Experian, which most people know as a credit reference agency, sell a product called Mosaic; a database which subdivides your and every other neighbourhood in the country into a variety of categories, which are then used for all sorts of purposes – from selling you burgers to insuring your house or car.
We don’t yet know when, but sometime this year HSCIC approved the sale of 3 datasets of hospital episodes (inpatient, outpatient and A&E) to Experian, to help it produce Mosaic “postal sector level” profiles. In the data released, individuals’ diagnoses are linked, via pseudonyms, across events and the various data sets used.
The stated purpose of Mosaic is commercial. Mosaic is used by marketing firms to target people such as “Vulnerable young parents needing substantial state support” (category O69) and “Childless new owner occupiers in cramped new homes” (H35). Experian, as elsewhere, may offer a figleaf of fragments for researchers to give a fake appearance of legitimacy but we’re not fooled. Whatever the spin, this is commercial exploitation of NHS patients’ data.
We shall have to wait and see how HSCIC will interpret the new rules in the Care Act, which this particular release may predate. Will such uses by Experian and commercial marketers be classified as “promotion of health”? Public trust hangs in the balance.
Despite ongoing concern about selling data to insurers, we see that “General Reinsurance” also appears in the list – requesting a customised extract of inpatient data for the whole country in aggregated form. If properly aggregated as statistics, such as the ones HSCIC routinely produces and releases as open data, then we would expect to see this published as open data as well, but we’ve not found it yet.
If these are genuine statistics, then publishing them shouldn’t be a problem. Selling custom extracts, however, puts HSCIC in the position of providing data for private commercial advantage rather than for the benefit of all. Given the huge sensitivities around use by insurers, we have suggested this is not such a good idea.
(For the 6 studies mentioned which involve DNA and/or genomic data, we’re working with our friends at GeneWatch UK to examine what is already public knowledge, and where further information must be requested.)
Though still lacking in detail – no mention of dates, nor links to official approvals or audited deletions – at least this release of the register shows that HSCIC is trying to be more transparent in its actions. C+ for effort, but let’s see fewer omissions next time.
‘National Back Office’
After repeated denials about police access, one of the big surprises in the Partridge Review was the discovery of a whole department dealing with ‘trace requests’ from law enforcement agencies and the courts. Such requests, if approved, attempt to track down individuals using the national electronic database of NHS patient demographic details.
The latest register shows there was a large spike in requests from the Home Office in 2013. It’s not clear if the UK Border Agency’s absorption into the Home Office explains some or all of this increase, nor if other subsidiary agencies of the Home Office make requests. Police requests are recorded separately – and are broken down in a bit more detail in the press release – but we do wonder which other agencies are using section 29(3) of the Data Protection Act.
Given the number of bodies and agencies working out of Smedley Hydro, these relationships cannot afford to be murky – absolute clarity is required.
Crashing consultations in the ‘IG universe’?
Also in the last week we’ve seen a new consultation from the Department for Health on, amongst other things, “Accredited Safe Havens” (ASHs) for commissioning.
Individual-level patient data is already being passed around for purposes such as invoice reconciliation, using what was supposed to be ‘emergency’ Section 251 support. This consultation is about doing it slightly less badly. Though clearly desperate to avoid the contamination of any association with the toxic care.data scheme, DH appears to be saying that patient-level data gathered under care.data could be passed around Accredited Safe Havens.
One thing that had begun to generate confidence was HSCIC’s statement that, under care.data, the only place to which any data extracted from GP systems would go was into a safe setting – what medConfidential calls a Health Research Remote Data Laboratory. (We think ‘HRRDL’ sounds better than ‘fume cupboard’.) This was good news, and a necessary step for public confidence in any extraction of their identifiable data.
But despite HSCIC having said this in public statements and directly to Parliament’s Health Select Committee, the Department of Health clearly hasn’t thought through the implications for this consultation, which is on the flows of data for commissioning – the sole use of care.data for which NHS England has at this point received approval.
This isn’t necessarily a complete contradiction, as patient data will be collected from providers other than GPs and be passed around in other ways – but one might hope that DH would have thought through the implication of its own arms length body’s commitments, rather than taking NHS England’s steamroller approach to governance and schedules.
Another notable feature of the DH consultation is the way it contradicts assumptions made in an NHS England consultation on “Priority Issues in Information Governance“, which opened in February 2014 and should have closed at the end of April. As with much of NHS England’s Information Governance, its ‘Priority Issues’ consultation is an ill-considered mess: surely NHS England has shifted its world view since early February? Given all that has come to light, why has the consultation not been withdrawn or re-issued?
So, other than statements by HSCIC, we’re seeing scant evidence that lessons have been learnt.
HSCIC proposes to limit the number of copies of the nation’s medical records that it hands out for various purposes. This is both welcome and achievable, but it requires both DH and NHS England to accept that business as usual is no longer an option.