Author Archives: Phil

Public Health England

“I feel I guess betrayed that 19 months into my partner’s cancer battle we didn’t know about this. I think honesty is the best policy and have no problem with the info being recorded but we should have been told and that the details can be removed at the patients request as not to be made aware at some point seems deceitful”

 patient quoted on p37 of the Macmillan/CRUK report on consent

“Betrayed” and “deceitful” are not words cancer charities quote lightly, but they are right to use them.

medConfidential believes – as we do for all flows of health data – that the cancer registry should be consensual, safe and transparent. Whereas the current data handling practices of Public Health England are coercive, dangerous and dishonest.

PHE’s National Cancer Registration and Analysis Service web page today says: (emphasis added)

“Patients can ask NCRAS to remove all of their details from the cancer registry at any time. Opting out of the cancer registry won’t affect the patient’s immediate treatment at their hospital or GP practice, but there may be occasions in the future when the data that is held by NCRAS can be used to assist in their care or that of a close relative.

“If patients opt-out of the cancer registry, it may not be possible to contact individuals identified as being at risk in future, such as when an increased risk of breast cancer is identified in women treated for Hodgkin’s disease using radiotherapy.”

NHS Digital is solving this problem through medical ethics and hard work; it seems PHE has taken a Board-level decision to ignore the problem and, in effect, blackmail patients instead.

There can be good reasons to override dissent – many of them related to public health. We have asked PHE for a list of the reasons it thinks it needs to routinely ignore the wishes of cancer patients. That list has never been provided, and PHE has published no detailed justification for its demand for data. Scrutiny of what the data is used for shows its existing arguments to be “thin” at best.

The NHS does direct care, Public Health England does not – and PHE is not set up to keep data for both direct care and secondary uses. As a result, to maintain its turf, it has resorted to threatening patients and their families with reduced treatment for cancer both online and in printed literature. We understand “the Director” has called people who opted out, in person, to “encourage” them to rescind their request.

While PHE admits that 150 people have opted out of the registry, it is unclear whether these patients took at face value PHE’s public statements about this not affecting their care, or whether they fully understood any contradictory statements made in private .

This is why direct care and secondary uses must be kept separate – there are sometimes good reasons to have additional copies of data. This is one of them.

The problems of PHE are, however, far wider than just those regarding the cancer registry. While the current review terms are correctly narrowly defined, the solutions may have more general applicability by NHS Digital.

Who is responsible for this mess?

While actual data release decisions remain unpublished, PHE assures us that there is a “reporting line”.

The data release process is apparently managed and supported by an Office of Data Release, decisions are made by the Information Asset Owner, overseen by a Data Release Assurance Board, which does no assurance and which is both chaired by the Chief Knowledge Officer, and supposedly “overseen” by PHE’s Board… via the Chief Knowledge Officer.

While this may – at a glance – seem roughly similar to an HSCIC process, let us add some names to these various posts. For the cancer registry, every single one of those roles is held by the same person: Professor John Newton.

It is clear that PHE has a serious data governance problem.

PHE remains in denial

PHE’s annual report claims (page 119) it has done a “Partridge Review”, as HSCIC did in 2014. However, while the HSCIC process was a model of transparency – it was public, conducted by independent analysts overseen by a HSCIC non-executive board member (Sir Nick Partridge, hence the name) and its outputs were clear and contained both an acceptance of problems and suggested steps to remedy them – by contrast, PHE has chosen to keep its review secret.

It has chosen to hide the process of reform from the public, and chosen to refuse to acknowledge any form of critique. The review was conducted by an in-house consultant, and was delivered to the Information Asset Owner (Professor John Newton), not the Board (on which he sits). PHE has refused FOI requests for that review, and won’t talk publicly about even the topics of the 4 areas of “significant concern”.

This is not a process in which the public can have any confidence at all.  Indeed, it gives every impression of a cover-up by those complicit in a culture of failed priorities. And, as such, through the considered decisions of PHE and decision makers, the vitally important cancer registry (and other datasets) remain one small misstep from a collapse of public confidence.

Implementing dissent

While patients have the legal right to opt out of the cancer registry, as part of its move to NHS Digital, it should come under the broader Caldicott Consent Choice.

As there are direct care purposes for which the registry is used, a separate system for those purposes should be maintained by NHS Digital. As a result, where there is a clear and pressing need to use 100% of the cancer registry, rather than the 98% who have not dissented from processing, then approval can be sought from the Confidentiality Advisory Group at the HRA, using the powers CAG acquired under the Care Act 2014. That may simply be the validation of marginal outputs from the 98% dataset, and would be a very specific question (since it would only be confirmation of the output of a research process).

However, the Cancer Registry is currently releasing details of cancer patients to private contractors for purposes that NHS Digital would not have approved itself, or which would have had to have opt outs honoured. These requests are excluded from the PHE Data Release Register. The cancer registry is therefore a ‘back door’ leak of identifiable data about the patients and their cancers.

Given the role the new chair of DAAG played in creating the above cancer registry consent fiasco, continued lobbying to “use my data”, and his other responsibilities and funding, it would seem the current DAAG/IGARD chair is demonstrably unfit to override dissent for the cancer registry.

Demonstrate to patients who has used the data, and why, and what we learnt

The demand for “more data” is endless, and providing more data will not solve that problem – all we see is more demands for more data. Will doing the same thing over and over again generate a different result?

Showing patients what was said to them, and what happened next, will hopefully focus minds away from hyperbole, improve the quality of layperson explanations of projects, and show what works for better outcomes, and what does not.

The cancer registry is a vital resource, but it should be accountable to the very patients whose data is within it, ensuring that data is used properly, and not used wrongly. Currently, those who release the data are not accountable even inside PHE, and keep their decisions secret from the public.

The details matter

As with the failure to implement type-2 opt outs properly for hospital data, and with PHE’s actions at any step of this process, misleading the public has consequences for public trust and public confidence.

It is entirely possible to have a consensual, safe and transparent cancer registry, delivering benefits to patients who wish their data used legitimately. We must and will move away from a coercive, dangerous and dishonest model – the question is solely the manner, governance, and price of that move.

What else will burn in the Bonfire of the faxes?

“Digital services so good that people prefer to use them”, claim the Government.

“The NHS should go paperless”, says Jeremy Hunt.

But what replaces the fax machine when NHS England builds a ‘Bonfire of the faxes’?

It won’t be e-mail.

Clinicians are very familiar with email; they know how it works, and how it fails, when sending patient details between organisations. Even within, what works in theory doesn’t necessarily work with how clinicians treat patients. If “NHSmail” is NHS England’s suggestion to clinicians as they ban fax machines, doctors may just use stamps.

Don’t subvert the Summary Care Record

A different option, being advocated by pharmacists – not just outfits like Pharmacy2U, but bodies such as the Royal Pharmaceutical Society – is that many different types of organisations should have the ability to edit a patient’s Summary Care Record.

Not only would this immediately exclude all patients who don’t have a Summary Care Record, it would simultaneously destroy any confidence in the integrity of SCR data, which may then be out of sync with clinical systems – fundamentally undermining the data quality in both, and making them untrustworthy for any purpose. As currently designed, multi-party writable SCR is a terrible idea.

What is Slack for the NHS?

If we look at what pharmacists actually need to do, they need to tell the custodian of the patient’s medical record (their GP) what they did. Maybe it was a prescription change, maybe it was a recommendation, maybe it’s other information. This doesn’t require write access to the SCR. It simply requires a reliable mechanism, knowing a patient’s NHS number (which they have), to send a message to the GP or relevant care provider, with the confidence that it has been delivered.

The NHS knows who the care provider is, so the pharmacist doesn’t actually need to. On delivery, it is up to the care provider to act on that information – or, e.g. to make a clinical decision not to act – and to update their records, which then flow through to SCR. So when the pharmacist next looks at the patient’s SCR, the relevant information should all be there. This is not therefore a matter of creating a new system, or breaking a process that works, but about using existing systems better.

Properly designed messaging can be better than fax for clinicians.

We’ve written a draft paper considering how this might be done, in the spirit of building “Digital services so good people choose to use them”. Comments and feedback welcome.

medConfidential Bulletin, 23 October 2015

Quite a lot has happened over the past week. Events are still unfolding, but there has been progress in three key areas.

What just happened?

This week saw the UK’s largest online pharmacy, Pharmacy2U, fined £130,000 for concealing its sale of names and addresses of NHS patients to quacks and charlatans. Quite literally – the companies who bought patients details were selling “alternative” treatments and lottery scams.

Not only did they sell the data; Pharmacy2U has been unable to confirm whether the company kept, or can reconstruct, any records as to whose data they sold. Clearly, the private sector has joined NHS England in ignoring HSCIC’s lessons about data releases, following our work over the past two years.

A blanket, criminal ban on marketing to patients is the only way to prevent these predators, quacks and charlatans buying patients’ names and addresses for 8p a time, and scamming them out of money – or health. For, as the ICO’s Penalty Notice points out:

49. It is possible that some customers, who received marketing material from Woods Supplements, after being prescribed medication by a doctor, may have stopped taking their prescribed medication and spent money on products that were subject to the ASA adjudication in relation to misleading advertising and unauthorised health claims.

In light of the ICO’s determination, in regard of serious breaches of the Data Protection Act, medConfidential has written to the relevant medical regulators and professional bodies, asking for them to consider appropriate action within their various remits.

Given the number of patients who contact medConfidential having been marketed about specific conditions and diagnoses, this is clearly not an isolated incident but a systemic problem – and one that must be addressed at all levels.

We believe this underlines the need for all releases of patient data to be covered by personal Data Usage Reports (each and every secondary use being recorded by HSCIC), and highlights the need for a Data Incident Protocol (so that doctors and medical staff can provide the necessary assurance to patients), grounded in medical ethics not mere DPA compliance.

Apps Library

Last week, NHS England announced that its much-vaunted ‘Health Apps Library’ was being shut down, describing it as “a pilot programme”. Since 2013, it has been endorsing hundreds of apps to patients, now replaced by a set of pages on the NHS Choices website which promote a total of seven “online mental health services”.

Not quite what Jeremy Hunt was saying 6 weeks ago when “the Health Secretary stated his ambition to get a quarter of smartphone users – 15% of all NHS patients – routinely accessing NHS advice, services and medical records through apps by the end of the next financial year.”

Serious concerns have been raised over the past year by medConfidential and others with regard to the security, safety and suitability of dozens of apps which were endorsed in the now withdrawn Apps Library.

While we welcome the closure of this sprawling, unaccredited mess of apps and internet quackery, NHS England must now demonstrate how radically it has changed its approach to innovation if it wants to avoid destroying patient trust. Again.

A ban on marketing to patients

Last Friday saw the Second Reading of Chris Heaton-Harris MP’s Access to Medical Treatments (Innovation) Bill – substantively the same Bill as that previously introduced by marketing magnate Lord Saatchi. Alongside many other issues, the question of marketing to patients was raised. When asked: “Will [the database] be used for marketing to patients?” the Minister for Life Sciences, George Freeman answered: “The Government would oppose this being used as a marketing tool.”

Opposing it doesn’t prevent it happening. The ‘McDonald’s amendment’ in the Care Act last year created a loophole allowing data to be used for the purpose of “the promotion of health”, which clearly includes marketing.

medConfidential will continue to ask for a blanket, criminal ban on marketing to patients: explicit, informed prior consent (i.e. opt in) must be the only acceptable consent mechanism, for those who wish to receive marketing – with criminal penalties for those who refuse to comply.

The Government says it opposes marketing to patients, the Saatchi / Heaton-Harris ‘Medical Innovation’ Bill provides the legislative opportunity to implement this, and Pharmacy2U has shown why it is necessary; the remaining question is, will Jeremy Hunt act?

What’s next?

The Saatchi / Heaton-Harris Bill moves now to Committee stage, which we shall of course continue to monitor closely, revisiting as necessary the amendments we proposed prior to Second Reading.

Companies hiding behind the fig leaf of research regularly complain that “slow and costly access to anonymised patient data impedes academic research”. Quite aside from the continued abuse of the term “anonymised”, medConfidential believes that for privileged access to NHS patients’ medical data, filling in a form honestly shouldn’t be too high a bar.

And finally

We remain a tiny organisation, with minimal funding. If you can help us, please do – every penny received will be used on work you’ve just read about in this newsletter.

Please, if you can, make a donation via our PayPal page so that in future every flow of patient data into, within and out of the NHS and social care system can be consensual, safe and transparent.

Phil Booth and Sam Smith

23rd October 2015

Pharmacy2U kept no records of whose data they sold

Addendum to press release

Pharmacy2U kept no records or audit trail of whose data they sold, stating “we are unable to contact individual patients.”  EMIS Group, a minority shareholder in Pharmacy2U Ltd, stated yesterday, “The decision to sell data was made by the executive day-to-day management team at Pharmacy2U”, while claiming the “highest standards of patient confidentiality and data security”.

The ICO’s judgement states:

49. It is possible that some customers, who received marketing material from Woods Supplements, after being prescribed medication by a doctor, may have stopped taking their prescribed medication and spent money on products that were subject to the ASA adjudication in relation to misleading advertising and unauthorised health claims.

The choice of Pharmacy2U to sell names and addresses of patients to quacks and charlatans must be addressed. “As a responsible company, we undertook due diligence to check that the organisations intending to use the data were reputable”, say Pharmacy2U, but they still sold data to “spammy” companies that may have encouraged patients not to take medicines prescribed to them (and which they had paid Pharmacy2U for).

medConfidential received the following statement from Pharmacy2U’s media and PR representatives, ‘Intelligent Conversation’ – the new name for the same PR firm that contacted us previously, see the Update from April this year.

We publish Pharmacy2U’s statement in full:

Daniel Lee, Managing Director of Pharmacy2U, said: “This is a regrettable incident for which we sincerely apologise.  

“While we are grateful that the ICO recognise that our breach was not deliberate, we appreciate this was a serious matter. As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed.

“We have also confirmed that we will no longer sell customer data.

“We take our responsibilities to the public very seriously and want to reassure our customers that no medical information, email addresses or telephone numbers were sold. Only names and postal addresses were given, for one-time use.

“As a responsible company, we undertook due diligence to check that the organisations intending to use the data were reputable. There was no publicly available information at the time to suggest that the lottery company was suspected of any wrongdoing and we have confirmed with the relevant authorities that they were validly licensed.  There was no publicly available information at the time that there had been a complaint to the ASA about Healthy Marketing Ltd.

“Following this incident, we have changed our privacy policy to highlight that we will no longer sell customer data and have implemented a prior consent model for our own marketing. We have also worked with the Plain English Campaign to make our policies as clear as possible to our customers.

“We hope that this substantial remedial action will reassure our customers that we have learned from this incident and will continue to do all we can to ensure that their data is protected to the highest level.”

The ICO’s judgement shows, while the data transferred may have been a list of names and addresses, the information received by the companies and charity was far more than that. For example, in the case of the Australian lottery scammers, they would have known that each name and address on that list was of a man (i.e. gender), aged 70 or over (i.e. age), who had made a purchase (financially active) from an online pharmacy in the past 6 months (with certain conditions)

Pharmacy2U’s “substantial remedial action” does not include informing any of the 21,500 patients and customers whose names and address was sold – as for example, the Government did when it lost two CDs containing HMRC Child Benefit data.

So we asked them about it.

This was the response:

A Pharmacy2u spokesman said: “As soon as the issue was brought to our attention, we ordered the certificated destruction of all the names and addresses that had been sold. [Our emphasis] For that reason, we are unable to contact individual patients.

“Anyone with concerns should contact us on 0113 265 0222 or via email,

We are pleased that Pharmacy2U has (finally) provided contact details for patients and customers who may have been affected by them selling their details, though these seem not to have been published in a way concerned members of the public can easily find them. We got them in an email, and P2U’s online statement directs people to their standard customer feedback form.

However, we are astonished to hear that the company retained no record of the people whose details were sold, and is incapable of regenerating those lists from the records it is supposed to keep according to Pharmaceutical Regulators.

This is a serious failure of information governance, which only compounds their original decision to sell people’s details. Pharmacy2U have not confirmed that all the recipients of the data destroyed all of the details.

Once again, predatory quacks and charlatans have targeted those who are most vulnerable. Pharmacies and charities are likely to know who is most at risk, and selling their names and addresses is complicity in the sort of abuse that has cost lives.

Only a criminal ban on marketing to patients will prevent crooks preying on patients.


[PRESS RELEASE] There’s an app for that? NHS Health Apps Library “pilot” is shut down, but will “medical innovation” include marketing to patients?

This morning, the NHS Health Apps Library – a “pilot programme” that has been endorsing hundreds of apps to patients since 2013 – was finally shut down. It is replaced by a set of pages on the NHS Choices website which promote a total of seven “online mental health services”. [1]

Serious concerns have been raised over the past year by researchers at Imperial College London and Ecole Polytechnique CNRS, France [2] and by medConfidential [3] with regard to the security, safety and suitability of dozens of apps which were endorsed in the Apps Library.

A handful of apps – including Kvetch, Doctoralia and My Sex Doctor [4] – were silently withdrawn following complaints, but it is unclear how NHS England intends to notify patients left hanging now that “innovative” apps it has been promoting for up to two years have had their approval pulled.

The closure of the Apps Library coincides with the Second Reading of the Access to Medical Treatments (Innovation) Bill – a Private Members’ Bill by Chris Heaton-Harris MP, a version of which was introduced previously in the Lords by advertising magnate Lord Saatchi.

Apps fall within the Bill’s definition of “innovative treatments”, opening far wider questions as to the use of the database [5] that would be created under Section 2 of the Bill. Minister for Life Sciences, George Freeman MP, tweeted during the debate [6] that he did not intend for the database to be used for marketing to patients, but the Bill itself and existing legislation [7] provide no legal bar.

All of which further calls into question the stated ambition of Secretary of State for Health, Jeremy Hunt, “to get a quarter of smartphone users – 15% of all NHS patients – routinely accessing NHS advice, services and medical records through apps by the end of the next financial year.” [8]

Phil Booth, coordinator of medConfidential said:

“While we welcome the closure of this sprawling, unaccredited mess of apps and internet quackery, NHS England must now demonstrate how radically it has changed its approach to innovation if it wants to avoid destroying patient trust.

“Promoting predatory ‘bait and switch’ apps targeting teenagers, like My Sex Doctor, was certainly an “innovation” for the NHS. Real doctors would have laughed the charlatans out of the surgery and got back to helping patients, but it seems Tim Kelsey’s team welcomed them with open arms.

“Jeremy Hunt and George Freeman may not intend for any of this to be used for marketing to patients, but there’s no legal bar. And as NHS England’s abortive attempt with apps has shown, not thinking this through properly puts patients at risk.”

Notes for editors:

  1. Just three of these “services” are available as apps:
  2. which led to the removal of My Sex Doctor and other apps. Full study published here:
  4. Kvetch app was a self-described “experiment” that proposed to “make sickness social”, with a communally-visible “alcoholism” group it encouraged individuals to “check your friends in for a laugh”. Barcelona-based Doctoralia (still available in UK apps stores) failed to correctly list GPs working in UK practices, listing at least one GP who had died tragically, and had complex DPA issues that failed to meet the Apps Library’s own criteria for inclusion. My Sex Doctor (also still available in commercial apps stores, and still claiming NHS endorsement) targets teenagers with sex advice, with a stated business model: “Once gained their trust we can leverage it for commercial purposes” – see slide 11,
  5. Which Chair of the Health Select Committee, Dr Sarah Wollaston MP, described as “a vast sprawling database of anecdotal treatment for male pattern baldness”. Debate transcript:
  7. See medConfidential’s briefing, following a meeting with Chris Heaton-Harris on 30 Sept:
  8. Official report of Jeremy Hunt’s speech, 2 September 2015: – updated on 18 September following the announcement of the consultation on the role and remit of the statutory National Data Guardian, who will produce “clear guidelines for the protection of personal data against which every NHS and care organisation will be held to account.”

medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

– ends –

medConfidential Bulletin, 11 October 2015

We hope you had a good summer. Ours was interesting, to say the least.

Parliament begins sitting again on Monday, and people will wake up to the stack of things we’ve got ready for them. But in the meanwhile, quite a lot has happened: “paused” yet again

Despite NHS England’s announcement in June that the pathfinders would be starting at “the beginning of September”, the Secretary of State on 2 September effectively pushed back the restart to at least the end of January 2016.

The announcement (originally) said:

The National Data Guardian for health and care, Dame Fiona Caldicott, will… provide advice on the wording for a new model of consents and opt-outs to be used by the programme that is so vital for the future of the NHS. The work will be completed in January…

A later “clarification” omits to mention, but confirms that the National Data Guardian will develop “clear guidelines for the protection of personal data against which every NHS and care organisation will be held to account. She will provide advice on the wording for a new model of consents and opt-outs, to enable patients to make an informed decision about how their data will be shared.”

This work – a task NHS England singularly failed to complete in 3 years! – is to be completed in January, “…with recommendations on how the new guidelines can be assured through CQC inspections and NHS England commissioning processes.”  Apparently “no arbitrary deadlines” only applies to NHS England.

Where does this leave the programme itself? Well, for starters…

Tim Kelsey ‘opts out’ of

On 17 September, mastermind Tim Kelsey announced his resignation as National Director for Patients and Information at NHS England. He has taken a job as commercial director for Telstra Health, a division of Australian telecomms provider Telstra Corp, to which in March this year DH sold Dr Foster Intelligence, the company Kelsey co-founded in 2000.

Tim Kelsey leaves the UK for Australia in December – an antipodean departure emulating that of the former NHS Director General of Information and head of Connecting for Health, Richard Granger, some years back – but his departure leaves a number of important issues unresolved.

As we learned from Programme Board papers that were finally published in August, and from subsequent Board meetings of both NHS England (video) and HSCIC (cf. minutes on p10), the Directions still aren’t finalised. Indeed, in responding to the Directions sent by NHS England, HSCIC’s Board identified five key unaddressed issues in addition to matters medConfidential had raised.

There’s also no sign of the CAG Regulations, due since the passage of the Care Act 2014 last summer. This means that promised safeguards such as “one strike and you’re out” sanctions for data abuse or misuse and, crucially, the closure of the commercial re-use loophole – persisted by the over-broad definition, “the promotion of health” – have still not been enacted.

What next?

Dame Fiona Caldicott is rewriting the language on consent for patients, which NHS England previously said was ‘ready to go’; HSCIC appears close to being able to ‘fix’ the 9Nu4 opt-out problem, currently affecting over a million patients, that NHS England dumped on it; and DH is finally drafting the Directions on Patient Objections, required to deliver on the Secretary of State’s 2013 promise to respect patient opt-outs.

Assuming the decision is to replace him, whoever replaces Mr Kelsey has a tough task and problems much wider than just to resolve – the digital public health disaster that is the NHS Health Apps Library, to mention but one.

Patients and Registered Medical Professionals must be fairly represented throughout these processes and on all relevant bodies (the Programme Board, for example, still has no public and patient representative) and both NHS England and DH must ensure that the new ‘worldview’ – drawing on lessons learned the hard way – is consistently applied across the health and care system.

medConfidential believes it is still possible to preserve confidentiality and consent in health and social care, and will continue to work to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. If they want to regain public confidence, it is up to the Government, DH and its arm’s-length bodies to now show they can do so, in a trustworthy way.

Statutory National Data Guardian

The Government has now published its consultation on the remit and functions of the National Data Guardian – the role currently fulfilled by Dame Fiona Caldicott. medConfidential welcomes this consultation, available here, which should lead to legislation that will ensure the strength and the remit of the National Data Guardian into the future.

medConfidential will be responding formally in due course, and we have published some initial observations on some of the significant questions raised.  We strongly encourage anyone with views on this vital statutory reinstatement of overarching, independent governance oversight to make a submission of their own before the 17 December deadline.

Another new database?

The ‘Medical Innovation Bill’, first proposed by advertising magnate Lord Saatchi, will shortly return in the form of a Private Members’ Bill by Chris Heaton-Harris MP, entitled the ‘Access to Medical Treatments (Innovation) Bill 2015-16’ (draft Bill here). The new Bill has its Second Reading in the Commons on 16 October.

medConfidential had some questions for Mr Heaton-Harris on the content of the draft Bill, and had a meeting with him last week. Our comments and suggestions arising from that meeting covered a ban on marketing to patients, Data Usage Reports (including our example of what one might look like) and an alternative approach that might deliver the policy intent of the Bill without creating another new database, or giving DH duplicates of powers it already has.

We shall watch the progress of the Bill with interest.

In other news…

medConfidential continues to draw attention to matters of importance to patients and – in our continued membership of the up-to-now somewhat ignored Advisory Group and engagement with other groups, Boards, panels and processes – providing robust but constructive criticism to those who need it.

However, issues sometimes come up that have a wider impact than in just health and care. (You may remember All But Names, a few months back.) One such issue is Freedom of Information; a vital tool for all those who seek to hold the powerful to account. Sam and Phil have joined with others in the FOI community, including journalists, campaigners and citizens across the country in a project to #saveFOI.

The purpose of #saveFOI is to defend against threatened restrictions to Freedom of Information, proposed in the Terms of Reference for the FOI Commission – and by fees proposed in an earlier consultation affecting FOI appeals, that could mean charges of up to £600 to get information released.

The FOI Commission, already half-way through its appointed time scale, has only just put out a public call for evidence – and #saveFOI needs your help:

  • If you have used FOI to help change the world for better, let us know. #saveFOI is assembling a dossier of FOI requests which led to improvements in the world (precisely which of these is the Government seeking to prevent?) and also examples of the broad and/or eccentric interpretation of the exemptions currently in the Freedom of Information Act. We need YOUR stories.
  • Spread the word – on Twitter, on Facebook, on your blog and wherever else you can; the hashtag is in the name, #saveFOI, and the more people who speak up on the positive effects of FOI the harder it will be for the Government to restrict the transparency that is so vital to public trust.

Apologies for the length of this Bulletin. As we said at the top, a great deal has happened since our last newsletter – keeping us very busy.

We remain hugely grateful for the continuing support you and our other supporters provide, most especially the actions you take when we need you.

Phil Booth and Sam Smith

11th October 2015

A first look at the National Data Guardian Consultation

Late last week, the Government published its consultation on the remit of the National Data Guardian. The consultation is available here and closes on the 17th December, just days before Tim Kelsey departs (NHS) England.

We welcome this consultation, which we believe is intended to ensure the strength and the remit of the National Data Guardian into the future, as NHS England reconsiders its failed approach to data, privacy and information governance.

medConfidential will provide a substantive response to the consultation in future weeks, but on first reading, we would make a few initial observations:

1) This is a consultation on the nature of the teeth the NDG will have

It is not consulting on the existence of those teeth, but their shape and constitution, and how they relate to other bodies.

2) There is a question about how the National Data Guardian relates to Non-Medical Professionals

Medical Professionals are regulated by the General Medical Council; however, many decision-makers in the NHS are not Medical Professionals, and hence not subject to GMC rules and sanctions. and the Prime Minister’s Challenge Fund fiascos, for example, were both conceived and implemented by individuals who are not (Registered Medical) Professionals. There is currently no effective regulation of those individuals. The details of this will matter, and are likely to need multiple diverse discussions which we look forward to having in the coming weeks and months.

3) Covering the use of Health and Social Care Data about Children

Children are a large and vulnerable constituency of the NHS. For the National Data Guardian to lack effective powers in this area would be perverse.

However, Children’s Social Care is entirely separate to Adult Social Care, and so in practice powers will have to be significantly different – if only because the other public bodies are different bodies with different remits.

We greatly welcome the inclusion of this question in the consultation, though we suspect the Government’s response to the consultation will be limited to the principle of whether the NDG should be able to cover all Social Care, with the details of implementing coverage in Child Social Care being covered by a future consultation on that topic.

Since November 2014, the National Data Guardian has interacted with other regulators on the basis of an agreement of standing and respect for overlapping remits. Until the details of similar interactions can be worked out for Children’s Social Care, that is likely to be the way forwards. Any future consultation on this particular matter need not slow down primary legislation to put NDG onto a statutory basis “at the earliest opportunity” – subject to appropriate provision being made for, e.g. (super-)affirmative resolutions mandating the interactions between bodies in an agreed manner.

We will draft and publish a more comprehensive response in due course.

PLEASE NOTE: This consultation is entirely separate and unrelated to the announcement earlier this month that Dame Fiona Caldicott, the National Data Guardian, will review the language around consent for secondary uses of patient data in the NHS. It was that announcement by the Secretary of State that led, yet again, to another suspension of

NHS England failed to satisfactorily resolve the question of what “opt-out” actually means and does for nearly 3 years – so, as the scheme’s architect and main proponent himself opts out of by leaving the country, those left behind will have to clean up the mess he’s left.

Our press release on the NDG consultation follows:

[PRESS RELEASE] Consultation on National Data Guardian: “no public confidence without Caldicott”

medConfidential today welcomed the long-anticipated consultation on the role of the National Data Guardian [1] as a step in the right direction. medConfidential and others have been pushing for the reinstatement of statutory independent oversight on the use of personal data across the health and care system since late spring 2014 [2].

With put on “pause” yet again [3], Jeremy Hunt has asked Dame Fiona Caldicott to sort out the “fiasco” that Tim Kelsey and NHS England have failed to address for the past two years. Given the tight timing of this consultation, medConfidential hopes the Government will publish its response before Dame Fiona is required to offer her suggestions on resolving NHS England’s incompetence.

Issued by the Department of Health hours after NHS England announced Mr Kelsey’s resignation, the consultation is a positive step towards restoring public trust in the NHS’ handling and use of patient data.

As many, including leading research charities [5], have emphasised, “Patient data must be safeguarded… The stakes are too high to risk any further mistakes.”

Responding to the launch of the consultation, Phil Booth, coordinator of medConfidential said:

“We welcome putting the National Data Guardian role, currently held by Dame Fiona Caldicott, onto a statutory footing as a sensible and necessary step towards restoring public confidence.

“As we have pointed out time and again, there can be little public confidence in the handling of sensitive patient information without overarching, independent oversight – with teeth – of every single body involved.

“NHS England’s continued screw-ups and missteps are toxic to trust. They must improve, but that must be overseen by an independent body that can inspire confidence.”

Notes for editors:

  1. The consultation was published on the evening of 17 September, just hours after SRO, Tim Kelsey, announced his resignation [6]:
  2. See, e.g. medConfidential’s briefing and proposed amendments to the Care Bill 2014:
  3. See announcement by Somerset CCG (one of the ‘pathfinder’ areas), published by Somerset LMC, 4/9/15:
  4. “Caldicott to oversee pilot”, EHI, 2/7/14:
  5. Research charities’ letter to the Guardian following PM’s Challenge Fund debacle, 27/7/15:
  6. medConfidential Press Release,17/9/15, on Tim Kelsey’s resignation:

medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

– ends –

Will High Street Pharmacists use the Summary Care Record to sell you things?

The Telegraph, followed up by the Independent and Daily Mail, reports today that Boots and other pharmacies – including the large supermarket pharmacies – may from this Autumn be granted access to the Summary Care Record*. There are concerns that such access may be used for marketing purposes. Further details will likely follow in due course.

Under current rules, patients should always be asked for their consent – what is called “Permission To View” – before anyone looks at their Summary Care Record. How the high street pharmacies, and their commercial managers with their incentives to cross-sell remedies, will make this work in practice is an open question.

Safeguards that may operate in a hospital context are going to have to be applied to a whole range of other (possibly non-medically registered) people, who must all be properly trained and rigorously audited on an ongoing basis. A considerable investment must be made if pharmacies are to be given access and patient confidentiality and consent is to be maintained. A report of a pilot scheme earlier this year found, for example, that:

The principles around asking patients for permission to view (PTV) their SCR and its practical application for some prevalent patient groups in the pharmacy setting caused confusion and uncertainty.

medConfidential hopes the Department of Health will urgently clarify the rules around using NHS medical records for marketing to patients.

* The Summary Care Record (SCR) was originally intended “for emergency or out-of-hours” access to your last 12 months’ prescriptions and information about any allergies you suffer from and any bad reactions to medicines that you have previously experienced. The SCR also contains your name, address, date of birth and your NHS Number.

What you can do

If you have a Summary Care Record (around 94% of the population do) and you are concerned that your record may be misused or abused, you can opt-out of the scheme. Here’s a link to the official opt-out form, which you need to fill in and give to your GP.

Please note: the Summary Care Record is entirely different from SCR is intended for use only by those providing you with direct care; (a different scheme, currently on “pause”) is about ‘secondary uses’ of information from your medical record, i.e. purposes like research, commissioning, “healthcare intelligence” and commercial re-use.

N.B. If you do have particular allergies or bad reactions to particular types of medicine, having this information available to emergency responders is directly beneficial to you, so you may wish to look into getting a MedicAlert bracelet or something equivalent.

A long-term solution, which could provide reassurance to all patients, is for every patient to know everywhere their data has been used, by whom, and for what purpose. Such an approach would make any abuse, even by a single Boots store manager looking to hit their targets, highly transparent – not just to officials at NHS England, but to every patient themselves.

“Collect It All” comes to the NHS

It used to be that the different parts of the NHS looked after the data of the patients they treated, and talked to each other when they needed to know something.

Of course that model doesn’t work if you are NHS England, with its egomaniacal urge to micromanage and control everything. From that perspective, NHS England and other bodies each collecting every bulk personal dataset they can, from anywhere in the system is essential – even if the result starts to look like the ‘shadow’ monitoring and embedded political control structures of the Communist Party of China being imposed on the NHS.

From a patient perspective, rather than being ‘confidential’, this starts to feel deeply invasive – and the secretive manner in which some of these bodies expect to be able to act could be considered downright nasty.

From the perspective of NHS staff, it could be the final nail in the coffin of trust.

In the simplest terms, the level of access NHS England is mandating (with Government backing) boils down to managers, commissioners, policy makers and even commercial “re-users” being able to reach into your individual medical record – right down to the level of specific, dated events – and, as we now learn, to check every appointment.

“Collect it all” is the digital approach of the intelligence and security services – the agencies tasked with the prevention of “never events”; those things that must never occur.

“Bulk Personal Datasets” have been defined by Parliament as “large databases containing personal information about a wide range of people”. Parliament’s Intelligence and Security Committee in its 2015 report, ‘Privacy and Security: A modern and transparent legal framework‘, also concluded that as a Dataset of this type “may be highly intrusive and impacts upon large numbers of people, it is essential that it is tightly regulated”.

“Tightly regulated” is clearly not a term that applies to initiatives such as the Prime Minister’s Challenge Fund or toxic schemes like, with its still-missing legal safeguards, ever-diminishing consent options and the “promotion of health” loophole that has legalised the ongoing sale of patient data to commercial re-users – including the data of over a million people who’ve already opted out. Whatever the claimed justification, the collected medical records of every man, woman and child in the country certainly meet every other criteria.

In the NHS, bulk personal datasets that were and are being collected for one purpose – the provision of health care – can now be interrogated for other reasons. These other purposes, all lumped together under the deceptively anodyne term “secondary use”, cover such distinct and broad categories of activity as research (both medical and market), NHS commissioning and “health intelligence”, and include servicing the data demands of commercial third parties. Every single one of these uses being derived from data which had a single primary purpose: the treatment and health of NHS patients.

If other bodies want to extract and use bulk personal datasets for purposes beyond patient care, then the whole process must be consensual, safe, transparent and – most important of all – grounded in trust. However trust, as Baroness Onora O’Neill argues, cannot merely be asserted (“trust us”) nor, as the debacle continues to demonstrate, can it be presumed.

To be trusted, these users of our data must demonstrate they are trustworthy:

“[Those] who want others’ trust have to do two things. First, they have to be trustworthy, which requires competence, honesty and reliability. Second, they have to provide intelligible evidence that they are trustworthy, enabling others to judge intelligently where they should place or refuse their trust.” – Baroness Onora O’Neill

Evidence shows, if given a choice and clear information on what it’ll be used for and by whom, a large majority of patients are quite happy for their medical information to be used for public good purposes, such as ethically-approved research. Limit the choice or information, or re-use the data for something else, and opinion flips – and the majority are not happy at all.

The sale of ‘Hospital Episode Statistics’ (not actually statistics but rather linked, patient-level hospital events) which caused so much public outrage last year, is a case in point. As it turned out, the basis for public confidence amounted to little more than the fact the data had been collected “for years”. When the sale of billions of linked, dated health events – the very definition of a bulk personal dataset – came to people’s attention in 2014, it quickly became apparent that public acceptance was lacking.

The lesson here? Just because you happened to get away with something in 1988 doesn’t make it a good idea.

In a digital world, it is all too easy for bulk personal datasets to be copied and re-used outside of the understood framework, leading to loss of trust (what the Royal Statistical Society calls the “data trust deficit”) in not only the end users, but the original data ‘collectors’ themselves; doctors, nurses and other front-line NHS staff for whom trust is absolutely essential. For if people cannot trust that what they tell their doctor will be kept in confidence, some will simply not say anything – putting their own health, and in some cases the public health, at risk.

There are many predictable, if unintended, consequences of a “Collect it all” strategy; consequences that agencies and institutions which have followed one have now discovered. Public outcry over the secretive extraction and misuse of patients’ medical records and NHS information should be seen as a cautionary tale. Not a guide book.