Author Archives: Phil

medConfidential Bulletin, 1 June 2015

care.data’s big post-election question

Over 700,000 people are still waiting for a public announcement about what has happened to the opt-outs they made in 2014 – an announcement that was delayed “until after the election”.

Now the election is over, the Department of Health and its bodies have two choices. The first option is for them to write to every patient affected by their mistake, and say:

“We are very sorry. There was a mistake on our part, but we’re fixing it, and we will do what you asked: your medical records will not be used beyond your direct care. This process has now begun for hospital records, for maternity records, and for mental health records – including the data releases covering all of last year – and other parts of the NHS will meet the guarantee we made you as soon as possible. But, whatever happens, from today forwards you will be told everywhere your data goes, and why.”

They can make every single part of the above statement true, and (as a bonus) it would cost no more to do than what they’re planning on doing anyway. This would represent the NHS taking ownership of the problem, and promising to do much better in future – and being transparent about what happens to your data. You wouldn’t have to simply trust they got it right; you would be able to know what happened, and could make your own judgements.

The Department’s second option – the choice NHS England would like Jeremy Hunt to pick – is to make their invasion of your privacy your problem, and to transfer the complexity of knowing how the NHS works (this week…) from the Government on to you and every other patient.

They might send a different letter which talks only about your GP records as part of care.data, ignoring the information collected by every other care provider; a letter which offers a different opt-out from what you did last year, where you will have to call up or go to the internet for a second form [PDF] if you want to protect your hospital data; and, even if you already opted out, you will get a letter as if you hadn’t.

So the big question is, will Jeremy Hunt make it your problem that NHS England still wants to allow your medical records to be sold?

What happens next?

The Health and Social Care Information Centre will do whichever of those it is allowed to do. It can do either, but it doesn’t make the decision. That’s up to Mr Hunt, who will take advice from NHS England. So what’s it to be?

NHS England kept the opt-out problem secret for over a year – even while it was sending out the junk-mail leaflets last January / February, saying the choice existed. Then it hid the problem for another 10 months, before passing the buck to HSCIC last November without even telling them the size of the problem. (HSCIC told us they were working it out less than a fortnight later.)

Officials have now admitted the likely scale of the problem; we await news from Ministers on what they’ll do next.

The Directions approved “in principle” by NHS England’s Board last Thursday suggest communications could go out to patients as soon as this month, once HSCIC has published the updated ‘clinical code specification’ for the data that will be extracted from your GP record. So it appears NHS England is expecting to do a number two – making your medical privacy your problem, not theirs. Have they learnt nothing?

Live in Somerset, West Hampshire or Blackburn with Darwen? You’re up first…

The Schedule (p5) to the Directions considered by NHS England’s Board last Thursday excluded the three Leeds CCGs, previously announced to be participating as pathfinders. Presuming this wasn’t just a typing error, GPs and patients in Leeds can relax a bit. For now.

However, if you live in one of the other three pathfinder areas listed above, NHS England has decided you’ll be the first guinea-pigs for its ever-more-complicated zombie data grab.

No list of participating GP practices has been published as yet, but as the summer holidays are rapidly approaching please do let friends, family and colleagues know they should be on the alert, e.g. by forwarding them this newsletter, or encouraging them to subscribe – it’ll take less than a minute.

While medConfidential believes and has said it would be a big mistake for NHS England to start sending out patient communications over the summer, they do have form for ignoring sound advice.

We have a couple of questions which would benefit from some local knowledge. If you fancy helping us out, please e-mail coordinator@medconfidential.org and we’ll let you know how you can help.

Unless you live in an affected area, there’s no substantive action for you in this newsletter; there will be next time.

Phil Booth and Sam Smith
medConfidential

1st June 2015

(Apologies to those who received the Bulletin by e-mail – we forgot to update the date in the footer, so it read 1st April, not 1st June as it should have.)

It’s OK to ask

Today, on International Clinical Trials Day 2015, medConfidential welcomes the National Institute for Health Research’s ‘OK to Ask’ about research campaign.

As an advocate of research patients, NIHR is enabling its primary mission in a safe way. ‘OK to ask’ is entirely compatible with consent – indeed, that’s what the entire campaign is about: asking.

There need be no conflict between patients being interested and wanting to participate in research, but not wishing their sensitive medical records to be sold. That NHS England is choosing to make this more difficult / conflating secondary uses is a barrier to research, not an enabler.

We can’t let the day pass without also mentioning our friends at AllTrials – campaigning for all past and present clinical trials to be registered and for their full methods and summary results to be reported. Clinical trial transparency is vitally important, and it doesn’t mean publishing individual patient data.

Consensual, safe and transparent. Anything less just doesn’t make sense.

Marketing2U: Was your health information sold to direct marketers by Pharmacy2U?

For years, we’ve had credible reports of highly accurate marketing that could only be based on health records. Now reports in the media have revealed “a nice little trade” in your health records – and that’s the Information Commissioner’s description, not ours.

These latest reports reveal two ways in which information about your health may be collected and sold on: from insurance forms you fill in and, in particular instances, from information provided to “the UK’s largest online pharmacy”, Pharmacy2U.

Given the number of people who have contacted us over the past two years about this, it is clear that these are not isolated occurrences. Pharmacy2U may have admitted to selling details to a direct marketing agency on a number of occasions, but it is not the only one.

This trade in people’s personal health information is insidious, and makes it all the more essential that the Government legislates clearly and consistently on the ongoing “commercial re-use” of our medical records.

Senior politicians may say something must be done about these latest incidents, but promises to crack down on dodgy data brokers and those who supply them with data ring hollow while the official trade in NHS patients’ information persists. (We note the promised Regulations under the Care Act 2014 – which should clarify the overly-broad definition, “the promotion of health”, that continues to legitimise commercial re-use of your medical information – were not laid before Parliament was dissolved for the election.)

medConfidential has submitted a formal complaint to the Information Commissioner on behalf of patients who have contacted us after having been sent direct marketing materials in relation to their specific medical condition, treatment or diagnosis. The Information Commissioner’s Office has already begun an investigation, as has the General Pharmaceutical Council. And, given what the chair of the Health Select Committee has said, we hope Parliament will look into this promptly when it returns.

Your rights; take action

Section 11 of the Data Protection Act provides you with the “right to prevent processing for purposes of direct marketing”. You can issue a notice in writing to a data controller at any time, requiring them to cease – or not begin – using your personal information for marketing.

UPDATE 27/4/15: Given their objection to the way we previously expressed things, we asked Pharmacy2U shareholder EMIS – which has been offering a joint service with Pharmacy2U since trials in 2001 – how a patient might determine, without wasting GP time, if their practice is amongst the hundreds that have been using Pharmacy2U to provide postal prescriptions for years. EMIS has replied saying that Pharmacy2U is now an option in all practices that use Electronic Prescription Service Release 2 (EPSR2), and that patients with concerns “should contact Pharmacy2U directly”.

Our advice remains as we state below. If you are unsure whether you’re affected, we hope to have more information in our newsletter due out this Friday.

You may not recall nominating Pharmacy2U at your GP at any point over the last 14 years, but if you do not receive a paper prescription and you have ever received your medicines from a warehouse in Leeds rather than your local pharmacy, then it is likely that you did – and you may wish to take action.

If you are a customer of Pharmacy2U, or if you are concerned that your details may have been sold or passed to third parties by them or any other online pharmacy – or by any company to which you have provided information relating to your health – we have created a template Section 11 Notice for you to download, fill in, print and post to the relevant organisation.

For Pharmacy2U only, please add your details where indicated:

For other companies, including insurance companies, please fill in the relevant details where indicated:

You will note that our Section 11 Notice letter ends with a request for information about disclosures of your information for purposes other than marketing. This is because you have a further right, under Section 10 of the Data Protection Act – the “right to prevent processing”, if such processing would cause you “unwarranted and substantial damage or distress”.

At this point it is not absolutely clear whether Pharmacy2U or other companies have disclosed your information for purposes other than marketing; the wording of various Terms and Conditions suggests that they might. Our template letter therefore requests that the company tells you with whom it has already shared your information, and for what reason.

By sending our Section 11 Notice letter first, you should be told exactly what the company has done with your information. You can then follow up with a Section 10 Notice [1] on the basis of what you find out. Were you to send a Section 10 Notice straight away, the company should comply with your wishes – but you might not find out what has already been done with your information.

We would hope that companies will come clean, and take the opportunity to reassure those whose details they haven’t sold that their information has been kept confidential. If for any reason a company refuses to provide this information, please let us know.

medConfidential believes people should always know who has had access to their health-related information, and what it has been used for. As we have said to the Information Commissioner, you simply cannot trust an organisation that buries your consent options and which isn’t completely up front about what it has done or will do with your most sensitive personal information.

1) For your convenience, here is a template Section 10 Notice for you to download, fill in, print and post to the relevant organisation. If you are concerned to know what has been done with your information, we recommend you send this only after receiving a response to your Section 11 Notice.

For Pharmacy2U, please add your details where indicated:

For other companies, including insurance companies, please fill in the relevant details where indicated:

UPDATE 20/4/15: We were contacted late on Friday by Pharmacy2U’s PR representative, who stated Pharmacy2U “has not sold information relating to patients’ medical conditions. Names and postal addresses only were provided.”

The PR firm provided the following statement, which we publish in full:

“We want to reassure our customers that Pharmacy2U does not and has never sold information relating to patients’ medical conditions to anyone.

Between November 2014 and December 2014, we trialled a small-scale project with Alchemy Direct Media (UK) Ltd, a data handling company registered with the Information Commissioner’s Office (ICO). 

This project involved us selling limited information – some customers’ names and postal addresses only – for use in selected marketing activity. No medical information, emails or telephone numbers were sold. In conducting this trial project, we acted in line with current data protection and ICO guidelines.

The sale of customer data for marketing purposes is a widespread practice within business and also government. However, in light of public concern about this issue we have decided not to continue with this trial and we can reassure our customers that Pharmacy2U will no longer share customer data for use in third party marketing. All data that was held by Alchemy Direct Media (UK) Ltd has been destroyed by them and is no longer available for use.

We have asked the Information Commissioner’s Office to work with us to review our privacy policy and have also contacted the General Pharmaceutical Council, our industry regulator, and the NHS, to discuss this matter. We await their follow-up report.”

[PRESS RELEASE] Stop this toxic trade in health information; make it all ‘classified when complete’

Responding to revelations about the disgraceful trade in sensitive health information [1], medConfidential today called for all personal health details to be treated as ‘classified when complete’ [2].

Exemptions in the Data Protection Act are not only exploited by unscrupulous traders; some are routinely used by large commercial organisations [3] and public bodies to legitimise the “sharing” and “re-use” of health information.

Despite promises made by Ministers last year following the care.data fiasco and the exposure of the legalised sale of NHS patients’ medical information for “commercial re-use”, changes to the law remain uncommenced [4]. Indeed, the amended definition of legitimate use – “for the promotion of health” – still permits sale to “information intermediaries” and use by pharmaceutical marketers and other commercial interests.

While medConfidential supports, and last year called for [5], criminal sanctions against those who abuse or misuse people’s health information, the threat of harsher punishment for a few ‘bad apples’ will not address the toxic presumption, perpetuated by Government policy, that people’s most sensitive personal details are tradable assets.

Phil Booth, coordinator of medConfidential [6], said:

“For all its fine words, this last government added no real protection for medical records – its political promises came to nothing.

“To stamp out this toxic trade, politicians must take decisive action and guarantee that all medical reports and data are legally defined as classified. There’s no reason your family’s health details should be treated as any less sensitive than a police witness statement or George Osborne’s lunch order, for that matter.

“Only when medical records are properly protected in law, and people are told everywhere they’re sent, can we truly trust our most sensitive information will be kept confidential.”

Notes for editors

1) http://www.dailymail.co.uk/news/article-3018659/Privacy-sale-s-health-secrets.html

2) More details in medConfidential’s proposal, ‘A modern Lloyd George Envelope: CLASSIFIED when complete’: https://medconfidential.org/wp-content/uploads/2015/02/2015-02-16-A-modern-Lloyd-George-Envelope.pdf

3) medConfidential drew attention last June to some insurance and financial services companies’ abuse of enforced Subject Access Requests: https://medconfidential.org/2014/is-jeremy-hunt-serious-about-shutting-down-insurers-access-to-your-medical-records/

4) Regulations to the Care Act 2014 failed to be laid before Parliament was dissolved. These Regulations were necessary to define the operation of the Confidentiality Advisory Group that advises on the dissemination of NHS patients’ information, to enable “one strike and you’re out” sanctions for those who misuse data, and to define “the promotion of health” – the over-broad purpose by which patients’ information can be made available for commercial “re-use”.

5) See Q7 of Oral Evidence to Health Select Committee, on Tuesday 25 February 2014: http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/health-committee/handling-of-nhs-patient-data/oral/6788.html

6) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

Lessons learned? Suggestions on writing to a million patients about 9Nu4

The Health and Social Care Information Centre are aware that the number of patients affected by the mistake with the ‘Type 2’ / 9Nu4 objection is indeed much higher than their Chair first stated to Parliament, and they continue to accept – as they did from the start – that they will have to write directly to everyone concerned.

HSCIC’s acceptance that individually-addressed letters are necessary is to be welcomed, not least because it shows some lessons may have been learned from the previous history of NHS England’s care.data fiasco. But to avoid a repeat of previous communications disasters – including the junk mail leaflet and widespread confusion between care.data, the Summary Care Record and local direct care data-sharing initiatives – lessons from 2014 must not only have been learned. They must be seen to be learned.

As last year clearly demonstrated, there can only be one patient communications programme going ahead at a time, and it must be carefully coordinated with any and all other existing data-sharing programmes.

As NHS England Director for Patients and Information and (interim) SRO for care.data, Tim Kelsey, has washed his hands of any responsibility for this latest screw up, this is a clear opportunity for HSCIC to lead and demonstrate itself to be the reformed agency that it is striving to be, absent any interference from NHS England.

What needs to be done?

Dame Fiona Caldicott has articulated a number of tests and questions for the care.data programme as a whole. It would therefore make sense, as a starting point, to apply these to any proposed communications intended to correct the current consent catastrophe. Some tests (e.g. those in section 5, relating specifically to the care.data pathfinders) may not apply directly, and other tests may need to be added, but the as-yet-unanswered questions on the substance of what patients are told – and how it will be made true – continue to apply across the board.

The ‘Type 2’ correction cannot be implemented as a postcode lottery; it must be national, for all affected patients at once. And, unless Mr Kelsey’s promises of “no arbitrary deadline” are untrue, the care.data pathfinder process can happen after the national re-contacting has taken place. (And, if done as we suggest below, at no additional overall cost to DH and the public purse.)

As medConfidential has repeatedly stated, the SRO for the 9Nu4 correction programme – as for all large-scale patient data programmes – must be someone who is subject to GMC regulation.

A process to respect patient choice

A letter must be sent to each affected patient, the content of which should go through a similar consultation process to the one which NHS England stated it would follow for any revision of care.data – though HSCIC should do a better job of actually listening to advice and suggestions.

Given the need to rebuild public confidence, and out of an abundance of caution, letters must be sent to everyone who has expressed a consent preference, whether that was 9Nu4 (‘Type 2’), 9Nu0 (‘Type 1’) or SCR. The bungled communications last year resulted in many patients being given the wrong forms, and it is reasonable to assume that someone who doesn’t want their data to leave their GP practice to be shared for direct care purposes is unlikely to want it sold on for ‘secondary uses’.

Critically, the state of each patient’s ‘consent settings’ immediately before the letter hits their doormat must be as safe as possible. This may involve the introduction of a new code or codes, but the defaults must be set to respect patients’ existing choices.

The communication materials themselves must clearly and accurately reflect what happened, how it has been addressed, and what will happen going forwards. Unambiguous promises must be given to patients around secondary uses, consent and notification. (This may be a good opportunity to introduce personalised data usage reports to a group of data-concerned patients, trialling the process and explanation ahead of a wider communication.)

The letter should provide each patient sufficient information and clear choices to be able to arrive at one of the following 3 outcomes:

  • NO FURTHER ACTION BY PATIENT [DEFAULT] – implement what patients were told would happen last Jan/Feb, i.e. opt out of secondary uses of their data collected from anywhere across the NHS, with no impact on their direct care. This would require our Spine proposal to be implemented.
  • ACTION: Patient has changed their mind – opt them back in for secondary uses of their data collected from places other than their GP. Unless patient gives explicit consent, do not override any other settings, e.g. 9Nu0 or SCR. This would most likely be a subset of those who opted out of SCR, whose decision was inferred as a precaution.
  • ACTION: Patient wants the ‘full 9Nu4 opt out’ – apply the opt out as 9Nu4 was (mistakenly) specified, i.e. HSCIC cannot pass on patient’s data, even for direct care. This is likely to be for a very small number of patients, but the option is clearly important to some people.

“No action” must be the default, and the default must continue to be safe and in the patient’s best interests, i.e. a system-wide consent option on the Spine, respected by all care providers.

It is important these choices are not merely expressions of choice, but immediate and effective realities. Patients whose trust has already been abused should not have to wait a further year for their decisions to be enacted. Ideally, this would be able to be reflected in a personalised data usage report for each patient, so they can see that – this time – their wishes have been properly respected.

Moving forward with care.data (or its successor)

Only once the ‘Type 2’ correction process has been completed – letters have been sent, patients have been given time to act, and their consent choices have been enacted – can the care.data pathfinder process restart.

Those in the pathfinder practices who have not been sent a letter as part of this process can then be sent a letter and opt-out form for care.data and all secondary uses. (These letters may be modified based on any further lessons learned from the ‘Type 2’ process.) That only those patients who have not already opted out will be written to as part of the ‘new’ opt-out process means that people will not be being asked to opt out of something they’ve already opted out of.

It also means that the cost to the public purse of the programme as a whole should be almost identical to what NHS England currently proposes. The same number of envelopes will be posted (which is the vast majority of the cost) but there will need to be some more meetings to design the two sets of communications, not one – to ensure that what everyone is told is completely consistent. And true.

In the meanwhile, rather than rushing into the extraction of data that may not even provide the benefits claimed, care.data can be revisited, future needs properly identified and the many flaws in the design of the current programme can (hopefully) be corrected. And proposals to reduce the number of individual-level data flows can continue to be applied.

While it looks like the projection of over a million people having opted out will prove correct, it should be remembered that only 29% of people asked at the time had received a leaflet and nearly half the population was still unaware of the scheme at the point it was “paused”. Opt-out rates across the country are likely to be significant, and NHS England cannot afford to cause yet another collapse in public confidence.

This time, there is no option but to do it right.

Will opting out affect the care you receive?

NHS England is very clear, even now: “…this will not affect the care you receive.”

However, displaying their all-too-familiar lack of attention to detail, there currently is a problem – a mess they’re leaving someone else to clean up. That’s no surprise in the ongoing care.data fiasco. The surprise this time is just how badly they cocked it up.

Due to a mistake with one of the objection codes*, everyone who opted out with it will need to be contacted to confirm the details of a new, as yet unspecified, arrangement. Opting out now should mean you are contacted in that group.

If you did opt out last year, NHS England is at least correct in saying that your direct care has not been affected. As of now, none of the opt out codes have been extracted and the care.data programme has taken no information from your GP’s systems.

But because the codes have not been extracted, HSCIC has no way to know whose data to prevent passing on to its customers. Data releases resumed last summer; you can see the organisations which have received data in HSCIC’s quarterly Data Release Register.

Unfortunately at this point no-one, including HSCIC itself, can tell you if your data has been released – which is one example of why we’ve been pushing for personalised Data Usage Reports. With those in place, you would know.

We are working hard to ensure that your opt out is honoured, and that it does what you were told it would do – by us, and by NHS England.

medConfidential believes that wanting to preserve your privacy in the NHS should not exclude you from digital services in the NHS. Anyone who attempts to claim otherwise is blackmailing patients. Again.

*We were shown details in a letter, a couple of minutes before we gave evidence to the Health Select Committee on the 21st January. We suspect NHS England knew some time before then, as the ‘Type 2’ opt out codes had originally been scheduled to be uploaded last autumn.

NHS England posted ‘Important information on data sharing opt out’ at 17:24 on Friday 23rd January. Unfortunately, while the title of its announcement isn’t limited to just the care.data programme, all of the salient bullet points are. Its use of the phrase “the opt out” (not opt outs) is far from reassuring, and signals an imminent attempt to re-write history and break promises.

You will note NHS England’s announcement omits to tell you what you’ve just read in this post. If you want to be kept up to date with comprehensible information and facts you can act on:


Our newsletter is sent using MailChimp.
We will not share your details with anyone else.

We will post more details as we have them on our blog, and in our next newsletter on 30th January.

medConfidential Bulletin, 19 December 2014

What happened in 2014?

In January and February, following NHS England’s catastrophic junk mail leaflet campaign, we helped “stop” the nationwide rollout of the care.data programme – though NHS England denied that word until October – and got the “opt-out” fixed so that no data would leave your GP practice, rather than the fudge NHS England had tried to pull.

In March the government added amendments just as the Care Bill left the Commons for the Lords. Though intended to reassure the public, “the promotion of health” clause introduced a loophole for commercial users that’s yet to be fixed. April saw the publication of HSCIC’s first (incomplete) Data Release Register, revealing dozens of companies – not just insurers – had bought NHS patient data.

In May government rejected Lord Owen’s amendment to the Care Bill that would have reinstated much-needed statutory independent oversight. By November the need for this was so critical that Jeremy Hunt appointed Dame Fiona Caldicott as National Data Guardian, a role to be made statutory “at the earliest opportunity”, barely 53 weeks after the IIGOP was formed.

Sir Nick Partridge’s Review of ‘historic’ releases by the Information Centre was published in June, confirming “significant lapses” – and ongoing use of the ‘National Back Office’ by the police to trace people. June also saw the Annual Representatives Meeting of the BMA vote for care.data to be opt-in. Over the summer, polls showed a serious “data trust deficit”, and suggested almost a third of GPs would opt their patients out.

In October, NHS England began to try to restart the scheme, announcing several ‘pathfinder’ CCG areas – though, as it turned out last week, it still hasn’t signed up GP practices in these areas. And just yesterday, the Independent Information Governance Oversight Panel asked rather a lot of questions, to which answers must be provided before the scheme can proceed.

Some good news

Firstly, and as we first raised back in February to the Health Select Committee, HSCIC is building a “secure data facility”, where those who are content for all their data to be used can have it used safely. A single locked-down source where legitimate, transparent and ethically-approved access can be properly managed and audited – rather than copies of millions of patients’ information being sent out – is also the safest way to ensure people who don’t want their data used can have it excluded. This isn’t just about care.data and your GP records, but about all your medical records, held in trust by the NHS.

Secondly, our proposal for Personalised Data Usage Reports is the mechanism for the HSCIC and NHS to report to each individual patient how their data was used, and for each individual to be able to know – rather than just have to trust – that their wishes have been respected. It can also show the good that has come from legitimate uses of data. Even safe and consensual uses of data must be transparent, and we have spoken to no bona fide researchers who ever thought otherwise.

These are both a good start. When they are in place, it’s possible a replacement could emerge from the wreckage of NHS England’s care.data debacle. Since the summer, its communications have fallen apart (again), the content has been criticised repeatedly by experts, yet there will (apparently) be “no changes to the specification”. Any attempt to revive care.data before safe and transparent data use has been seen by the public is likely to backfire.

And, in an unexpected footnote to an incredibly busy year, we were deeply honoured to be shortlisted for a prestigious Liberty Human Rights Campaign of the Year Award – a recognition that the work above has begun, but remains unfinished. We offer congratulations to Lord Low for winning the award for his defence of the Human Rights Act, and applaud the fantastic work of our fellow nominee, Police Spies out of Lives, in their fight against injustice. They deserve everyone’s support.

What next?

In the New Year, the Shadow Minister for Health has said the “Opposition will table an amendment on Report to ensure that the National Data Guardian is put on a statutory footing”. This clearly must be done right, and we look forward to seeing the detail of what the Opposition proposes.

In the same debate on Jeremy Lefroy’s Private Members’ Bill, Under-Secretary of State for Health Dr Dan Poulter told Parliament: “The National Information Board is working towards a whole system consent-based approach, which respects individual’s preferences and objections about how their personal and confidential data is used, with the goal of implementing that approach by 2020.”

2020 is a long way off, so we hope we don’t have to wait too long to see exactly what is being proposed – and what work will commence towards making data use across the NHS safe, consensual and transparent in the near future.

It’s Christmas…

We deeply appreciate every donation you give us and especially the messages you include with them, whatever the amount… £5, £50 or more. We know each donation is an expression of individual support for what we are doing and the good wishes that come along with that.

medConfidential is a tiny organisation, hitting well above its weight, but to keep going we have to find around £60k per year. If you are – or know – someone who could make a substantial contribution towards our operating costs, please do get in touch: coordinator@medconfidential.org

And finally, we wish you and your loved ones a safe, consensual and relaxing festive season.

See you next year… expect a busy January!
Phil Booth, Sam Smith and Terri Dowty
Coordinators past and present, medConfidential
19th December 2014

care.data Advisory Group Open Meeting, 26 November, Central Manchester

Date: 26 November 2014, 18:00 to 20:00

Location: Central Manchester location TBC

The Chair of the care.data Advisory Group, Ciarán Devane, invites you to participate in their third public discussion about the work they are developing to inform and assure the programme known as ‘care.data’.

Phil Booth from medConfidential will be attending, and the session will examine some of the proposed responses from NHS England to issues raised by staff, patients and members of the public.

Click here for more information and/or to reserve a place.

medConfidential Bulletin, 10 October 2014

What just happened?

On Tuesday NHS England announced the care.data ‘pathfinder’ areas, but didn’t provide answers to basic questions like “Is it happening in my practice?” and “When will it start?” We await more details on the pathfinders, including exactly what patients (and GPs) will be told.

The four care.data pathfinder areas are:

  • Leeds (3 CCGs: West / North / South and East)
  • Blackburn with Darwen CCG
  • West Hampshire CCG
  • Somerset CCG

We sent out a background briefing on Monday with a list of questions to which we expected answers, but when none were forthcoming there was a bit of a storm in the media.

Where does your data go?

On Monday HSCIC published its latest quarterly data release register, covering the period April – June 2014. No insurers this time, but at least one recipient (Northgate) declares that its “market may also include commercial organisations” which highlights the dodginess of claims by officials that “solely commercial use” will be prohibited. Information intermediaries that service both NHS and commercial customers aren’t solely commercial, after all.

Worryingly, HSCIC’s new contracts don’t yet exclude commercial re-use. And with the over-broad “promotion of health” clause in the Care Act – the ‘McDonalds amendment’ we pointed out would include promotion through advertising, access by pharmaceutical marketers, etc. – there’s still a long way to go before patients can be satisfied that all the loopholes are closed.

Earlier this month, an updated care.data addendum in which NHS England sought to increase the types of uses to which patient data can be put, and the range of organisations and companies that can access it, was considered by the Independent Advisory Group for GPES (the system by which data is extracted from GP practices).

The addendum was approved, with conditions – including clearer definitions of “research” and “health intelligence”, independent oversight and further consideration of the expansion of purposes once the pathfinders are complete. Like us, IAG have significant concerns about the “lack of clarity about the data disclosure” after the pathfinder stage.

If patients are to be promised that all individual-level data extracted and linked during the pathfinders will be kept in HSCIC’s secure data facility, accessible to a small number of approved analysts, what’s the rush to widen future access now?

Opt-in / opt-out

Earlier in the summer, the BMA’s Annual Representatives Meeting voted that care.data should operate on a patient opt-in basis. While it does not appear that NHS England will be testing opt-in vs. opt-out approaches in the pathfinders, a representative of the Information Commissioner’s Office said at a recent conference that GPs could discharge their obligations under the Data Protection Act if they opt out their patients by default, so long as they put equivalent effort into contacting patients offering them an opt-in as they would have done for an opt-out.

What next?

Now the pathfinder areas have been announced, we are pushing to see exactly what patients (and GPs) will be told. In the meanwhile, if you do have concerns about care.data and if you haven’t done so already, our advice continues to be to opt out now. N.B. If you opted out of care.data earlier this year and had the ‘dissent codes’ added to your GP record, these will still work so you should not have to opt out again.

In the next few weeks, we expect Regulations to the Care Act – including further definition of the “promotion of health” clause, sanctions for data misuse and the operation of the Confidentiality Advisory Group (CAG) – to be laid before Parliament. We’ll publish more information as we have it.

Also coming up in Parliament is the Health and Social Care (Safety and Quality) Bill, Jeremy Lefroy MP’s Private Members’ Bill, scheduled for Second Reading on 7th November. No documents have been published as yet, but we intend to pay close attention to a Bill that intends “to make provision about the integration of information relating to users of health and social care services in England” and “to make provision about the sharing of information relating to an individual for the purposes of providing that individual with health or social care services in England”.

How can you help?

If you are registered with a GP in one of the pathfinder areas, we suggest you e-mail or write to your local HealthWatch and ask when the local public meeting will be held to talk about care.data. Please do let us know how you get on.

We are a tiny under-resourced campaign, but if you would like someone from medConfidential to address a meeting of your patient representative group or local HealthWatch please get in touch via coordinator@medconfidential.org. We’ll do our best to provide a speaker, or slides for you to use.

And finally

There is a great deal of confusion about forms relating to the Summary Care Record, local data sharing and care.data – some patients report having three or even four separate opt outs at their GP practice. One even offered a “Summary Care Data” opt out form. To be very clear, the Summary Care Record (SCR) is entirely separate from care.data:

  • a Summary Care Record contains your last 6 months’ prescriptions, any major allergies or adverse drug reactions you may have and any information you have asked your GP to put on it. It is for access by medical staff providing you with direct care, and they should normally ask your permission before viewing it. The official form to opt out of having an SCR is here.
  • There may also be local data-sharing arrangements in your area, usually for direct care purposes such as sharing information between your GP and a local hospital. Your practice should be able to tell you more about these, and provide an opt out form.
  • care.data is all about ‘secondary use’ of your medical information – it has nothing to do with your direct care. No data has yet been extracted under the care.data scheme, so if you have concerns you can opt out now. You can always opt in later. There is no official opt out form, so we have provided a form or a letter for you to send to your GP.

If in doubt, please do talk to your practice staff but be aware that GPs and practice managers have not been told anything more about care.data since February.

Please do also forward this newsletter to your friends and family. They can receive future editions by joining our mailing list at http://medconfidential.org/contact/

Phil Booth and Sam Smith
Coordinators, medConfidential
10th October 2014

care.data ‘pathfinders’ announced – but what don’t we know?

On 7 October, NHS England announced the four areas in which the care.data ‘pathfinders’ (pilots) will go ahead. They are:

The announcement does not say which individual GP practices will be involved, and provides no actual date for when the pathfinders will start.

At this point we still don’t know exactly what GPs and patients in pathfinder practices will be told – or even if every patient will be written to directly with a form. NHS England says practices will send “individual letters, emails or texts” to patients, but that these are amongst “a variety of communications” that will be tested. A text notification is hardly better than a junk mail leaflet.

There are other significant unresolved issues:

  1. Given the widespread confusion between care.data – which is for ‘secondary use’ only, i.e. purposes other than the direct care of the patient – and the Summary Care Record (SCR), which may be used in direct care, will people who confused the two be told clearly what their existing consent settings are?
  2. What will patients who opted out in January or February, or since, be told? Will NHS England require any patients to visit their GP practice to opt out? Will an online opt out be provided?
  3. Patients who opt out should have this respected by the Health and Social Care Information Centre (i.e. no data will be extracted from their GP record) but when will the opt out – currently the gift of the Secretary of State – be put on a statutory basis?
  4. The Government claims to have added legal protections but when will the Care Act Regulations detailing crucial definitions such as use “for the promotion of health” and sanctions for misuse be laid before Parliament?
  5. Who have the Department of Health consulted on the Care Act Regulations, to be implemented by HSCIC and the Health Research Authority, which are the basis for NHS England’s assurances to patients?
  6. Claims to rule out “solely commercial” use look like a loophole; will any company which gets data from the HSCIC still be able to sell it on for ‘re-use’ by third parties? Will “the promotion of health” still permit uses such as marketing?
  7. When will the new contracts and agreements be in place? Drafts on the HSCIC website still appear to permit commercial re-use and make no mention of ‘one strike and you’re out’ sanctions or access via safe settings.
  8. The planned secure data facility (‘safe setting’) at HSCIC to hold linked GP and hospital data is not yet built. What will patients be told about the use of their data?
  9. Where will NHS patients’ individual-level data go in the longer term? Will their data ever be permitted to leave the secure data facility in any form other than publishable aggregated statistics?
  10. As NHS England doesn’t know what will be effective, what principles will be followed to correct deficiencies in communications for any particular trial? medConfidential supports managed testing of processes, but we have seen no commitments to address trials that go less well.
  11. What will patients and GPs be told about future changes to the care.data programme?

With so many unanswered questions and no detail at all on some of the most obvious – such as “Is my practice involved?” or “When will this happen?” – patients have every right to feel concerned. Unfortunately it seems the Director of Patients and Information still hasn’t provided patients with all the information they need.