Author Archives: Phil

What else will burn in the Bonfire of the faxes?

“Digital services so good that people prefer to use them”, claim the Government.

“The NHS should go paperless”, says Jeremy Hunt.

But what replaces the fax machine when NHS England builds a ‘Bonfire of the faxes’?

It won’t be e-mail.

Clinicians are very familiar with email; they know how it works, and how it fails, when sending patient details between organisations. Even within NHS.net, what works in theory doesn’t necessarily work with how clinicians treat patients. If “NHSmail” is NHS England’s suggestion to clinicians as they ban fax machines, doctors may just use stamps.

Don’t subvert the Summary Care Record

A different option, being advocated by pharmacists – not just outfits like Pharmacy2U, but bodies such as the Royal Pharmaceutical Society – is that many different types of organisations should have the ability to edit a patient’s Summary Care Record.

Not only would this immediately exclude all patients who don’t have a Summary Care Record, it would simultaneously destroy any confidence in the integrity of SCR data, which may then be out of sync with clinical systems – fundamentally undermining the data quality in both, and making them untrustworthy for any purpose. As currently designed, multi-party writable SCR is a terrible idea.

What is Slack for the NHS?

If we look at what pharmacists actually need to do, they need to tell the custodian of the patient’s medical record (their GP) what they did. Maybe it was a prescription change, maybe it was a recommendation, maybe it’s other information. This doesn’t require write access to the SCR. It simply requires a reliable mechanism, knowing a patient’s NHS number (which they have), to send a message to the GP or relevant care provider, with the confidence that it has been delivered.

The NHS knows who the care provider is, so the pharmacist doesn’t actually need to. On delivery, it is up to the care provider to act on that information – or, e.g. to make a clinical decision not to act – and to update their records, which then flow through to SCR. So when the pharmacist next looks at the patient’s SCR, the relevant information should all be there. This is not therefore a matter of creating a new system, or breaking a process that works, but about using existing systems better.

Properly designed messaging can be better than fax for clinicians.

We’ve written a draft paper considering how this might be done, in the spirit of building “Digital services so good people choose to use them”. Comments and feedback welcome.

medConfidential Bulletin, 23 October 2015

Quite a lot has happened over the past week. Events are still unfolding, but there has been progress in three key areas.

What just happened?

This week saw the UK’s largest online pharmacy, Pharmacy2U, fined £130,000 for concealing its sale of names and addresses of NHS patients to quacks and charlatans. Quite literally – the companies who bought patients’ details were selling “alternative” treatments and lottery scams.

Not only did they sell the data; Pharmacy2U has been unable to confirm whether the company kept, or can reconstruct, any records as to whose data they sold. Clearly, the private sector has joined NHS England in ignoring HSCIC’s lessons about data releases, following our work over the past two years.

A blanket, criminal ban on marketing to patients is the only way to prevent these predators, quacks and charlatans buying patients’ names and addresses for 8p a time, and scamming them out of money – or health. For, as the ICO’s Penalty Notice points out:

49. It is possible that some customers, who received marketing material from Woods Supplements, after being prescribed medication by a doctor, may have stopped taking their prescribed medication and spent money on products that were subject to the ASA adjudication in relation to misleading advertising and unauthorised health claims.

In light of the ICO’s determination, in regard of serious breaches of the Data Protection Act, medConfidential has written to the relevant medical regulators and professional bodies, asking for them to consider appropriate action within their various remits.

Given the number of patients who contact medConfidential having been marketed about specific conditions and diagnoses, this is clearly not an isolated incident but a systemic problem – and one that must be addressed at all levels.

We believe this underlines the need for all releases of patient data to be covered by personal Data Usage Reports (each and every secondary use being recorded by HSCIC), and highlights the need for a Data Incident Protocol (so that doctors and medical staff can provide the necessary assurance to patients), grounded in medical ethics not mere DPA compliance.

Apps Library

Last week, NHS England announced that its much-vaunted ‘Health Apps Library’ was being shut down, describing it as “a pilot programme”. Since 2013, it has been endorsing hundreds of apps to patients, now replaced by a set of pages on the NHS Choices website which promote a total of seven “online mental health services”.

Not quite what Jeremy Hunt was saying 6 weeks ago when “the Health Secretary stated his ambition to get a quarter of smartphone users – 15% of all NHS patients – routinely accessing NHS advice, services and medical records through apps by the end of the next financial year.”

Serious concerns have been raised over the past year by medConfidential and others with regard to the security, safety and suitability of dozens of apps which were endorsed in the now withdrawn Apps Library.

While we welcome the closure of this sprawling, unaccredited mess of apps and internet quackery, NHS England must now demonstrate how radically it has changed its approach to innovation if it wants to avoid destroying patient trust. Again.

A ban on marketing to patients

Last Friday saw the Second Reading of Chris Heaton-Harris MP’s Access to Medical Treatments (Innovation) Bill – substantively the same Bill as that previously introduced by marketing magnate Lord Saatchi. Alongside many other issues, the question of marketing to patients was raised. When asked: “Will [the database] be used for marketing to patients?” the Minister for Life Sciences, George Freeman answered: “The Government would oppose this being used as a marketing tool.”

Opposing it doesn’t prevent it happening. The ‘McDonald’s amendment’ in the Care Act last year created a loophole allowing data to be used for the purpose of “the promotion of health”, which clearly includes marketing.

medConfidential will continue to ask for a blanket, criminal ban on marketing to patients: explicit, informed prior consent (i.e. opt in) must be the only acceptable consent mechanism, for those who wish to receive marketing – with criminal penalties for those who refuse to comply.

The Government says it opposes marketing to patients, the Saatchi / Heaton-Harris ‘Medical Innovation’ Bill provides the legislative opportunity to implement this, and Pharmacy2U has shown why it is necessary; the remaining question is, will Jeremy Hunt act?

What’s next?

The Saatchi / Heaton-Harris Bill moves now to Committee stage, which we shall of course continue to monitor closely, revisiting as necessary the amendments we proposed prior to Second Reading.

Companies hiding behind the fig leaf of research regularly complain that “slow and costly access to anonymised patient data impedes academic research”. Quite aside from the continued abuse of the term “anonymised”, medConfidential believes that for privileged access to NHS patients’ medical data, filling in a form honestly shouldn’t be too high a bar.

And finally

We remain a tiny organisation, with minimal funding. If you can help us, please do – every penny received will be used on work you’ve just read about in this newsletter.

Please, if you can, make a donation via our PayPal page so that in future every flow of patient data into, within and out of the NHS and social care system can be consensual, safe and transparent.

Phil Booth and Sam Smith
medConfidential

23rd October 2015

Pharmacy2U kept no records of whose data they sold

Addendum to press release

Pharmacy2U kept no records or audit trail of whose data they sold, stating “we are unable to contact individual patients.”  EMIS Group, a minority shareholder in Pharmacy2U Ltd, stated yesterday, “The decision to sell data was made by the executive day-to-day management team at Pharmacy2U”, while claiming the “highest standards of patient confidentiality and data security”.

The ICO’s judgement states:

49. It is possible that some customers, who received marketing material from Woods Supplements, after being prescribed medication by a doctor, may have stopped taking their prescribed medication and spent money on products that were subject to the ASA adjudication in relation to misleading advertising and unauthorised health claims.

The choice of Pharmacy2U to sell names and addresses of patients to quacks and charlatans must be addressed. “As a responsible company, we undertook due diligence to check that the organisations intending to use the data were reputable”, say Pharmacy2U, but they still sold data to “spammy” companies that may have encouraged patients not to take medicines prescribed to them (and which they had paid Pharmacy2U for).

medConfidential received the following statement from Pharmacy2U’s media and PR representatives, ‘Intelligent Conversation’ – the new name for the same PR firm that contacted us previously, see the Update from April this year.

We publish Pharmacy2U’s statement in full:

Daniel Lee, Managing Director of Pharmacy2U, said: “This is a regrettable incident for which we sincerely apologise.  

“While we are grateful that the ICO recognise that our breach was not deliberate, we appreciate this was a serious matter. As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed.

“We have also confirmed that we will no longer sell customer data.

“We take our responsibilities to the public very seriously and want to reassure our customers that no medical information, email addresses or telephone numbers were sold. Only names and postal addresses were given, for one-time use.

“As a responsible company, we undertook due diligence to check that the organisations intending to use the data were reputable. There was no publicly available information at the time to suggest that the lottery company was suspected of any wrongdoing and we have confirmed with the relevant authorities that they were validly licensed.  There was no publicly available information at the time that there had been a complaint to the ASA about Healthy Marketing Ltd.

“Following this incident, we have changed our privacy policy to highlight that we will no longer sell customer data and have implemented a prior consent model for our own marketing. We have also worked with the Plain English Campaign to make our policies as clear as possible to our customers.

“We hope that this substantial remedial action will reassure our customers that we have learned from this incident and will continue to do all we can to ensure that their data is protected to the highest level.”

The ICO’s judgement shows that, while the data transferred may have been a list of names and addresses, the information received by the companies and charity was far more than that. For example, in the case of the Australian lottery scammers, they would have known that each name and address on that list was of a man (i.e. gender), aged 70 or over (i.e. age), who had made a purchase (financially active) from an online pharmacy in the past 6 months (with certain conditions).

Pharmacy2U’s “substantial remedial action” does not include informing any of the 21,500 patients and customers whose names and addresses were sold – as, for example, the Government did when it lost two CDs containing HMRC Child Benefit data.

So we asked them about it.

This was the response:

A Pharmacy2U spokesman said: “As soon as the issue was brought to our attention, we ordered the certificated destruction of all the names and addresses that had been sold. [Our emphasis] For that reason, we are unable to contact individual patients.

“Anyone with concerns should contact us on 0113 265 0222 or via email, director@pharmacy2u.co.uk”

We are pleased that Pharmacy2U has (finally) provided contact details for patients and customers who may have been affected by the sale of their details, though these seem not to have been published in a way that lets concerned members of the public easily find them. We got them in an email, and P2U’s online statement directs people to their standard customer feedback form.

However, we are astonished to hear that the company retained no record of the people whose details were sold, and is incapable of regenerating those lists from the records it is supposed to keep according to Pharmaceutical Regulators.

This is a serious failure of information governance, which only compounds their original decision to sell people’s details. Pharmacy2U have not confirmed that all the recipients of the data destroyed all of the details.

Once again, predatory quacks and charlatans have targeted those who are most vulnerable. Pharmacies and charities are likely to know who is most at risk, and selling their names and addresses is complicity in the sort of abuse that has cost lives.

Only a criminal ban on marketing to patients will prevent crooks preying on patients.

 

[PRESS RELEASE] There’s an app for that? NHS Health Apps Library “pilot” is shut down, but will “medical innovation” include marketing to patients?

This morning, the NHS Health Apps Library – a “pilot programme” that has been endorsing hundreds of apps to patients since 2013 – was finally shut down. It is replaced by a set of pages on the NHS Choices website which promote a total of seven “online mental health services”. [1]

Serious concerns have been raised over the past year by researchers at Imperial College London and Ecole Polytechnique CNRS, France [2] and by medConfidential [3] with regard to the security, safety and suitability of dozens of apps which were endorsed in the Apps Library.

A handful of apps – including Kvetch, Doctoralia and My Sex Doctor [4] – were silently withdrawn following complaints, but it is unclear how NHS England intends to notify patients left hanging now that “innovative” apps it has been promoting for up to two years have had their approval pulled.

The closure of the Apps Library coincides with the Second Reading of the Access to Medical Treatments (Innovation) Bill – a Private Members’ Bill by Chris Heaton-Harris MP, a version of which was introduced previously in the Lords by advertising magnate Lord Saatchi.

Apps fall within the Bill’s definition of “innovative treatments”, opening far wider questions as to the use of the database [5] that would be created under Section 2 of the Bill. Minister for Life Sciences, George Freeman MP, tweeted during the debate [6] that he did not intend for the database to be used for marketing to patients, but the Bill itself and existing legislation [7] provide no legal bar.

All of which further calls into question the stated ambition of Secretary of State for Health, Jeremy Hunt, “to get a quarter of smartphone users – 15% of all NHS patients – routinely accessing NHS advice, services and medical records through apps by the end of the next financial year.” [8]

Phil Booth, coordinator of medConfidential said:

“While we welcome the closure of this sprawling, unaccredited mess of apps and internet quackery, NHS England must now demonstrate how radically it has changed its approach to innovation if it wants to avoid destroying patient trust.

“Promoting predatory ‘bait and switch’ apps targeting teenagers, like My Sex Doctor, was certainly an “innovation” for the NHS. Real doctors would have laughed the charlatans out of the surgery and got back to helping patients, but it seems Tim Kelsey’s team welcomed them with open arms.

“Jeremy Hunt and George Freeman may not intend for any of this to be used for marketing to patients, but there’s no legal bar. And as NHS England’s abortive attempt with apps has shown, not thinking this through properly puts patients at risk.”

Notes for editors:

  1. Just three of these “services” are available as apps: http://www.nhs.uk/conditions/online-mental-health-services/Pages/introduction.aspx
  2. http://www.theguardian.com/society/2015/sep/25/nhs-accredited-health-apps-putting-users-privacy-at-risk-study-finds which led to the removal of My Sex Doctor and other apps. Full study published here: http://www.biomedcentral.com/1741-7015/13/214
  3. http://www.computing.co.uk/ctg/news/2415698/caredata-nhs-choices-and-now-apps-could-it-be-three-failures-in-a-row-for-tim-kelsey
  4. Kvetch app was a self-described “experiment” that proposed to “make sickness social”, with a communally-visible “alcoholism” group it encouraged individuals to “check your friends in for a laugh”. Barcelona-based Doctoralia (still available in UK apps stores) failed to correctly list GPs working in UK practices, listing at least one GP who had died tragically, and had complex DPA issues that failed to meet the Apps Library’s own criteria for inclusion. My Sex Doctor (also still available in commercial apps stores, and still claiming NHS endorsement) targets teenagers with sex advice, with a stated business model: “Once gained their trust we can leverage it for commercial purposes” – see slide 11, http://www.slideshare.net/FabrizioDolfi/my-sexdoctor-pitch-deck-43296908
  5. Which Chair of the Health Select Committee, Dr Sarah Wollaston MP, described as “a vast sprawling database of anecdotal treatment for male pattern baldness”. Debate transcript: http://www.parliament.uk/business/publications/hansard/commons/todays-commons-debates/read/unknown/12/
  6. https://twitter.com/Freeman_George/status/654976202810269696
  7. See medConfidential’s briefing, following a meeting with Chris Heaton-Harris on 30 Sept: https://medconfidential.org/wp-content/uploads/2015/10/medconfidential-1-Marketingtopatients.pdf
  8. Official report of Jeremy Hunt’s speech, 2 September 2015: https://www.gov.uk/government/news/health-secretary-outlines-vision-for-use-of-technology-across-nhs – updated on 18 September following the announcement of the consultation on the role and remit of the statutory National Data Guardian, who will produce “clear guidelines for the protection of personal data against which every NHS and care organisation will be held to account.”

medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

– ends –

medConfidential Bulletin, 11 October 2015

We hope you had a good summer. Ours was interesting, to say the least.

Parliament begins sitting again on Monday, and people will wake up to the stack of things we’ve got ready for them. But in the meanwhile, quite a lot has happened:

care.data “paused” yet again

Despite NHS England’s announcement in June that the care.data pathfinders would be starting at “the beginning of September”, the Secretary of State on 2 September effectively pushed back the restart to at least the end of January 2016.

The announcement (originally) said:

The National Data Guardian for health and care, Dame Fiona Caldicott, will… provide advice on the wording for a new model of consents and opt-outs to be used by the care.data programme that is so vital for the future of the NHS. The work will be completed in January…

A later “clarification” omits to mention care.data, but confirms that the National Data Guardian will develop “clear guidelines for the protection of personal data against which every NHS and care organisation will be held to account. She will provide advice on the wording for a new model of consents and opt-outs, to enable patients to make an informed decision about how their data will be shared.”

This work – a task NHS England singularly failed to complete in 3 years! – is to be completed in January, “…with recommendations on how the new guidelines can be assured through CQC inspections and NHS England commissioning processes.”  Apparently “no arbitrary deadlines” only applies to NHS England.

Where does this leave the care.data programme itself? Well, for starters…

Tim Kelsey ‘opts out’ of care.data

On 17 September, care.data mastermind Tim Kelsey announced his resignation as National Director for Patients and Information at NHS England. He has taken a job as commercial director for Telstra Health, a division of Australian telecoms provider Telstra Corp, to which in March this year DH sold Dr Foster Intelligence, the company Kelsey co-founded in 2000.

Tim Kelsey leaves the UK for Australia in December – an antipodean departure emulating that of the former NHS Director General of Information and head of Connecting for Health, Richard Granger, some years back – but his departure leaves a number of important issues unresolved.

As we learned from care.data Programme Board papers that were finally published in August, and from subsequent Board meetings of both NHS England (video) and HSCIC (cf. minutes on p10), the care.data Directions still aren’t finalised. Indeed, in responding to the Directions sent by NHS England, HSCIC’s Board identified five key unaddressed issues in addition to matters medConfidential had raised.

There’s also no sign of the CAG Regulations, due since the passage of the Care Act 2014 last summer. This means that promised safeguards such as “one strike and you’re out” sanctions for data abuse or misuse and, crucially, the closure of the commercial re-use loophole – perpetuated by the over-broad definition, “the promotion of health” – have still not been enacted.

What next?

Dame Fiona Caldicott is rewriting the language on consent for patients, which NHS England previously said was ‘ready to go’; HSCIC appears close to being able to ‘fix’ the 9Nu4 opt-out problem, currently affecting over a million patients, that NHS England dumped on it; and DH is finally drafting the Directions on Patient Objections, required to deliver on the Secretary of State’s 2013 promise to respect patient opt-outs.

Assuming the decision is to replace him, whoever replaces Mr Kelsey has a tough task and problems much wider than just care.data to resolve – the digital public health disaster that is the NHS Health Apps Library, to mention but one.

Patients and Registered Medical Professionals must be fairly represented throughout these processes and on all relevant bodies (the care.data Programme Board, for example, still has no public and patient representative) and both NHS England and DH must ensure that the new ‘worldview’ – drawing on lessons learned the hard way – is consistently applied across the health and care system.

medConfidential believes it is still possible to preserve confidentiality and consent in health and social care, and will continue to work to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. If they want to regain public confidence, it is up to the Government, DH and its arm’s-length bodies to now show they can do so, in a trustworthy way.

Statutory National Data Guardian

The Government has now published its consultation on the remit and functions of the National Data Guardian – the role currently fulfilled by Dame Fiona Caldicott. medConfidential welcomes this consultation, available here, which should lead to legislation that will ensure the strength and the remit of the National Data Guardian into the future.

medConfidential will be responding formally in due course, and we have published some initial observations on some of the significant questions raised.  We strongly encourage anyone with views on this vital statutory reinstatement of overarching, independent governance oversight to make a submission of their own before the 17 December deadline.

Another new database?

The ‘Medical Innovation Bill’, first proposed by advertising magnate Lord Saatchi, will shortly return in the form of a Private Members’ Bill by Chris Heaton-Harris MP, entitled the ‘Access to Medical Treatments (Innovation) Bill 2015-16’ (draft Bill here). The new Bill has its Second Reading in the Commons on 16 October.

medConfidential had some questions for Mr Heaton-Harris on the content of the draft Bill, and had a meeting with him last week. Our comments and suggestions arising from that meeting covered a ban on marketing to patients, Data Usage Reports (including our example of what one might look like) and an alternative approach that might deliver the policy intent of the Bill without creating another new database, or giving DH duplicates of powers it already has.

We shall watch the progress of the Bill with interest.

In other news…

medConfidential continues to draw attention to matters of importance to patients and – in our continued membership of the up-to-now somewhat ignored care.data Advisory Group and engagement with other groups, Boards, panels and processes – to provide robust but constructive criticism to those who need it.

However, issues sometimes come up that have a wider impact than in just health and care. (You may remember All But Names, a few months back.) One such issue is Freedom of Information; a vital tool for all those who seek to hold the powerful to account. Sam and Phil have joined with others in the FOI community, including journalists, campaigners and citizens across the country in a project to #saveFOI.

The purpose of #saveFOI is to defend against threatened restrictions to Freedom of Information, proposed in the Terms of Reference for the FOI Commission – and against fees proposed in an earlier consultation affecting FOI appeals, which could mean charges of up to £600 to get information released.

The FOI Commission, already half-way through its appointed time scale, has only just put out a public call for evidence – and #saveFOI needs your help:

  • If you have used FOI to help change the world for better, let us know. #saveFOI is assembling a dossier of FOI requests which led to improvements in the world (precisely which of these is the Government seeking to prevent?) and also examples of the broad and/or eccentric interpretation of the exemptions currently in the Freedom of Information Act. We need YOUR stories.
  • Spread the word – on Twitter, on Facebook, on your blog and wherever else you can; the hashtag is in the name, #saveFOI, and the more people who speak up on the positive effects of FOI the harder it will be for the Government to restrict the transparency that is so vital to public trust.

Apologies for the length of this Bulletin. As we said at the top, a great deal has happened since our last newsletter – keeping us very busy.

We remain hugely grateful for the continuing support you and our other supporters provide, most especially the actions you take when we need you.

Phil Booth and Sam Smith
medConfidential

11th October 2015

A first look at the National Data Guardian Consultation

Late last week, the Government published its consultation on the remit of the National Data Guardian. The consultation is available here and closes on the 17th December, just days before Tim Kelsey departs (NHS) England.

We welcome this consultation, which we believe is intended to ensure the strength and the remit of the National Data Guardian into the future, as NHS England reconsiders its failed approach to data, privacy and information governance.

medConfidential will provide a substantive response to the consultation in future weeks, but on first reading, we would make a few initial observations:

1) This is a consultation on the nature of the teeth the NDG will have

It is not consulting on the existence of those teeth, but their shape and constitution, and how they relate to other bodies.

2) There is a question about how the National Data Guardian relates to Non-Medical Professionals

Medical Professionals are regulated by the General Medical Council; however, many decision-makers in the NHS are not Medical Professionals, and hence not subject to GMC rules and sanctions.

care.data and the Prime Minister’s Challenge Fund fiascos, for example, were both conceived and implemented by individuals who are not (Registered Medical) Professionals. There is currently no effective regulation of those individuals. The details of this will matter, and are likely to need multiple diverse discussions which we look forward to having in the coming weeks and months.

3) Covering the use of Health and Social Care Data about Children

Children are a large and vulnerable constituency of the NHS. For the National Data Guardian to lack effective powers in this area would be perverse.

However, Children’s Social Care is entirely separate to Adult Social Care, and so in practice powers will have to be significantly different – if only because the other public bodies are different bodies with different remits.

We greatly welcome the inclusion of this question in the consultation, though we suspect the Government’s response to the consultation will be limited to the principle of whether the NDG should be able to cover all Social Care, with the details of implementing coverage in Child Social Care being covered by a future consultation on that topic.

Since November 2014, the National Data Guardian has interacted with other regulators on the basis of an agreement of standing and respect for overlapping remits. Until the details of similar interactions can be worked out for Children’s Social Care, that is likely to be the way forwards. Any future consultation on this particular matter need not slow down primary legislation to put NDG onto a statutory basis “at the earliest opportunity” – subject to appropriate provision being made for, e.g. (super-)affirmative resolutions mandating the interactions between bodies in an agreed manner.

We will draft and publish a more comprehensive response in due course.

PLEASE NOTE: This consultation is entirely separate and unrelated to the announcement earlier this month that Dame Fiona Caldicott, the National Data Guardian, will review the language around consent for secondary uses of patient data in the NHS. It was that announcement by the Secretary of State that led, yet again, to another suspension of care.data.

NHS England failed to satisfactorily resolve the question of what “opt-out” actually means and does for nearly 3 years – so, as the scheme’s architect and main proponent himself opts out of care.data by leaving the country, those left behind will have to clean up the mess he’s left.

Our press release on the NDG consultation follows:

[PRESS RELEASE] Consultation on National Data Guardian: “no public confidence without Caldicott”

medConfidential today welcomed the long-anticipated consultation on the role of the National Data Guardian [1] as a step in the right direction. medConfidential and others have been pushing for the reinstatement of statutory independent oversight on the use of personal data across the health and care system since late spring 2014 [2].

With care.data put on “pause” yet again [3], Jeremy Hunt has asked Dame Fiona Caldicott to sort out the “fiasco” that Tim Kelsey and NHS England have failed to address for the past two years. Given the tight timing of this consultation, medConfidential hopes the Government will publish its response before Dame Fiona is required to offer her suggestions on resolving NHS England’s incompetence.

Issued by the Department of Health hours after NHS England announced Mr Kelsey’s resignation, the consultation is a positive step towards restoring public trust in the NHS’ handling and use of patient data.

As many, including leading research charities [5], have emphasised, “Patient data must be safeguarded… The stakes are too high to risk any further mistakes.”

Responding to the launch of the consultation, Phil Booth, coordinator of medConfidential said:

“We welcome putting the National Data Guardian role, currently held by Dame Fiona Caldicott, onto a statutory footing as a sensible and necessary step towards restoring public confidence.

“As we have pointed out time and again, there can be little public confidence in the handling of sensitive patient information without overarching, independent oversight – with teeth – of every single body involved.

“NHS England’s continued screw-ups and missteps are toxic to trust. They must improve, but that must be overseen by an independent body that can inspire confidence.”

Notes for editors:

  1. The consultation was published on the evening of 17 September, just hours after care.data SRO, Tim Kelsey, announced his resignation [6]: https://www.gov.uk/government/consultations/the-role-of-the-national-data-guardian-for-health-and-social-care
  2. See, e.g. medConfidential’s briefing and proposed amendments to the Care Bill 2014: https://medconfidential.org/wp-content/uploads/2014/05/medConfidential-briefing-for-Care-Bill-ping-pong_07May.pdf
  3. See announcement by Somerset CCG (one of the care.data ‘pathfinder’ areas), published by Somerset LMC, 4/9/15: https://www.somersetlmc.co.uk/caredatapaused
  4. “Caldicott to oversee care.data pilot”, EHI, 2/7/14: http://www.digitalhealth.net/news/29382/
  5. Research charities’ letter to the Guardian following PM’s Challenge Fund debacle, 27/7/15: http://www.theguardian.com/society/2015/jul/27/patient-data-must-be-safeguarded
  6. medConfidential Press Release, 17/9/15, on Tim Kelsey’s resignation: https://medconfidential.org/2015/press-release-kelsey-leaves-england-for-down-under/

medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

– ends –

Will High Street Pharmacists use the Summary Care Record to sell you things?

The Telegraph, followed up by the Independent and Daily Mail, reports today that Boots and other pharmacies – including the large supermarket pharmacies – may from this Autumn be granted access to the Summary Care Record*. There are concerns that such access may be used for marketing purposes. Further details will likely follow in due course.

Under current rules, patients should always be asked for their consent – what is called “Permission To View” – before anyone looks at their Summary Care Record. How the high street pharmacies, and their commercial managers with their incentives to cross-sell remedies, will make this work in practice is an open question.

Safeguards that may operate in a hospital context are going to have to be applied to a whole range of other (possibly non-medically registered) people, who must all be properly trained and rigorously audited on an ongoing basis. A considerable investment must be made if pharmacies are to be given access and patient confidentiality and consent is to be maintained. A report of a pilot scheme earlier this year found, for example, that:

The principles around asking patients for permission to view (PTV) their SCR and its practical application for some prevalent patient groups in the pharmacy setting caused confusion and uncertainty.

medConfidential hopes the Department of Health will urgently clarify the rules around using NHS medical records for marketing to patients.

* The Summary Care Record (SCR) was originally intended “for emergency or out-of-hours” access to your last 12 months’ prescriptions and information about any allergies you suffer from and any bad reactions to medicines that you have previously experienced. The SCR also contains your name, address, date of birth and your NHS Number.

What you can do

If you have a Summary Care Record (around 94% of the population do) and you are concerned that your record may be misused or abused, you can opt-out of the scheme. Here’s a link to the official opt-out form, which you need to fill in and give to your GP.

Please note: the Summary Care Record is entirely different from care.data. SCR is intended for use only by those providing you with direct care; care.data (a different scheme, currently on “pause”) is about ‘secondary uses’ of information from your medical record, i.e. purposes like research, commissioning, “healthcare intelligence” and commercial re-use.

N.B. If you do have particular allergies or bad reactions to particular types of medicine, having this information available to emergency responders is directly beneficial to you, so you may wish to look into getting a MedicAlert bracelet or something equivalent.

A long-term solution, which could provide reassurance to all patients, is for every patient to know everywhere their data has been used, by whom, and for what purpose. Such an approach would make any abuse, even by a single Boots store manager looking to hit their targets, highly transparent – not just to officials at NHS England, but to every patient themselves.

“Collect It All” comes to the NHS

It used to be that the different parts of the NHS looked after the data of the patients they treated, and talked to each other when they needed to know something.

Of course that model doesn’t work if you are NHS England, with its egomaniacal urge to micromanage and control everything. From that perspective, NHS England and other bodies each collecting every bulk personal dataset they can, from anywhere in the system, is essential – even if the result starts to look like the ‘shadow’ monitoring and embedded political control structures of the Communist Party of China being imposed on the NHS.

From a patient perspective, rather than being ‘confidential’, this starts to feel deeply invasive – and the secretive manner in which some of these bodies expect to be able to act could be considered downright nasty.

From the perspective of NHS staff, it could be the final nail in the coffin of trust.

In the simplest terms, the level of access NHS England is mandating (with Government backing) boils down to managers, commissioners, policy makers and even commercial “re-users” being able to reach into your individual medical record – right down to the level of specific, dated events – and, as we now learn, to check every appointment.

“Collect it all” is the digital approach of the intelligence and security services – the agencies tasked with the prevention of “never events”; those things that must never occur.

“Bulk Personal Datasets” have been defined by Parliament as “large databases containing personal information about a wide range of people”. Parliament’s Intelligence and Security Committee in its 2015 report, ‘Privacy and Security: A modern and transparent legal framework’, also concluded that as a Dataset of this type “may be highly intrusive and impacts upon large numbers of people, it is essential that it is tightly regulated”.

“Tightly regulated” is clearly not a term that applies to initiatives such as the Prime Minister’s Challenge Fund or toxic schemes like care.data, with its still-missing legal safeguards, ever-diminishing consent options and the “promotion of health” loophole that has legalised the ongoing sale of patient data to commercial re-users – including the data of over a million people who’ve already opted out. Whatever the claimed justification, the collected medical records of every man, woman and child in the country certainly meet every other criterion.

In the NHS, bulk personal datasets that were and are being collected for one purpose – the provision of health care – can now be interrogated for other reasons. These other purposes, all lumped together under the deceptively anodyne term “secondary use”, cover such distinct and broad categories of activity as research (both medical and market), NHS commissioning and “health intelligence”, and include servicing the data demands of commercial third parties. Every single one of these uses is derived from data which had a single primary purpose: the treatment and health of NHS patients.

If other bodies want to extract and use bulk personal datasets for purposes beyond patient care, then the whole process must be consensual, safe, transparent and – most important of all – grounded in trust. However trust, as Baroness Onora O’Neill argues, cannot merely be asserted (“trust us”) nor, as the care.data debacle continues to demonstrate, can it be presumed.

To be trusted, these users of our data must demonstrate they are trustworthy:

“[Those] who want others’ trust have to do two things. First, they have to be trustworthy, which requires competence, honesty and reliability. Second, they have to provide intelligible evidence that they are trustworthy, enabling others to judge intelligently where they should place or refuse their trust.” – Baroness Onora O’Neill

Evidence shows, if given a choice and clear information on what it’ll be used for and by whom, a large majority of patients are quite happy for their medical information to be used for public good purposes, such as ethically-approved research. Limit the choice or information, or re-use the data for something else, and opinion flips – and the majority are not happy at all.

The sale of ‘Hospital Episode Statistics’ (not actually statistics but rather linked, patient-level hospital events) which caused so much public outrage last year, is a case in point. As it turned out, the basis for public confidence amounted to little more than the fact the data had been collected “for years”. When the sale of billions of linked, dated health events – the very definition of a bulk personal dataset – came to people’s attention in 2014, it quickly became apparent that public acceptance was lacking.

The lesson here? Just because you happened to get away with something in 1988 doesn’t make it a good idea.

In a digital world, it is all too easy for bulk personal datasets to be copied and re-used outside of the understood framework, leading to loss of trust (what the Royal Statistical Society calls the “data trust deficit”) in not only the end users, but the original data ‘collectors’ themselves: doctors, nurses and other front-line NHS staff for whom trust is absolutely essential. For if people cannot trust that what they tell their doctor will be kept in confidence, some will simply not say anything – putting their own health, and in some cases the public health, at risk.

There are many predictable, if unintended, consequences of a “Collect it all” strategy; consequences that agencies and institutions which have followed one have now discovered. Public outcry over the secretive extraction and misuse of patients’ medical records and NHS information should be seen as a cautionary tale. Not a guide book.

Discussing the impacts of care.data; some thoughts for Health Conference organisers

With care.data trying to get underway again, we expect to see NHS England on the conference circuit, talking about how this time they’ve got it perfectly right.

Unfortunately, with several significant – indeed fundamental – problems as yet unresolved, such a line suggests that (while HSCIC may soon be in a position to provide a fix for one of the most egregious consent screw-ups of the entire programme thus far) NHS England itself still hasn’t learnt the lessons.

So, if you’re running an event where care.data is going to be a topic – and for the next year, we reckon there should be at least one such session at every conference that wants to be taken seriously by either the public or the profession – medConfidential suggests that, rather than providing a platform for a casuistic monologue from NHS England, care.data-related sessions should take the form of a panel.

A useful panel would probably include at least 3 representatives drawn from these different groups:

  • A GP, psychiatrist or other Registered medical practitioner;
  • A patient representative (not someone funded or employed by a DH body);
  • A research advocate (not currently employed by a DH body);
  • A commercial company that sells products or services based on NHS medical records;
  • A human rights advocate* (not someone funded or employed by a DH body);
  • NHS England (not HSCIC, who can only speak to particular things);
  • And, if it is a local meeting, a representative of the CCG.

*Please note, medConfidential is not angling for an invitation – though we are always happy to provide a speaker, where we can. There are many great people who understand the fundamental necessities of patient privacy / confidentiality and consent.

Conference organisers should take particular care to ensure that DH Arm’s-Length Body staff aren’t banging the drum for the Department line, while claiming to represent research.

The only way to prevent a repeat of the previous care.data debacles is for people to fully appreciate the diverse views and motivations of the various “stakeholders”. The story of care.data from its suspension in February 2014 to the pathfinder ‘relaunch’ in late 2015 (or beyond) has been characterised by various stakeholders talking to each other – mostly quite sensibly – until NHS England had to ‘join the consensus’, having ignored it for over a year.

It would be a disservice to your audience and to your event to allow NHS England to preserve silos that allow it to pretend areas of controversy do not (still) exist.

medConfidential does not seek unanimity of views; we seek a properly-engaged discussion, fully representing the diversity of perspectives from which a solution can be drawn.

As Phil has said, following a panel discussion at the 2015 Sowerby eHealth Symposium, until patients and doctors, commissioning, research, and commercial (re)users are all in the same room, everyone will be talking past each other.

If they’re ‘appy and you’re worried clap your hands…

medConfidential mostly works on issues to do with confidentiality and consent around what the NHS (and wider care system) do with your data beyond your direct care; what are called ‘secondary uses’.

However, the world of ‘health-enabled’ smartphones has slipped into almost everyone’s pocket, and the NHS is beginning to notice. Unfortunately, NHS England is starting from its usual cultural assumption that it can do things by dictat, ignoring the rules – even ones it made up – if they prove less than convenient.

Health apps are quite different to most of what the NHS does; in many ways they are more like a pharmacy than a hospital. Apps are something that patients do for themselves – possibly with professional advice, possibly without. Apps are done by patients, not something the doctor or the system does to, or for, the patient.

Apps are the rough equivalent of a prescription, in that it’s up to patients themselves to ‘take the pills’. Apps are not some sort of “machine doctors” that NHS England can bend to its will. (It rarely turns out well when NHS England tries to do this, but that doesn’t stop it trying again and again and again.)

For the main part, apps exist between a patient and a third party without a medical consent relationship. The Terms and Conditions of some (should you read them) set you up to have your data exploited and sold on – quite legally, under the contract you signed up to when you installed the app and gave it permissions – in ways even Pharmacy2U would never dream of.

Unfortunately, compliance with the Data Protection Act – a legal minimum – offers nothing like the standards of ethics and confidentiality you should expect for your medical records. And consent in the ‘planet of the apps’ is merely a tick box, or a flick of the finger.

That’s not to say that app providers can’t do “mass participation surveys” properly, ethically and in ways impossible by other means. Some certainly do. It’s just that – as with all innovative but immature markets – there needs to be guidance, and proper oversight, to help members of the public distinguish between legitimate research and profit-seeking charlatans.

Requirements

In a future NHS world, if an app had access to an individual’s details and offered services which could receive that individual’s consent settings from the Spine, then their existing consent choices could, in principle, be honoured (though whether widening access to NHS Spine is a good idea or not is a subject for another blog post). What’s for certain now, though, is that app screw-ups and scams will continue until consent improves.

Most health apps don’t and will not connect to anything in the NHS, other than maybe allowing a patient to e-mail a standardised report to somewhere. In the Apple ecosystem, where health apps have to write data to the protected ‘HealthKit repository’, it’s at least possible that the 4 UK GP IT providers could handle reading and integration of your data with NHS systems, under the control of the patient. [UPDATE 7/8/15: EMIS already does something along these lines – thanks to @theABB for screenshots.] So building something useful doesn’t necessarily require dealing with the idiosyncrasies of the Directorate of Patients and Information at NHS England.

The NHS ‘Health Apps Library’ right now is in a mess. The positive intention may have been to help patients navigate shark-infested waters; the reality in some cases is more like being left up a creek without a paddle.

To be included in the NHS Apps Library, there must be far tighter restrictions on data transfer, sale and exploitation. Burying a statement somewhere on page 97 of the terms of use, because “this is part of our business model”, may suffice for the Android Play Store and the Information Commissioner; it cannot be sufficient for an endorsement by the NHS.

If an app is able to connect to the NHS infrastructure, it must honour the consent settings available to whatever NHS service it connects to – which includes providing a complete, patient-accessible audit trail. The vast majority of apps will not be connected, so they must proactively request consent – with informed opt-in (not opt-out) for any and all data transfers to third parties, and a separate opt-in for any sale of data.

In fact, good apps should probably follow Apple’s lead or equivalents that are beginning to emerge in other places: health data stays in a locked silo on your device, in your control, and all transfers and processing must honour your wishes. If you claim to be doing research, and you want to use the NHS brand, then your project must have received ethics approval.

When you walk into a pharmacy, if you look, there’s a sign which tells you the name and registration number of the professional currently responsible for dispensing from that pharmacy. On the page for each app in the NHS Apps Library, the equivalent information should be visible: who is responsible for the quality of this app? NHS England may decide that “no-one” is an acceptable answer – but patients deserve to know that.

If all these and the existing – and emerging – criteria for apps are not met, NHS England’s Apps Library (which sits on MPA Red-rated NHS Choices) will simply accelerate the race to the bottom for predatory data sale, and public confidence in its recommendations will collapse. Again.

You would hope by now that NHS England has been “listening” and learning enough to realise the very real risks of jumping feet-first into a “visionary” programme; there’s a lot at stake, but it’s your medical data they’re gambling with.