Today, on International Clinical Trials Day 2015, medConfidential welcomes the National Institute for Health Research’s ‘OK to Ask‘ about research campaign.

As an advocate of research patients, NIHR is enabling its primary mission in a safe way. ‘OK to ask’ is entirely compatible with consent – indeed, that’s what the entire campaign is about: asking.

There need be no conflict between patients being interested and wanting to participate in research, but not wishing their sensitive medical records to be sold. That NHS England is choosing to make this more difficult / conflating secondary uses is a barrier to research, not an enabler.

We can’t let the day pass without also mentioning our friends at AllTrials – campaigning for all past and present clinical trials to be registered and for their full methods and summary results to be reported. Clinical trial transparency is vitally important, and it doesn’t mean publishing individual patient data.

Consensual, safe and transparent. Anything less just doesn’t make sense.

For years, we’ve had credible reports of highly accurate marketing that could only be based on health records. Now reports in the media have revealed “a nice little trade” in your health records – and that’s the Information Commissioner’s description, not ours.

These latest reports reveal two ways in which information about your health may be collected and sold on: from insurance forms you fill in and, in particular instances, from information provided to “the UK’s largest online pharmacy”, Pharmacy2U.

Given the number of people who have contacted us over the past two years about this, it is clear that these are not isolated occurrences. Pharmacy2U may have admitted to selling details to a direct marketing agency on a number of occasions, but it is not the only one.

This trade in people’s personal health information is insidious, and makes it all the more essential that the Government legislates clearly and consistently on the ongoing “commercial re-use” of our medical records.

Senior politicians may say something must be done about these latest incidents, but promises to crack down on dodgy data brokers and those who supply them with data ring hollow while the official trade in NHS patients’ information persists. (We note the promised Regulations under the Care Act 2014 – which should clarify the overly-broad definition,“the promotion of health”, that continues to legitimise commercial re-use of your medical information – were not laid before Parliament was Dissolved for the election.)

medConfidential has submitted a formal complaint to the Information Commissioner on behalf of patients who have contacted us after having been sent direct marketing materials in relation to their specific medical condition, treatment or diagnosis. The Information Commissioner’s Office has already begun an investigation, as has the General Pharmaceutical Council. And, given what the chair of the Health Select Committee has said, we hope Parliament will look into this promptly when it returns.

Your rights; take action

Section 11 of the Data Protection Act provides you with the “right to prevent processing for purposes of direct marketing”. You can issue a notice in writing to a data controller at any time, requiring them to cease – or not begin – using your personal information for marketing.

UPDATE 27/4/15: Given their objection to the way we previously expressed things, we asked Pharmacy2U shareholder EMIS – which has been offering a joint service with Pharmacy2U since trials in 2001 – how a patient might determine, without wasting GP time, if their practice is amongst one of the hundreds that have been using Pharmacy2U to provide postal prescriptions for years. EMIS has replied saying that Pharmacy2U is now an option in all practices that use Electronic Prescription Service Release 2 (EPSR2), and that patients with concerns “should contact Pharmacy2U directly”.

Our advice remains as we state below. If you are unsure whether you’re affected, we hope to have more information in our newsletter due out this Friday.

You may not recall nominating Pharmacy2U at your GP at any point over the last 14 years, but if you do not receive a paper prescription and you have ever received your medicines from a warehouse in Leeds rather than your local pharmacy, then it is likely that you did – and you may wish to take action.

If you are a customer of Pharmacy2U, or if you are concerned that your details may have been sold or passed to third parties by them or any other online pharmacy – or by any company to which you have provided information relating your health – we have created a template Section 11 Notice for you to download, fill in, print and post to the relevant organisation.

For Pharmacy2U only, please add your details where indicated:

• Pharmacy2U Section 11 Notice – MS Word (.doc) version / Rich Text (.rtf) alternate

For other companies, including insurance companies, please fill in the relevant details where indicated:

• Generic Section 11 Notice – MS Word (.doc) version / Rich Text (.rtf) alternate

You will note that our Section 11 Notice letter ends with a request for information about disclosures of your information for purposes other than marketing. This is because you have a further right, under Section 10 of the Data Protection Act – the “right to prevent processing”, if such processing would cause you “unwarranted and substantial damage or distress”.

At this point it is not absolutely clear whether Pharmacy2U or other companies have disclosed your information for purposes other than marketing; the wording of various Terms and Conditions suggests that they might. Our template letter therefore requests that the company tells you with whom it has already shared your information, and for what reason.

By sending our Section 11 Notice letter first, you should be told exactly what the company has done with your information. You can then follow up with a Section 10 Notice [1] on the basis of what you find out. Were you to send a Section 10 Notice straight away, the company should comply with your wishes – but you might not find out what has already been done with your information.

We would hope that companies will come clean, and take the opportunity to reassure those whose details they haven’t sold that their information has been kept confidential. If for any reason a company refuses to provide this information, please let us know.

medConfidential believes people should always know who has had access to their health-related information, and what it has been used for. As we have said to the Information Commissioner, you simply cannot trust an organisation that buries your consent options and which isn’t completely up front about what it has done or will do with your most sensitive personal information.

—

1) For your convenience, here is a template Section 10 Notice for you to download, fill in, print and post to the relevant organisation. If you are concerned to know what has been done with your information, we recommend you send this only after receiving a response to your Section 11 Notice.

For Pharmacy2U, please add your details where indicated:

• Pharmacy2U Section 10 Notice – MS Word (.doc) version / Rich Text (.rtf) alternate

For other companies, including insurance companies, please fill in the relevant details where indicated:

• Generic Section 10 Notice – MS Word (.doc) version / Rich Text (.rtf) alternate

—

UPDATE 20/4/15: We were contacted late on Friday by Pharmacy2U’s PR representative, who stated Pharmacy2U “has not sold information relating to patients’ medical conditions. Names and postal addresses only were provided.”

The PR firm provided the following statement, which we publish in full:

“We want to reassure our customers that Pharmacy2U does not and has never sold information relating to patients’ medical conditions to anyone.

Between November 2014 and December 2014, we trialled a small-scale project with Alchemy Direct Media (UK) Ltd, a data handling company registered with the Information Commissioner’s Office (ICO). 

This project involved us selling limited information – some customers’ names and postal addresses only – for use in selected marketing activity. No medical information, emails or telephone numbers were sold. In conducting this trial project, we acted in line with current data protection and ICO guidelines.

The sale of customer data for marketing purposes is a widespread practice within business and also government. However, in light of public concern about this issue we have decided not to continue with this trial and we can reassure our customers that Pharmacy2U will no longer share customer data for use in third party marketing. All data that was held by Alchemy Direct Media (UK) Ltd has been destroyed by them and is no longer available for use.

We have asked the Information Commissioner’s Office to work with us to review our privacy policy and have also contacted the General Pharmaceutical Council, our industry regulator, and the NHS, to discuss this matter. We await their follow-up report.”

The Health and Social Care Information Centre are aware that the number of patients affected by the mistake with the ‘Type 2’ / 9Nu4 objection is indeed much higher than their Chair first stated to Parliament, and they continue to accept – as they did from the start – that they will have to write directly to everyone concerned.

HSCIC’s acceptance that individually-addressed letters are necessary is to be welcomed, not least because it shows some lessons may have been learned from the previous history of NHS England’s care.data fiasco. But to avoid a repeat of previous communications disasters – including the junk mail leaflet and widespread confusion between care.data, the Summary Care Record and local direct care data-sharing initiatives – lessons from 2014 must not only have been learned. They must be seen to be learned.

As last year clearly demonstrated, there can only be one patient communications programme going ahead at a time, and it must be carefully coordinated with any and all other existing data-sharing programmes.

As NHS England Director for Patients and Information and (interim) SRO for care.data, Tim Kelsey, has washed his hands of any responsibility for this latest screw up, this is a clear opportunity for HSCIC to lead and demonstrate itself to be the reformed agency that it is striving to be, absent any interference from NHS England.

What needs to be done?

Dame Fiona Caldicott has articulated a number of tests and questions for the care.data programme as a whole. It would therefore make sense, as a starting point, to apply these to any proposed communications intended to correct the current consent catastrophe. Some tests (e.g. those in section 5, relating specifically to the care.data pathfinders) may not apply directly, and other tests may need to be added, but the as-yet-unanswered questions on the substance of what patients are told – and how it will be made true – continue to apply across the board.

The ‘Type 2’ correction cannot be implemented as a postcode lottery; it must be national, for all affected patients at once. And, unless Mr Kelsey’s promises of “no arbitrary deadline” are untrue, the care.data pathfinder process can happen after the national re-contacting has taken place. (And, if done as we suggest below, at no additional overall cost to DH and the public purse.)

As medConfidential has repeatedly stated, the SRO for the 9Nu4 correction programme – as for all large-scale patient data programmes – must be someone who is subject to GMC regulation.

A process to respect patient choice

A letter must be sent to each affected patient, the content of which should go through a similar consultation process to the one which NHS England stated it would follow for any revision of care.data – though HSCIC should do a better job of actually listening to advice and suggestions.

Given the need to rebuild public confidence, and out of an abundance of caution, letters must be sent to everyone who has expressed a consent preference, whether that was 9Nu4 (‘Type 2’), 9Nu0 (‘Type 1’) or SCR. The bungled communications last year resulted in many patients being given the wrong forms, and it is reasonable to assume that someone who doesn’t want their data to leave their GP practice to be shared for direct care purposes is unlikely to want it sold on for ‘secondary uses’.

Critically, the state of each patient’s ‘consent settings’ immediately before the letter hits their doormat must be as safe as possible. This may involve the introduction of a new code or codes, but the defaults must be set to respect patients’ existing choices.

The communication materials themselves must clearly and accurately reflect what happened, how it has been addressed, and what will happen going forwards. Unambiguous promises must be given to patients around secondary uses, consent and notification. (This may be a good opportunity to introduce personalised data usage reports to a group of data-concerned patients, trialling the process and explanation ahead of a wider communication.)

The letter should provide each patient sufficient information and clear choices to be able to arrive at one of the following 3 outcomes:

• NO FURTHER ACTION BY PATIENT [DEFAULT] – implement what patients were told would happen last Jan/Feb, i.e. opt out of secondary uses of their data collected from anywhere across the NHS, with no impact on their direct care. This would require our Spine proposal to be implemented.
• ACTION: Patient has changed their mind – opt them back in for secondary uses of their data collected from places other than their GP. Unless patient gives explicit consent, do not override any other settings, e.g. 9Nu0 or SCR. This would most likely be a subset of those who opted out of SCR, whose decision was inferred as a precaution.
• ACTION: Patient wants the ‘full 9Nu4 opt out’ – apply the opt out as 9Nu4 was (mistakenly) specified, i.e. HSCIC cannot pass on patient’s data, even for direct care. This is likely to be for a very small number of patients, but the option is clearly important to some people.

“No action” must be the default, and the default must continue to be safe and in the patient’s best interests, i.e. a system-wide consent option on the Spine, respected by all care providers.

It is important these choices are not merely expressions of choice, but immediate and effective realities. Patients whose trust has already been abused should not have to wait a further year for their decisions to be enacted. Ideally, this would be able to be reflected in a personalised data usage report for each patient, so they can see that – this time – their wishes have been properly respected.

Moving forward with care.data (or its successor)

Only once the ‘Type 2’ correction process has been completed – letters have been sent, patients have been given time to act, and their consent choices have been enacted – can the care.data pathfinder process restart.

Those in the pathfinder practices who have not been sent a letter as part of this process, can then be sent a letter and opt-out form for care.data and all secondary uses. (These letters may be modified based on any further lessons learned from the ‘Type 2’ process.) That only those patients who have not already opted out will be written to as part of the ‘new’ opt-out process means that people will not be being asked to opt out of something they’ve already opted out of.

It also means that the cost to the public purse of the programme as a whole should be almost identical to what NHS England currently proposes. The same number of envelopes will be posted (which is the vast majority of the cost) but there will need to be some more meetings to design the two sets of communications, not one – to ensure that what everyone is told is completely consistent. And true.

In the meanwhile, rather than rushing into the extraction of data that may not even provide the benefits claimed, care.data can be revisited, future needs properly identified and the many flaws in the design of the current programme can (hopefully) be corrected. And proposals to reduce the number of individual-level data flows can continue to be applied.

While it looks like the projection of over a million people having opted out will prove correct, it should be remembered that only 29% of people asked at the time had received a leaflet and nearly half the population was still unaware of the scheme at the point it was “paused”. Opt-out rates across the country are likely to be significant, and NHS England cannot afford to cause yet another collapse in public confidence.

This time, there is no option but to do it right.

NHS England is very clear, even now: “…this will not affect the care you receive.”

However, displaying their all-too-familiar lack of attention to detail, there currently is a problem – a mess they’re leaving someone else to clean up. That’s no surprise in the ongoing care.data fiasco. The surprise this time is just how badly they cocked it up.

Due to a mistake with one of the objection codes*, everyone who opted out with it will need to be contacted to confirm the details of a new, as yet unspecified, arrangement. Opting out now should mean you are contacted in that group.

If you did opt out last year, NHS England is at least correct in saying that your direct care has not been affected. As of now, none of the opt out codes have been extracted and the care.data programme has taken no information from your GP’s systems.

But because the codes have not been extracted, HSCIC has no way to know whose data to prevent passing on to its customers. Data releases resumed last summer; you can see the organisations which have received data in HSCIC’s quarterly Data Release Register.

Unfortunately at this point no-one, including HSCIC itself, can tell you if your data has been released – which is one example of why we’ve been pushing for personalised Data Usage Reports. With those in place, you would know.

We are working hard to ensure that your opt out is honoured, and that it does what you were told it would do – by us, and by NHS England.

medConfidential believes that wanting to preserve your privacy in the NHS should not exclude you from digital services in the NHS. Anyone who attempts to claim otherwise is blackmailing patients. Again.

—

*We were shown details in a letter, a couple of minutes before we gave evidence to the Health Select Committee on the 21st January. we suspect NHS England knew some time before then, as the ‘Type 2’ opt out codes had originally been scheduled to be uploaded last autumn.

NHS England posted ‘Important information on data sharing opt out’ at 17:24 on Friday 23rd January. Unfortunately, while the title of its announcement isn’t limited to just the care.data programme, all of the salient bullet points are. Its use of the phrase “the opt out” (not opt outs) is far from reassuring, and signals an imminent attempt to re-write history and break promises.

You will note NHS England’s announcement omits to tell you what you’ve just read in this post. If you want to be kept up to date with comprehensible information and facts you can act on:

We will post more details as we have them on our blog, and in our next newsletter on 30th January.

On 7 October, NHS England announced the four areas in which the care.data ‘pathfinders’ (pilots) will go ahead. They are:

• Leeds (3 CCGs: West / North / South and East)
• Blackburn with Darwen CCG
• West Hampshire CCG
• Somerset CCG

The announcement does not say which individual GP practices will be involved, and provides no actual date for when the pathfinders will start.

At this point we still don’t know exactly what GPs and patients in pathfinder practices will be told – or even if every patient will be written to directly with a form. NHS England says practices will send “individual letters, emails or texts” to patients, but that these are amongst “a variety of communications” that will be tested. A text notification is hardly better than a junk mail leaflet.

There are other significant unresolved issues:

1. Given the widespread confusion between care.data – which is for ‘secondary use’ only, i.e. purposes other than the direct care of the patient – and the Summary Care Record (SCR), will people who were confused between SCR, which may be used in direct care, and care.data, which will not, be made very clear about their existing consent settings?
2. What will patients who opted out in January or February, or since, be told? Will NHS England require any patients to visit their GP practice to opt out? Will an online opt out be provided?
3. Patients who opt out should have this respected by the Health and Social Care Information Centre (i.e. no data will be extracted from their GP record) but when will the opt out – currently the gift of the Secretary of State – be put on a statutory basis?
4. The Government claims to have added legal protections but when will the Care Act Regulations detailing crucial definitions such as use “for the promotion of health” and sanctions for misuse be laid before Parliament?
5. Who have the Department of Health consulted on the Care Act Regulations, to be implemented by HSCIC and the Health Research Authority, which are the basis for NHS England’s assurances to patients?
6. Claims to rule out “solely commercial” use look like a loophole; will any company which gets data from the HSCIC still be able to sell it on for ‘re-use’ by third parties? Will “the promotion of health” still permit uses such as marketing?
7. When will the new contracts and agreements be in place? Drafts on the HSCIC website still appear to permit commercial re-use and make no mention of ‘one strike and you’re out’ sanctions or access via safe settings.
8. The planned secure data facility (‘safe setting‘) at HSCIC to hold linked GP and hospital data is not yet built. What will patients be told about the use of their data?
9. Where will NHS patients’ individual-level data go in the longer term? Will their data ever be permitted to leave the secure data facility in any form other than publishable aggregated statistics?
10. As NHS England doesn’t know what will be effective, what principles will be followed to correct deficiencies in communications for any particular trial? medConfidential supports managed testing of processes, but we have seen no commitments to address trials that go less well.
11. What will patients and GPs be told about future changes to the care.data programme?

With so many unanswered questions and no detail at all on some of the most obvious – such as “Is my practice involved?” or “When will this happen?” – patients have every right to feel concerned. Unfortunately it seems the Director of Patients and Information still hasn’t provided patients with all the information they need.