NHS Digital has published some information on the new “National Data Opt Out Programme”. The information for patients is still missing entirely, and everything else is subject to change.
The new model
The new consent model has the opportunity to do good – and it appears far clearer than the old. But if the loopholes and failures of the past continue to be included in the new model, it will fail in terms of public confidence, just like care.data.
We continue to be promised that every patient who has opted out will get a letter describing the new arrangements, although patients who didn’t opt out may be left in the dark about how their data will be used.
As Dame Fiona Caldicott was asked to create, the new opt out will be a simple question:
“You have the right to opt out of your personal confidential information being used for [these other] purposes beyond your direct care” (Deck A)
While we feared there may be new non-statutory ‘special purposes’ that override the opt out created, there seem to be none. While NHS England, and Public Health England wanted their desire to use data to be more important than any patient’s ability to dissent – the slides currently say that the Department of Health disagrees with them. This is good.
Data ‘anonymised in line with the ICO’s anonymisation Code of Practice’ will be excluded from the opt out, but we’ll come onto that later. The embedding of the list of exclusions in the Deck A list (as above) is probably just going to cause problems for all sides in future years – the language has to work irrespective of how the NHS reorganises next week, and we hope the words in square brackets above are not in the language that patients see.
It was the interactions and nuances between what the public were told, and what public bodies wanted to actually do in practice, which led to the collapses and repeated failure to restart care.data, and which led to its ultimate demise. DH hopes that avoiding sharing details too early will mean no one spots problems until it is too late. That is a theory unlikely to survive contact with the real world – which it has not yet attempted.
A trustworthiness question from medConfidential
What should the response be when a public authority is found to have misled the public about how it used data? What happens when the release register is agreed to be wrong, in a way which is demonstrably misleading? What should a trustworthy organisation do?
The remainder of this blog post is a slightly technical look at various specifics. When the patient information is published, we will write a patient perspective on where things are.
NHS England has started by issuing a tender for suppliers to ACOs and STPs. That doesn’t seem like the ideal place to start.
The loophole that remains
Data that is “anonymised in line with the ICO code” remains outside the dissent from ‘information being used for purposes beyond direct care’.
This is purely a political choice by the Department – while they may feel they have no requirement to cover it, the opt out is a gift of the Secretary of State, and he may decide what it covers, and it is only a minor implementation change to go from one to the other.
Previously, the formulation for the opt out was ‘dissent from data leaving the HSCIC” (or GP) – the focus was on data as it left an institution. And in that, it was possible to argue that it was no longer personal data when it was moving (emphasis on possible).
Now, the formulation is about “use” of data for “purposes beyond direct care”, and is undoubtedly clearer in many ways, but it looks at ‘use’. But someone is going to have to justify to the public how ‘anonymisation’ is a direct care purpose. Less than a week after DH told the Health Select Committee that it believes patients have no privacy right over non-clinical data held by NHS Digital, this looks to be a fundamental flaw, resulting from a fundamental change.
Moving to the formulation to be about use also reduces the scope for the purposes of the “promotion of health”. DH has likely missed (again) the opportunity to explain to patients whether or not “promotion of health” can include promoting McDonald’s salads or alternate tobacco products.
There are clearly cases where 100% of data is needed; but the vast majority of research projects would come to exactly the same answer if they used data for which dissent had been honoured. The Confidentiality Advisory Group was placed on a statutory footing and was deliberately given the ability to give advice to NHS Digital on these questions – but the Government has never got around to even starting that process.
No data recipient is currently asked to justify why receiving 98% of patient data is insufficient – data recipients are not asked whether they wish to receive data on people who dissent from their data being used for purposes beyond direct care. Many academic research projects outsource some of their ethical obligations to the data provider – who in this case, will be ignoring them. Again, the obligations change because of a new focus on ‘use’, and it is unlikely that NHS Digital (and PHE) not asking that question will simply allow ethical researchers to ignore it.
The Department of Health ignoring a problem just means everyone else has to deal with it. That has also not gone well elsewhere (for everyone else, DH may disagree).
The Disease Registries (including cancer)
According to the slide decks, the new opt out will not apply to the cancer registry or other data held by PHE (although after last week, it is expected that this should change – and that has consequences for the system).
If the new opt out model does cover PHE datasets like the cancer registry, this will need to be clearly explained in the letter that goes to patients.
Either way, the ‘cancer charities’ should explain (in a fair way) both the benefits of the new consent model, and the choices that it offers cancer patients (and also what those choices will not protect their community against).
Unlike some other health conditions, those who fundraise for the cancer charities often end up being encouraged to publish sensitive personal data about their diagnosis (such as the type, and date), when fundraising for charities. Where those fields are released unprotected, (whether opt outs are disregarded or not), that may change the institutional conceit around inadequate protection. (But this probably won’t happen until after something goes very badly for a someone to whom they owe a duty of care…).
If the text in the slide decks remains accurate, and there are two divergent dissent systems, it is unlikely that the cancer registry could ever integrate into the NHS and remain a backwater of unlinked and idiosyncratic data sources. That is not a good outcome for those who wish to see a cure for cancer.
We have no information that isn’t public or above – so it may be we’ve misunderstood things. This has happened before. Feel free to get in touch if your reading is different to ours ..