In short, you should know where your medical records have gone, and why.
Whether you have opted in or out of care.data, there are a whole host of other data flows that relate both to direct care and to all the other things that happen around the NHS. You may have a Summary Care Record (SCR), and your hospital (HES) records may – or may not – be sent to various places depending on your consent where it is applied, and irrespective of your consent where it isn’t.
Some of these data flows are routine; for example, the NHS Business Services Authority sorts out paying prescriptions, so it gets a copy of that data so it can do its statutory job. But if you’re treated in a hospital the various organisations, both private and public, who provide services to that hospital may also get a copy of (some of) your medical record for various reasons.
Why does this matter for you?
If you don’t know where your data has gone, there’s no way to know whether your wishes are being respected. And when there is a problem, there’s no way to know whether you personally were affected.
Most SCR records will not be accessed or viewed when they shouldn’t have been, but without you knowing when your SCR was accessed and by which organisation, you have no way to know whether or not your confidential details have been protected. NHS bodies have that information, and can tell the Health and Social Care Information Centre.
Since the debacle in February, the HSCIC has undertaken a process of significant internal procedural change. In March 2014, it couldn’t say to whom it had sent data that month. By February 2015, it should be possible for HSCIC to tell each individual patient exactly where their medical record went, and why – both for their direct care and for the variety of other uses around the system.
There is, for example, a broad base of support for medical research. The UK wins more than its fair share of Nobel prizes and other measures of esteem, not to mention the development of new treatments to help all. As a patient, your medical records will have been used in a variety of these studies for decades, but until things began to change this summer there has been no way for you – as a patient who contributed – to receive the knowledge of the outcome of these research programmes, even though many years may have passed since your records were used.
HSCIC should remember, and can tell you. Academics and researchers are already required to tell their funders (and hence the public) of the outcomes of their research – in academic papers or other published outputs – so if they tell HSCIC, then HSCIC can tell you about the projects in which your data was involved, however small or large its contribution.
A data usage report (that covers all uses) means you won’t merely have to trust that your data was treated properly by the NHS. You can read your report, and know for yourself.
There are some parts of the health and care system that won’t and shouldn’t ask for NHS numbers, so these will not be included in the report – but if your NHS number is used, then it should be included.
If there are good reasons why something shouldn’t be included in the data usage report, then maybe the NHS number shouldn’t be used. If data can be linked then it likely will be linked at some point, and if this shouldn’t happen then there may be better measures that can be used to prevent linkage, such as not using the NHS number.
Why is a data usage report so important?
Data ‘wants’ to be copied. Without a full commitment to individuals knowing where their data goes – and this must be for everyone, not just those who don’t choose to opt out – there will continue to be mistakes caused by secrecy that are catastrophic to public trust in the handling of NHS patients’ data.
What might a data usage report look like?
In September, medConfidential produced an example of a personalised data usage report [278 kB PDF file] (edit – there’s a 2021 updated example now too). We understand that discussions have moved on and that some of the sections may be slightly different, but this is an active discussion we look forward to seeing happen.
Only with a data usage report, available to every patient, can care.data go forwards. With the emerging details of where patients’ data goes, and on what basis, this cannot be mishandled as so much of the care.data programme has been up to now.