medConfidential Bulletin, 5 September 2014

It’s been just over 6 months since NHS England pressed “pause” on, so we thought now would be a good time to provide a round-up of what’s been happening. Some things have changed since you last heard from us, some things unfortunately haven’t.

What just happened?

Minutes published by the revived Data Access Advisory Group (DAAG) at HSCIC earlier this week revealed that an unnamed organisation has been using HES and ONS data “for commercial activity in addition to the purposes they had stated when applying for approval”.

This is deeply concerning, especially given repeated assurances by Ministers and officials that commercial exploitation of NHS patients’ data will not be permitted. We wrote with urgent questions on Tuesday and are waiting for a reply; it seems that while the ‘new world’ detection regime may be beginning to work, we are still stuck with ‘old world’ incident handling.

This is precisely the sort of offence that ‘one strike’ sanctions would address; the perpetrator would have to delete the data, provide proof that it had been deleted, would have their current contract(s) revoked, and would not receive data in future. Merely “asking the data recipient to cease using the data” shows how far we still have to go.


A survey by GP magazine Pulse over the summer suggests nearly one third of GPs would opt their patients out of if NHS England ignores the BMA’s vote for the scheme to be opt-in. GPs across the country report that patients are continuing to opt out; one in St Helens confirms that “opt outs in her surgery currently stood at 20%”. And even NHS England’s Deputy Medical Director has called for parts of to be opt-in.

medConfidential proposed a way in which NHS England could empower GPs who want to protect their patients’ confidentiality and also allow consensual research, but it appears the official still pushing the scheme just doesn’t want to.


We’ve said many times that the nation’s medical records are more valuable than the Crown Jewels; it appears parts of the system have got the message, and the Health Select Committee was given assurances (Q433 & Q504) that – for the ‘pathfinder’ phase at least – extracts will only go into a ‘safe setting’. This is the secure data facility that some have called a “fume cupboard” and which we have previously discussed as ‘HRRDL’, a tightly locked-down Health Remote Research Data Laboratory.

We have to hold them to these assurances, and one of our current tasks is to make all parts of the system understand and respect the promises some parts have now made. Meanwhile, there have been a slew of consultations to respond to – hardly light beach reading! – including the Department of Health’s on ‘Accredited Safe Havens’, HSCIC’s Confidentiality Code of Practice and new data sharing contracts and agreements. And we continue to point out problems and ask difficult questions when attending the advisory group.


Unfortunately NHS England’s senior staff are still clueless on this front. They won’t confirm whether every patient will be written to, with an opt out form. We keep asking. They won’t even confirm if they wrote to every Clinical Commissioning Group asking if they’d like to volunteer to be a ‘pathfinder’. So we wrote to the CCGs ourselves, who confirmed that NHS England hadn’t.

Meanwhile, the search for a replacement ‘Senior Responsible Officer’ for continues. It’s the archetypical hot potato. We had some questions for candidates to ask the panel at interview. Things at HSCIC seem a bit more organised, and – with certain unfortunate exceptions – there are real signs they are working to improve their systems and procedures. But ongoing scrutiny is required.

Over the summer, we learnt more about the operations of the ‘National Back Office’ and access by law enforcement agencies – first outed in the Partridge Review, with more detail in July’s Data Release Register. Given the co-location of so much sensitive data at Smedley Hydro, it may be the permanent solution for this would be to move birth, marriage and death registrations out of the Home Office.

Where next?

Details of the ‘pathfinders’ of “between 100 and 500 GP practices in the autumn” are still sketchy. NHS England won’t – or can’t – say where they will be, when they will start, or what exactly they’ll be doing. We’ll update you as soon as we know anything definite.

Meanwhile, Phil will be speaking at a number of events in coming weeks, including:

We are a tiny under-resourced campaign, but if you would like someone from medConfidential to address a meeting of your patient representative group or local HealthWatch please get in touch via We’ll do our best to provide a speaker.

How can you help?

We still need your help spotting inappropriate consent forms – and this is not just about enforced Subject Access Requests by insurance companies. We’ve seen forms requiring patients to agree to having their data used for purposes other than their medical care or to having their medical information processed overseas. Help us root out these abuses of consent and confidentiality wherever they occur.

And finally

medConfidential’s work continues. For example, we are pushing for patient-level audit trails – not just a quarterly data release register – that would mean you could see exactly how your data, your experiences, your life, had contributed to particular pieces of research, and read the papers from the researchers that advance knowledge.

What we do may not always be headline-hitting, but we believe keeping every use of your medical information consensual, safe and transparent is essential. There are benefits to be had, but only if things are done right.

Please do forward this newsletter to your friends and family. They can receive future editions by joining our mailing list at

Phil Booth and Sam Smith
Coordinators, medConfidential
5th September 2014