While care.data is still on “pause”, it is clear that NHS England intends to proceed with the programme. Announcement of the ‘pathfinders’ (pilots) in between 100 and 500 GP practices, spread across up to 4 CCGs across England, is expected within the next few weeks.

medConfidential continues to insist that, unlike last time and as an absolute minimum, every patient must be written to and be given an opt out form. It remains to be seen if some practices will run an opt-in, as the BMA voted earlier this summer.

But when patients are written to, what will they be told?

One thing that may have escaped many people’s attention is that the information NHS England intends to extract from the GP records of every man, woman and child in the country is not permanently fixed. It has already been noted that the care.data ‘code set’ [2.3MB Excel spreadsheet] excludes musculoskeletal conditions – a notable absence, given these are amongst the top reasons why people visit their GP.

If care.data (or whatever replaces it) does proceed then, over time, the information it gathers will quite clearly change. This may be to do with ‘missing’ areas such as musculoskeletal conditions, or even new conditions that can be recorded – Read Codes are updated twice annually. And NHS England has already declared in its usual unsubtle fashion that it intends to include “sensitive” conditions in due course.

Setting aside for the moment the inclusion of any particular condition, what is absolutely necessary is that any and all changes to the scope of care.data must have robust and transparent oversight and governance processes, and these processes must be clear before patients are asked for their consent.

Whether patients are asked to opt in or opt out it must be made absolutely clear what data will be used, for what purposes, and the processes by which these decisions can be changed by NHS England.

An open and unambiguous change process is necessary to ensure that NHS England’s promises to patients are meaningful – “We will follow this process” – and that GPs can say to their patients, “We will ensure they do”. To this end, medConfidential has written a short paper outlining the sort of process that we feel would be appropriate.

Any such process must be straightforward and understandable and should not merely be taken on trust, but based on knowledge. Patients or doctors with any concerns should be able to read the document containing the process that NHS England has agreed to follow in advance of them accepting that promise.

If care.data is to proceed, there must be a process in which the public can have confidence – and in which the public can be seen to have confidence – for how the programme changes over the next years, or decades. It’s not just that modifications should not be sneaked through the backdoor; the process must not have a back door.

The Health and Social Care Information Centre has produced its latest data release register, following the Partridge Review. Two lines and one whole section jump out.

Experian, which most people know as a credit reference agency, sell a product called Mosaic; a database which subdivides your and every other neighbourhood in the country into a variety of categories, which are then used for all sorts of purposes – from selling you burgers to insuring your house or car.

We don’t yet know when, but sometime this year HSCIC approved the sale of 3 datasets of hospital episodes (inpatient, outpatient and A&E) to Experian, to help it produce Mosaic “postal sector level” profiles. In the data released, individuals’ diagnoses are linked, via pseudonyms, across events and the various data sets used.

The stated purpose of Mosaic is commercial. Mosaic is used by marketing firms to target people such as “Vulnerable young parents needing substantial state support” (category O69) and  “Childless new owner occupiers in cramped new homes” (H35). Experian, as elsewhere, may offer a figleaf of fragments for researchers to give a fake appearance of legitimacy but we’re not fooled. Whatever the spin, this is commercial exploitation of NHS patients’ data.

We shall have to wait and see how HSCIC will interpret the new rules in the Care Act, which this particular release may predate. Will such uses by Experian and commercial marketers be classified as “promotion of health”? Public trust hangs in the balance.

Despite ongoing concern about selling data to insurers, we see that “General Reinsurance” also appears in the list – requesting a customised extract of inpatient data for the whole country in aggregated form. If properly aggregated as statistics, such as the ones HSCIC routinely produces and releases as open data, then we would expect to see this published as open data as well, but we’ve not found it yet.

If these are genuine statistics, then publishing them shouldn’t be a problem. Selling custom extracts, however, puts HSCIC in the position of providing data for private commercial advantage rather than for the benefit of all. Given the huge sensitivities around use by insurers, we have suggested this is not such a good idea.

(For the 6 studies mentioned which involve DNA and/or genomic data, we’re working with our friends at GeneWatch UK to examine what is already public knowledge, and where further information must be requested.)

Though still lacking in detail – no mention of dates, nor links to official approvals or audited deletions – at least this release of the register shows that HSCIC is trying to be more transparent in its actions. C+ for effort, but let’s see fewer omissions next time.

‘National Back Office’

After repeated denials about police access, one of the big surprises in the Partridge Review was the discovery of a whole department dealing with ‘trace requests’ from law enforcement agencies and the courts. Such requests, if approved, attempt to track down individuals using the national electronic database of NHS patient demographic details.

The latest register shows there was a large spike in requests from the Home Office in 2013. It’s not clear if the UK Border Agency’s absorption into the Home Office explains some or all of this increase, nor if other subsidiary agencies of the Home Office make requests. Police requests are recorded separately – and are broken down in a bit more detail in the press release – but we do wonder which other agencies are using section 29(3) of the Data Protection Act.

Given the number of bodies and agencies working out of Smedley Hydro, these relationships cannot afford to be murky – absolute clarity is required.

Crashing consultations in the ‘IG universe’?

Also in the last week we’ve seen a new consultation from the Department for Health on, amongst other things, “Accredited Safe Havens” (ASHs) for commissioning.

Individual-level patient data is already being passed around for purposes such as invoice reconciliation, using what was supposed to be ‘emergency’ Section 251 support. This consultation is about doing it slightly less badly. Though clearly desperate to avoid the contamination of any association with the toxic care.data scheme, DH appears to be saying that patient-level data gathered under care.data could be passed around Accredited Safe Havens.

Uh oh.

One thing that had begun to generate confidence was HSCIC’s statement that, under care.data, the only place to which any data extracted from GP systems would go was into a safe setting – what medConfidential calls a Health Research Remote Data Laboratory. (We think ‘HRRDL’ sounds better than ‘fume cupboard’.) This was good news, and a necessary step for public confidence in any extraction of their identifiable data.

But despite HSCIC having said this in public statements and directly to Parliament’s Health Select Committee, the Department of Health clearly hasn’t thought through the implications for this consultation, which is on the flows of data for commissioning – the sole use of care.data for which NHS England has at this point received approval.

This isn’t necessarily a complete contradiction, as patient data will be collected from providers other than GPs and be passed around in other ways – but one might hope that DH would have thought through the implication of its own arms length body’s commitments, rather than taking NHS England’s steamroller approach to governance and schedules.

Another notable feature of the DH consultation is the way it contradicts assumptions made in an NHS England consultation on “Priority Issues in Information Governance“, which opened in February 2014 and should have closed at the end of April. As with much of NHS England’s Information Governance, its ‘Priority Issues’ consultation is an ill-considered mess: surely NHS England has shifted its world view since early February? Given all that has come to light, why has the consultation not been withdrawn or re-issued?

So, other than statements by HSCIC, we’re seeing scant evidence that lessons have been learnt.
HSCIC proposes to limit the number of copies of the nation’s medical records that it hands out for various purposes. This is both welcome and achievable, but it requires both DH and NHS England to accept that business as usual is no longer an option.

medConfidential is deeply concerned at the growing use of enforced Subject Access Requests by insurance companies to acquire cut-price back-door copies of an applicant’s entire medical record, while at the same time we are seeing pharmaceutical companies deny researchers access to individual-level detail on clinical trial results for which volunteers’ explicit consent should have been freely granted.

It seems that in both cases companies are taking a position based on corporate self-interest rather than the patient’s or public interest. They are ‘gaming’ consent. Information cannot be both ‘nothing to worry about’ when companies want it to make decisions about you, yet ‘too sensitive to reveal’ when it exposes them and their decisions to scrutiny; mandatory on the one hand, prohibited on the other.

Only last week, the European Medical Agency modified its plans to allow researchers to print and copy clinical trial reports – information necessary for safe, independent evaluations of whether drugs work the way the companies selling them say they do. Meanwhile insurers continue to push patients into handing over their entire medical history via Subject Access Requests. Of course a SAR also gives the insurer far more information than they would receive from a properly paid-for GP report, which they will then keep for later use.

Forms we’ve seen include wording like, “You do not need to give your permission, but if you do not, we will not be able to proceed with your application”and“This will give us permission to obtain a full copy of your health records from your doctor so we can assess your application or any future claims” (our emphasis). The language is often understated and companies adopt different ‘nudge’ approaches, e.g. providing applicants with a SAR-only consent form but making them specifically request a GP report form.

We’re hoping you can help build an evidence base, providing a wider range of examples to demonstrate the systematic nature of these problems.

We don’t want your personal information! But if you have a copy of a clinical trial medical record release consent form (from 2010 onwards) or if you have been given a Subject Access Request consent form so an insurer can get records from your GP (again, from any time after 2010) please could you scan or e-mail a digital copy to forms@medconfidential.org?

If all you have is a filled-in copy of your form, please remove or black out all of your personal details before you send anything. If you’re not sure how to do this, or if you have any other questions, please email forms@medconfidential.org – our apologies if it takes us a few days to get back to you, we are busy fighting on a number of fronts at present.

What we are after is the wording of the forms themselves, such as the lines we quoted above. It is these we intend to share with other organisations; language about data re-use will likely be of interest to colleagues on the allTrials.net team and we’re sure the Information Commissioner will pay close attention to the varied forms of coercion used around Subject Access Requests.

If you don’t have a form, you can still help by tweeting or passing on a link to this article. The more examples we can gather, the stronger the case.