Author Archives: Phil

Expanding the scope of care.data; no “back door” changes

While care.data is still on “pause”, it is clear that NHS England intends to proceed with the programme. Announcement of the ‘pathfinders’ (pilots) in between 100 and 500 GP practices, spread across up to 4 CCGs across England, is expected within the next few weeks.

medConfidential continues to insist that, unlike last time and as an absolute minimum, every patient must be written to and be given an opt out form. It remains to be seen if some practices will run an opt-in, as the BMA voted for earlier this summer.

But when patients are written to, what will they be told?

One thing that may have escaped many people’s attention is that the information NHS England intends to extract from the GP records of every man, woman and child in the country is not permanently fixed. It has already been noted that the care.data ‘code set’ [2.3MB Excel spreadsheet] excludes musculoskeletal conditions – a notable absence, given these are amongst the top reasons why people visit their GP.

If care.data (or whatever replaces it) does proceed then, over time, the information it gathers will quite clearly change. This may be to do with ‘missing’ areas such as musculoskeletal conditions, or even new conditions that can be recorded – Read Codes are updated twice annually. And NHS England has already declared in its usual unsubtle fashion that it intends to include “sensitive” conditions in due course.

Setting aside for the moment the inclusion of any particular condition, what is absolutely necessary is that any and all changes to the scope of care.data must have robust and transparent oversight and governance processes, and these processes must be clear before patients are asked for their consent.

Whether patients are asked to opt in or opt out it must be made absolutely clear what data will be used, for what purposes, and the processes by which these decisions can be changed by NHS England.

An open and unambiguous change process is necessary to ensure that NHS England’s promises to patients are meaningful – “We will follow this process” – and that GPs can say to their patients, “We will ensure they do”. To this end, medConfidential has written a short paper outlining the sort of process that we feel would be appropriate.

Any such process must be straightforward and understandable and should not merely be taken on trust, but based on knowledge. Patients or doctors with any concerns should be able to read the document containing the process that NHS England has agreed to follow in advance of them accepting that promise.

If care.data is to proceed, there must be a process in which the public can have confidence – and in which the public can be seen to have confidence – for how the programme changes over the next years, or decades. It’s not just that modifications should not be sneaked through the backdoor; the process must not have a back door.

RCGP Annual Conference in Liverpool, 4 October 2014

care.data – Big Brother watching us?

An expert panel give their views on data and its use, followed by discussion.

Date: 9:30am, Saturday 4th October 2014
Location: Arena and Convention Centre Liverpool, Kings Dock, Liverpool Waterfront, L3 4FP

Chair

  • Prof Nigel Mathers, Honorary Secretary, RCGP

Speakers

  • Tim Kelsey, National Director for Patients and Information, NHS England
  • Dr Chaand Nagpaul, Chair, GPC
  • Phil Booth, Coordinator, medConfidential

EMIS National User Group annual conference, 26 September 2014

EMIS NUG Keynote speech

care.data: consensual, safe and transparent?

Date: 10:00am, Friday 26th September 2014
Location: Main Theatre, East Midland Conference Centre, Nottingham

It’s been over 6 months since NHS England pressed “pause” on care.data, following public and professional outcry. What has changed? How have the scheme and bodies involved addressed the concerns of GPs, patients and providers? And is it enough?

medConfidential Bulletin, 5 September 2014

It’s been just over 6 months since NHS England pressed “pause” on care.data, so we thought now would be a good time to provide a round-up of what’s been happening. Some things have changed since you last heard from us, some things unfortunately haven’t.

What just happened?

Minutes published by the revived Data Access Advisory Group (DAAG) at HSCIC earlier this week revealed that an unnamed organisation has been using HES and ONS data “for commercial activity in addition to the purposes they had stated when applying for approval”.

This is deeply concerning, especially given repeated assurances by Ministers and officials that commercial exploitation of NHS patients’ data will not be permitted. We wrote with urgent questions on Tuesday and are waiting for a reply; it seems that while the ‘new world’ detection regime may be beginning to work, we are still stuck with ‘old world’ incident handling.

This is precisely the sort of offence that ‘one strike’ sanctions would address; the perpetrator would have to delete the data, provide proof that it had been deleted, would have their current contract(s) revoked, and would not receive data in future. Merely “asking the data recipient to cease using the data” shows how far we still have to go.

Consensual

A survey by GP magazine Pulse over the summer suggests nearly one third of GPs would opt their patients out of care.data if NHS England ignores the BMA’s vote for the scheme to be opt-in. GPs across the country report that patients are continuing to opt out; one in St Helens confirms that “opt outs in her surgery currently stood at 20%”. And even NHS England’s Deputy Medical Director has called for parts of care.data to be opt-in.

medConfidential proposed a way in which NHS England could empower GPs who want to protect their patients’ confidentiality and also allow consensual research, but it appears the official still pushing the scheme just doesn’t want to.

Safe

We’ve said many times that the nation’s medical records are more valuable than the Crown Jewels; it appears parts of the system have got the message, and the Health Select Committee was given assurances (Q433 & Q504) that – for the ‘pathfinder’ phase at least – care.data extracts will only go into a ‘safe setting’. This is the secure data facility that some have called a “fume cupboard” and which we have previously discussed as ‘HRRDL’, a tightly locked-down Health Remote Research Data Laboratory.

We have to hold them to these assurances, and one of our current tasks is to make all parts of the system understand and respect the promises some parts have now made. Meanwhile, there have been a slew of consultations to respond to – hardly light beach reading! – including the Department of Health’s on ‘Accredited Safe Havens’, HSCIC’s Confidentiality Code of Practice and new data sharing contracts and agreements. And we continue to point out problems and ask difficult questions when attending the care.data advisory group.

Transparent

Unfortunately NHS England’s senior staff are still clueless on this front. They won’t confirm whether every patient will be written to, with an opt out form. We keep asking. They won’t even confirm if they wrote to every Clinical Commissioning Group asking if they’d like to volunteer to be a care.data ‘pathfinder’. So we wrote to the CCGs ourselves, who confirmed that NHS England hadn’t.

Meanwhile, the search for a replacement ‘Senior Responsible Officer’ for care.data continues. It’s the archetypical hot potato. We had some questions for candidates to ask the panel at interview. Things at HSCIC seem a bit more organised, and – with certain unfortunate exceptions – there are real signs they are working to improve their systems and procedures. But ongoing scrutiny is required.

Over the summer, we learnt more about the operations of the ‘National Back Office’ and access by law enforcement agencies – first outed in the Partridge Review, with more detail in July’s Data Release Register. Given the co-location of so much sensitive data at Smedley Hydro, it may be that the permanent solution for this would be to move birth, marriage and death registrations out of the Home Office.

Where next?

Details of the care.data ‘pathfinders’ of “between 100 and 500 GP practices in the autumn” are still sketchy. NHS England won’t – or can’t – say where they will be, when they will start, or what exactly they’ll be doing. We’ll update you as soon as we know anything definite.

Meanwhile, Phil will be speaking at a number of events in coming weeks, including:

We are a tiny under-resourced campaign, but if you would like someone from medConfidential to address a meeting of your patient representative group or local HealthWatch please get in touch via coordinator@medconfidential.org. We’ll do our best to provide a speaker.

How can you help?

We still need your help spotting inappropriate consent forms – and this is not just about enforced Subject Access Requests by insurance companies. We’ve seen forms requiring patients to agree to having their data used for purposes other than their medical care or to having their medical information processed overseas. Help us root out these abuses of consent and confidentiality wherever they occur.

And finally

medConfidential’s work continues. For example, we are pushing for patient-level audit trails – not just a quarterly data release register – that would mean you could see exactly how your data, your experiences, your life, had contributed to particular pieces of research, and read the papers from the researchers that advance knowledge.

What we do may not always be headline-hitting, but we believe keeping every use of your medical information consensual, safe and transparent is essential. There are benefits to be had, but only if things are done right.

Please do forward this newsletter to your friends and family. They can receive future editions by joining our mailing list at http://medconfidential.org/contact/

Phil Booth and Sam Smith
Coordinators, medConfidential
5th September 2014

care.data public debate in Oxford, 10 September 2014

Co-hosted by Oxford Health Experiences Institute and Healthwatch Oxfordshire

Date: 5.30pm, Wednesday 10 September 2014

Location: Lecture Theatre 2, Mathematical Institute, University of Oxford, Andrew Wiles Building, Radcliffe Observatory Quarter, Woodstock Road, Oxford OX2 6GG

This event, co-hosted by the Oxford Health Experiences Institute and Healthwatch Oxfordshire, aims to explore the issues associated with sharing health information and the care.data programme.

The debate is being chaired by Dame Fiona Caldicott from Oxford University Hospitals Trust. The panel comprises John Appleby, Chief Economist from the Kings Fund, Phil Booth from medConfidential and John Carvel, the health and social care journalist.

HSCIC fills in some gaps, while DH and NHS England seem to have forgotten something

The Health and Social Care Information Centre has produced its latest data release register, following the Partridge Review. Two lines and one whole section jump out.

Experian, which most people know as a credit reference agency, sells a product called Mosaic: a database which subdivides your neighbourhood, and every other neighbourhood in the country, into a variety of categories, which are then used for all sorts of purposes – from selling you burgers to insuring your house or car.

We don’t yet know when, but sometime this year HSCIC approved the sale of 3 datasets of hospital episodes (inpatient, outpatient and A&E) to Experian, to help it produce Mosaic “postal sector level” profiles. In the data released, individuals’ diagnoses are linked, via pseudonyms, across events and the various data sets used.

The stated purpose of Mosaic is commercial. Mosaic is used by marketing firms to target people such as “Vulnerable young parents needing substantial state support” (category O69) and “Childless new owner occupiers in cramped new homes” (H35). Experian, as elsewhere, may offer a figleaf of fragments for researchers to give a fake appearance of legitimacy but we’re not fooled. Whatever the spin, this is commercial exploitation of NHS patients’ data.

We shall have to wait and see how HSCIC will interpret the new rules in the Care Act, which this particular release may predate. Will such uses by Experian and commercial marketers be classified as “promotion of health”? Public trust hangs in the balance.

Despite ongoing concern about selling data to insurers, we see that “General Reinsurance” also appears in the list – requesting a customised extract of inpatient data for the whole country in aggregated form. If properly aggregated as statistics, such as the ones HSCIC routinely produces and releases as open data, then we would expect to see this published as open data as well, but we’ve not found it yet.

If these are genuine statistics, then publishing them shouldn’t be a problem. Selling custom extracts, however, puts HSCIC in the position of providing data for private commercial advantage rather than for the benefit of all. Given the huge sensitivities around use by insurers, we have suggested this is not such a good idea.

(For the 6 studies mentioned which involve DNA and/or genomic data, we’re working with our friends at GeneWatch UK to examine what is already public knowledge, and where further information must be requested.)

Though still lacking in detail – no mention of dates, nor links to official approvals or audited deletions – at least this release of the register shows that HSCIC is trying to be more transparent in its actions. C+ for effort, but let’s see fewer omissions next time.

‘National Back Office’

After repeated denials about police access, one of the big surprises in the Partridge Review was the discovery of a whole department dealing with ‘trace requests’ from law enforcement agencies and the courts. Such requests, if approved, attempt to track down individuals using the national electronic database of NHS patient demographic details.

The latest register shows there was a large spike in requests from the Home Office in 2013. It’s not clear if the UK Border Agency’s absorption into the Home Office explains some or all of this increase, nor if other subsidiary agencies of the Home Office make requests. Police requests are recorded separately – and are broken down in a bit more detail in the press release – but we do wonder which other agencies are using section 29(3) of the Data Protection Act.

Given the number of bodies and agencies working out of Smedley Hydro, these relationships cannot afford to be murky – absolute clarity is required.

Crashing consultations in the ‘IG universe’?

NHS England's "IG universe"

Also in the last week we’ve seen a new consultation from the Department for Health on, amongst other things, “Accredited Safe Havens” (ASHs) for commissioning.

Individual-level patient data is already being passed around for purposes such as invoice reconciliation, using what was supposed to be ‘emergency’ Section 251 support. This consultation is about doing it slightly less badly. Though clearly desperate to avoid the contamination of any association with the toxic care.data scheme, DH appears to be saying that patient-level data gathered under care.data could be passed around Accredited Safe Havens.

Uh oh.

One thing that had begun to generate confidence was HSCIC’s statement that, under care.data, the only place to which any data extracted from GP systems would go was into a safe setting – what medConfidential calls a Health Research Remote Data Laboratory. (We think ‘HRRDL’ sounds better than ‘fume cupboard’.) This was good news, and a necessary step for public confidence in any extraction of their identifiable data.

But despite HSCIC having said this in public statements and directly to Parliament’s Health Select Committee, the Department of Health clearly hasn’t thought through the implications for this consultation, which is on the flows of data for commissioning – the sole use of care.data for which NHS England has at this point received approval.

This isn’t necessarily a complete contradiction, as patient data will be collected from providers other than GPs and be passed around in other ways – but one might hope that DH would have thought through the implication of its own arms length body’s commitments, rather than taking NHS England’s steamroller approach to governance and schedules.

Another notable feature of the DH consultation is the way it contradicts assumptions made in an NHS England consultation on “Priority Issues in Information Governance”, which opened in February 2014 and should have closed at the end of April. As with much of NHS England’s Information Governance, its ‘Priority Issues’ consultation is an ill-considered mess: surely NHS England has shifted its world view since early February? Given all that has come to light, why has the consultation not been withdrawn or re-issued?

So, other than statements by HSCIC, we’re seeing scant evidence that lessons have been learnt.

HSCIC proposes to limit the number of copies of the nation’s medical records that it hands out for various purposes. This is both welcome and achievable, but it requires both DH and NHS England to accept that business as usual is no longer an option.

[PRESS RELEASE] BMA votes for care.data scheme to be opt-in

For immediate release – Wednesday 25th June

The BMA’s Annual Representatives Meeting voted this morning for the controversial care.data scheme to be “an opt-in system rather than an opt-out one”.

All five parts of motion 356 [1] were carried:

* 356. Motion by the Agenda Committee (motion to be proposed by the Suffolk Division)

That this Meeting agrees that the care.data system should not continue in its present form as:

i. it lacks confidentiality and there is a possibility for individual patient data to be identified
ii. it carries the risk of GPs losing the trust of their patients who may feel constrained in confiding in them
iii. the future potential users of the data are not well defined
iv. it should be an opt-in system rather than an opt-out one
v. the data should only be used for its stated purpose for improving patient care and not sold for profit.

This follows polling from Ipsos MORI, commissioned by the Joseph Rowntree Reform Trust Ltd [2], that shows half of the population (51%) say they have never heard of the care.data scheme. The survey also shows that while 27% of the public would support an opt out approach to sharing of their medical records, 40% think it should be opt in (although 10% say that it would be fine to use their data without their knowledge or consent).

Phil Booth, coordinator of medConfidential [3], said:

“The democratic body of the medical profession has voted for the care.data scheme to be opt-in. Will NHS England push on regardless, ignoring the views of the people who know best just how vital confidentiality is for patient care?

“What’s needed now is a full inquiry into how NHS England mishandled patient consent into this mess – decisions taken by officials, repeated failures to properly inform the public and professionals and what looks like a collapse in governance under the quango that’s now running the NHS.”

– ends –

Notes for editors

1) Motions on BMA ARM website: http://bma.org.uk/working-for-change/arm-2014-info/agenda/health-information-management-and-it

2) Topline results now published online; care.data-related questions are Q4 – Q7: http://www.ipsos-mori.com/researchpublications/researcharchive/3407/Privacy-and-personal-data.aspx

3) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

– ends –

[PRESS RELEASE] medConfidential welcomes NHS England medical director’s call for care.data to be partially opt-in

For immediate release – Tuesday 24th June

Before the critical care.data vote at the British Medical Association’s Annual Representatives’ Meeting tomorrow [1], patient privacy campaigners today welcomed statements by Dr Mike Bewick, deputy medical director at NHS England, who told GPs at a medical conference that parts of the Government’s controversial care.data scheme should be ‘opt-in’ only [2].

Latest polling figures commissioned by the Joseph Rowntree Reform Trust Ltd from Ipsos MORI [3] show half of the population (51%) say they have never heard of the care.data scheme. And generally amongst the public, while 27% would support an opt out approach to sharing of their medical records, 40% think it should be opt in (although 10% say that it would be fine to use their data without their knowledge or consent).

medConfidential’s proposed hybrid opt-in/opt-out approach – ‘Local Choice’ [4] – would offer GPs and patients straightforward choices that reflect clear public and professional concern while acknowledging the benefits that may be gained from legitimate research use.

Phil Booth, coordinator of medConfidential [5], said:

“The Information Centre has acknowledged how wrong it was and is moving to restore public confidence. We hope Dr Bewick’s statements indicate a similar shift in thinking by the bosses of NHS England.

“While we all may benefit from genuine medical research, commercial exploitation was never part of the NHS social contract. With such low levels of public awareness and high levels of opposition amongst doctors, we think it is time patients were offered choices that reflect their real concerns.”

Notes for editors

1) Composite motion to be voted on at the BMA’s Annual Representatives’ Meeting: http://bma.org.uk/working-for-change/arm-2014-info/agenda/health-information-management-and-it

356. Motion by the Agenda Committee (to be proposed by the Suffolk Division)

That this Meeting agrees that the care.data system should not continue in its present form as:

  1. it lacks confidentiality and there is a possibility for individual patient data to be identified
  2. it carries the risk of GPs losing the trust of their patients who may feel constrained in confiding in them
  3. the future potential users of the data are not well defined
  4. it should be an opt-in system rather than an opt-out one
  5. the data should only be used for its stated purpose for improving patient care and not sold for profit.

2) Reported in Pulse, 20/6/14: http://www.pulsetoday.co.uk/your-practice/practice-topics/it/parts-of-caredata-should-be-opt-in-only-says-nhs-england-director/20007039.article#.U6RsOrHryK4

3) From the Joseph Rowntree Reform Trust Ltd’s ‘Privacy and Personal Data’ poll, conducted face-to-face with British adults aged 15+ by Ipsos MORI from 25/4/14 to 1/5/14. Data are weighted and the base size is 1958. Full data will be published at www.ipsos-mori/caredata on 25/6/14:

Q1   How well, if at all, would you say you know the care.data proposal?

  • Know very well: 3%
  • Know fairly well: 9%
  • Know a little: 19%
  • Heard of but not sure what it is: 13%
  • Never heard of: 51%
  • Don’t know: 4%
  • Know at least a little (net): 31%
  • At least heard of (net): 44%

Q2   Thinking about the care.data proposal, which of the following best represents your view on how, if at all, your GP should be able to share information from your medical records with the care.data programme?

  • My GP should be allowed to share my data automatically without needing my knowledge and consent: 10%
  • My GP should be allowed to share my data automatically as long as I know about it and do not object or opt out: 27%
  • My GP should only be allowed to share my data if I know about it and have given my explicit consent and opt in: 40%
  • My GP should not be allowed to share my data under any circumstances: 13%
  • I would need more information to make a decision: 7%
  • Don’t know: 4%

4) ‘Local Choice’ devolves the opt-in/opt-out decision to GPs at practice level, with patients written to with the choice of opting out of ethically-approved research or opting in for all secondary uses. All existing consent choices must be respected.

medConfidential note for BMA ARM, 25 June:

https://medconfidential.org/wp-content/uploads/2014/06/2014-06-11-Achieving-local-choice-and-consensual-research-use.pd

medConfidential note for LMC Conference, 23 May:

https://medconfidential.org/wp-content/uploads/2014/05/2014-05-15-Note-for-LMC-conference.pdf

5) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

– ends –

‘Gaming’ consent, and how YOU can help

medConfidential is deeply concerned at the growing use of enforced Subject Access Requests by insurance companies to acquire cut-price back-door copies of an applicant’s entire medical record, while at the same time we are seeing pharmaceutical companies deny researchers access to individual-level detail on clinical trial results for which volunteers’ explicit consent should have been freely granted.

It seems that in both cases companies are taking a position based on corporate self-interest rather than the patient’s or public interest. They are ‘gaming’ consent. Information cannot be both ‘nothing to worry about’ when companies want it to make decisions about you, yet ‘too sensitive to reveal’ when it exposes them and their decisions to scrutiny; mandatory on the one hand, prohibited on the other.

Only last week, the European Medical Agency modified its plans to allow researchers to print and copy clinical trial reports – information necessary for safe, independent evaluations of whether drugs work the way the companies selling them say they do. Meanwhile insurers continue to push patients into handing over their entire medical history via Subject Access Requests. Of course a SAR also gives the insurer far more information than they would receive from a properly paid-for GP report, which they will then keep for later use.

Forms we’ve seen include wording like, “You do not need to give your permission, but if you do not, we will not be able to proceed with your application” and “This will give us permission to obtain a full copy of your health records from your doctor so we can assess your application or any future claims” (our emphasis). The language is often understated and companies adopt different ‘nudge’ approaches, e.g. providing applicants with a SAR-only consent form but making them specifically request a GP report form.

We’re hoping you can help build an evidence base, providing a wider range of examples to demonstrate the systematic nature of these problems.

We don’t want your personal information! But if you have a copy of a clinical trial medical record release consent form (from 2010 onwards) or if you have been given a Subject Access Request consent form so an insurer can get records from your GP (again, from any time after 2010) please could you scan or e-mail a digital copy to forms@medconfidential.org?

If all you have is a filled-in copy of your form, please remove or black out all of your personal details before you send anything. If you’re not sure how to do this, or if you have any other questions, please email forms@medconfidential.org – our apologies if it takes us a few days to get back to you, we are busy fighting on a number of fronts at present.

What we are after is the wording of the forms themselves, such as the lines we quoted above. It is these we intend to share with other organisations; language about data re-use will likely be of interest to colleagues on the allTrials.net team and we’re sure the Information Commissioner will pay close attention to the varied forms of coercion used around Subject Access Requests.

If you don’t have a form, you can still help by tweeting or passing on a link to this article. The more examples we can gather, the stronger the case.

[PRESS RELEASE] Patching HSCIC’s holes: medConfidential initial response to the Partridge Review

For immediate release – Tuesday 17 June 2014

The Partridge review of data releases by the NHS Information Centre, published today, indicates systemic failures in the handling of patient information over a period of 8 years. In the 10% sample chosen for closer examination, multiple breaches of proper procedure were discovered, including:

  • improper record-keeping
  • “lack of evidence to support” processes and controls
  • lack of clarity over contractual agreements; confusion over data sharing vs. re-use
  • lack of systematically-applied audit; no audited deletion of data

In at least two instances, HSCIC admits it doesn’t even know who patient data was sent to, or how many years of patient treatment data they sent.

Phil Booth, coordinator of medConfidential [1], said:

“The Information Centre would clearly like to draw a line and move on, and Sir Nick’s recommendations are to be welcomed in that regard, but what about consequences?

“Breaches of several thousand patient records have resulted in massive fines and prosecutions [2]; the serious failings discovered within just the sample chosen will involve millions of people’s medical records. And what about the 9 out of 10 releases that weren’t examined?”

Regarding gaps in the information:

“It’s bad enough that patient data was being sold to so many private companies and passed to Government departments. Not being able to say who got their hands on patient data in every instance is astounding. Tim Kelsey’s assertion [3] that there have been ‘no breaches in 25 years’ has been blown out of the water.”

As to future action:

“Patients have every right to be appalled at this litany of failures. What this demonstrates is that without end-to-end audit and timely feedback, so patients can know who has their data and what they are doing with it, the system will not be fully trusted.

“HSCIC’s new management says it will set the highest bar for transparency and good practice, but who will oversee them? Good intentions are fine, but an independent watchdog with teeth – such as the government just rejected [4] – would provide public confidence.

“If the government and NHS England want to continue to reassure the public that companies won’t be exploiting their data for profit, then HSCIC must find and close down every last commercial re-use licence.”

Notes for editors

1) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

2) List of monetary penalty notices and prosecutions issued by the Information Commissioner’s Office: http://ico.org.uk/enforcement/fines and http://ico.org.uk/enforcement/prosecutions. Just yesterday, details emerged of breaches involving 10,000 patients’ records: http://www.bbc.co.uk/news/uk-england-27864798 – by comparison, Hospital Episode Statistics (HES) in any one year amounts to around 100 million patient episodes.

3) On BBC Radio 4’s Today programme, 4/2/14: https://www.lightbluetouchpaper.org/2014/02/04/untrue-claims-by-nhs-it-chief/ which we followed up with a FOI request, which revealed breaches in each year from 2009-2012: https://www.whatdotheyknow.com/request/independent_audits_of_hessus_and#incoming-502600

4) An amendment that would have reinstated independent, overarching information governance for the entire health and care system on a statutory basis – abolished under the Health and Social Care Act – was rejected in the final stages of the Care Bill this May. See medConfidential’s briefing for more detail, including the fact that the ‘McDonald’s clause’ (“the promotion of health”) will still permit commercial exploitation: https://medconfidential.org/wp-content/uploads/2014/05/medConfidential-briefing-for-Care-Bill-ping-pong_07May.pdf

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

– ends –