One thing the NHS bureaucracy likes more than anything is having the same acronym to mean two different but similar things. In addition to Summary Care Records (SCR, SuCR?), which have existed since 2007, NHSEx now adds ‘Shared Care Records’ from 2021.

As explained to the Public Accounts Committee on 17 September 2020 by Matthew Gould, CEO of NHSX, Shared Care Records (SCR, ShCR?) should:

“…allow patient data to flow safely and appropriately between different care providers, not just in health but also in social care.”  – Question 46

It is not that NHS England / NHSx have access to data today that is necessarily the problem; it is what they will do with it tomorrow – and whether they will keep their promises (cf. Test & Trace DPIA, transparency court case, ‘contracts for cronies’, etc. , etc.) 

What is needed for Shared Care Records to work?

Patients’ and service users’ data flowing along their care pathway for the purpose of their direct care is a worthy and worthwhile goal, and one that medConfidential has supported since its inception.

If Shared Care Records are to be successful in practice, and not repeat the dead-ends of LHCRs, that success requires they must do an number of things:

1)  The Shared Care Record is claimed to be for direct care only, and a good Shared Care Record will indeed be for direct care. A bad Shared Care Record will be used for lots of other things that it does not tell you about. NHS direct care services are too often seen as a ‘Christmas tree’ off which to hang things; ShCR cannot be a means by which sensitive health records leak out of the NHS via a back door.

• What happens across the boundaries between administrative areas (ICS, ShCR, or other)? Do ShCRs facilitate care for those who live in one area but, e.g. visit A&E in another?

• Do (creepy single) doctors get to look up the records of women they’ve met on dates – or anyone in the country – without disclosure or recourse? Are meaningful measures in place for those who are affected to know that their records were accessed?

2)  Shared Care Records’ existence and purpose(s) must be properly communicated to the public, before they are used, (unlike LHCRs) which means:

• Clearly and publicly stating what they will and won’t do, and explaining the rights and choices people have;

• Writing to all those who will have ShCRs created – including service users – not forgetting or otherwise disadvantaging families with children, and not just to those who may have previously opted out of LHCR sharing and/or SuCR.

3)  Ensure Shared Care Records can be seen as trustworthy, on an ongoing basis. From the point they are introduced, a record of every access of a ShCR must be made available to the patient or service user via their new NHS Login, cf. Data Usage Reports.

• If a provider is capable of connecting to a person’s Shared Care Record, it must also be capable of recognising and respecting that person’s confidentiality and consent choices; if it cannot do both, it must not be permitted to do either. 

• There is no excuse to ‘retrofit’ later; GDPR requires that all data processing is lawful, fair and transparent – and the data flowing through Shared Care records is, by definition, identifiable individual-level special category personal data.

• Confidentiality and consent choices should be managed centrally, ensuring that system-wide rules and IG are applied consistently and effectively. If local areas / ICSs manage their own dissent processes and someone moves to another area, will they have to dissent again? How will anyone know?

4)  To the extent that any data contained within Shared Care Records is extracted, copied or otherwise processed (e.g. ‘anonymised’) for any secondary uses, this must be done either within the statutory Safe Haven (i.e. NHS Digital) or under its Information Governance processes, which confer (joint) data controllership. Anything less than this would be a retrograde step and, as the failings of consent and governance processes around individual LHCRs have demonstrated, will compromise public trust.

• Notably for social care data, the regulator (i.e. CQC) cannot also be the Safe Haven: the incentives would be completely perverse. We understand a reluctance to put a body named ‘NHS Digital’ in charge of (adult) social care data, and share concerns about the ‘medicalisation’ of social care. That challenge is, however, an improvement DHSC and the NHS have to learn if health and social care are ever to be properly integrated.

If Shared Care Records cannot meet these conditions then they will be unfit for purpose, and will have been commissioned badly at huge cost to the taxpayer and to the reputation of the NHS.

LHCRs largely failed; will the lessons be learned?

From NHS Data Day, October 2019

Commercial re-use of data

If there are to be secondary uses of data within the Shared Care Record, then plainly the National Data Opt-out must be made statutory, it must work properly for everyone (including families), and must be made readily available to all before any secondary uses go live.

• The deadline for system-wide implementation of NDOP has been extended repeatedly from the original compliance deadline of 31 March 2020, to 31 September 2021;

• Meanwhile, LHCRs and CCGs have struggled to interpret and in some cases properly apply correct and appropriate Information Governance for NDOP – a situation that cannot be permitted to continue beyond the pandemic.

Even if there were to be zero secondary uses of data flowing through the Shared Care Record (ShCR), there would still be the issue of Summary Care Record (SuCR) opt-outs. For if someone has objected to just a summary of their record being shared, how can it be assumed that they will accept the wider sharing of their ‘whole’ care record?

Where there is legislation, therefore, both the National Data Opt-out (NDOP) and a ShCR opt-out must be made statutory; and these must be made readily available to all, and must be respected by all across the whole health and social care system.

“Selling the benefits” is no longer enough if you are also selling the records.

Details documents

• Data flows of COVID-19
• Post-COVID Landscape
• Available next steps for a trial of a Post-COVID Summary Care Record
• Why a single cloud EPR cannot work
• What’s not in the The NHS Whitepaper, plus:
  • Specific note on the Direction powers in the white paper
  • Specific note on Available uses of the Testing infrastructures

As all of the future emerges, the graphics below from various NHS presentations show the thinking that went into them, and the direction of travel:

‘Shared Care Records’ for secondary use?

Data for direct care doesn’t stay for direct care. A series of slides over years show the embedded view of NHS bodies which all want data to flow beyond direct care to commercial companies, and for planning, policy and commissioning decisions.

• It all begins with a lifelong (“longitudinal”) record and “maximising the use of data”:

from: https://digital.nhs.uk/blog/transformation-blog/2019/so-what-is-a-local-health-and-care-record-anyway

• For the purposes of policy-making, planning, commissioning and near ‘real-time’ surveillance of individual-level patient data, explicitly intended long before COVID:

From: https://hscic.kahootz.com/connect.ti/PubNHSDDTSF/view?objectId=10508916 

• Of course, there is also research and commercial exploitation; discussed well before COVID…

From NHS Data Day, October 2019

• …and during the pandemic as well; here’s the Minister discussing legislation to align with Big Pharma interests:

From Baroness Blackwood’s roundtables with Pharma, June-July 2020

ALL of these interests (and many more, e.g. Big Tech, Big DNA…) will seek the data once it has been created.

Details documents

• Data flows of COVID-19
• Post-COVID Landscape
• Available next steps for a trial of a Post-COVID Summary Care Record
• Why a single cloud EPR cannot work
• What’s not in the The NHS Whitepaper, plus:
  • Specific note on the Direction powers in the white paper
  • Specific note on Available uses of the Testing infrastructures