Category Archives: trust

Flagship care.data – precious cargo [1] & commercial uses in theory

“The challenge is that if many users of data are intermediaries with re-use licences and even the HSCIC doesn’t know who all the end users are, how on earth can anyone judge how they will be for purposes of ‘improving NHS care’?”

Commercial and third party use is one of the most damaging aspects of the rollout which is wrecking the care.data programme.

I’ve cut my opinion on this care.data topic into two parts, theory and practice, to address the outcomes of the LMC conf of yesterday from a patient POV. From my lay perspective, the result of the debate and votes was partly due to the failure to shore up the policy theory around commercial uses to make any perceivable improvement to trust for the future. And partly based on proven failures in practice to protect our data in the past. Failures around commercial use of care.data in theory and practice.

The theme of making money, is a recurring topic for women in literature, and graced or should I say, grubbied  our screens in recent weeks in the adaptation of Dame Daphne Du Maurier’s Jamaica Inn.

Mary Yellan, orphaned and without means, seeks the only family she has and lands among the smugglers and muddy marsh of the Cornish moors. It’s not only set against a backdrop  of smuggling, but wrecking. The heroine struggles between moral conflict and practical necessity, whether to join in their activities, against her ethical principles.  She gets used to it but ultimately can’t live with it.

Given that the real inn is in the middle of a very bleak moor, with no outlook except the rough shorn grass, you need to really see unmet potential to want to be its new owner. For that, you need to see strong commercial opportunities or be a committed hard core Du Maurier fan. Or both.

So it can appear, from a patient point of view on care.data. Either the driving parties promoting the release of patient data see unmet potential [1] which needs commercial harnessing [1b], have direct commercial interests[1c], or they have another personal interest in its extraction and access. Or perhaps they are just hard core fans of data sharing, to the point that we should support mashing our health data up with commercial retail loyalty cards as Mr. Tim Kelsey suggested in November 2013 at Strata [from 16:00] [2].

Are the same people and organisations driving the programme and calling for ‘data for patients’ not also the same who will benefit most from having access to the data? The measurable benefits to us patients remain unclear, at best. The cost, our confidentiality and GP trust, is however clearly non-refundable. Consent, the age old pillar of medical ethics is to be waived aside. The LMC Conf obviously see value in protecting confidentiality at source if it cannot be guaranteed by others, whether the HSCIC or the data users.

Who will all the end users of our data be? They remain somewhat undefined, because the care.data addendum including Think Tanks, commercial companies and information intermediaries was not approved [3] and because future users are undefined in social care, for example. Future scope will entail additional future users. But then perhaps this should not surprise us that NHS England and the HSCIC expect us to acquiesce to this fair processing failure although we don’t yet know all the future end users, because Sir Kingsley Manning admitted that HSCIC does not know who all the current end users are either (Q272) [4a] at the  Health Select Committee hearing. So, were the GPs at LMC Conf just expected to trust ‘on spec’ to whom their approval of care.data would entitle its sharing?

Information intermediaries in particular, seem to still be on the key stakeholders list[5] in January 2014. But only a year ago, in April 2013, The ‘Health and Social Care Transparency Panel’ discussion on sharing patient data with information intermediaries clearly stated there was no legitimate or statutory basis to share at least ONS data with them. [6]

“The issues of finding a legitimate basis for sharing ONS death data with information intermediaries for commercial purposes had been a long running problem. A number of possible approaches had been considered but advice from the relevant Government legal teams was that there did not appear to be a statutory basis for doing so. The panel identified this as a significant barrier to developing a vibrant market of information intermediaries (IIs). It also limited the ability of IIs to support NHS organisations with business intelligence to evaluate and benchmark the quality of their services.

It was agreed that this issue needed to be resolved, and if necessary changes to the relevant legislation should be considered. ” 

I would love to know whether the law changed in the last year, how was the issue resolved, or has HSCIC and have we just through use, acknowledged that this sharing with intermediaries is acceptable and legal? The meeting later in July should have given clarity, but I can’t see minutes beyond April. They are no doubt somewhere, and someone cleverer than me, can help find them and clarify how the decision was reached I expect. I did find notes in the recent HSCIC audit of past data releases [4b], that ONS data was granted under existing law after all:

“The ONS data are supplied under the Statistics and Registration Service Act 2007 section 42(4) as amended by s287 of the Health and Social Care Act 2012, for the purpose of assisting the Secretary of State for Health, or the Welsh Ministers, in the performance of his, or their functions in relation to the health service.”

Since the Health and Social Care Act revoked the Secretary of State’s duty of care to provide a national health service, I wonder what functions it relates to as pertains to third party intermediaries? The ONS application form is detailed but no more enlightening for commercial intermediary use. I can’t help feeling we’re seeking justifications rather than good cause as the starting point for widening data releases. That we are starting to accept that our hospital records have been shared without our consent and sold. (Let’s give up the recouping costs word play, call a spade a spade. Data and cash change hands.). ‘What can we do about it anyway? we may well ask. As time has gone on in the care.data debacle, and in the three months since the delay, it appears from the leadership comments of NHS England from Mr. Kelsey in Pulse that, we’re not to worry, “now we are working to make care.data safe.” [free registration required] Still no one has said, we made a mistake of its handling in the past.

This acknowledgement however that work needs done to make the data safe, underlines exactly what so many saw months ago including the GPES advisory group which had concerns [17] in Sept 2013 on commercial uses and its communication, governance and patient trust. Care.data was launched regardless. Now it’s grounded.  What has improved since then? What remains to fix?

How well exactly did HES storage and sharing work so far, with breaches identified as well as the basic legal fair processing failing to inform us of its extraction? What has been done to prevent it happening again? I have seen no concrete steps which give me faith the past flaws have been fixed enough to now trust it in future.

In February, before the pause Jeremy Taylor of National Voices wrote a very sound 12 point plan of what needed to change.  Since then, what has actually  changed [7] as far as I can see, is only the introduction of a delay, and that his words were listened to, that there should be no artificial deadline:

‘”the timescale for launching Care.Data was entirely artificial, as is the six month “pause”.

Three months into the delay, nothing of substance other than agreeing there is no artificial deadline, appears to have changed.

The most significant past let downs have all been commercial or third party uses. OmegaSolver, Beacon Dodsworth, PA ConsultingEarthware.

The Care Bill amendment touted as a change in the legal protection of our care.data, does not block commercial Third party intermediaries sharing care.datauses of our data, only stating that it should be used ‘for the promotion of health’ which is open to all sorts of interpretation. Not least I imagine, those similar to ‘fight against obesity’ campaigns by marketing masters of commercialism.

So with little transparent change on policy, since we have become aware of data breaches, misuse and patient anger about commercial use, it should come therefore as no surprise that the BMA Local Medical Committees (LMCs) yesterday voted to state a preference for opt in not opt out, pseudo or anonymisation at source and insists that care.data should only be used for its stated purpose of improving health care delivery, and not sold for profit.

Simply: the public don’t trust that our identifiable data is protected and we object to all our data being traded commercially.

This is in direct conflict with HSCICs stated purpose in the HSCIC 2013-15 roadmap [8]:

“Help stimulate the market through dynamic relationships with commercial organisations, especially those who expect to use its data and outputs to design new information-based services.”

And in statements by both Sir Manning at the Health Select Committee and Dr. Geraint Lewis [9]:

…”we think it would be wrong to exclude private companies simply on ideological grounds; instead, the test should be how the company wants to use the data to improve NHS care. And, as Polly Toynbee put it, if “it aids economic growth too, that’s to the good.”

The challenge is that if many users of data are intermediaries with re-use licences and we don’t even know who all the end users are, how on earth can the HSCIC judge how they will benefit ‘improving NHS care’?

As regards economic growth, if the aim is to give away data for free, as Mr. Kelsey told the September 13th NHS England board (from 26:10)[10], how is the NHS to make profit from it? It’s not. Commercial companies are to buy at prices only to help HSCIC recoup costs [11], so that is not technically opposed in wording to ‘ not making a profit.’ Citizens, GPs and others can be aligned with that on paper. But not in spirit. For now commercial companies profit from our state funded records, paid for by NHS DoH money.  They profit intermediaries with re-use licences beyond which we have no visibility or control of where our data goes or why. And the fact that the wider profiting third parties from the whole scheme,  ATOS paid zero tax in the UK in 2012,[12] really grates. How does the cash given to ATOS benefit economic growth in the country?

Therefore, for the LMCs to have voted now any differently, would have expected them be soothsayers, knowing that the care.data work-in-progress and any future changes will make both the future scope purposes and future users clearly defined, in order to fulfil their duty as data controller, ensuring patients have a reasonable expectation of how their data will be used. It asks GPs to betray their age old fundamental principle of medicine, to betray patient confidentiality, for commissioning. They are being told to betray the good ethics of consent.  They are being asked to betray patients’ trust and even to use that trust to ‘sell’ the idea in which they may not believe.

And care.data current processes betray the best practices of data collection – seek to collect the minimum data required, for a specific purpose and delete it when that is completed.

“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes’ consistent with the Data Protection Act principle 5. [13]

Instead HSCIC’s remit over the coming years of care.data is to fill in all the remaining gaps with any health and social care information not already collected [14], and keep it linkable from cradle to grave – or even from “germ to worm” for everyone with an NHS number in England. Purposes are non-specific and unlimited because they’ll change over time and the end users are not all defined for it plans to be opened up increasingly widely for use in social care and we don’t know what else.

caredatatimeline

 

In my lay view, the BMA LCs had no choice in the interests of their patients but to call for a rejection of assumed consent and commercial uses. The two do not go together. Opt out for uses of our data purely for NHS care and its planning would be much more palatable. But add in commercial uses, which is what has both been the main source of patient objection and data breaches, and it’s a deal breaker.

They can’t stake their support and reputation on a best guess of what might be. They can only base their judgement on what they know now. And no one supports care.data exactly as she is right now, which is why it is postponed and work in progress. Shore up trust, governance and axe these commercial uses and perhaps an assumed consent would seem more palatable. For example, Cross border governance needs documented when the application form gives non UK options. Scope and users need defined to ensure proper fair processing to meet DPA ICO requirements [16]. But so far, nothing has visibly changed.

It’s no different from when Ben Goldacre was telling us public trust cannot be easily regained and it broke his heart [15]. I know why, there are expected benefits to public research amongst others to access primary care data more than they already have in CPRD or pseudonymous data in QResearch and others, but we need to act based on today’s approved uses for care.data, not what might be remain in an undefined future. Right now, we’ve seen no changes of substance since the delay was announced.

NHS England can’t therefore genuinely expect to see a shift in trust in citizens or GPs based on nothing more than lines in the sand.

I believe GPs at the LMC Conf took the best decisions they could with the programme in its current form, with knowledge of past problems and lack of future clarity over scope and users.

They voted for how they feel best protects, respects and empowers their patients.

If our current Data Controllers and  guardians of confidentiality don’t stand up for patients to get the build of the infrastructure right before they agree to release our data to fill it, who will? The question will be whether the Secretary of State and NHS England will force their legal right of extraction through regardless, or will respect the medical profession’s representatives and the rights of citizens they care for?

There is an opportunity to fix things. The LMC Conf after all have no legal efficacy, they stated their opinion and stance which commands respect and attention. Flagship care.data is not washed up, yet. But it can’t sail without addressing governance and professional support. Commercial exploitation and assumed opt in are not going to work comfortably together. Transparency of who has access to what data for what purposes and how it is released needs sharpened up. And regardless of whether opt in ever comes onto the table or not, if care.data keeps her strongly  commercial heading many, many more will jump ship to opt out. The damage of bias will be done, either way.

She needs some new directions, helmsmanship that we trust and sound repairs.

********

If you have missed the background to this saga, I’d recommend the Julia Powles article in WIRED – what to save when the care.data ship goes down.

I’m going to look at some more of the commercial uses of care.data in practice another time. And clarify the communication of the opt out codes and why research purposes is a misnomer in the GP patient record sharing part of care.data purposes – it’s not (yet at least) an approved use.

********

[1] MOU between AstraZeneca and the HSCIC, December 2012

[1b]  ABPI Vision for harnessing Real World Data 2011

[1c] Hansard, Nov 2010 George Freeman ‘I know from my own experience that we are sitting on billions of pounds-worth of patient data. Let us think about how we can unlock the value of those data around the world.’

[2] Strata November 2013, Tim Kelsey keynote ‘mash it up with other data sources to get their local retailers to tell them about their purchasing habits so they can mash that up with their health data’

[3] care.data addendum Sept 2013

[4] Written Hansard of the Health Select Committee , 8th April

[4b] The HSCIC data release register issued on April 3rd 2013

[5] Oversight panel with input from Dame Fiona Caldicott, January 2014, with stakeholders’ list

[6] Health and Social Care Transparency Overview Panel April 2013

[7] National Voices – Jeremy Taylor, an excellent overview of 12 points which needed fixed from February 2014

[8] HSCIC 2013-15 Roadmap

[9] NHS England comments by Dr.Lewis on commercial principle

[10] September 13th 2013, care.data directions approved by the NHS England Board – care.data from 25:40 – 39:00 – note identifiable, not anonymous data is extracted and stored with the DLES at HSCIC, and GP objections to date on care.data opt-in seem not to have been respected in contrast to the claim ‘GPs make a decision’ from 31:00. There is to date, no communicated way to prevent HES data extraction and its sharing in pseudonymous form.

[11] The HSCIC Data Linkage price list

[12] The Independent, November 2013 Atos & G4 pay no corporation tax in 2012, National Audit Office stats via Adam Withnall, The Independent

[13] Data Protection Standards – retention, principle 5

[14] care.data programme overview April 2013

[15] the Guardian, 28th February 2014 – care.data is in chaos – Ben Goldacre

[16] Blog from the Information Commissioner’s Office on care.data Data Protection and Fair processing

[17]The GPES Advisory Group meeting minutes Sept 12th 2013

{updated 28th May – looks like past uses of our health data are now also under scrutiny by ICO which is investigating claims that insurers have accessed full medical records using subject access requests.}

By [email protected]

Care.data – Getting the ducks in a row

Good Friday has different meanings and traditions across the cultures. For some the most sombre day of their church calendar. For others, another Bank Holiday and start of the long weekend in spring. For Mr.Cameron this year, getting stung by a jelly fish abroad.

For me, visiting family in a small nordic village, it’s the day of the annual duck race fundraiser.

2,000 numbered plastic ducks are thrown into fast moving water high upstream, and the public waits and watches anxiously as the toys approach the central village bridge and race beyond. The first to hit the finish line net at the weir after an arduous course, is the winner.

There are lots of obstacles along the route and some ducks get stuck. Children are allowed to pick up those off-track in side eddies and hurl them back into the main channel. As a parent, you inevitably lose your child at some point in the crowd, fret they may have joined the ducks for a swim, and the whole race always takes longer than we expect.

So, it feels, as a citizen and patient, is the current progress of care.data.

There was a misjudged start. There’s lots of obstacles still to overcome. It looks like the finish line is getting clearer. And some believe it might take longer than first thought.

Whilst on holiday I’ve taken time to read over the recent letter, to colleagues, from Tim Kelsey & NHS England. It’s addressed to colleagues, which I’m not, so perhaps it feels a little like looking over someone’s shoulder on the train, but hey, It’s the only update we’ve got.

Looks like some positive acknowledgements and steps are in progress:

  • We will work with stakeholders to produce support materials, such as an optional template letter for patients and ways of making opting-out more straightforward
  • We need to do more to ensure that patients and the public have a clear understanding of the care.data programme
  • This work is continuing and we will update you on these changes separately 
  • We want to hear your views and suggestions so we can take action to improve and build confidence in the care.data programme. We will also be engaging with patient groups, GPs and other stakeholders through local and regional engagement events

Notably, it’s the first time NHS England has said opt out. In the past it has only ever been an objection. As a linguist, language is important to me. And the two are not synonymous no matter how often I may be told by NHS England that they are to be used interchangeably.

It’s the first time there really feels like more give, and less we’ll take without asking you first.

And it’s the first mention towards offering local and regional engagement.

There are some new hints which need explanation, such as a change towards who may use the data – described always as for secondary uses, clinicians and patients using it is new:

“Care.data is an initiative to ensure more joined-up data is made available to clinicians, commissioners, researchers, charities and patients.”
And there are some ideas which are making progress, but seem a little stuck.
“In addition, steps have already been taken in making changes to the law”…

Whilst changes have been put into the Care Bill, other rather sensible ones, such as legal penalties for data misuse were rejected. And the purposes are still so loose as to be possible to give data for a wide range of ‘health purposed’ clients. That was the day in which it appeared fewer than 50 MPs were in the chamber to hear the Care Bill debate in which nearly 500 came in to vote. (How they can reasonably and effectively vote on something in which they did not hear the debate, I don’t understand.) These are legal changes I believe which need hurled back to Parliament to get them on track again.

Experts much wiser than me, have made a proposal of comprehensive amendments, and seem, from my lay understanding, both really positive and practical.

The “optional template letter for patients” may be something GP practices could consider using to contact individuals where they know that leaflets were not delivered. Even Dame Fiona Caldicott did not receive hers. (BBC PM listen from 33:30)

If centrally, it is known where they did not reach patients, it would be helpful for GP practices to then be able to evaluate if there is an additional need to contact their patients. For example, in my area, no one I have spoken to received a leaflet.

Perhaps that might seem trivial now, and in the past, but for trusting the scheme I believe it is really important to know why that was. Because since no opt out was originally planned I want to know that the intention was truly to tell us all. Did they print enough? Distribute enough? Follow up at all? I’ve asked to find out.  After all, it was our state money that paid for it. A previous Freedom of Information request, on the status of its distribution with Royal Mail, from Phil Booth of MedConfidential appears to contradict ministerial mutterings that said an exception was invoked. I know that for myself, I had not opted out of junk mail, yet I still didn’t get one. I knew to look out for it and inspected my pizza flyers and dog walking leaflets in every post in January. No leaflet and all of my friends were the same.

If the experts such as Dame Fiona, the GPES advisory group which in September had:

major concerns about the process for making most patients aware of the contents of the leaflets before data extraction for care.data commenced”

and ICO felt the leaflet went out with the wrong content and was rushed then I want to know why, so that the same people are not making the same decisions, and will cost us time and trust again. Why it went ahead against every expert’s better advice is important to understand. “Regrettable that you are not now able to take any of our comments into account” was ICOs comment and the sentiment seems echoed by Dame Fiona on today’s radio broadcast.

Even a lay person like me, could see it was a disaster about to happen.

My suggestion, was that role-based patient communication would be much more understandable. Take some stereotypical sample citizens, map their ‘day-in-the-life’ using HSCIC data systems, show how these interactions send data to HSCIC and map them to show what data is extracted and where it goes, is stored and may be viewed and distributed by whom. There are an awful lot of individual scenarios so no model may match any real patient experience, but looking at it backwards, take all the HSCIC systems and extract a situation which would send the data up. A&E, School nurse, Electronic Prescription Service, Choose&Book, GP screening. Mental health call centre. It would be possible.

People should know what data, is extracted when, why and who will use it. Visuals are better than words. The leaflet failed in the case of care.data, but would an individual letter have achieved more, in just a few sentences?

More has been achieved to raise our awareness of the Health and Social Care Information Centre and Government uses of our health data, through all the hoo-ha in the press, and the re-tweet by David Nicholson of the care.data downfall parody, than by the original leaflet. Perhaps the leaflet’s measure of success was not intended to be a 100% reach at all. I hope we’ll understand more soon.

(** for updated thought 19th April see note below.) Should we presume an ‘optional template’ means that no paid letter will be provided from NHS England to all? GP practices may decide to use the ‘optional’ template to send out letters now. Professor Mathers had called for one. But I wonder if GPs themselves will be expected to bear the cost, of an imposed central initiative for which there is no choice to participate and yet the GPs are legally liable Data Controllers for complaints? If no funding is offered, and GP practices decide not to send letters out, it would seem a risk trade off. The risk of a patient complaining or indeed legal action, if they did not know their data was going to be extracted and and potential risk for harm ensued. Yet fair processing should be a Data Protection Act requirement. But is it for care.data?

This week also saw the list of number of patients published by GP practice. Helpfully with postcode. So if my practice were to want to post a letter to every patient in my area, at 53p second class, it would cost around four thousand pounds. I don’t know if they get any bulk discounts and one per household might reduce numbers. But that’s a lot of money – but perhaps (**) it may be covered centrally after all, though the letter does not indicate that? (I now also know how few over 90 yr old men are registered, if interested).

It seems like there is much positive going on in the undercurrents of the care.data developments, which the general public cannot see, such as the care.data advisory group work-in-progress.

There would seem much which needs work in a very short space of time for relaunch in autumn. But if Dame Fiona Caldicott, Chair of the panel set up to advise NHS and Ministers on the use and governance of patient information, said she thinks we need longer, then I am sure she is right. To take as long as is needed to get it right would seem sensible. To rush and fail a second time, would be irretrievable. Surely, her advice would not be ignored again?

The HSCIC this week also released the Framework Agreement between the Department of Health and HSCIC. 

It will be interesting to see if this affects and changes the HSCIC roadmap. In my opinion, it should. The care.data addendum to widen commercial uses was pushed back but is still to resurface. There is still no clarity around commercial re-use licenses. These commercial drivers should come out if Mr.Hunt’s rock solid assurance is to be believed which, “puts beyond any doubt that the HSCIC cannot release identifiable, or potentially identifiable, patient data for commercial insurance or other purely commercial purposes.”

At the moment I would hope the HSCIC roadmap would change in its commercial focus:

“especially in relation to the potential sale of data”. 

“Help stimulate the market through dynamic relationships with commercial organisations, especially those who expect to use its data and outputs to design new information-based services.”

It remains to see if it does.

That framework is a good read with a hot coffee (and a short snaps if you are where I am). What’s missing for me, is any reassurance at all that the HSCIC will remain public. There is a large chapter on what process would need to be followed if it were to change structure or be merged. And therefore does not rule out a private owner of the single central repository for our health, social care, research and recipient of integrated ONS data in future.

“Any change to its core functions or duties, including mergers, significant restructuring or abolition would therefore require further primary legislation. If this were to happen, the Department would then be responsible for putting in place arrangements to ensure a smooth and orderly transition, with the protection of patients being paramount.”

It would appear to me, that a future intent to privatise the ownership of care.data and more could remain open. Certain aspects of the day-to-day functions were potentially to be outsourced in a past ISCG roadmap. I would hope the core will remain firmly State owned.

Bizarrely, duck races are not treated equally across the globe. Wisconsin recently repealed their ban. It seems almost as bizarre, as the idea of selling our taxpayer financial and VAT data. Or our school pupils personal details. I wish I could say, one of these stories were not true.

What the duck is going on with Government’s attitude to our personal data?  The Cabinet Office seems to be failing to give out legally required Freedom of Information responses, and yet happily selling the knowledge of our health, wealth and our children?

“These regulations also allow the department to disclose individual pupil information, subject to the Data Protection Act 1998, to named bodies and persons who, for the purpose of promoting the education or well-being of children in England are conducting research or analysis; producing statistics; or providing information, advice or guidance. The department may decide to share pupil and children’s information with third parties on a case by case basis where it is satisfied that to do so would be in accordance with the law and the Data Protection Act, and where it considers that such disclosure would promote the education or well-being of children.”

So if McDonalds wants to run a healthy eating campaign, would they qualify?

Open Data does not equate (must read) with being open with all of our data. Tables and summaries at aggregated level of statistics are nothing to do with individual level data. Before any Government body considers if they should enable private and other organisations to use data more freely and effectively, and their stance on charging and profit from use of data, they should think twice.

Remember the daft Deregulation Bill 162? It revokes the need to sell pre-packed knitting yarn by net weight and other nonsense. Perhaps it is the ‘Exercise of regulatory functions’ which is the root cause of much of these  issues on the monetisation of our data:

Clause 63 provides a power for a Minister of the Crown to issue guidance on: how regulatory functions can be exercised so as to promote economic growth;

Sections 60-67 of the Deregulation Act currently passing through Parliament allow the removal of any regulation that conflicts with the interests of a profit-maker. If your body manages data, there’s really only going to be one way to meet the obligations of Bill 162. Sell it.

Someone needs to tell all the departments, if you have any chance at all of getting care.data through to the finish line, stop giving away or selling any of our personal data which we trusted you with for an entirely different original purpose.

Whilst there are many people working on many manoeuvres to get all the ducks ready to relaunch for care.data, the Government has to pay attention to the whole race. If we lose faith in the Government to make wise decisions on what will be done with all data we share for a given purpose and find later it is given to others without our knowledge, we won’t trust it with our health data. If the data warehouse may one day be sold off, then all the gameplanning and rules in between will appear to have been pointless.

This is not a race to the finish with the least bad option. Care.data needs to be exemplary if it is to have any chance of reaching the podium as the world leader in patient data-sharing management. It’s got one second chance to get a relaunch.

Without public trust it will flounder. Without GPs to patient communications thoroughly thought out it and funded, it is destined for a rough ride. Without further legislative changes, it’s not going far enough to be convincing of real commitment to change.  Without these three, it will not reach the finish line.

The best summary of why we need still much work and how to respect so many of these under good governance, came out this week, from the Chair of CAG. However, we cannot expect to have all of the answers in six months time. The commitment must be an ongoing one to continue to consult with people, to continue to work to optimally protect both privacy and the public interest in the uses of health data.”

So between Dr. Taylor and Dame Caldicott the wise seem to indicate more than 6 months is needed.

There are encouraging signs, but many issues don’t seem to be addressed yet at all, from the recent NHS England letter nor Framework Agreement. Above all, in common with the tax data sharing, pseudonymous is not equal to anonymous. It’s not only what HSCIC currently determines as identifiable, which we need vital improved governance to protect.

In any upcoming public communications, I pray don’t patronise the public saying that ‘name and address will not be extracted’ as the last FAQs and poster did. Explain instead what the Personal Demographics Service stores already, educate us how the PDS and linkage works and why. Details like this must not get lost in any rushed relaunch.

And other departments’ decisions must not put it in jeopardy.

Whilst care.data is getting its ducks in a row, the wider Government approach to data management seems to have gone, I can’t help but say, absolutely quackers.

——-

** 19th April Update: This via twitter comment says, if GPs get patient letters made available they only have to address them to send to their patient list. Will this happen in this case? Good news for informed communications? Let’s hope so.

care.data – Transparency and Remit vs Truth and Responsibility

A year ago Big Brother Watch wrote that an opt out right had been won from the original plan to extract all our GP records without any choice. Caught trying to avoid the DPA and Fair processing, ICO recommended the need for a public awareness campaign.

At that time, I was a merry mother unaware of the machinations of our civil society. Then the powers-at-be closed my local mini blood mobile (I had just started as a donor) and decided to sell off our plasma supply, which was considered a rather poor idea so I read all the Annual Reports and asked questions about it. And I started to pay rather more close attention to what was going on in health. Now I listen to Radio 4 not 2, I buy papers (actual, printed versions) and would you believe, watch Parliamentary TV. And if you want more scandal which actually matters more than your average soap, you should too.

On the 8th April the Health Select Committee (at least part of it) interviewed Sir Kingsley Manning and Max Jones from the Health and Social Care Information Centre. The hope for us, as citizens and patients whose data this current debate is about, is that we will gain insight and understanding into how our medical records have been used in the past and are being so now. This will enable us to trust in the intent of how HSCIC will handle our patient data in the future, whether under the care.data or any other label.

If HSCIC and Government wants to achieve this, they seem to be going a backwards way about it.

Stop talking transparency and remit, and start talking truth and responsibility.

The question was asked how decisions are made within HSCIC by their Data Access Advisory Group about our patient data management. Specifically, it discussed the subject of an application from last summer by the Cabinet Office OC/HES/030 – Project National Citizen Service Data Linkage Project. It was included only 6 months later in the January 2014 minutes.

The very application title, reveals its intent, to link the mental health and hospital records of our young people who take part in the National Citizen Service together with their NCS project gathered data.

Caught with this concrete ‘Out of Committee’ governance approach, the HSCIC staff were both adamant in response to the MP’s question in insisting that no data was shared. 

“Q230 Barbara Keeley: What was requested was linkage of data, wasn’t it? It was linkage to medical data.
Kingsley Manning: No, he was asked by the Cabinet Office to give professional advice on the consent model they were considering. He gave that advice, which was a perfectly sensible thing for him to do. That was the end of the matter.”

Well, I’m sorry but I’ve read the document, And the DAAG minutes say clearly “The intention was to link to HES/MHMDS in the future.” I paste it below.

So, that was not the end of the matter, but is in fact the beginning. The intent is for future data sharing. Our young people at the start of their adult lives, by the very fact of taking the initiative and enquiring to take part in the Activities / Community Project-based work of the NCS, will find their intimate health records linked with the project data, with an unspecified end date.This is a real and active request which was approved, not some past mistake to dismiss. It was and still is approved,for future data sharing.”

Whilst I may believe HSCIC that no data was shared last summer,  and I might believe you were trying to be factual in answering the question, I do not believe that even you could think that consent advice was the sole intent of the DAAG approval, had you read the minutes of your own DAAG meeting. And clearly you had or would not have been so adamant in the answers.

The Guardian article Mrs. Keeley MP mentions, also had their own opinion of the relationships between the parties involved.

Bizarrely almost, we are repeatedly told as reassurance that any organisation with access to pseudonymous health data, which tries to re-identify the individuals whose data it was, would be doing so illegally. Yet the Cabinet Office wants to take medical records and match it to known individuals on their youth programme and keep and share those enriched records without it seems, any qualms at all?

Our trust needs to be based on absolute truth, not manufactured transparency. Truth is bigger and complete with background intent. Not just scraping out the minimum facts in carefully worded language to be legally compliant.

To increase our public trust, we have been told we will know who has had our data in the past, when and for what purposes. In Parliament on March 25th Dan Poulter Health Minister said,  “a report detailing all data released by the HSCIC from April 2013, (including the legal basis under which data was released and the purpose to which the data are being put), will be published by HSCIC on April 2.”

It didn’t happen. HSCIC made available only some. Those made under some sort of data agreement. What of those with direct access to HES at their site, or the police, others have asked?

The Commissioning Board NHS England, tells us repeatedly that they contacted every household in England by leaflet to tell us about care.data and our ‘choice’ to object.

It didn’t happen. Many did not get a leaflet, not just those who opted out of junk mail. Tim Kelsey said he was looking into it. With urgency. Two months later, not a cheep!

So far, we have no report or indication there will be any. Why there were not enough or not delivered leaflets? What they are doing to fix that? It cost the equivalent of at least 50 nurses’ annual salary and the best publicly avaialble information we have from the Information Commissioner’s Office, is that it should never have gone ahead at all. 

So who is taking responsibility for that? Over £1M of public money junked through some letter boxes for the dog to eat. Which no one could understand because it was deliberately obtuse.

And so we come to our future Data Controllers HSCIC. Who seem to have no control at all.

Based on their own admission they have no idea where our medical records are being used, by whom today, and yet we are expected to trust them to use care.data wisely in future?

Barbara Keeley: So have you got the information because I have asked for it twice, but not been given it? For all those 249 organisations with a commercial reuse licence, can we know who all the end users of our data are?

Kingsley Manning: No, because they are using it and putting it into additional services. So, for example, a company such as McKinsey or KPMG would have used it to support Monitor or the NHS TDA in advising on the transformation of health care services.

The Chair of the Heath and Social Care Information Centre has no idea know who has our medical and personal confidential data or what they are using it for.

You get the feeling now, that they are only looking into all of this because they got caught having had no audits in the past of data recipients. Sir Nick Patridge is now leading a review due in a couple of weeks. I sincerely and respectfully hope that his review is more transparent than the last.

Who has taken responsibility for where we have got to in the last year?

Government? Mr. Poulter, Hunt or Cameron, whose plan is this anyway? There has been nothing but dismissive comment which fails to address serious issues and party political point scoring, or no comment at all but how “fantastic for humanity” it will be. Yet care.data is meant ‘only for commissioning.’ See why we’re confused Mr. Hunt and Poulter when you both claim care.data has entirely different purposes? Where is the truth we can trust?

NHS England? Mr. Kelsey now seems to be hiding behind a tree. Or perhaps playing jazz as he tweeted the night before the Public Health Select Committee the last time. Whilst I appreciate it was at a health conference, Nero and Rome sprang to mind. I’ve asked nicely and been ignored, what happened and who is fixing it? Will there be some sort of public progress announcement from NHS England, perhaps from Ciarán Devane, who is on NHS England Board and now chairing the Care.data Advisory Committee trying to latch the stable door? There’s just been stunning silence since the pause announcement.

HSCIC? Clearly nothing to expect from them. Because Kingsley Manning and Max Jones seemed to believe everything was in their remit, legal, and not their fault if the directions from government and NHS England allowed sharing data with all comers. And their Get-Out-of-Jail-Free-Card, they shared concern with the Department of Health about the publicity campaign. (Admittedly, 3 months after the GPES advisory group and others had done so).

Amazingly, Kingsley Manning seemed to thrust the opt out rate from HES into the arena as some sort of achievement. in terms of the number of people who have acted to opt out, it is 14 over the past four years.”

Which only confirms how few of us knew HSCIC stored it and could link Secondary Uses data with Personal Demographic data on demand. (Compared with how many are opting out now we know, of care.data).

And whilst until this whole debacle I and most of the public did not know our hospital records were shared with any other organisations, beyond the NHS and legitimate public research, we now find the gradually closing net around our health data uses, means understanding it has gone to all sorts of commercial organisations. And clearly HSCIC has been caught doing something which now feels wrong even if legal, the HSCIC defended not the action, but their legitimacy for doing so:

Kingsley Manning: We operate according to the Act as it has been passed. We make decisions on the basis of the current regulations. It is not our job to make a judgment on whether we agree or disagree with the nature of a commercial organisation. That is not a criterion on which we act.

Q270 Barbara Keeley: So you are prepared to release even sensitive data out to organisations that just want to do a price comparison website on different pay procedures between different hospital consultants. That was what you did.
Kingsley Manning: I am terribly sorry, but we are bound by the law and the regulations. Under the current regulations that is perfectly legal and legitimate. Indeed, it is arguable that it is a benefit to the health and social care system as a totality. That is an argument that you, Parliament and the public will have to consider.

As part of the public, I have considered it. Too often in the last 8 months. Even whilst making yellow pea soup today, I was thinking how wrong it is for the government to sell our confidential data without having asked us if they could have it in the first place. To take something without asking, we teach our children, is wrong.

Not one person responsible for their part in the execution of the care.data rollout has yet said they are sorry as an apology. I am terribly sorry here, was interchangeable with ‘well, pardon me.’ 

But a true apology for such an almighty mess (Ben Goldacre said so on twitter in better words on February 22nd, but I try and keep readable above a PG rating), would at least be an admission that there is room for improvement. Improvement we can hope to build trust upon. Right now, we have vital Public Health research which it appears, is now on hold and costing money, because it is lumped in with all these commercial uses.

People are opting out of clinical research. And withholding information from their GPs.

Between the three of your organisations, Government, NHS England and HSCIC, if you want us to trust your intentions for the handling of our NHS patient data in future, try harder. Try to seem truthful and seem like you care. And mean it.

Because right now, it only looks like you’re sorry you got caught. You’re playing pass-the-parcel with responsibility. And using our public money to do so.

Kingsley Manning said previously, we should have “intelligent grown up debate” around care.data. Please, lead the way. For right now, it feels like kids squabbling in the back of the car, hoping we’ll just muddle though to get to October and they can ask, “are we there yet?”

As anyone with kids will know, that doesn’t make for happy parents.


********* For reference, the Health Select Committee extract about the Cabinet Office OC/HES/030 – Project National Citizen Service Data Linkage Project *********

Barbara Keeley: There was a lot of saying, “It’s nothing to do with us, guv; this all happened in the past.” You answered the question in that way when this person was a very senior manager, to the extent that he accompanied the Secretary of State on a trip to the United States to sign a data-sharing memorandum of understanding, and, to me, it is astonishing that you should say that the person who had been the chair of the DAAG did not have that responsibility and that you are still wriggling to try to get out of that now. I am not happy with that answer, Chair; I just do not think that is acceptable. 

Kingsley Manning: I am sorry. We are trying to be as transparent as possible.

Barbara Keeley: I don’t think so. I really don’t think so.
Kingsley Manning: May I just talk you through the history of this so that you can get a sense of it? [see full text for history] At that point, we knew that Dr Davies was redundant. He had been made redundant on the abolition of the information centre, and we put in place a plan to deal with that. He was in post. We were not in a position—
Q222 Barbara Keeley: Sorry—you had a plan to make him redundant last year?
Kingsley Manning: No, no. He was made redundant by virtue of the abolition of the NHS IC. It was not our decision.
Q223 Barbara Keeley: So you kept him on for eight or nine months?
Kingsley Manning: We kept him on because we needed to have cover on clinical governance and on clinical advice.
Q224 Barbara Keeley: In fact, he was a very senior manager, and he did accompany the Secretary of State on the visit when they shared the memorandum of understanding. And—
Kingsley Manning: He did. I was there also.
Q225 Barbara Keeley: Let me say a bit more. This is the person that you were making redundant, but you let him chair the DAAG, and he made a number of controversial decisions, including the decision out of committee to release the sensitive medical records of individual teenagers—
Kingsley Manning: I am sorry; that is not true, I am afraid.
Q226 Barbara Keeley: It was reported to be true—
Kingsley Manning: I think you are referring to the fact that he was asked to give advice by the Cabinet Office. He had actually worked for the Cabinet Office on the matter. He gave advice on the consent model that they were going to use. We never released any data and we have not been asked for any data by the Cabinet Office on this matter.
Q227 Barbara Keeley: This was reported last summer by The Guardian newspaper that the sensitive medical records of teenagers on the National Citizen Service were released. That was apparently “an out-of-committee decision” by the chair. Dr Mark Davies was allowed to make decisions out of committee as the chair, and that decision was apparently taken last summer.
Max Jones: I can clarify that Mark Davies did provide advice, as is one of DAAG’s functions, on the consent model, which was being considered by the Cabinet Office, but we have not received a request for that data, nor have we provided any data. The discussion that Mark had was referenced and recorded in the January—I think it was January; I’ll check in a minute—DAAG minutes.
Q228 Barbara Keeley: At least six months after the discussions took place.
Max Jones: That may be the case.
Q229 Barbara Keeley: So this is the person that you are going to make redundant—
Max Jones: No data was requested nor shared. Advice was requested on the consent model, which was given.
Q230 Barbara Keeley: What was requested was linkage of data, wasn’t it? It was linkage to medical data.
Kingsley Manning: No, he was asked by the Cabinet Office to give professional advice on the consent model they were considering. He gave that advice, which was a perfectly sensible thing for him to do. That was the end of the matter.
 Max Jones: And that was recorded in the minutes of DAAG held—
Q231 Barbara Keeley: Yes, I have a copy of that in front of me. You talked earlier, and it is quite important, about transparency. To have recorded this six months after it happened and to then be trying to change something—I am not aware that The Guardian was challenged on the fact that data had been released. It seems there is a very hurried after-the-event style of things happening here, and that is not good for transparency. This is being talked about quite a bit. People’s confidence in what you do has been really undermined by this and the fact that there could have been any suggestion of linkage to medical records for those people taking part in the National Citizen Service. For heaven’s sake, there are all kinds of undertakings made to them as they sign up to that service, and quite rightly. They even have an opt-in for their personal data, so to even consider that, and not to have documented what was happening until six months after the event, just makes you look shady.
 Kingsley Manning: I agree, but we did not have a data request. I absolutely agree, by the way, with your essential point, which is the sensitivity of linking these data in any way with receipt of data—benefits and all the rest of it.