For immediate release – Thursday 19 June 2014
In case you missed it, medConfidential’s initial response to the Partridge review is here: https://medconfidential.org/2014/press-release-patching-hscics-holes-medconfidential-initial-response-to-the-partridge-review/
Detailed analysis of the Partridge Review, published earlier this week [1], reveals a more disturbing picture than has yet been reported. While Sir Nick Partridge’s recommendations are to be welcomed and have been accepted, they have yet to be implemented and – more importantly – evidence must be provided that they are working. Such evidence will be essential to public confidence in the handling of NHS patient data.
The fact is that during a period when ministers and officials have been pushing for a massively increased amount of identifiable patient data to be extracted from the GP records of every man, woman and child in England to the Information Centre under the care.data scheme, serious issues at the Centre itself were either unknown or unresolved.
The largest single data breach in NHS history?
One of the more extraordinary revelations is that in at least two instances – as the list of releases cannot be guaranteed complete – the Information Centre cannot say where it sent patient data. Given that the instance involving the release of HES data was in 2010/11, the year after administration of HES releases was taken in-house, the suggestion that this may have been “an internal Northgate request for data” [6] seems inconsistent with the information provided.
Similarly, no evidence is provided to substantiate the assertion that “no identifiable or potentially identifiable data went missing” [7]. Indeed, the PwC report confirms only that the release in question “was not flagged as containing sensitive or identifiable data”; HES data is commonly provided as pseudonymised patient-level information, i.e. in re-identifiable form [8]. As no information has been provided as to the size of each HES release – which could be a partial extract or a year’s-worth of hospital episodes (tens of millions of dated events) – it is impossible to quantify the number of patients’ records involved.
That “no individual ever complained that their confidentiality had been breached as a result of data being shared or lost by the NHS IC” is beside the point. Up until now no-one knew their data had been lost and it is unlikely that most patients could determine the effects of inappropriate sharing or abuse. In fact there are cases, such as that of Helen Wilkinson [9], which show just how difficult it can be to remove stigmatising errors once propagated by central systems.
It is incorrect to state that no complaints have been made to the Information Commissioner’s Office. medConfidential and others made a complaint regarding the inappropriate and possibly unlawful uploading of 10 years’-worth of HES by PA Consulting (entry 1292 in the spreadsheet of 3,059 releases) to Google’s BigQuery servers [10], and a number of other ‘high profile cases’ are currently under investigation.
Insurers / re-insurers and commercial exploitation
The Secretary of State has repeatedly stated that use of NHS patient data “for commercial insurance or other purely commercial purposes” will be prohibited [11]. While it is to be welcomed that the HSCIC’s Chief Executive has written to three of the re-insurers who hold HES data asking them to delete it, we do not know whether those companies have even replied, much less complied with the request.
Assuming that deletion was part of the contract with the five other insurance companies listed [12], and every other release, it is concerning that the Review does not point to a single instance of an audited deletion of data. Specific mention is made of the suspension of research use, but no such action appears to have been taken in the case of commercial users (or re-users) of NHS patient data, which one can only assume still hold and process data [13].
Systemic failure
It has been claimed that failures were “not systemic”, but the evidence suggests otherwise. The clearest example of this is that when one study within the sample tested – 60 out of 591 MRIS releases – proved not to have the required ONS Legal Gateway approval, investigation of the remaining 90% revealed a further eight instances [2]. Sometimes the Information Centre followed policy and procedure, sometimes it didn’t; that is a systemic failing.
PwC confirms it used a “haphazard sampling” methodology [3] and clearly states there are too many “unknowns” to give “formal assurance or opinion” [4]. Because of failures in record keeping, and in some instances destruction of records, it cannot guarantee the “completeness of the data release list” nor whether the data released “has been used for the intended/stated purpose” [5].
We note that other instances of failure identified within chosen samples did not lead to similar investigations as with MRIS releases, or follow-up action. While we accept that time and resources were limited for this Review, it would be unsafe to conclude anything other than in quite a number of cases – certainly more than are listed in the PwC report, possibly ten times more, given the 10% sample – we simply don’t know what has happened to our data.
Phil Booth, coordinator of medConfidential [14], said:
“We welcome Sir Nick Partridge’s recommendations, but patients need to see the evidence that they’ve been acted on. Public confidence depends on actions, not just words.
“If patients are to trust that procedures and audit are working they must be provided proof of who has their own data, what they are using it for and when it has been deleted. If the systems being constructed for a 21st century NHS cannot provide these answers, they are not fit for purpose.
“Research has been a convenient fig leaf for NHS England when proposing the care.data scheme, but a picture is emerging of commercial companies who get preferential treatment at the head of the queue, while academics patiently languish on waiting lists.”
—
Notes for editors
1) Partridge Review documents: http://www.hscic.gov.uk/datareview
2) pp36-39, HSCIC Data Release Review PwC Final Report:http://www.hscic.gov.uk/media/14246/HSCIC-Data-Release-Review-PwC-Final-Report/pdf/HSCIC_Data_Release_Review_PwC_Final_Report.pdf
3) p81, HSCIC Data Release Review PwC Final Report: “Haphazard selection, in which the auditor selects the sample without following a structured technique… Haphazard selection is not appropriate when using statistical sampling.” This is not to suggest that such an approach was inappropriate in the time given for the review, more to indicate that conclusions cannot reliably be drawn since it is not a statistically based sampling methodology. Amongst auditors this form of testing is considered of minimal value since there is no assurance findings are representative.
4) p4, HSCIC Data Release Review PwC Final Report: “Given the number of ‘unknowns’ associated with this review due to the time period in question and the availability of historical records/evidence, no formal assurance or opinion have been provided over the findings that may be used by the HSCIC to publish their overall conclusions.”
5) pp4-5, HSCIC Data Release Review PwC Final Report.
6) p7, HSCIC Data Release Review PwC Final Report: “This left 2 data releases where it was not possible to identify the organisation that received the data based on the information retained by the NHS IC. One release related to HES data post April 2009. Further discussion with Northgate has indicated that this could relate to an internal Northgate request for data; however this could not be confirmed.”
7) Paragraph 15, Sir Nick Partridge’s summary of the Review:http://www.hscic.gov.uk/media/14244/Sir-Nick-Partridges-summary-of-the-review/pdf/Sir_Nick_Partridge%27s_summary_of_the_review.pdf
8) For an illustration of the information contained in HES and what can be done with it, see: https://medconfidential.org/2014/commercial-re-use-licences-for-hes-disappearing-webpages/
9) Helen Wilkinson was stigmatised as an alcoholic due to a coding error:http://www.theguardian.com/society/2006/nov/02/health.epublic And as debated in Parliament: http://www.theyworkforyou.com/debates/?id=2005-06-16b.495.0&s=helen+wilkinson#g495.2
10) medConfidential, FIPR & Big Brother Watch complaint re. upload of HES to Google servers: http://medconfidential.org/wp-content/uploads/2014/03/2014-03-13-ICO-PA-FIPR-complaint.pdf
12) As widely reported in February, e.g. the Guardian on 28/2/14:http://www.theguardian.com/society/2014/feb/28/nhs-data-will-not-be-sold-insurance-companies-jeremy-hunt
11) List of insurers and re-insurers who may still be holding HES and SUS data:
- 143 Actuarial Profession Critical Illness Working Party – HES, 2011/12;
- 602 FirstAssist – HES, 2012/13;
- 603 Foresters Friendly Society – HES, 2007/8;
- 1293 Pacific Life – HES, 2012/13;
- 1339-42 RGA UK Services Limited – HES, 2009-2013 (Reinsurance Group of America);
- 1381 Scottish Re – HES, 2008/9 (re-insurer, headquartered in the Cayman Islands);
- 1517 Scor Global Life UK – HES, 2012/13 (re-insurer);
- 2676 Milliman – SUS, 2012/13
13) Many of the websites of the commercial companies listed indicate that they are still offering services based on NHS data, e.g. Beacon Consulting, CHKS, Harvey Walsh, NHiS, etc.
14) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.
For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 orphil@medconfidential.org
– ends –
Pingback: NHS tries to distance itself from past data lapses (Wired UK) | Information Society
Pingback: NHS tries to distance itself from past data lapses | Techno-Junkie