – citizens should increasingly be empowered to have choice and control over their care; and there will be increasing numbers of people funding their own care and caring for others”

*****

For avoidance of confusion [especially for foreign readership and considering one position is so new], there are two different Ministers mentioned here, both called George:

One. George Osborne [George 1] MP for Tatton, Cheshire and the Chancellor

Two. George Freeman [George 2] MP – The UK’s first-ever Minister for Life Sciences, appointed to this role July 15th 2014 [https://www.gov.uk/government/ministers/parliamentary-under-secretary-of-state–42]

*****

Hear no evil, see no evil, speak no evil – the impact of the Partridge Review on care.data

3wisemonkeysThe Partridge Review came out on Tuesday 17th and everyone should read it. But not just the summary. Both the full version and [1] summary are here.

So what is positive about these massive revelations? At long last it appears that the hands have come off the ears and the real issues are being listened to.

My summary: “NHS England cannot now put a hand over its eyes & hope care.data issues are only about communications.”

I feel somewhat relieved that the issues many have been concerned about for the last ten months, have now been officially recognised.

Amongst them,  it has confirmed the utter lack of clear, publicly transparent and some quite basic, governance procedures.

It’s no surprise then, that our medical records, on at least two occasions in this sample 10% review of the releases, have gone to undocumented destinations. (Let’s ignore the fact of the other 90%!? of which we have no visibility yet).

At least eight insurers or re-insurers were in this 10% sample, so how many times did such companies get it, in the other 90% which has not been reviewed and we haven’t heard about?

How will ‘promotion of health’ purposes exclude them in future? In my opinion, it won’t.

Why would an insurance company be excluded if it requests data in order to provide health care coverage?

This is the wording of the Act, not ‘for the benefits of the NHS’ or any other more ‘friendly’ patient facing framing.

Care Act 2014At the NHS Open Day on Tuesday, the same day as the release, a panel spokesperson stated that commercial information intermediaries [2]  will continue to be approved recipients. Gah – why this is such a bad idea, I wrote about here. [3]

The Partridge review said there had been no complaints.  [4] MedConfidential pointed out an example of those of which they know. Kingsley Manning told the Health Select Committee [5] on 8th April, there had been seventeen opt outs of Hospital Episode Statistics, ever.  Fourteen in 2013 and three prior to 2013.

“Q377Chair: There is not an opt-out rate for care.data yet, presumably.

Kingsley Manning: No, not on that, but in terms of the number of people who have acted to opt out, it is 3 opt-outs up until April 2013 and a further 14 opt outs since 1 April 2013.”

Would I be wrong to suspect each was accompanied by a  complaint? You don’t usually opt out of something you are happy with.

The reason for these low numbers of both complaints and opt out in the wider public? WE DID NOT KNOW. The public didn’t know we had anything to be unhappy about. Many still do not.

As soon as I fully understood the commercial selling of my family’s patient records, this below is the query for advice / complaint I made in January to ICO, before the launch was postponed.

I wanted some guidance from an outside body, because I was being told the law permitted this extraction, so what good would a further complaint to HSCIC do? I had already written to my MP and had a response from the Secretary of State / Department of Health (which tried to tell me patient identifiable data was not shared with third parties), as well as feedback to my concerns raised by email with HSCIC, all of which only tried to reassure me. I had no one to otherwise raise concerns with. The ICO advisor I spoke to told me at that time, that they had had many similar complaints.

I’ll be blunt and say now, especially since the Open Day [more on that later, especially on the content of care.data FAQs we received], I think it’s fair to say I am far better informed about care.data than most in the public. When Mr. Kelsey asked for a show of hands, how many had heard of care.data, all put their hands up. Bearing in mind the rooms were full of highly involved people, NHS England staff, CCG and PPG leaders, and few ‘ordinary patients’ like me, and the agenda contained a section on care.data, it’s unsurprising we had heard of it. When Mr.Kelsey asked, “how many of you understand what it is?” the response was around 50%. I’d dispute also, that all of those 50% truly do.

Some of the comms material we were given is factually incorrect, for example, around research. Currently, GP held data planned for care.data extraction and its merger with HES, into Care Episode Statistics (CES), is approved for commissioning purposes but not for research by the GPES group. It’s not approved for research purposes, so its no good telling us how good it is to have it for the benefit of research. What has already been released for research, and continues to be so, is what was already extracted in the past, with or without consent, and informing patients.

Records will not be deleted which raises all sorts of historical reporting concerns if mistakes are identified in retrosepct.

I have spoken with several NHSE Communications people who genuinely asked me, or left me asking the question for them in my own mind, “If I don’t understand it, then how is the public expected to?”

The concerns I had now almost five months ago, seem vindicated by the report. The actions taken since, the loose wording of the Care Act 2014, and little evidence of intention to make any change which is binding i.e. the opt out is only granted at the whim of the Secretary of State, it’s not statutory and that there is no independent governance to be put in place , have done nothing to bolster my confidence these gaps have been filled.

Simon Denegri, Chair of INVOLVE – the UK’s national advisory group on public involvement – and NIHR National Director for Public Participation and Engagement in Research, wrote a response on his blog [6]. I agree with the spirit of his post, and positivity, [he also writes excellent haiku] but where I disagree I outline below. There is room for positive hope for care.data, but first, let’s properly address the past.

“I am sure that many better informed people than I will pore over the detail. Others will use it to strengthen their case that we should put a stop to any manner of data sharing.”

Perhaps most key, I disagree with his fears the report could be used by ‘others.’ I don’t know anyone who wants to see a stop to ‘any manner’ of data sharing, including me. It’s the *how* and *why*  and *with whom*  that still needs work. Some of us may not want it without active consent, but that is part of the how, not if.  It’s not *any* manner that I object to, it’s *this* manner specifically.

I have read the Review in detail and whilst there is much positive in attitude in the Review, the reality of what difference this will make with any real bite, is hard to find.

For example, “The HSCIC will plan a new ‘data laboratory’ service which will protect the public’s information by allowing access to it in a safe environment with HSCIC managed networks and facilities.”  But this is with caveats, as it’s the “default,” Tim Kelsey said on Tuesday to the NHSE Open House. It does not mean *all* and if global third party intermediaries and business intelligence companies are still to receive data, then I can’t imagine the  global likes of IMS Health, or Experian, or Harvey Walsh will send someone along to Leeds every time they want to extract data. Who will  be given special permissions and how will they be decided and recorded, how will it be documented what data they access, if they get a free pass?

Unknown others have direct access to the HES system now through HDIS. Public Health should rightly use our health data, but a  transparent list of all approved organisations here too, would be a positive step.

Simon’s post continues,

“As you would expect from a previous Chair of INVOLVE, Nick Partridge, has secured fundamental changes in the governance of HSCIC and data releases going forward.  These include patients and the public sitting on the main committees reviewing data releases, open publication of data releases and a programme of ‘active communication’ with the public”.

Patients and public on the DAAG committee. If they are informed about data governance law and good practices, yes, if it’s just ‘representative’, not so useful. But DAAG is HSCIC staffed, and HSCIC has a legal and policy remit from the Department of Health and in its roadmap to distribute data, and will create ‘a vibrant market of data intermediaries’, as it would be wrong to exclude private companies simply on ideological grounds.  So the concept of ‘independent’ is flawed. Where are the teeth needed to reject an application, if it’s in the interest of the reviewing body, to accept it?

“It’s my view that the Partridge review, its recommendations, and the swift response from the Health and Social Care Information Centre (HSCIC), offers us the opportunity of a fresh start with the public on this issue.” [S.D.]

This could be used as an opportunity to brush the past aside and say time for a fresh start, but it can only be so if there is confidence of change.

NHS England cannot now put a hand over its eyes and hope the issues go away or that it’s only about communications.

The past needs fisking, issue by issue, to avoid they happen again. And the real risks need addressed, not glossed over. Why?

Because let’s assume the public all thinks it’s fine, and none of us opt out. Then through these still flawed process holes, a huge data leak. The public loses trust all over again, and the opportunity for the care.data benefits is lost forever.

Get it right now, and you build a trustworthy and seaworthy future, for the future public good.

There are other more detailed questions I would raise, [I previously worked in functional database design amongst other things] and I will believe these recommendations will have an effect, if and when I see the words become actions. The Review by PwC and Sir Nick Partridge is a positive listening and speaking exercise, but the plans must become reality with actions, some under legislation, in my view.

And perhaps the simplest, unspoken point seems to being deliberately ignored as if just not seen, unmentioned, except by data protection gurus [7]. There is legal obligation to provide information to citizens before their data is released, in a transparent way, to whom and for what purpose. What happened to Fair Processing? [8] Past and present?

Sir Kingsley Manning, Chair of HSCIC, asked in the Guardian on 22nd January [9] that we have ‘intelligent, grown up debate’ about data sharing. Well my hand is certainly off my mouth. I wrote a feature in my local paper and I’m still speaking to anyone I can to promote fact-based informed decision making.  But wider Public Debate is still sorely lacking [BBC Question Time anyone?] Through it, I’d like to encourage wider knowledge of the why, who and what of secondary purposes of data sharing and to ensure we can get it done transparently and safely.

Why?

To ensure we, as patients, continue to trust telling our GPs and hospital consultants all the information that we need to, and have no fear it will be held against us by an insurer or others.

We need to trust we will not be penalised whether through disclosure, by stigma and exclusion from policy or care; or whether by opting out, we could be penalised for not participating and not get ‘advantages’ offered to others, just like store loyalty cards.

We may think the insurance debate is irrelevant, if like me, we are not ‘self-payers’ or don’t use a private insurer. With a £30bn gap in planned budget and needed spend over the next five years, someone is still going to be paying for our healthcare.

If it’s not the State, then who? The risk more of us will pay for our own care in future is real. If not for us, for our kids, and their privacy will be a whole different ball game if genomics gets involved.

Meanwhile, we are told for care.data identifiable personal data is crucial for patient safety tracking. In my opinion, patient safety will be harmed if confidence in confidentiality fails. The relationship between clinician and patient will be harmed. And no number of Dr. Foster Intelligence reports by tracking quality or safety, will be able to fix those failures which it has helped create.

Perhaps most tellingly, NHS England is still to make a statement on the Review. There is no news yet here.

It still seems to me the NHS England leadership and its data sharing policy carried out through IC past and present, wants to continue without grown up debate under the PR motto ‘it’s all going jolly well’, and to act with the attitude of a teenager, who with a shrug of the shoulders will tell you:

‘It’s easier to ask for forgiveness than permission.’

***********

January 25th, 2014 – my ICO complaint / guidance request

{abbreviated only to show  issues I feel still need addressed}

Dear ICO
I would like to ask for your urgent advice.

I am a mother of X children under 12. […] Our confidential patient data is being extracted via care.data to the HSCIC. Until my recent research to understand what this was all about, I did not know that HSCIC stored all our patient confidential health data from all sorts of health providers: Hospitals, Mental Health, National Child Measurement Programme, [10] Immunisations and Health visitors.

I have not knowingly given my permission for our data to be stored or transmitted to or from HSCIC in any format in the past. If by signing a consent form for treatment I also signed consent for sharing with this central body, it was without my knowledge and therefore without informed consent.

I have significant concerns over its use, now that I understand how widely our patient data may be used and now even shared abroad. [11] […]

There is no public information on :

1. How long our data will be stored for  – data retention and data deletion and cross border governance
2. There is no opportunity for health record deletion of anything which was simply a mistake i.e.: recorded on the wrong record, or a misinformed opinion on lifestyle entered by the GP, not fact
3. How will future governance be assured that it will not be slackened to allow less strict pseudonymisation, and identifiable releases; for example to US firms who establish themselves in the NHS England healthcare market?

I do not believe that the legal rights created through the Health and Social Care Act are sufficient justification to overrule the Common Law of Confidentiality, and the Data Protection Act 1998. [And the data shared before 2012 was not covered by the Act which did not exist and was not retrospective.] Even if the dissent codes are applied, patient data has been or will be extracted to the HSCIC (without my permission) and it will contain identifiable items such as clinician name, practice and CCG locations, and referral dates which may be used as identifiers to connect with HES data stored at HSCIC – since HSCIC also holds data in the Personal Demographics Service [PDS], [12] I believe they may also link the data [13] then to my personal demographic identifiers. Just an undefined or internal  governance procedure to suggest that they would not, when it is technically possible, is not sufficient oversight. […]

I do not consent for the use of our [hospital HES or other] data in health research – because it has not been explained to me, what that term means and the implications of this assumed consent.

I cannot know what the other future uses will be for our health information stored today. I do not feel that I can apply any fair processing to their health records due to the lack of publicly available information and scope of the full uses of their data today and in future. […]

Sincerely,
Jen Persson
XXXXXXX

———————————

[1] The Partridge Review Summary and Full report http://www.hscic.gov.uk/datareview

[2] On selling data to Intermediaries and the governance which permits it  https://medconfidential.org/category/press-releases/

[3] Commercial users of NHS patient data – third party use – my blog https://jenpersson.com/flagship-care-data-2-commercial-practice/

[4] Complaints and why confidence needs restored https://medconfidential.org/2014/press-release-partridge-review-patients-need-proof-to-restore-confidence/

[5] Health Select Committee 8th April 2014 http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/health-committee/handling-of-nhs-patient-data/oral/8416.html

[6] Simon Denegri’s blog response to the Partridge Review http://simondenegri.com/2014/06/17/partridge-reviews-elegant-demolition-of-past-practice-on-personal-data-offers-opportunity-for-fresh-start-with-the-public/

[7] Information Rights and Wrongs – Jon Baines’ blog http://informationrightsandwrongs.com/2014/06/18/the-partridge-review-reveals-apparently-huge-data-protection-breaches/

[8] ICO Processing Data Fairly and Lawfully http://ico.org.uk/for_organisations/data_protection/the_guide/principle_1

[9] The Guardian, January 22nd 2014 ‘Lack of Debate on the Sale of Patient Information‘ http://www.theguardian.com/society/2014/jan/22/debate-sale-patient-information?CMP=twt_gu

[10] National Child Measurement Programme data managed by HSCIC http://www.hscic.gov.uk/ncmp

[11] Data use in the USA Memorandum between DH, HSCIC and the US  Dept of Health and Human Services to include exploring secondary stores http://www.healthit.gov/sites/default/files/hhsnhs_mou_final_jan_21.pdf

[12] Personal Demographics Service http://systems.hscic.gov.uk/demographics/pds/contents data already stored at HSCIC

[13] Data Linkage Service at HSCIC to manage the requests for data which is stored in different silos and brought together on request http://www.hscic.gov.uk/dles

Image courtesy of an interesting post on the history of the featured monkeys: http://frontiersofzoology.blogspot.co.uk/2013/04/why-are-three-wise-monkeys-usually-apes.html

No Security Blanket – why consent packages fail our children – care.data and more

As a mother, I want to know that my children’s personal data, when it is collected by any organisation, will be kept safe and used in ways I would expect. I see it as my responsibility safeguarding my children today, to also think of their future.

We should seek to protect the fundamentals in the Universal Declaration of human rights for all:

Everyone in the community should find the free and full development of his personality is possible. Everyone has the right to work, to free choice of employment.

In effect, these basic human rights seek to prevent discrimination and interference.

But it feels as though the world around us in England has gone mad. Risking stigma, discrimination, giving our kids’ personal information quite freely away and with it, their future autonomy.

Here’s five recent case studies and why they fail our young people.

The Department of Education’s National Pupil Database & Personal Demographics Service

What About Youth is reportedly using contact details directly from the Personal Demographic Service (PDS) data stored at HSCIC and the schools’ database, the Department of Education’s National Pupil Database, and giving them to IPSOS Mori, the poll research organisation to carry out the What About Youth? study on behalf of the Health and Social Care Information Centre, funded by the Department of Health. To contact our 14-16yr olds directly.

“Your contact details were taken from NHS Registration data, held by the Health and Social Care Information Centre and the Department of Education’s National Pupil Database, which contains details of every pupil in England. The NHS Registration data has been used as it is a reliable source of details such as name, address, date of birth and NHS Number. It does not include any medical data so we don’t know anything about any illnesses or conditions you have had or received treatment for.

We have received approval to use your contact details only for this study. We won’t be using them for any other purpose, nor will we share them with anyone else. “

I don’t know that any parent would find that an expected use of their personal contact details to be contacted by the third party directly.

How is the questionnaire coded I wonder, whilst “the answers will not have the child’s name and address on, so no-one who sees them will know whose they are,” the “aim of the study is to make it easier for doctors, nurses and local authorities to help young people.” So it would appear Local Authority is going to be coded at least. And your individual postcode. And child’s age and gender and ethnicity and more.

If the child (14-16yr olds) agrees to being re-contacted, I would want to know as a parent exactly how, when and for what. But parents are encouraged not to influence the child completing the form, so we may never know. The survey asks about all sorts of insecurities, not all of which I believe every 14 year old will have yet considered. Is it right that the State should intrude with these topics into my child’s private time and thoughts? The content deserves scrutiny from parents before the children are involved. At least, not done in school, we get a letter and know about it at home.

But how can the project ethically ask my child to give their consent to share intimate details not only about themselves but about our whole household and potentially agree to future contact, whilst expressly asking me not to be involved in the decision?

I wonder how pupils will feel whose parents suggest they would prefer their child does not complete it?

Surely if the Department of Education’s National Pupil Database is obligatory it should not assume OK to give out personal contact details to anyone? Some families choose to be ex-directory. Does the cross-purposes use of the Personal Demographics Service make that now impossible?

Should our children and parents, who trust that their personal details are used for registering for the basic rights of health and education, not be allowed to trust those contact details are held in confidence, rather than shared with third parties?

What is the government thinking about, as it manages our young people’s data privacy?

The National Citizen Service and Health Data stored at the Health and Information Centre

While I was looking more closely at the DAAG (HSCIC) minutes this week as related to care.data, I looked at the approval for consent advice and request for future data linkage with the National Citizen Service (NCS) project, open to all 16 and 17-year-olds in England. The request checked that the consent was appropriate for future sharing of Mental health and Hospital Records with the Cabinet Office.

While I was at it, I took a look a close look at the NCS sign up process. At the bottom of the online register in small print was the required check box to proceed:

I agree to my personal data being stored, shared and used by the NCS Trust and other organisations to inform me of NCS and graduate opportunities and to support the delivery of NCS and its graduate programme. I agree to the NCS Terms & Conditions and Privacy Policy.

Then you need to click down twice, to the T&C and Privacy Policy.
From the Terms&Conditions we need to take another step:

Information about you : We will never pass any details you provide to us on to anyone other than those specified in our privacy policy.

You also need to go to the separate Privacy Policy. which turns out stating there is virtually nothing private about managing your personal data after you enquire at all – but is in fact a  ‘Data Sharing Policy’:

 “By submitting the Expression of Interest form you agree to your personal data being stored, shared and used by the NCS Trust (the data controller) and the following organisations: NCS contractors and their sub-contractors, government bodies, strategic partners of NCS, fraud detection organisations, organisations supporting the delivery of NCS or other organisations (including any organisation running or supporting all or part of NCS in the future).”

You must agree or cannot proceed with the application.

Where does the consent to link to a child’s medical Mental Health and Hospital records get asked I wonder? Does it get expressly asked later in the project or on paper because it does not get asked online in the Young Person nor the Adult/Guardian’s sign up. Is this the consent process the DAAG approved? Is it just meant to be included in the blanket “government bodies”? Perhaps the wording is still to be amended?

Sign the child (and your own ‘Guardian’ details) up for NCS and there is no choice but to accept that data sharing agreement. You must accept it to sign up for the programme but there is an open ended who, when and for what in the blanket consent …”supporting all or part of NCS in the future.” The NCS sign-up and consent doesn’t explicitly mention sharing data with named sub-contractors anywhere either.

The charities involved may do great work. But why Serco? Is this the organisation that we would wish to be managing our young people’s personal data? Think I agree with Navca on this one. By signing away rights …”in the future,” we have no idea WHO will own the data  later.

Should our children who need this NCS programme most, not be allowed to particpate unless their personal and potentially medical details go to all these unknown future places?

UCAS and student applications – further education

When I read recently in the Guardian about Ucas selling student records of our under 18s applying to university I was equally surprised.

At a time when teen deaths from alcohol consumption often mixed with energy drinks appear regularly in the news, it is highly irresponsible to me as a parent, to know that a commercial company promoted new energy drinks by sending cans to 17,500 selected students in order to create a “social media buzz”. I know from my own experience, university is often the place we are first exposed to a regular bar life. And so does business.

This goes far beyond the scope of what our teens signing up should expect their data to be used for. Who will decide what products and what uses of data will be acceptable in future?

I am fed up of these blanket consent approaches which deny a service unless we also sign away the knowledge of our personal habits and preferences for others to commercially exploit.

This mixing of purposes in which data privacy is to one’s disadvantage, is an abuse of trust. And it is the importance of trust and exploiting mixed purposes, which for me, has been so starkly highlighted in the management of our medical records.

Dental Service – the NHS Business Service Authority


When I signed the form to pay for my recent dental treatment I read the small print. The Dental Admin Assistant shared my surprise to find that the data processing takes place outside the UK, and requires data sharing with processors in ‘India or Sri Lanka.” WHO WILL USE IT WHERE and FOR WHAT PURPOSES? I am required to sign the form to agree to pay for my treatment. It gives permission to share with Dept of Work and Pensions, HM Revenue and Customs, local authorities and CCGS (then PCTs). But why should the one signature to bind them all, mean sending my personal confidential data abroad, outwith EU data laws even?

Is there fair processing on this form, does it indicate properly for what purposes the wide ranging bodies will be given access? Surely they don’t all need it for “fraud prevention and to ensure correctness” about my dental check up?

If the government bodies are all working together and can share data at will under these blanket assumptions, without our explicit consent or knowledge, then a great number of people will be rightly concerned. I am concerned by powers this Memorandum gives NHS Protect and the Border Agency from 2011 and I am a legitimate resident. ” To provide a centre of excellence for NHS anti-crime work by applying a strategic, coordinated and intelligence led approach.”  I only went for a scale-and-polish!

This default to wide sharing seems to be increasingly seen as the norm. Surely it should be assumed that the minimum data should be shared with the minimum necessary recipients? Current policies seem to have confused a drive for Open Data with giving away our privacy.

How could it be done differently?

If I sign a form to pay for my dental treatment, surely it should be only that. If you want other permissions, ask in other check boxes. I believe our NHS should be managing our NHS data within our borders, but that is a separate debate.

This blanket consent approach excludes the service unless you are happy to give open ended access to your personal data to Government and its contractors.

Should I not be allowed to have NHS dental treatment, for which I pay on completion, unless my personal details go to all these other places?

Let’s consider an alternative. Enable the ability to say yes to paying for my treatment, without sharing fully identifiable data with other government bodies or sending it abroad.

It is one thing to share truly anonymised data. And quite another to extract identifiable personal details for at minimum ten years or longer. Time limit the consent.

If the 14-16yr old on the What About Youth questionnaire agrees to ‘future contact’ they presumably are agreeing to  having identifiable data and contact data kept with their answers, to enable that future contact.

If children agree to the NCS blanket sign up, they are signed up for an unspecified time. These sign ups remove our children’s autonomy later in life, and they can never get it back.

Right now, I wouldn’t let my children’s personal data anywhere near any of these systems if I wanted to retain any future control of it at all. But do I have a choice? My children are in school, and that will mean in the Department of Education’s National Pupil Database. And they will have NHS records. I see some subject access requests ahead.

Given past historical purposes of the ONSET project at the Home Office, Contact Point and DWP I would want to keep my kids’ data free from all of these.

Some may ask, why does it matter?

Because this joining up of services is interweaving systems whose aim is on the one hand compassion and care, with those on the other which are punitive and controlling. Their aims are not aligned. And inevitably it is the systems which shout loudest, under any government of the day, whose opinion tips the balance of purpose and decision making. And recent claims of micro managing in Health show, top down control usually wins.

Because I believe the earlier we label our children the harder it is for them to become anything more.  Inevitably labels shape expectations. Not only for the individual but those who interact with them. It is only the very best educators and social care staff or police or medics who manage to put those aside and see the individual in each episode of contact. The future intent for care.data is integration of data sharing between medical contact, social care and education, under local authorities, health and wellbeing boards and more. How far would the impact of one wrong label spread in a child’s lifetime, in different places?

Because our children should enter adulthood with as few restrictions placed upon their development and self-determination as possible. Even, I would argue, those children who need the contact with all those organisations. I could argue, all the more so, precisely because they have those extra needs and contact. They may need excellent care and transition between youth and adult services. They need it facilitated first and foremost by qualified individuals who are trusted to do the job they trained for and have a vocational passion to complete. Yes the staff need data, but proportionate to the individual need, for the time period it is needed. We need to protect the extra vulnerable in many extra ways.

And we also need to protect the fundamentals in the Universal Declaration of human rights for all. Everyone in the community should find the free and full development of his personality is possible. Everyone has the right to work, to free choice of employment. In effect, these basic human rights seek to prevent discrimination and interference.

Our young people don’t care about the risks of personal data sharing?

Our young people are more savvy than we give them credit for. In a world of shared selfies and social media, it can be wrongly assumed that they are careless with their own privacy. This  Electronic Patient Records work run by the Academy of Engineering in 2010, with support from the Wellcome Trust, came out with a report and seven key questions p.39 which are very pertinent today. The young people identified themselves the risks of prejudice and discrimination. The concerns they raise are no different from concerned adults. Our young people are switched on to the risks of personal data sharing.

When it comes to our children’s data, organisations should be going the extra mile to be transparent. I believe they should carefully consider how the public will perceive anything that looks hidden. Consents should be all up front on the top layer of sign up forms. One consent per sentence. If you want to contact my children, ask me first. And if you offer a public service, would you consider first not piggy-backing a commitment to sharing with other bodies or commercial companies on to the consent package?

Why these blanket consents fail our children

These blanket consents are ubiquitous in modern data sharing, from the obvious supermarket sign ups, to which even David Cameron does not consent, to the totally surprising in education and health. Yet he happily signed us up under a blanket assumed opt in to be ‘willing research patients.’ This mixing of purposes under one blanket consent, in which looking after your data privacy is to one’s disadvantage, or criticised as selfish, is an abuse of trust. And an abuse of our children’s future freedoms. They fail to give proper governance of who will own the data once shared. They fail to give proper information of what it may be used for. And they fail to clearly limit the time period for which the consent is given, and after which data will be destroyed.

Not only trust, but the needs of genuine purposes in the public interest are undermined by mixing all these purposes into one consent. Worse still, assuming yes for all these conflated uses unless you opt out.

If there had been singular purpose, care.data would have been easier to understand and less likely to have failed to win our support.

I for one, am fed up with blanket consent. We can do it differently. We can do better for our children.

 

{cartoon: From Al.com via Scott Stantis 2007}

care.data – Transparency and Remit vs Truth and Responsibility

A year ago Big Brother Watch wrote that an opt out right had been won from the original plan to extract all our GP records without any choice. Caught trying to avoid the DPA and Fair processing, ICO recommended the need for a public awareness campaign.

At that time, I was a merry mother unaware of the machinations of our civil society. Then the powers-at-be closed my local mini blood mobile (I had just started as a donor) and decided to sell off our plasma supply, which was considered a rather poor idea so I read all the Annual Reports and asked questions about it. And I started to pay rather more close attention to what was going on in health. Now I listen to Radio 4 not 2, I buy papers (actual, printed versions) and would you believe, watch Parliamentary TV. And if you want more scandal which actually matters more than your average soap, you should too.

On the 8th April the Health Select Committee (at least part of it) interviewed Sir Kingsley Manning and Max Jones from the Health and Social Care Information Centre. The hope for us, as citizens and patients whose data this current debate is about, is that we will gain insight and understanding into how our medical records have been used in the past and are being so now. This will enable us to trust in the intent of how HSCIC will handle our patient data in the future, whether under the care.data or any other label.

If HSCIC and Government wants to achieve this, they seem to be going a backwards way about it.

Stop talking transparency and remit, and start talking truth and responsibility.

The question was asked how decisions are made within HSCIC by their Data Access Advisory Group about our patient data management. Specifically, it discussed the subject of an application from last summer by the Cabinet Office OC/HES/030 – Project National Citizen Service Data Linkage Project. It was included only 6 months later in the January 2014 minutes.

The very application title, reveals its intent, to link the mental health and hospital records of our young people who take part in the National Citizen Service together with their NCS project gathered data.

Caught with this concrete ‘Out of Committee’ governance approach, the HSCIC staff were both adamant in response to the MP’s question in insisting that no data was shared. 

“Q230 Barbara Keeley: What was requested was linkage of data, wasn’t it? It was linkage to medical data.
Kingsley Manning: No, he was asked by the Cabinet Office to give professional advice on the consent model they were considering. He gave that advice, which was a perfectly sensible thing for him to do. That was the end of the matter.”

Well, I’m sorry but I’ve read the document, And the DAAG minutes say clearly “The intention was to link to HES/MHMDS in the future.” I paste it below.

So, that was not the end of the matter, but is in fact the beginning. The intent is for future data sharing. Our young people at the start of their adult lives, by the very fact of taking the initiative and enquiring to take part in the Activities / Community Project-based work of the NCS, will find their intimate health records linked with the project data, with an unspecified end date.This is a real and active request which was approved, not some past mistake to dismiss. It was and still is approved,for future data sharing.”

Whilst I may believe HSCIC that no data was shared last summer,  and I might believe you were trying to be factual in answering the question, I do not believe that even you could think that consent advice was the sole intent of the DAAG approval, had you read the minutes of your own DAAG meeting. And clearly you had or would not have been so adamant in the answers.

The Guardian article Mrs. Keeley MP mentions, also had their own opinion of the relationships between the parties involved.

Bizarrely almost, we are repeatedly told as reassurance that any organisation with access to pseudonymous health data, which tries to re-identify the individuals whose data it was, would be doing so illegally. Yet the Cabinet Office wants to take medical records and match it to known individuals on their youth programme and keep and share those enriched records without it seems, any qualms at all?

Our trust needs to be based on absolute truth, not manufactured transparency. Truth is bigger and complete with background intent. Not just scraping out the minimum facts in carefully worded language to be legally compliant.

To increase our public trust, we have been told we will know who has had our data in the past, when and for what purposes. In Parliament on March 25th Dan Poulter Health Minister said,  “a report detailing all data released by the HSCIC from April 2013, (including the legal basis under which data was released and the purpose to which the data are being put), will be published by HSCIC on April 2.”

It didn’t happen. HSCIC made available only some. Those made under some sort of data agreement. What of those with direct access to HES at their site, or the police, others have asked?

The Commissioning Board NHS England, tells us repeatedly that they contacted every household in England by leaflet to tell us about care.data and our ‘choice’ to object.

It didn’t happen. Many did not get a leaflet, not just those who opted out of junk mail. Tim Kelsey said he was looking into it. With urgency. Two months later, not a cheep!

So far, we have no report or indication there will be any. Why there were not enough or not delivered leaflets? What they are doing to fix that? It cost the equivalent of at least 50 nurses’ annual salary and the best publicly avaialble information we have from the Information Commissioner’s Office, is that it should never have gone ahead at all. 

So who is taking responsibility for that? Over £1M of public money junked through some letter boxes for the dog to eat. Which no one could understand because it was deliberately obtuse.

And so we come to our future Data Controllers HSCIC. Who seem to have no control at all.

Based on their own admission they have no idea where our medical records are being used, by whom today, and yet we are expected to trust them to use care.data wisely in future?

Barbara Keeley: So have you got the information because I have asked for it twice, but not been given it? For all those 249 organisations with a commercial reuse licence, can we know who all the end users of our data are?

Kingsley Manning: No, because they are using it and putting it into additional services. So, for example, a company such as McKinsey or KPMG would have used it to support Monitor or the NHS TDA in advising on the transformation of health care services.

The Chair of the Heath and Social Care Information Centre has no idea know who has our medical and personal confidential data or what they are using it for.

You get the feeling now, that they are only looking into all of this because they got caught having had no audits in the past of data recipients. Sir Nick Patridge is now leading a review due in a couple of weeks. I sincerely and respectfully hope that his review is more transparent than the last.

Who has taken responsibility for where we have got to in the last year?

Government? Mr. Poulter, Hunt or Cameron, whose plan is this anyway? There has been nothing but dismissive comment which fails to address serious issues and party political point scoring, or no comment at all but how “fantastic for humanity” it will be. Yet care.data is meant ‘only for commissioning.’ See why we’re confused Mr. Hunt and Poulter when you both claim care.data has entirely different purposes? Where is the truth we can trust?

NHS England? Mr. Kelsey now seems to be hiding behind a tree. Or perhaps playing jazz as he tweeted the night before the Public Health Select Committee the last time. Whilst I appreciate it was at a health conference, Nero and Rome sprang to mind. I’ve asked nicely and been ignored, what happened and who is fixing it? Will there be some sort of public progress announcement from NHS England, perhaps from Ciarán Devane, who is on NHS England Board and now chairing the Care.data Advisory Committee trying to latch the stable door? There’s just been stunning silence since the pause announcement.

HSCIC? Clearly nothing to expect from them. Because Kingsley Manning and Max Jones seemed to believe everything was in their remit, legal, and not their fault if the directions from government and NHS England allowed sharing data with all comers. And their Get-Out-of-Jail-Free-Card, they shared concern with the Department of Health about the publicity campaign. (Admittedly, 3 months after the GPES advisory group and others had done so).

Amazingly, Kingsley Manning seemed to thrust the opt out rate from HES into the arena as some sort of achievement. in terms of the number of people who have acted to opt out, it is 14 over the past four years.”

Which only confirms how few of us knew HSCIC stored it and could link Secondary Uses data with Personal Demographic data on demand. (Compared with how many are opting out now we know, of care.data).

And whilst until this whole debacle I and most of the public did not know our hospital records were shared with any other organisations, beyond the NHS and legitimate public research, we now find the gradually closing net around our health data uses, means understanding it has gone to all sorts of commercial organisations. And clearly HSCIC has been caught doing something which now feels wrong even if legal, the HSCIC defended not the action, but their legitimacy for doing so:

Kingsley Manning: We operate according to the Act as it has been passed. We make decisions on the basis of the current regulations. It is not our job to make a judgment on whether we agree or disagree with the nature of a commercial organisation. That is not a criterion on which we act.

Q270 Barbara Keeley: So you are prepared to release even sensitive data out to organisations that just want to do a price comparison website on different pay procedures between different hospital consultants. That was what you did.
Kingsley Manning: I am terribly sorry, but we are bound by the law and the regulations. Under the current regulations that is perfectly legal and legitimate. Indeed, it is arguable that it is a benefit to the health and social care system as a totality. That is an argument that you, Parliament and the public will have to consider.

As part of the public, I have considered it. Too often in the last 8 months. Even whilst making yellow pea soup today, I was thinking how wrong it is for the government to sell our confidential data without having asked us if they could have it in the first place. To take something without asking, we teach our children, is wrong.

Not one person responsible for their part in the execution of the care.data rollout has yet said they are sorry as an apology. I am terribly sorry here, was interchangeable with ‘well, pardon me.’ 

But a true apology for such an almighty mess (Ben Goldacre said so on twitter in better words on February 22nd, but I try and keep readable above a PG rating), would at least be an admission that there is room for improvement. Improvement we can hope to build trust upon. Right now, we have vital Public Health research which it appears, is now on hold and costing money, because it is lumped in with all these commercial uses.

People are opting out of clinical research. And withholding information from their GPs.

Between the three of your organisations, Government, NHS England and HSCIC, if you want us to trust your intentions for the handling of our NHS patient data in future, try harder. Try to seem truthful and seem like you care. And mean it.

Because right now, it only looks like you’re sorry you got caught. You’re playing pass-the-parcel with responsibility. And using our public money to do so.

Kingsley Manning said previously, we should have “intelligent grown up debate” around care.data. Please, lead the way. For right now, it feels like kids squabbling in the back of the car, hoping we’ll just muddle though to get to October and they can ask, “are we there yet?”

As anyone with kids will know, that doesn’t make for happy parents.


********* For reference, the Health Select Committee extract about the Cabinet Office OC/HES/030 – Project National Citizen Service Data Linkage Project *********

Barbara Keeley: There was a lot of saying, “It’s nothing to do with us, guv; this all happened in the past.” You answered the question in that way when this person was a very senior manager, to the extent that he accompanied the Secretary of State on a trip to the United States to sign a data-sharing memorandum of understanding, and, to me, it is astonishing that you should say that the person who had been the chair of the DAAG did not have that responsibility and that you are still wriggling to try to get out of that now. I am not happy with that answer, Chair; I just do not think that is acceptable. 

Kingsley Manning: I am sorry. We are trying to be as transparent as possible.

Barbara Keeley: I don’t think so. I really don’t think so.
Kingsley Manning: May I just talk you through the history of this so that you can get a sense of it? [see full text for history] At that point, we knew that Dr Davies was redundant. He had been made redundant on the abolition of the information centre, and we put in place a plan to deal with that. He was in post. We were not in a position—
Q222 Barbara Keeley: Sorry—you had a plan to make him redundant last year?
Kingsley Manning: No, no. He was made redundant by virtue of the abolition of the NHS IC. It was not our decision.
Q223 Barbara Keeley: So you kept him on for eight or nine months?
Kingsley Manning: We kept him on because we needed to have cover on clinical governance and on clinical advice.
Q224 Barbara Keeley: In fact, he was a very senior manager, and he did accompany the Secretary of State on the visit when they shared the memorandum of understanding. And—
Kingsley Manning: He did. I was there also.
Q225 Barbara Keeley: Let me say a bit more. This is the person that you were making redundant, but you let him chair the DAAG, and he made a number of controversial decisions, including the decision out of committee to release the sensitive medical records of individual teenagers—
Kingsley Manning: I am sorry; that is not true, I am afraid.
Q226 Barbara Keeley: It was reported to be true—
Kingsley Manning: I think you are referring to the fact that he was asked to give advice by the Cabinet Office. He had actually worked for the Cabinet Office on the matter. He gave advice on the consent model that they were going to use. We never released any data and we have not been asked for any data by the Cabinet Office on this matter.
Q227 Barbara Keeley: This was reported last summer by The Guardian newspaper that the sensitive medical records of teenagers on the National Citizen Service were released. That was apparently “an out-of-committee decision” by the chair. Dr Mark Davies was allowed to make decisions out of committee as the chair, and that decision was apparently taken last summer.
Max Jones: I can clarify that Mark Davies did provide advice, as is one of DAAG’s functions, on the consent model, which was being considered by the Cabinet Office, but we have not received a request for that data, nor have we provided any data. The discussion that Mark had was referenced and recorded in the January—I think it was January; I’ll check in a minute—DAAG minutes.
Q228 Barbara Keeley: At least six months after the discussions took place.
Max Jones: That may be the case.
Q229 Barbara Keeley: So this is the person that you are going to make redundant—
Max Jones: No data was requested nor shared. Advice was requested on the consent model, which was given.
Q230 Barbara Keeley: What was requested was linkage of data, wasn’t it? It was linkage to medical data.
Kingsley Manning: No, he was asked by the Cabinet Office to give professional advice on the consent model they were considering. He gave that advice, which was a perfectly sensible thing for him to do. That was the end of the matter.
 Max Jones: And that was recorded in the minutes of DAAG held—
Q231 Barbara Keeley: Yes, I have a copy of that in front of me. You talked earlier, and it is quite important, about transparency. To have recorded this six months after it happened and to then be trying to change something—I am not aware that The Guardian was challenged on the fact that data had been released. It seems there is a very hurried after-the-event style of things happening here, and that is not good for transparency. This is being talked about quite a bit. People’s confidence in what you do has been really undermined by this and the fact that there could have been any suggestion of linkage to medical records for those people taking part in the National Citizen Service. For heaven’s sake, there are all kinds of undertakings made to them as they sign up to that service, and quite rightly. They even have an opt-in for their personal data, so to even consider that, and not to have documented what was happening until six months after the event, just makes you look shady.
 Kingsley Manning: I agree, but we did not have a data request. I absolutely agree, by the way, with your essential point, which is the sensitivity of linking these data in any way with receipt of data—benefits and all the rest of it.

What is Care.data? Defined scope is vital for trust.

It seems impossible to date, to get an official simple line drawn around ‘what is care.data’. And therefore scope creep is inevitable and fair processing almost impossible. There is much misunderstanding, seeing it as exclusively this one-time GP load to merge with HES. Or even confusion with the Summary Care Record and its overlap, if it will be used in read-only environments such as Proactive care and Out-of-hours, or by 111 and A&E services.  The best unofficial summary is here from a Hampshire GP, Dr. Bhatia.

Care.data is an umbrella initiative, which is planned over many years.

Care.data seems to be a vision. An ethereal concept of how all Secondary Uses (ref.p28) health and social care data will be extracted and made available to share in the cloud for all manner of customers. A global standard allowing extract, query and reporting for top down control by the men behind the curtains, with intangible benefits for England’s inhabitants whose data it is. Each data set puts another brick in the path towards a perfect, all-knowing, care.data dream. And the data sets continue to be added to and plans made for evermore future flows. (Community Services make up 10 per cent of the NHS budget and the standards that will mandate the national submission of the revised CIDS data is now not due until 2015.)

Whilst offering insight opportunity for top down cost control, planning, and ‘quality’ measures, right down to the low level basics of invoice validation, it will not offer clinicians on the ground access to use data between hospitals for direct care. HES data is too clunky, or too detailed with the wrong kinds of data, or incomplete and inaccurate to benefit patients in care of their individual consultants. Prof Jonathan Kay at the Westminster Health Forum on 1st April telling hospitals, to do their own thing and go away and make local hospital IT systems work. Totally at odds with the mantra of Beverley Bryant, NHS England of, ‘interoperability’ earlier the same day. An audience question asked, how can we ensure patients can transfer successfully between hospitals without a set of standards? It is impossible to see good value for patients here.

Without a controlled scope I do not wish to release my children’s personal data for research purposes. But at the moment we have no choice. Our data is used in pseudonymous format and we have no known publicly communicated way to restrict that use. The patient leaflet, “better data means better care” certainly gives no indication that pseudonymous data is obligatory nor states clearly that only the identifiable data would be restricted if one objected.

Data extracted now, offers no possibility to time limit its use. I hope my children will have a long and happy lifetime, and can choose themselves if they are ‘a willing research patient’ as David Cameron stated in 2010 he would change the NHS Constitution for. We just don’t know to what use those purposes will be put in their lifetime.

The scope of an opt-in assumption should surely be reasonably expected only to be used for our care and nothing else, unless there is a proven patient need & benefit for otherwise? All other secondary uses cannot be assumed without any sort of fair processing, but they already are.

The general public can now see for the first time, the scope of how the HSCIC quango and its predecessors have been giving away our hospital records at arms-length, with commercial re-use licenses.

The scope of sharing and its security is clearly dependent on whether it is fully identifiable (red),  truly anonymous and aggregated (green, Open data) or so-called amber. This  pseudonymous data is re-identifiable if you know what you’re doing, according to anyone who knows about these things, and is easy when paired with other data. It’s illegal? Well so was phone hacking, and we know that didn’t happen either of course.  Knowledge once leaked, is lost. The bigger the data, the bigger the possible loss, as Target will testify. So for those who fear it falling into the wrong hands, it’s a risk which we just have to trust is well secured. This scope of what can be legitimately shared for what purposes must be reined in.

Otherwise, how can we possibly consent to something which may be entirely different purposes down the line?

If we need different data for real uses of commissioning, various aspects of research and the commercial ‘health purposes,’ why then are they conflated in the one cauldron? The Caldicott 2 review questioned many of these uses of identifiable data, notably for invoice validation and risk stratification.

Parents should be able to support research without that meaning our kids’ health data is given freely for every kind of research, for eternity, and to commercial intermediaries or other government departments. Whilst I have no qualms about Public Health research, I do about pushing today’s boundaries of predictive medicine. Our NHS belongs to us all, free-at-the-point-of-service for all, not as some sort of patient-care trade deal.

Where is the clear definition of scope and purposes for either the existing HES data or future care.data? Data extractions demand fair processing.

Data is not just a set of statistics. It is the knowledge of our bodies, minds and lifestyle choices. Sometimes it will provide knowledge to others, we don’t even yet have ourselves.

Who am I to assume today, a choice which determines my children have none forevermore? Why does the Government make that choice on our behalf and had originally decided not to even tell us at all?  It is very uncomfortable feeling like it is Mother vs Big Brother on this, but that is how it feels. You have taken my children’s hospital health records and are using them without my permission for purposes I cannot control. That is not fair processing. It was not in the past and it continues not to be now.  You want to do the same with their GP records, and planned not to ask us. And still have not explained why many had no communications leaflet. Where is my trust now?

We need to be very careful to ensure that all the right steps are put in place to safeguard patient data for the vital places which need it, public health, ethical and approved research purposes, planning and delivery of care. NHS England must surely step up publicly soon and explain what is going on. And ideally, that they will take as long as necessary to get all the right steps in the right order. Autumn is awfully close, if nothing is yet changed.

The longer trust is eroded, the greater chance there is long term damage to data quality and its flawed use by those who need it. But it would be fatal to rush and fail again.

If we set the right framework now, we should build a method that all future changes to scope ensure communication and future fair processing.

We need to be told transparently, to what purposes our data is being used today, so we can trust those who want to use it tomorrow. Each time purposes change, the right to revoke consent should change. And not just going forward, but from all records use. Historic and future.

How have we got here? Secondary Uses (SUS) is the big data cloud from which Hospital Episode Statistics (HES) is a subset. HES was originally extracted and managed as an admin tool. From the early days of the Open Exeter system GP patient data was used for our clinical care and its management. When did that change? Scope seems not so much to have crept, but skipped along a path to being OK to share the data, linked on demand even with Personal Demographics or from QOF data too, with pharma, all manner of research institutions and third party commercial intermediaries, but no one thought to tell the public. Oops says ICO.

Without scope definition, there can be no fair processing. We don’t know who will access which data for what purposes. Future trust can only be built if we know what we have been signed up to, stays what we were signed up to, across all purposes, across all classes of data. Scope creep must be addressed for all patient data handling and will be vital if we are to trust care.data extraction.

***

 

care.data – 2. A mother’s journey in Oz: communication & choice

David Aaronovitch’s Times’ opinion article on March 27th stated data privacy fears have made health-data sharing “toxic” and that campaigners are nothing but a ‘man with a megaphone’, like the Wizard of Oz. My response, part two. Communications & Choice.

1939 – The Wizard of Oz – MGM

Honesty, clarity and real communication, not PR, is fundamental to a renewal of trust across these areas.

The announcement via HSJ today comes, that the HSCIC Chair had concerns over the impact of the care.data leaflet drop, and asked the Department of Health to intervene. One wonders then, who made the decision to go ahead? 

On care.data communications, the Times commentator said HSCIC has probably thought, “Stick out a leaflet, bish, bash, bosh.” The result seems to be more ding, dong. The balloon upped and left before anyone was ready to go  and ICO, GPs, representatives from the BMA and others, including the campaign group, had well founded, and serious concerns.

I spoke with HSCIC communications and managers directly last October, as well as my MP and the Department of Health, to flag how misleading I felt it was for patients to say ‘your name is not extracted’ when it is held at HSCIC already but most of us did not know that. Many of the same leaflet concerns were, much more significantly than by little ol’ me, raised by both GPES advisory group in September and ICO before the launch. So now, despite the £1-2M state funded doormat drop leaflet & cartoon, it’s all up in the air.

(Whilst I know for HSCIC with its own budget of £220M and control of a £1BN annual spend, it may be peanuts, but what a waste of money. At a conservative estimate of £1M for the leaflet drop, at least 50 nurses could have been employed for a year on that. That makes me cross.) We still have no explanation of why so many did not get delivered, what they did when they heard they had not been nor any plans to clarify that. It was our money spent. We deserve to know.

I received a reply to my October letter, from the Secretary of State to assure me that ‘patient identifiable data was not and will not be shared with third parties’. I think with subsequent information coming out about releases, that is at best, may I say, questionable? It has been shown that patient data at individual level has been shared, and we know with researchers for sure. They are not my clinicians, they are not the only third party who may have access. It’s clearly documented by CAG and releases by DAAG from 2013 have just been released in detail for the first time today.

Through the campaign groups’ and ICO intervention that demanded a national communications programme and the subsequent ICO FOI release about the leaflet review and its shortcomings, we go a significant step forwards towards transparency why the leaflet failed to work for patients. It shows that all the issues we found after the event; junk mail vs letter, hard to reach groups, unclear language, missing opt out form, lack of internal communication and the Information Commissioner’s concerns were clearly known but ignored in advance. Why it happened, who made the decision to go ahead anyway and what follow up will be, remains to be seen. With all the past experience and tools at the disposal of NHS England it is stretching my credulity to believe it was simply poorly executed. Let’s not forget, the original plan was to not tell us at all.

We need to stop hearing we need a fix to communications. I’m trying to understand why, with everything at their disposal, they could want or have allowed to let such a thing happen? It was no surprise the leaflet drop was a disaster. HSCIC communications, leaders and now it seems the Department of Health knew clearly. So why go ahead?

The point of the communication should have been to give us fair processing and the leaflet said, ‘you have a choice.’ I have a duty to my children to safeguard their own health, its provision in a safe State health service and to safeguard their autonomy for future. As it stands, it seems an impossibility to choose all three.

Whilst the leaflet nominally gives us a choice, I struggle to see what value it is. It is some, but limited. The only choice we have truly, is before the extraction happens. A GP in Hampshire devised this flow chart to try to help his patients understand it. Anyone can object now and opt in later. But once opted in, there is no get out clause.

If I don’t opt my children out now, they are in for life whether they later want to exercise their Right to be be Forgotton, or not. If I change my mind later and want to opt out (after a media scandal huge breach, for example. Or perhaps my child grows to become a public figure, or contracts a rare condition and we worry about discrimination), it is impossible. Records will just be re-labelled as pseudonymous. Really?

So, if I share their data for secondary purposes by doing nothing, by allowing their data sharing with even health purposed non-NHS intermediaries who sign up to care.data, it feels like I may as well flog it on ebay myself. But although I want to share it, under good governance only for their care and its commissioning, that is impossible.

Surely we should be able to have their health records used only for their care and its direct management, in all forms? Pseudonymous is not anonymous. But we’ve been given a very limited choice. We can only restrict fully ‘identifiable’ data flows according to the leaflet.
The data that HSCIC already holds, is simply given a new label, the HES ID instead of my NHS number, and linked depending on the bespoke request design, I don’t know what else modified, and then exchanged for cash with buyers from commercial health analysts to medical researchers to intermediaries. Amendment to the Care Bill changes nothing, because as long as ‘health purposes’ are served, the customers are deemed acceptable.

What real kind of patient choice is that? Is my hospital data in pseudonymous, potentially re-identifiable form required from all, for all purposes, for all time whether I like it or not? They haven’t given us that choice in the only communication which we were meant to have received (but no one in my area did), the leaflet ‘Better information, means better care‘.

Right now, the only options are to restrict fully identifiable patient confidential data sharing. The leaflet says this means 1) you can restrict a flow between GP and HSCIC of the NHS Number, DOB, Postcode and Ethnicity, and/or 2) flowing out from the HSCIC, for anything other than commissioning to the regional DSCRO (One of 11 Data processing Centres at regional level). The second option also prevents researchers, even with Regulation 5, Section 251 approval, from obtaining red, fully identifiable data.

However, the objection code is not yet operational, so right now, our fully identifiable hospital data may be released without our knowledge or consent. Other data, considered non-personal, diagnoses, GP practice code, other local IDs from our records can still be shared. And according to September meeting minutes, there is no need to respect an objection for pseudonymous data.

To restrict identifiable flow for care.data from the GP record, we need to apply the code 9Nu0 to our record. 9Nu4 restricts the identifiable HES data flow. But NHS number is extracted with anonymous and aggregated data to identify who opts out. Since that must be matched with HES data to find the record we want restricted already at HSCIC, I don’t see how that can  work without landing, matching and being pseudonymised for all of us. I await to be corrected.

We cannot restrict pseudonymous, potentially identifiable data sharing from HES at all. Patients were not told us before HES was extracted, that it would have all these secondary uses, and now they tell us, tough luck? Without fair processing, it’s not even legal. The Health and Social Care Act, the Secretary of State’s direction of Section 251, and waiving the common law of confidentiality all still require us to be informed before the event.

There is no clarity on the options offered in the leaflet or mention of sharing pseudonymous data even if you opt out. That is not choice. The only publicly loud supporters of real choice are campaigners who provided an opt out form, that official channels still have not.

Six weeks into the six month pause, there has been no public communication to give us any clue what is going on to improve the situation, neither by NHS England nor the Secretary of State for Health.  This is not good communication. And knowing that many parents, including friends, have no idea about the initiative I just feel this is wrong.

I’ve written to my MP for the second time. I found in the whirlwind of information and my frustration, that Twitter #caredata and #datasharing offers an informed group of interested individuals. Thank goodness for their support, insights & banter in this tumultuous journey trying to understand what is going on. Until the ‘pause’, HSCIC and NHS England staff would engage and answer questions, too. Now they seem to have gone very quiet.

Like Dorothy, after seeing behind the curtain of how political and state decisions are made and executed, I have been surprised that so much happens ‘about us, without us,’ and will now never be quite as naive. We all deserve the full story, as patients and citizens. According to Jeremy Hunt at frequent presentations, and Tim Kelsey at Strata and other events, we are on the cusp of a brave new world of health data use and its wide ranging impact in our future healthcare provision of personalised medicine. If they expect to use me in that, I want to know how. So right now, there is no way I’m going home, until we know how the story ends.

Now, all this is not very constructive. Not like me at all. But what is past cannot be brushed away without clear answers. That would effectively say, ‘we don’t care we wasted your state money. We don’t care we misled you. We don’t care what you think.’ Get out the broomstick and clear up what went wrong and why. Then we can start fresh and see if together we can find solutions which fit the needs.

We are more than a cohort, and we are not a commodity. We need change.

If we should be Cameron’s ‘willing research patients’, then tell us precisely what that involves. Give me a definition with a limited scope. I support appropriate research use. Aside from the fact that we didn’t know about this either, research approved by CPRD, Thin, QResearch all have a different approach however, from the commercial and apparently limitless dynamic of care.data. It is quite one thing for researchers to access data and contact us for trials. Quite another to find without our knowledge our data may have been exchanged for cash and I want to know it has not been used in research abroad nor with projects with which my ethics may fundamentally disagree.

Data is not just a collection of codes and academic algorithims. It is the detailed knowledge of the inner workings of our mind, bodies and lifestyle which we entrusted to our medical guardians. Of individual people who did not ask nor sign up to become part of Big Data.Treat my children’s data with the respect that it deserves.

No number of animations, leaflets or letters with ‘improved communication’ is going to gloss over the fundamental fixes needed in handling patient data. Show us the flaw and what you have done to fix it. Along the lines of, ‘you said’, ‘we did’. Real communication.

And if you do decide to give us real choice, then make it statutory for life. Choice will only be worth having if we know that what we choose today, does not get transformed into something else tomorrow. It needs more than a magic wand to wave away the issues. Let’s hope the new care.data advisory group, can make it happen.