“I feel I guess betrayed that 19 months into my partner’s cancer battle we didn’t know about this. I think honesty is the best policy and have no problem with the info being recorded but we should have been told and that the details can be removed at the patients request as not to be made aware at some point seems deceitful”

– patient quoted on p37 of the Macmillan/CRUK report on consent

“Betrayed” and “deceitful” are not words cancer charities quote lightly, but they are right to use them.

medConfidential believes – as we do for all flows of health data – that the cancer registry should be consensual, safe and transparent. Whereas the current data handling practices of Public Health England are coercive, dangerous and dishonest.

PHE’s National Cancer Registration and Analysis Service web page today says: (emphasis added)

“Patients can ask NCRAS to remove all of their details from the cancer registry at any time. Opting out of the cancer registry won’t affect the patient’s immediate treatment at their hospital or GP practice, but there may be occasions in the future when the data that is held by NCRAS can be used to assist in their care or that of a close relative.”

“If patients opt-out of the cancer registry, it may not be possible to contact individuals identified as being at risk in future, such as when an increased risk of breast cancer is identified in women treated for Hodgkin’s disease using radiotherapy.”

NHS Digital is solving this problem through medical ethics and hard work; it seems PHE has taken a Board-level decision to ignore the problem and, in effect, blackmail patients instead.

There can be good reasons to override dissent – many of them related to public health. We have asked PHE for a list of the reasons it thinks it needs to routinely ignore the wishes of cancer patients. That list has never been provided, and PHE has published no detailed justification for its demand for data. Scrutiny of what the data is used for shows its existing arguments to be “thin” at best.

The NHS does direct care, Public Health England does not – and PHE is not set up to keep data for both direct care and secondary uses. As a result, to maintain its turf, it has resorted to threatening patients and their families with reduced treatment for cancer both online and in printed literature. We understand “the Director” has called people who opted out, in person, to “encourage” them to rescind their request.

While PHE admits that 150 people have opted out of the registry, it is unclear whether these patients took at face value PHE’s public statements about this not affecting their care, or whether they fully understood any contradictory statements made in private .

This is why direct care and secondary uses must be kept separate – there are sometimes good reasons to have additional copies of data. This is one of them.

The problems of PHE are, however, far wider than just those regarding the cancer registry. While the current review terms are correctly narrowly defined, the solutions may have more general applicability by NHS Digital.

Who is responsible for this mess?

While actual data release decisions remain unpublished, PHE assures us that there is a “reporting line”.

The data release process is apparently managed and supported by an Office of Data Release, decisions are made by the Information Asset Owner, overseen by a Data Release Assurance Board, which does no assurance and which is both chaired by the Chief Knowledge Officer, and supposedly “overseen” by PHE’s Board… via the Chief Knowledge Officer.

While this may – at a glance – seem roughly similar to an HSCIC process, let us add some names to these various posts. For the cancer registry, every single one of those roles is held by the same person: Professor John Newton.

It is clear that PHE has a serious data governance problem.

PHE remains in denial

PHE’s annual report claims (page 119) it has done a “Partridge Review”, as HSCIC did in 2014. However, while the HSCIC process was a model of transparency – it was public, conducted by independent analysts overseen by a HSCIC non-executive board member (Sir Nick Partridge, hence the name) and its outputs were clear and contained both an acceptance of problems and suggested steps to remedy them – by contrast, PHE has chosen to keep its review secret.

It has chosen to hide the process of reform from the public, and chosen to refuse to acknowledge any form of critique. The review was conducted by an in-house consultant, and was delivered to the Information Asset Owner (Professor John Newton), not the Board (on which he sits). PHE has refused FOI requests for that review, and won’t talk publicly about even the topics of the 4 areas of “significant concern”.

This is not a process in which the public can have any confidence at all.  Indeed, it gives every impression of a cover-up by those complicit in a culture of failed priorities. And, as such, through the considered decisions of PHE and decision makers, the vitally important cancer registry (and other datasets) remain one small misstep from a collapse of public confidence.

Implementing dissent

While patients have the legal right to opt out of the cancer registry, as part of its move to NHS Digital, it should come under the broader Caldicott Consent Choice.

As there are direct care purposes for which the registry is used, a separate system for those purposes should be maintained by NHS Digital. As a result, where there is a clear and pressing need to use 100% of the cancer registry, rather than the 98% who have not dissented from processing, then approval can be sought from the Confidentiality Advisory Group at the HRA, using the powers CAG acquired under the Care Act 2014. That may simply be the validation of marginal outputs from the 98% dataset, and would be a very specific question (since it would only be confirmation of the output of a research process).

However, the Cancer Registry is currently releasing details of cancer patients to private contractors for purposes that NHS Digital would not have approved itself, or which would have had to have opt outs honoured. These requests are excluded from the PHE Data Release Register. The cancer registry is therefore a ‘back door’ leak of identifiable data about the patients and their cancers.

Given the role the new chair of DAAG played in creating the above cancer registry consent fiasco, continued lobbying to “use my data”, and his other responsibilities and funding, it would seem the current DAAG/IGARD chair is demonstrably unfit to override dissent for the cancer registry.

Demonstrate to patients who has used the data, and why, and what we learnt

The demand for “more data” is endless, and providing more data will not solve that problem – all we see is more demands for more data. Will doing the same thing over and over again generate a different result?

Showing patients what was said to them, and what happened next, will hopefully focus minds away from hyperbole, improve the quality of layperson explanations of projects, and show what works for better outcomes, and what does not.

The cancer registry is a vital resource, but it should be accountable to the very patients whose data is within it, ensuring that data is used properly, and not used wrongly. Currently, those who release the data are not accountable even inside PHE, and keep their decisions secret from the public.

The details matter

As with the failure to implement type-2 opt outs properly for hospital data, and with PHE’s actions at any step of this process, misleading the public has consequences for public trust and public confidence.

It is entirely possible to have a consensual, safe and transparent cancer registry, delivering benefits to patients who wish their data used legitimately. We must and will move away from a coercive, dangerous and dishonest model – the question is solely the manner, governance, and price of that move.

“Digital services so good that people prefer to use them”, claim the Government.

“The NHS should go paperless”, says Jeremy Hunt.

But what replaces the fax machine when NHS England builds a ‘Bonfire of the faxes’?

It won’t be e-mail.

Clinicians are very familiar with email; they know how it works, and how it fails, when sending patient details between organisations. Even within NHS.net, what works in theory doesn’t necessarily work with how clinicians treat patients. If “NHSmail” is NHS England’s suggestion to clinicians as they ban fax machines, doctors may just use stamps.

Don’t subvert the Summary Care Record

A different option, being advocated by pharmacists – not just outfits like Pharmacy2U, but bodies such as the Royal Pharmaceutical Society – is that many different types of organisations should have the ability to edit a patient’s Summary Care Record.

Not only would this immediately exclude all patients who don’t have a Summary Care Record, it would simultaneously destroy any confidence in the integrity of SCR data, which may then be out of sync with clinical systems – fundamentally undermining the data quality in both, and making them untrustworthy for any purpose. As currently designed, multi-party writable SCR is a terrible idea.

What is Slack for the NHS?

If we look at what pharmacists actually need to do, they need to tell the custodian of the patient’s medical record (their GP) what they did. Maybe it was a prescription change, maybe it was a recommendation, maybe it’s other information. This doesn’t require write access to the SCR. It simply requires a reliable mechanism, knowing a patient’s NHS number (which they have), to send a message to the GP or relevant care provider, with the confidence that it has been delivered.

The NHS knows who the care provider is, so the pharmacist doesn’t actually need to. On delivery, it is up to the care provider to act on that information – or, e.g. to make a clinical decision not to act – and to update their records, which then flow through to SCR. So when the pharmacist next looks at the patient’s SCR, the relevant information should all be there. This is not therefore a matter of creating a new system, or breaking a process that works, but about using existing systems better.

Properly designed messaging can be better than fax for clinicians.

We’ve written a draft paper considering how this might be done, in the spirit of building “Digital services so good people choose to use them”. Comments and feedback welcome.

The Telegraph, followed up by the Independent and Daily Mail, reports today that Boots and other pharmacies – including the large supermarket pharmacies – may from this Autumn be granted access to the Summary Care Record*. There are concerns that such access may be used for marketing purposes. Further details will likely follow in due course.

Under current rules, patients should always be asked for their consent – what is called “Permission To View” – before anyone looks at their Summary Care Record. How the high street pharmacies, and their commercial managers with their incentives to cross-sell remedies, will make this work in practice is an open question.

Safeguards that may operate in a hospital context are going to have to be applied to a whole range of other (possibly non-medically registered) people, who must all be properly trained and rigorously audited on an ongoing basis. A considerable investment must be made if pharmacies are to be given access and patient confidentiality and consent is to be maintained. A report of a pilot scheme earlier this year found, for example, that:

The principles around asking patients for permission to view (PTV) their SCR and its practical application for some prevalent patient groups in the pharmacy setting caused confusion and uncertainty.

medConfidential hopes the Department of Health will urgently clarify the rules around using NHS medical records for marketing to patients.

* The Summary Care Record (SCR) was originally intended “for emergency or out-of-hours” access to your last 12 months’ prescriptions and information about any allergies you suffer from and any bad reactions to medicines that you have previously experienced. The SCR also contains your name, address, date of birth and your NHS Number.

What you can do

If you have a Summary Care Record (around 94% of the population do) and you are concerned that your record may be misused or abused, you can opt-out of the scheme. Here’s a link to the official opt-out form, which you need to fill in and give to your GP.

Please note: the Summary Care Record is entirely different from care.data. SCR is intended for use only by those providing you with direct care; care.data (a different scheme, currently on “pause”) is about ‘secondary uses’ of information from your medical record, i.e. purposes like research, commissioning, “healthcare intelligence” and commercial re-use.

N.B. If you do have particular allergies or bad reactions to particular types of medicine, having this information available to emergency responders is directly beneficial to you, so you may wish to look into getting a MedicAlert bracelet or something equivalent.

A long-term solution, which could provide reassurance to all patients, is for every patient to know everywhere their data has been used, by whom, and for what purpose. Such an approach would make any abuse, even by a single Boots store manager looking to hit their targets, highly transparent – not just to officials at NHS England, but to every patient themselves.

It used to be that the different parts of the NHS looked after the data of the patients they treated, and talked to each other when they needed to know something.

Of course that model doesn’t work if you are NHS England, with its egomaniacal urge to micromanage and control everything. From that perspective, NHS England and other bodies each collecting every bulk personal dataset they can, from anywhere in the system is essential – even if the result starts to look like the ‘shadow’ monitoring and embedded political control structures of the Communist Party of China being imposed on the NHS.

From a patient perspective, rather than being ‘confidential’, this starts to feel deeply invasive – and the secretive manner in which some of these bodies expect to be able to act could be considered downright nasty.

From the perspective of NHS staff, it could be the final nail in the coffin of trust.

In the simplest terms, the level of access NHS England is mandating (with Government backing) boils down to managers, commissioners, policy makers and even commercial “re-users” being able to reach into your individual medical record – right down to the level of specific, dated events – and, as we now learn, to check every appointment.

“Collect it all” is the digital approach of the intelligence and security services – the agencies tasked with the prevention of “never events”; those things that must never occur.

“Bulk Personal Datasets” have been defined by Parliament as “large databases containing personal information about a wide range of people”. Parliament’s Intelligence and Security Committee in its 2015 report, ‘Privacy and Security: A modern and transparent legal framework‘, also concluded that as a Dataset of this type “may be highly intrusive and impacts upon large numbers of people, it is essential that it is tightly regulated”.

“Tightly regulated” is clearly not a term that applies to initiatives such as the Prime Minister’s Challenge Fund or toxic schemes like care.data, with its still-missing legal safeguards, ever-diminishing consent options and the “promotion of health” loophole that has legalised the ongoing sale of patient data to commercial re-users – including the data of over a million people who’ve already opted out. Whatever the claimed justification, the collected medical records of every man, woman and child in the country certainly meet every other criteria.

In the NHS, bulk personal datasets that were and are being collected for one purpose – the provision of health care – can now be interrogated for other reasons. These other purposes, all lumped together under the deceptively anodyne term “secondary use”, cover such distinct and broad categories of activity as research (both medical and market), NHS commissioning and “health intelligence”, and include servicing the data demands of commercial third parties. Every single one of these uses being derived from data which had a single primary purpose: the treatment and health of NHS patients.

If other bodies want to extract and use bulk personal datasets for purposes beyond patient care, then the whole process must be consensual, safe, transparent and – most important of all – grounded in trust. However trust, as Baroness Onora O’Neill argues, cannot merely be asserted (“trust us”) nor, as the care.data debacle continues to demonstrate, can it be presumed.

To be trusted, these users of our data must demonstrate they are trustworthy:

“[Those] who want others’ trust have to do two things. First, they have to be trustworthy, which requires competence, honesty and reliability. Second, they have to provide intelligible evidence that they are trustworthy, enabling others to judge intelligently where they should place or refuse their trust.” – Baroness Onora O’Neill

Evidence shows, if given a choice and clear information on what it’ll be used for and by whom, a large majority of patients are quite happy for their medical information to be used for public good purposes, such as ethically-approved research. Limit the choice or information, or re-use the data for something else, and opinion flips – and the majority are not happy at all.

The sale of ‘Hospital Episode Statistics’ (not actually statistics but rather linked, patient-level hospital events) which caused so much public outrage last year, is a case in point. As it turned out, the basis for public confidence amounted to little more than the fact the data had been collected “for years”. When the sale of billions of linked, dated health events – the very definition of a bulk personal dataset – came to people’s attention in 2014, it quickly became apparent that public acceptance was lacking.

The lesson here? Just because you happened to get away with something in 1988 doesn’t make it a good idea.

In a digital world, it is all too easy for bulk personal datasets to be copied and re-used outside of the understood framework, leading to loss of trust (what the Royal Statistical Society calls the “data trust deficit”) in not only the end users, but the original data ‘collectors’ themselves; doctors, nurses and other front-line NHS staff for whom trust is absolutely essential. For if people cannot trust that what they tell their doctor will be kept in confidence, some will simply not say anything – putting their own health, and in some cases the public health, at risk.

There are many predictable, if unintended, consequences of a “Collect it all” strategy; consequences that agencies and institutions which have followed one have now discovered. Public outcry over the secretive extraction and misuse of patients’ medical records and NHS information should be seen as a cautionary tale. Not a guide book.