For immediate release – Tuesday 17 June 2014
The Partridge review of data releases by the NHS Information Centre, published today, indicates systemic failures in the handling of patient information over a period of 8 years. In the 10% sample chosen for closer examination, multiple breaches of proper procedure were discovered, including:
- improper record-keeping
- “lack of evidence to support” processes and controls
- lack of clarity over contractual agreements; confusion over data sharing vs. re-use
- lack of systematically-applied audit; no audited deletion of data
In at least two instances, HSCIC admits it doesn’t even know who patient data was sent to, or how many years of patient treatment data they sent.
Phil Booth, coordinator of medConfidential , said:
“The Information Centre would clearly like to draw a line and move on, and Sir Nick’s recommendations are to be welcomed in that regard, but what about consequences?
“Breaches of several thousand patient records have resulted in massive fines and prosecutions ; the serious failings discovered within just the sample chosen will involve millions of people’s medical records. And what about the 9 out of 10 releases that weren’t examined?
Regarding gaps in the information:
“It’s bad enough that patient data was being sold to so many private companies and passed to Government departments. Not being able to say who got their hands on patient data in every instance is astounding. Tim Kelsey’s assertion  that there have been ‘no breaches in 25 years’ has been blown out of the water.
As to future action:
“Patients have every right to be appalled at this litany of failures. What this demonstrates is that without end-to-end audit and timely feedback, so patients can know who has their data and what they are doing with it, the system will not be fully trusted.
“HSCIC’s new management says it will set the highest bar for transparency and good practice, but who will oversee them? Good intentions are fine, but an independent watchdog with teeth – such as the government just rejected  – would provide public confidence.
“If the government and NHS England want to continue to reassure the public that companies won’t be exploiting their data for profit, then HSCIC must find and close down every last commercial re-use licence.
Notes for editors
1) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.
2) List of monetary penalty notices and prosecutions issued by the Information Commissioner’s Office: http://ico.org.uk/enforcement/fines and http://ico.org.uk/enforcement/prosecutions Just yesterday, details emerged of breaches involving 10,000 patients’ records: http://www.bbc.co.uk/news/uk-england-27864798 – by comparison, Hospital Episode Statistics (HES) in any one year amounts to around 100 million patient episodes.
3) On BBC Radio 4’s Today programme, 4/2/14: https://www.lightbluetouchpaper.org/2014/02/04/untrue-claims-by-nhs-it-chief/ which we followed up with a FOI request, which revealed breaches in each year from 2009-2012: https://www.whatdotheyknow.com/request/independent_audits_of_hessus_and#incoming-502600
4) An amendment that would have reinstated independent, overarching information governance for the entire health and care system on a statutory basis – abolished under the Health and Social Care Act – was rejected in the final stages of the Care Bill this May. See medConfidential’s briefing for more detail, including the fact that the ‘McDonald’s clause (“the promotion of health”) will still permit commercial exploitation: https://medconfidential.org/wp-content/uploads/2014/05/medConfidential-briefing-for-Care-Bill-ping-pong_07May.pdf
For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or firstname.lastname@example.org
– ends –