Author Archives: Phil

medConfidential Bulletin, 24th March 2017

It has been a while since we last sent a newsletter. Our apologies for that, but we have been kept busy!

We are entering a period where a lot of things are happening – and are likely to happen – in quick succession, so we wanted to provide a perspective and some context that we hope will help explain at least some of what is going on.

For patients whose practices use TPP SystmOne

You may have seen the note on our website last week about TPP SystmOne. TPP has now updated its system with the capacity to allow your GP to tell you how your GP-held data has been accessed. However, busy GPs won’t yet know how to turn that function on, as the documentation has not yet appeared (and we’ve not been told either).

If your practice uses TPP SystmOne, also branded SystmOnline, and you are able to log into your GP practice online (i.e. if you have a username/password for online access) then you may be able to see this option – to review the organisations which have accessed your GP data – right now. If not, check back in a week or two. It is coming.

This ability to see who has accessed your GP data matters, as the hard part of informed consent is actually being informed about how your medical records are used. As the NHS evolves over time, and while you have a range of consent choices, you need to have accurate information to be able to make those choices for yourself and your family; in your situation, according to your concerns.

Problems tend to arise when people other than those directly affected take decisions that do not – indeed, cannot – account for many millions of people’s individual circumstances.

Google Artificial Intelligence (AI) subsidiary DeepMind

When in a hole, it seems some AIs will keep digging.

medConfidential’s complaint against Google DeepMind’s use of 1.2 million patients’ hospital data continues to be investigated. The National Data Guardian appears to have come to a view some time ago – which suggests the question currently under consideration is how badly Google broke the rules.

A long analysis from the University of Cambridge was published last week, which goes through the entire sorry story in a great deal of detail.

We do not know when the Information Commissioner and National Data Guardian will publish their findings, but fully expect Google DeepMind to leak some parts of those findings to sycophantic outlets the day before…

We shall respond, as we always do.

What’s next? An NHS reorganisation that really matters

Has your area announced the reorganisation of your NHS yet? For several big cities of the North, and some other parts of the country, the picture is getting clearer. The ‘STP shuffle’ will put your local council in partial control of where your medical records get copied – including whether they end up being dumped into a “data lake”.

In hidden meetings, proposals for a “national data lake” continue to be discussed. While NHS England denies it is their current plan, they continue to write regular drafts of an updated document, which they’re sharing with no-one beyond those people who thought a ‘National Data Lake’ was a good idea in the first place…

In our next Bulletin, we hope to have something for you to do to help your community, and may also give an update on the continuing failures around data at Public Health England.

As ever, we are grateful for your donations. Especially as, right now, we’re being legally threatened (we’re in the ‘letters before action’ stage of an attempt to sue us for defamation) for expressing our concerns about a data breach reported as affecting 26 million patients – that’s a lot of new badges.

(We’re aware that, as badges, our button badges in two new designs are ridiculously overpriced. The price point is deliberately chosen so that a donation of £20 to us gets you one, automatically. Or set up a regular subscription for any amount – and we’ll post it to you.)

Thank you.

Phil Booth & Sam Smith
24th March 2017


medConfidential comment on Google DeepMind briefing on an academic paper

We read many academic papers about data projects. It is rare they result in anything at all, let alone anonymous briefings against academic inquiry.

We were therefore intrigued by two points in this Wired article, written with access to Google DeepMind executives:

  1. It reuses a quote from medConfidential that is 9 months old, as if nothing has changed in the last 9 months. If that was true, why did Wired write about it again?
  2. The quote from the Google DeepMind executive suggests the academic paper to which the article refers has errors.

If, as DeepMind says, “It makes a series of significant factual and analytical errors”, we look forward to DeepMind publishing evidence of any errors as a scientifically rigorous organisation would, rather than hiding behind anonymous briefings from their press office and a hospital. Google claims “we’re completely at the mercy and direction” of the Royal Free, but from the last 2 paragraphs of the same article, that’s obviously not completely true…

medConfidential has confidence in the scientific inquiry process – and we are aware DeepMind also do, given their own authorship of academic articles about their work.

While it is highly unusual, it is not a factual or analytical error to write an academic paper that is readable by all.

We expect that DeepMind was aware of the substance of the paper prior to publication, and didn’t say anything about any of those problems then. This behaviour is entirely consistent with DeepMind’s duplicity regarding our timeline of public facts about their original deal – they claim errors in public, but will say nothing about them when asked.

Colleagues at the Wellcome Trust are right – mistakes were made.

This is how AI will go wrong; good people with good intentions making a mistake and being institutionally incapable of admitting that most human of characteristics, imperfection.

For patients whose doctors use TPP SystmOne

Update 19/3: we understand TPP is due to provide more information on their transparency process. We will update this notice when we have read what TPP provide.

There is a problem with the security of GP records held on TPP SystmOne, where your records are protected only by a Code of Conduct:

If you do not receive care from an organisation that uses TPP SystmOne, this issue does not affect you. You can check whether your GP practice does use TPP SystmOne by putting your postcode into this online form; select your GP practice from the list provided, and you should end up on a page which asks you for a username and/or password. If this page has anything other than a SystmOne/SystmOnline logo at the top of the page in big blue letters, then this issue doesn’t affect you. If you see a TPP SystmOne or SystmOnline logo, then you are affected.

Nothing below affects you, unless your doctor uses TPP SystmOne.

Due to a failure by TPP SystmOne, your record may be visible to authorised users in other parts of the NHS that also use TPP SystmOne, unless you (or your GP) have previously taken an active decision to prevent this.

You will know if you took this decision already, because such a decision will affect the care you can receive as it affects who can access your GP record, including for services such as out-of-hours care. While access should be able to be restricted by your GP practice to only those who provide them out-of-hours care, that restriction is not currently offered by TPP. Therefore any authorised user, at any organisation that uses TPP SystmOne, can potentially access at least some of your record.

If you have major urgent concerns about this, and if you only receive care from a single NHS organisation – e.g. your GP, or a single mental health organisation, or a single pharmacy, etc. – you can simply turn off what is called “sharing out” by that organisation using this form BUT please ensure you read the information on the form itself, and the next paragraph, before making that decision.

For many people, turning off “sharing out” is an option that may affect your care, even in the medium term, while TPP fixes the problem.

In the interim: if you are concerned, and turning the “sharing out” feature off would impact your care – which is likely for many people – you can write to your GP practice manager and ask them to (in TPP’s words) “use the Record Sharing node within the patient record to view which other organisations are sharing in the patient’s record and can therefore access the information you have shared out”. In other words, you can ask the practice manager to provide you with a copy of the full list of organisations and the dates on which each one accessed your details for the last 6 months – or around specific dates, if you have specific concerns.

If there are accesses from institutions you do not recognise, medConfidential will publish more information on this post in the next few days about what happens in those rare cases. In most cases, if the dates of access are around a day in which you were at a different NHS provider nearby, it is highly likely that information will have been shared between your care providers. (We will expand on this shortly.)

TPP are actively working to fix this issue, implementing a change that will let you use your login to your GP’s website so that, in future, you will be able to see the ‘audit trail’ of uses that your GP practice manager can see now. If you don’t already have a login to your GP website, it would probably be helpful to get one in advance – as it will have other features beneficial to you.

We understand that TPP are also taking a number of other steps we’ve not covered here.

Longer term outcomes

As medConfidential said when commenting on this issue, “Failures of this sort are exactly why patients must be able to see by which organisations their GP records have been accessed.” We have said this before, when organisations have similarly failed.

We strongly welcome that “TPP will be making amendments to the record audit within SystmOnline, this will show the patient every organisation that has accessed the information you[r doctor] record within their electronic record.” (See the bottom of page 2 of this TPP document.) This work will help reduce the harm of data breaches across the NHS, and not just for TPP.

Such failures have happened before, and will happen again, and again, until – as Dame Fiona Caldicott recommended last summer – Jeremy Hunt commits to ensuring that every patient in the NHS can see how their data has been used.

TPP has now committed to telling patients how their data is used… what about everyone else?


For NHS staff

For GP practices: Please read page 2 of this TPP document linked from your TPP noticeboard, and ask your GPSoC provider to accelerate their work on delivery of the audit trails to patients, and a resolution of the underlying problem. If you have queries, contact your local Caldicott Guardian.

For Caldicott Guardians: please see the (imminent) guidance from the Council of Caldicott Guardians and the National Data Guardian.

Public Health England

“I feel I guess betrayed that 19 months into my partner’s cancer battle we didn’t know about this. I think honesty is the best policy and have no problem with the info being recorded but we should have been told and that the details can be removed at the patients request as not to be made aware at some point seems deceitful”

 patient quoted on p37 of the Macmillan/CRUK report on consent

“Betrayed” and “deceitful” are not words cancer charities quote lightly, but they are right to use them.

medConfidential believes – as we do for all flows of health data – that the cancer registry should be consensual, safe and transparent. Whereas the current data handling practices of Public Health England are coercive, dangerous and dishonest.

PHE’s National Cancer Registration and Analysis Service web page today says: (emphasis added)

“Patients can ask NCRAS to remove all of their details from the cancer registry at any time. Opting out of the cancer registry won’t affect the patient’s immediate treatment at their hospital or GP practice, but there may be occasions in the future when the data that is held by NCRAS can be used to assist in their care or that of a close relative.

“If patients opt-out of the cancer registry, it may not be possible to contact individuals identified as being at risk in future, such as when an increased risk of breast cancer is identified in women treated for Hodgkin’s disease using radiotherapy.”

NHS Digital is solving this problem through medical ethics and hard work; it seems PHE has taken a Board-level decision to ignore the problem and, in effect, blackmail patients instead.

There can be good reasons to override dissent – many of them related to public health. We have asked PHE for a list of the reasons it thinks it needs to routinely ignore the wishes of cancer patients. That list has never been provided, and PHE has published no detailed justification for its demand for data. Scrutiny of what the data is used for shows its existing arguments to be “thin” at best.

The NHS does direct care, Public Health England does not – and PHE is not set up to keep data for both direct care and secondary uses. As a result, to maintain its turf, it has resorted to threatening patients and their families with reduced treatment for cancer both online and in printed literature. We understand “the Director” has called people who opted out, in person, to “encourage” them to rescind their request.

While PHE admits that 150 people have opted out of the registry, it is unclear whether these patients took at face value PHE’s public statements about this not affecting their care, or whether they fully understood any contradictory statements made in private.

This is why direct care and secondary uses must be kept separate – there are sometimes good reasons to have additional copies of data. This is one of them.

The problems of PHE are, however, far wider than just those regarding the cancer registry. While the current review terms are correctly narrowly defined, the solutions may have more general applicability by NHS Digital.

Who is responsible for this mess?

While actual data release decisions remain unpublished, PHE assures us that there is a “reporting line”.

The data release process is apparently managed and supported by an Office of Data Release, decisions are made by the Information Asset Owner, overseen by a Data Release Assurance Board, which does no assurance and which is both chaired by the Chief Knowledge Officer, and supposedly “overseen” by PHE’s Board… via the Chief Knowledge Officer.

While this may – at a glance – seem roughly similar to an HSCIC process, let us add some names to these various posts. For the cancer registry, every single one of those roles is held by the same person: Professor John Newton.

It is clear that PHE has a serious data governance problem.

PHE remains in denial

PHE’s annual report claims (page 119) it has done a “Partridge Review”, as HSCIC did in 2014. However, while the HSCIC process was a model of transparency – it was public, conducted by independent analysts overseen by a HSCIC non-executive board member (Sir Nick Partridge, hence the name) and its outputs were clear and contained both an acceptance of problems and suggested steps to remedy them – by contrast, PHE has chosen to keep its review secret.

It has chosen to hide the process of reform from the public, and chosen to refuse to acknowledge any form of critique. The review was conducted by an in-house consultant, and was delivered to the Information Asset Owner (Professor John Newton), not the Board (on which he sits). PHE has refused FOI requests for that review, and won’t talk publicly about even the topics of the 4 areas of “significant concern”.

This is not a process in which the public can have any confidence at all. Indeed, it gives every impression of a cover-up by those complicit in a culture of failed priorities. And, as such, through the considered decisions of PHE and decision makers, the vitally important cancer registry (and other datasets) remain one small misstep from a collapse of public confidence.

Implementing dissent

While patients have the legal right to opt out of the cancer registry, as part of its move to NHS Digital, it should come under the broader Caldicott Consent Choice.

As there are direct care purposes for which the registry is used, a separate system for those purposes should be maintained by NHS Digital. As a result, where there is a clear and pressing need to use 100% of the cancer registry, rather than the 98% who have not dissented from processing, then approval can be sought from the Confidentiality Advisory Group at the HRA, using the powers CAG acquired under the Care Act 2014. That may simply be the validation of marginal outputs from the 98% dataset, and would be a very specific question (since it would only be confirmation of the output of a research process).

However, the Cancer Registry is currently releasing details of cancer patients to private contractors for purposes that NHS Digital would not have approved itself, or which would have had to have opt outs honoured. These requests are excluded from the PHE Data Release Register. The cancer registry is therefore a ‘back door’ leak of identifiable data about the patients and their cancers.

Given the role the new chair of DAAG played in creating the above cancer registry consent fiasco, continued lobbying to “use my data”, and his other responsibilities and funding, it would seem the current DAAG/IGARD chair is demonstrably unfit to override dissent for the cancer registry.

Demonstrate to patients who has used the data, and why, and what we learnt

The demand for “more data” is endless, and providing more data will not solve that problem – all we see is more demands for more data. Will doing the same thing over and over again generate a different result?

Showing patients what was said to them, and what happened next, will hopefully focus minds away from hyperbole, improve the quality of layperson explanations of projects, and show what works for better outcomes, and what does not.

The cancer registry is a vital resource, but it should be accountable to the very patients whose data is within it, ensuring that data is used properly, and not used wrongly. Currently, those who release the data are not accountable even inside PHE, and keep their decisions secret from the public.

The details matter

As with the failure to implement type-2 opt outs properly for hospital data, and with PHE’s actions at any step of this process, misleading the public has consequences for public trust and public confidence.

It is entirely possible to have a consensual, safe and transparent cancer registry, delivering benefits to patients who wish their data used legitimately. We must and will move away from a coercive, dangerous and dishonest model – the question is solely the manner, governance, and price of that move.

What else will burn in the Bonfire of the faxes?

“Digital services so good that people prefer to use them”, claim the Government.

“The NHS should go paperless”, says Jeremy Hunt.

But what replaces the fax machine when NHS England builds a ‘Bonfire of the faxes’?

It won’t be e-mail.

Clinicians are very familiar with email; they know how it works, and how it fails, when sending patient details between organisations. Even within an organisation, what works in theory doesn’t necessarily work with how clinicians treat patients. If “NHSmail” is NHS England’s suggestion to clinicians as they ban fax machines, doctors may just use stamps.

Don’t subvert the Summary Care Record

A different option, being advocated by pharmacists – not just outfits like Pharmacy2U, but bodies such as the Royal Pharmaceutical Society – is that many different types of organisations should have the ability to edit a patient’s Summary Care Record.

Not only would this immediately exclude all patients who don’t have a Summary Care Record, it would simultaneously destroy any confidence in the integrity of SCR data, which may then be out of sync with clinical systems – fundamentally undermining the data quality in both, and making them untrustworthy for any purpose. As currently designed, multi-party writable SCR is a terrible idea.

What is Slack for the NHS?

If we look at what pharmacists actually need to do, they need to tell the custodian of the patient’s medical record (their GP) what they did. Maybe it was a prescription change, maybe it was a recommendation, maybe it’s other information. This doesn’t require write access to the SCR. It simply requires a reliable mechanism, knowing a patient’s NHS number (which they have), to send a message to the GP or relevant care provider, with the confidence that it has been delivered.

The NHS knows who the care provider is, so the pharmacist doesn’t actually need to. On delivery, it is up to the care provider to act on that information – or, e.g. to make a clinical decision not to act – and to update their records, which then flow through to SCR. So when the pharmacist next looks at the patient’s SCR, the relevant information should all be there. This is not therefore a matter of creating a new system, or breaking a process that works, but about using existing systems better.

Properly designed messaging can be better than fax for clinicians.

We’ve written a draft paper considering how this might be done, in the spirit of building “Digital services so good people choose to use them”. Comments and feedback welcome.

medConfidential Bulletin, 23 October 2015

Quite a lot has happened over the past week. Events are still unfolding, but there has been progress in three key areas.

What just happened?

This week saw the UK’s largest online pharmacy, Pharmacy2U, fined £130,000 for concealing its sale of names and addresses of NHS patients to quacks and charlatans. Quite literally – the companies who bought patients’ details were selling “alternative” treatments and lottery scams.

Not only did they sell the data; Pharmacy2U has been unable to confirm whether the company kept, or can reconstruct, any records as to whose data they sold. Clearly, the private sector has joined NHS England in ignoring HSCIC’s lessons about data releases, following our work over the past two years.

A blanket, criminal ban on marketing to patients is the only way to prevent these predators, quacks and charlatans buying patients’ names and addresses for 8p a time, and scamming them out of money – or health. For, as the ICO’s Penalty Notice points out:

49. It is possible that some customers, who received marketing material from Woods Supplements, after being prescribed medication by a doctor, may have stopped taking their prescribed medication and spent money on products that were subject to the ASA adjudication in relation to misleading advertising and unauthorised health claims.

In light of the ICO’s determination, in regard of serious breaches of the Data Protection Act, medConfidential has written to the relevant medical regulators and professional bodies, asking for them to consider appropriate action within their various remits.

Given the number of patients who contact medConfidential having been marketed about specific conditions and diagnoses, this is clearly not an isolated incident but a systemic problem – and one that must be addressed at all levels.

We believe this underlines the need for all releases of patient data to be covered by personal Data Usage Reports (each and every secondary use being recorded by HSCIC), and highlights the need for a Data Incident Protocol (so that doctors and medical staff can provide the necessary assurance to patients), grounded in medical ethics not mere DPA compliance.

Apps Library

Last week, NHS England announced that its much-vaunted ‘Health Apps Library’ was being shut down, describing it as “a pilot programme”. Since 2013, it has been endorsing hundreds of apps to patients, now replaced by a set of pages on the NHS Choices website which promote a total of seven “online mental health services”.

Not quite what Jeremy Hunt was saying 6 weeks ago when “the Health Secretary stated his ambition to get a quarter of smartphone users – 15% of all NHS patients – routinely accessing NHS advice, services and medical records through apps by the end of the next financial year.”

Serious concerns have been raised over the past year by medConfidential and others with regard to the security, safety and suitability of dozens of apps which were endorsed in the now withdrawn Apps Library.

While we welcome the closure of this sprawling, unaccredited mess of apps and internet quackery, NHS England must now demonstrate how radically it has changed its approach to innovation if it wants to avoid destroying patient trust. Again.

A ban on marketing to patients

Last Friday saw the Second Reading of Chris Heaton-Harris MP’s Access to Medical Treatments (Innovation) Bill – substantively the same Bill as that previously introduced by marketing magnate Lord Saatchi. Alongside many other issues, the question of marketing to patients was raised. When asked: “Will [the database] be used for marketing to patients?” the Minister for Life Sciences, George Freeman answered: “The Government would oppose this being used as a marketing tool.”

Opposing it doesn’t prevent it happening. The ‘McDonald’s amendment’ in the Care Act last year created a loophole allowing data to be used for the purpose of “the promotion of health”, which clearly includes marketing.

medConfidential will continue to ask for a blanket, criminal ban on marketing to patients: explicit, informed prior consent (i.e. opt in) must be the only acceptable consent mechanism, for those who wish to receive marketing – with criminal penalties for those who refuse to comply.

The Government says it opposes marketing to patients, the Saatchi / Heaton-Harris ‘Medical Innovation’ Bill provides the legislative opportunity to implement this, and Pharmacy2U has shown why it is necessary; the remaining question is, will Jeremy Hunt act?

What’s next?

The Saatchi / Heaton-Harris Bill moves now to Committee stage, which we shall of course continue to monitor closely, revisiting as necessary the amendments we proposed prior to Second Reading.

Companies hiding behind the fig leaf of research regularly complain that “slow and costly access to anonymised patient data impedes academic research”. Quite aside from the continued abuse of the term “anonymised”, medConfidential believes that for privileged access to NHS patients’ medical data, filling in a form honestly shouldn’t be too high a bar.

And finally

We remain a tiny organisation, with minimal funding. If you can help us, please do – every penny received will be used on work you’ve just read about in this newsletter.

Please, if you can, make a donation via our PayPal page so that in future every flow of patient data into, within and out of the NHS and social care system can be consensual, safe and transparent.

Phil Booth and Sam Smith

23rd October 2015

Pharmacy2U kept no records of whose data they sold

Addendum to press release

Pharmacy2U kept no records or audit trail of whose data they sold, stating “we are unable to contact individual patients.” EMIS Group, a minority shareholder in Pharmacy2U Ltd, stated yesterday, “The decision to sell data was made by the executive day-to-day management team at Pharmacy2U”, while claiming the “highest standards of patient confidentiality and data security”.

The ICO’s judgement states:

49. It is possible that some customers, who received marketing material from Woods Supplements, after being prescribed medication by a doctor, may have stopped taking their prescribed medication and spent money on products that were subject to the ASA adjudication in relation to misleading advertising and unauthorised health claims.

The choice of Pharmacy2U to sell names and addresses of patients to quacks and charlatans must be addressed. “As a responsible company, we undertook due diligence to check that the organisations intending to use the data were reputable”, say Pharmacy2U, but they still sold data to “spammy” companies that may have encouraged patients not to take medicines prescribed to them (and which they had paid Pharmacy2U for).

medConfidential received the following statement from Pharmacy2U’s media and PR representatives, ‘Intelligent Conversation’ – the new name for the same PR firm that contacted us previously, see the Update from April this year.

We publish Pharmacy2U’s statement in full:

Daniel Lee, Managing Director of Pharmacy2U, said: “This is a regrettable incident for which we sincerely apologise.  

“While we are grateful that the ICO recognise that our breach was not deliberate, we appreciate this was a serious matter. As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed.

“We have also confirmed that we will no longer sell customer data.

“We take our responsibilities to the public very seriously and want to reassure our customers that no medical information, email addresses or telephone numbers were sold. Only names and postal addresses were given, for one-time use.

“As a responsible company, we undertook due diligence to check that the organisations intending to use the data were reputable. There was no publicly available information at the time to suggest that the lottery company was suspected of any wrongdoing and we have confirmed with the relevant authorities that they were validly licensed.  There was no publicly available information at the time that there had been a complaint to the ASA about Healthy Marketing Ltd.

“Following this incident, we have changed our privacy policy to highlight that we will no longer sell customer data and have implemented a prior consent model for our own marketing. We have also worked with the Plain English Campaign to make our policies as clear as possible to our customers.

“We hope that this substantial remedial action will reassure our customers that we have learned from this incident and will continue to do all we can to ensure that their data is protected to the highest level.”

The ICO’s judgement shows that, while the data transferred may have been a list of names and addresses, the information received by the companies and charity was far more than that. For example, in the case of the Australian lottery scammers, they would have known that each name and address on that list was of a man (i.e. gender), aged 70 or over (i.e. age), who had made a purchase (financially active) from an online pharmacy in the past 6 months (with certain conditions).

Pharmacy2U’s “substantial remedial action” does not include informing any of the 21,500 patients and customers whose names and addresses were sold – as, for example, the Government did when it lost two CDs containing HMRC Child Benefit data.

So we asked them about it.

This was the response:

A Pharmacy2u spokesman said: “As soon as the issue was brought to our attention, we ordered the certificated destruction of all the names and addresses that had been sold. [Our emphasis] For that reason, we are unable to contact individual patients.

“Anyone with concerns should contact us on 0113 265 0222 or via email,

We are pleased that Pharmacy2U has (finally) provided contact details for patients and customers who may have been affected by them selling their details, though these seem not to have been published in a way concerned members of the public can easily find them. We got them in an email, and P2U’s online statement directs people to their standard customer feedback form.

However, we are astonished to hear that the company retained no record of the people whose details were sold, and is incapable of regenerating those lists from the records it is supposed to keep according to Pharmaceutical Regulators.

This is a serious failure of information governance, which only compounds their original decision to sell people’s details. Pharmacy2U have not confirmed that all the recipients of the data destroyed all of the details.

Once again, predatory quacks and charlatans have targeted those who are most vulnerable. Pharmacies and charities are likely to know who is most at risk, and selling their names and addresses is complicity in the sort of abuse that has cost lives.

Only a criminal ban on marketing to patients will prevent crooks preying on patients.


[PRESS RELEASE] There’s an app for that? NHS Health Apps Library “pilot” is shut down, but will “medical innovation” include marketing to patients?

This morning, the NHS Health Apps Library – a “pilot programme” that has been endorsing hundreds of apps to patients since 2013 – was finally shut down. It is replaced by a set of pages on the NHS Choices website which promote a total of seven “online mental health services”. [1]

Serious concerns have been raised over the past year by researchers at Imperial College London and Ecole Polytechnique CNRS, France [2] and by medConfidential [3] with regard to the security, safety and suitability of dozens of apps which were endorsed in the Apps Library.

A handful of apps – including Kvetch, Doctoralia and My Sex Doctor [4] – were silently withdrawn following complaints, but it is unclear how NHS England intends to notify patients left hanging now that “innovative” apps it has been promoting for up to two years have had their approval pulled.

The closure of the Apps Library coincides with the Second Reading of the Access to Medical Treatments (Innovation) Bill – a Private Members’ Bill by Chris Heaton-Harris MP, a version of which was introduced previously in the Lords by advertising magnate Lord Saatchi.

Apps fall within the Bill’s definition of “innovative treatments”, opening far wider questions as to the use of the database [5] that would be created under Section 2 of the Bill. Minister for Life Sciences, George Freeman MP, tweeted during the debate [6] that he did not intend for the database to be used for marketing to patients, but the Bill itself and existing legislation [7] provide no legal bar.

All of which further calls into question the stated ambition of Secretary of State for Health, Jeremy Hunt, “to get a quarter of smartphone users – 15% of all NHS patients – routinely accessing NHS advice, services and medical records through apps by the end of the next financial year.” [8]

Phil Booth, coordinator of medConfidential said:

“While we welcome the closure of this sprawling, unaccredited mess of apps and internet quackery, NHS England must now demonstrate how radically it has changed its approach to innovation if it wants to avoid destroying patient trust.

“Promoting predatory ‘bait and switch’ apps targeting teenagers, like My Sex Doctor, was certainly an “innovation” for the NHS. Real doctors would have laughed the charlatans out of the surgery and got back to helping patients, but it seems Tim Kelsey’s team welcomed them with open arms.

“Jeremy Hunt and George Freeman may not intend for any of this to be used for marketing to patients, but there’s no legal bar. And as NHS England’s abortive attempt with apps has shown, not thinking this through properly puts patients at risk.”

Notes for editors:

  1. Just three of these “services” are available as apps:
  2. which led to the removal of My Sex Doctor and other apps. Full study published here:
  4. Kvetch app was a self-described “experiment” that proposed to “make sickness social”, with a communally-visible “alcoholism” group it encouraged individuals to “check your friends in for a laugh”. Barcelona-based Doctoralia (still available in UK apps stores) failed to correctly list GPs working in UK practices, listing at least one GP who had died tragically, and had complex DPA issues that failed to meet the Apps Library’s own criteria for inclusion. My Sex Doctor (also still available in commercial apps stores, and still claiming NHS endorsement) targets teenagers with sex advice, with a stated business model: “Once gained their trust we can leverage it for commercial purposes” – see slide 11,
  5. Which Chair of the Health Select Committee, Dr Sarah Wollaston MP, described as “a vast sprawling database of anecdotal treatment for male pattern baldness”. Debate transcript:
  7. See medConfidential’s briefing, following a meeting with Chris Heaton-Harris on 30 Sept:
  8. Official report of Jeremy Hunt’s speech, 2 September 2015: – updated on 18 September following the announcement of the consultation on the role and remit of the statutory National Data Guardian, who will produce “clear guidelines for the protection of personal data against which every NHS and care organisation will be held to account.”

medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

– ends –

medConfidential Bulletin, 11 October 2015

We hope you had a good summer. Ours was interesting, to say the least.

Parliament begins sitting again on Monday, and people will wake up to the stack of things we’ve got ready for them. But in the meanwhile, quite a lot has happened:

“paused” yet again

Despite NHS England’s announcement in June that the pathfinders would be starting at “the beginning of September”, the Secretary of State on 2 September effectively pushed back the restart to at least the end of January 2016.

The announcement (originally) said:

The National Data Guardian for health and care, Dame Fiona Caldicott, will… provide advice on the wording for a new model of consents and opt-outs to be used by the programme that is so vital for the future of the NHS. The work will be completed in January…

A later “clarification” omits to mention, but confirms that the National Data Guardian will develop “clear guidelines for the protection of personal data against which every NHS and care organisation will be held to account. She will provide advice on the wording for a new model of consents and opt-outs, to enable patients to make an informed decision about how their data will be shared.”

This work – a task NHS England singularly failed to complete in 3 years! – is to be completed in January, “…with recommendations on how the new guidelines can be assured through CQC inspections and NHS England commissioning processes.” Apparently “no arbitrary deadlines” only applies to NHS England.

Where does this leave the programme itself? Well, for starters…

Tim Kelsey ‘opts out’ of

On 17 September, mastermind Tim Kelsey announced his resignation as National Director for Patients and Information at NHS England. He has taken a job as commercial director for Telstra Health, a division of Australian telecoms provider Telstra Corp, to which in March this year DH sold Dr Foster Intelligence, the company Kelsey co-founded in 2000.

Tim Kelsey leaves the UK for Australia in December – an antipodean departure emulating that of the former NHS Director General of Information and head of Connecting for Health, Richard Granger, some years back – but his departure leaves a number of important issues unresolved.

As we learned from Programme Board papers that were finally published in August, and from subsequent Board meetings of both NHS England (video) and HSCIC (cf. minutes on p10), the Directions still aren’t finalised. Indeed, in responding to the Directions sent by NHS England, HSCIC’s Board identified five key unaddressed issues in addition to matters medConfidential had raised.

There’s also no sign of the CAG Regulations, due since the passage of the Care Act 2014 last summer. This means that promised safeguards such as “one strike and you’re out” sanctions for data abuse or misuse and, crucially, the closure of the commercial re-use loophole – persisted by the over-broad definition, “the promotion of health” – have still not been enacted.

What next?

Dame Fiona Caldicott is rewriting the language on consent for patients, which NHS England previously said was ‘ready to go’; HSCIC appears close to being able to ‘fix’ the 9Nu4 opt-out problem, currently affecting over a million patients, that NHS England dumped on it; and DH is finally drafting the Directions on Patient Objections, required to deliver on the Secretary of State’s 2013 promise to respect patient opt-outs.

Assuming the decision is to replace him, whoever replaces Mr Kelsey has a tough task and problems much wider than just to resolve – the digital public health disaster that is the NHS Health Apps Library, to mention but one.

Patients and Registered Medical Professionals must be fairly represented throughout these processes and on all relevant bodies (the Programme Board, for example, still has no public and patient representative) and both NHS England and DH must ensure that the new ‘worldview’ – drawing on lessons learned the hard way – is consistently applied across the health and care system.

medConfidential believes it is still possible to preserve confidentiality and consent in health and social care, and will continue to work to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. If they want to regain public confidence, it is up to the Government, DH and its arm’s-length bodies to now show they can do so, in a trustworthy way.

Statutory National Data Guardian

The Government has now published its consultation on the remit and functions of the National Data Guardian – the role currently fulfilled by Dame Fiona Caldicott. medConfidential welcomes this consultation, available here, which should lead to legislation that will ensure the strength and the remit of the National Data Guardian into the future.

medConfidential will be responding formally in due course, and we have published some initial observations on some of the significant questions raised. We strongly encourage anyone with views on this vital statutory reinstatement of overarching, independent governance oversight to make a submission of their own before the 17 December deadline.

Another new database?

The ‘Medical Innovation Bill’, first proposed by advertising magnate Lord Saatchi, will shortly return in the form of a Private Members’ Bill by Chris Heaton-Harris MP, entitled the ‘Access to Medical Treatments (Innovation) Bill 2015-16’ (draft Bill here). The new Bill has its Second Reading in the Commons on 16 October.

medConfidential had some questions for Mr Heaton-Harris on the content of the draft Bill, and had a meeting with him last week. Our comments and suggestions arising from that meeting covered a ban on marketing to patients, Data Usage Reports (including our example of what one might look like) and an alternative approach that might deliver the policy intent of the Bill without creating another new database, or giving DH duplicates of powers it already has.

We shall watch the progress of the Bill with interest.

In other news…

medConfidential continues to draw attention to matters of importance to patients and – in our continued membership of the up-to-now somewhat ignored Advisory Group and engagement with other groups, Boards, panels and processes – providing robust but constructive criticism to those who need it.

However, issues sometimes come up that have a wider impact than in just health and care. (You may remember All But Names, a few months back.) One such issue is Freedom of Information; a vital tool for all those who seek to hold the powerful to account. Sam and Phil have joined with others in the FOI community, including journalists, campaigners and citizens across the country in a project to #saveFOI.

The purpose of #saveFOI is to defend against threatened restrictions to Freedom of Information, proposed in the Terms of Reference for the FOI Commission – and by fees proposed in an earlier consultation affecting FOI appeals, that could mean charges of up to £600 to get information released.

The FOI Commission, already half-way through its appointed time scale, has only just put out a public call for evidence – and #saveFOI needs your help:

  • If you have used FOI to help change the world for better, let us know. #saveFOI is assembling a dossier of FOI requests which led to improvements in the world (precisely which of these is the Government seeking to prevent?) and also examples of the broad and/or eccentric interpretation of the exemptions currently in the Freedom of Information Act. We need YOUR stories.
  • Spread the word – on Twitter, on Facebook, on your blog and wherever else you can; the hashtag is in the name, #saveFOI, and the more people who speak up on the positive effects of FOI the harder it will be for the Government to restrict the transparency that is so vital to public trust.

Apologies for the length of this Bulletin. As we said at the top, a great deal has happened since our last newsletter – keeping us very busy.

We remain hugely grateful for the continuing support you and our other supporters provide, most especially the actions you take when we need you.

Phil Booth and Sam Smith

11th October 2015