Author Archives: Phil

PRESS RELEASE: medConfidential responds to announcement of a 6 month delay to care.data uploads

For immediate release – Tuesday, 18 February 2014

In response to the announcement by Tim Kelsey that NHS England will be postponing the uploading of confidential patient data under the care.data scheme for 6 months [1], Phil Booth, coordinator of medConfidential [2] said:

“Finally, officials at NHS England have seen reason. To upload millions of patients’ confidential data without providing full and proper information or seeking consent would have been the largest breach of confidence in NHS history.

“It still could be, if NHS England does not now write to each patient in England individually by name, explaining the risks it has acknowledged as well as the claimed benefits. And this time they’d better not forget to include an opt out form.

“This delay will mean nothing if the care.data programme is not overhauled to provide patients with a clear and constantly updated picture of exactly who will have access to their data, why and what for. The entire scheme could do with a radical dose of transparency.”

– ends –

Notes for editors

1)      See, e.g. http://www.bbc.co.uk/news/health-26239532

2)    medConfidential campaigns for confidentiality and consent in health and social care. Our goal is to see that every flow of data into, within and out of the NHS is consensual, safe and transparent. Founded in January 2013 in response to the imminent and serious threat posed by radical changes in the way patient health information is to be collected and passed on, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals. Opt out forms and letters available here: www.medconfidential.org/how-to-opt-out/

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org 

Keep My Secrets

A short film to make you think:

It’s not right to take things without permission.

So why does the government think it’s OK to suck up confidential information to a giant new central database from the medical records of every man, woman and child in England? Or to sell our data to private companies or maybe even let the police have access?

And why does the arms-length body in charge of the NHS in England think a junk mail leaflet is sufficient ‘notice’ to start extracting 50 million people’s most private information from their GP? That’s not permission.

Opt out NOW… and don’t forget your children!

Video produced by WPL
Thanks to Martin Gibbs (teacher) and the girls of Torquay Girls’ Grammar School
Simon Lambros ‘Journeying’ from Audio Network with permission

Public meeting in London, 7:30pm, 17/3/14: Threats to your medical confidentiality

Hosted by ORG London – meetup page

WHEN: Monday, March 17, 2014 from 7:30pm

WHERE: The Open Data Institute, 3rd Flood, 65 Clifton St, London

SPEAKER: Phil Booth, coordinator of medConfidential­ and former National Coordinator of NO2ID will be giving month’s talk on care.data.

Significant changes to how your medical data is handled are happening now. Medical data that was previously under the control of your GP is going to be uploaded to a central database at the Health and Social Care Information Centre, from where it will be shared with companies and organisations inside and outside the NHS for a range of purposes, none of which are to with your direct medical care.

Phil will be explaining more about what’s happening and how you can opt out of the changes. Talk starts at 7.30pm

formFix: help protect your GP from NHS England’s data protection fines

[This blog post now has its own page in the ‘For patients’ section.]

While brave GPs are being bullied into handing over your family’s medical records, we’re hearing from a growing stream of people that their GP practice hasn’t even known what to do when they asked or went in to opt out of care.data.

We’ve been sent scans and photos of Summary Care Record opt out forms that people have been given, forms for opting out of local data sharing arrangements, and who knows what. We can point individual patients who contact us at the right form, but that doesn’t help everyone else in the practice.

If you have gone to your GP practice and they haven’t clearly understood and acted upon your request to opt out of care.data, you can let us know which practice it was through our new tool:

http://formFix.medConfidential.org

Just enter your postcode, tell us which surgery, and we’ll send them some details.

The formFix site is not for you to opt out online, but it lets us know where the confusion is and helps us to help GPs avoid breaching the Data Protection Act because of the impossible position NHS England has put them in.

NHS England has no way of knowing this information, so blithely continues assuring people that everything is fine. This should provide some data on how badly their communications campaign is actually going on the ground, for the next time Tim Kelsey joins us on the radio.

It would really help if you told friends and family who live in different parts of England – care.data does not affect Scotland, Wales or Northern Ireland – about this; send them the link, Tweet it, post it on Facebook.

Spread the word.

Public meeting in Brighton, 6:30pm, 17/2/14: Threats to your medical confidentiality

Techno-activism 3rd Mondays

Hosted by ORG Brighton – Meetup page

TA3M are monthly meetups that happen simultaneously in cities throughout the world. It brings together a diversity of people interested in surveillance, censorship and open technology.

Format: Short talks followed by discussion, drinks and networking

WHEN: Monday, February 17, 2014 from 6:30pm

WHERE: Emporium Brighton, 88 London Road, Brighton BN1 4JF (map)

SPEAKERS:

Phil Booth, medConfidential – Threats to your medical confidentiality: care.data

Significant changes to how your medical data is handled are happening now. Medical data that was previously under the control of your GP is going to be uploaded to a central database at the Health and Social Care Information Centre, from where it will be shared with companies and organisations inside and outside the NHS for a range of purposes none of which are to with your direct medical care.

Double Blink, theatre against surveillence

Public meeting in Manchester, 7pm, 25/2/14: Threats to your medical confidentiality

Threats to your medical confidentiality: care.data

Significant changes to how your medical data is handled are happening now. Medical data that was previously under the control of your GP is going to be uploaded to a central database at the Health and Social Care Information Centre, from where it will be shared with companies and  organisations inside and outside the NHS for a range of purposes NONE of which are to with your direct medical care.

WHEN: Tuesday, February 25, 2014 from to

WHERE: Friends Meeting House, Mount Street, behind Central Library, Manchester M2 5NS (map)

Hosted by ORG ManchesterMeetup page

Phil Booth, coordinator of medConfidential, will be on hand to answer all your questions.

PRESS RELEASE: NHS England “not clear enough” to patients about opt out

For immediate release – Tuesday, 4th Feb 2014

Tim Kelsey, NHS England Director of Patients and Information, this morning admitted that NHS England had ‘not been clear enough’ [1] about patients’ right to opt out of the new ‘care.data’ scheme.

The scheme will extract identifiable medical information from the GP-held record of every man, woman and child in England, store and process it in a central database and pass it in various forms to companies and organisations inside and outside the NHS [2].

medConfidential [3] today called on the Information Commissioner to rule that NHS England’s public communications campaign – involving a mail drop of 26 million junk mail leaflets, media stories and engagement with charities and community organisations – was a failure, and to halt the monthly extraction of confidential patient information from GP systems scheduled to begin in March.

Phil Booth, coordinator of medConfidential, said:

“Millions of people still don’t have a clue that their family’s medical records are about to be uploaded in identifiable form to a body they’ve never heard of, to be used for things other than their medical care – including being passed to companies outside the NHS.

“Now the head of the whole scheme has admitted they haven’t been clear enough about what patients must do to opt out, the game is up. No-one, least of all the Information Commissioner, can reasonably claim that patients have been properly notified. These uploads cannot go ahead with so many patients still being kept in the dark.”

Notes for editors

1) BBC Radio 4 Today, 4/2/14: http://www.bbc.co.uk/programmes/p01rmpdy (Timecode 10:54)

Tim Kelsey: I think, that, maybe we haven’t been clear enough about the opt-out. I agree with that. Let me be absolutely clear now, that people who don’t trust the NHS to manage their data securely now have a new right, to opt out of this scheme.  To be honest, all they need to do is contact their GP to opt out.

2) In its application to extend the types of organisations who can apply for access to care.data, NHS England wrote: “This addendum proposes that applications may be considered by the HSCIC from all organisations, subject to their eligibility as determined through the HSCIC’s governance processes. Such organisations may include research bodies, information intermediaries, companies, charities, and others.” – care.data Addendum Papers, http://bit.ly/1cVvXAL

3) medConfidential campaigns for confidentiality and consent in health and social care. It was founded in January 2013 in response to the imminent and serious threat posed by radical changes in the way patient health information is to be collected and passed on. medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals. Opt out forms and letters: www.medconfidential.org/how-to-opt-out/

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org 

ends –

Section 251 to be amended

Buried deep in the new Care Bill is the first amendment we recall seeing to what is commonly referred to as ‘Section 251’ – the power of the Secretary of State to set aside the common law duty of confidentiality in order that identifiable patient information can be passed on without individuals’ consent.

The history is hellishly convoluted but Section 251 of the NHS Act 2006 re-enacted Section 60 of the Health and Social Care Act 2001, drawing on powers in the Health Service (Control of Patient Information) Regulations 2002. Officials now seem to want to drop “Section 251” and use “Regulation 5” instead, but they are basically referring to the same thing.

The restructuring of the NHS under the Health and Social Care Act 2012 has already caused quite a few problems, for which Section 251 exemptions were used to paper over the cracks.

But now we see in Clause 115 of the Care Bill 2013-14, entitled ‘Approval for processing confidential patient information’, amendments to Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 which would make it read as follows: [changes in red]

Approval for processing information [why drop the words “confidential” and “patient” from the title of the Regulation?]

5. (1)  Subject to regulation 7, confidential patient information may be processed for medical purposes in the circumstances set out in the Schedule to these Regulations provided that the processing has been approved—

(a)    in the case of medical research, by the Health Research Authority, and

(b)   in any other case, by the Secretary of State.

(2) The Health Research Authority may not give an approval under paragraph (1)(a) unless a research ethics committee has approved the medical research concerned.

(3) The Health Research Authority shall put in place and operate a system for reviewing decisions it makes under paragraph (1)(a).

And Regulation 6 would change as follows:

Registration

6.  (1)  Where an approval granted by the Health Research Authority or the Secretary of State under regulation 5 permits the transfer of confidential patient information between persons who may determine the purposes for which, and the manner in which, the information may be processed, it or he shall record in a register the name and address of each of those persons together with the particulars specified in paragraph (2).

(2) The following particulars are specified for inclusion in each entry in the register—

(a)    a description of the confidential patient information to which the approval relates;

(b)   the medical purposes for which the information may be processed;

(c)    the provisions in the Schedule to these Regulations under which the information may be processed; and

(d)   such other particulars as the Health Research Authority or (as the case may be) the Secretary of State may consider appropriate to enter in the register.

(3) The Health Research Authority shall retain the particulars of each entry it records in the register, and the Secretary of State shall retain the particulars of each entry he records in the register, for so long as confidential patient information may be processed under an approval and for not less than 12 months after the termination of an approval.

(4) The Health Research Authority shall, in such manner and to such extent as it considers appropriate, publish entries it records in the register; and the Secretary of State shall, in such manner and to such extent as he considers appropriate, publish entries he records in the register.

While paragraph 6(4) may represent a relatively minor change from the old wording, which was “in such manner and to the extent to which he considers it appropriate”, both wordings mean that the register(s) will not necessarily be published in full. This means that in some instances – how many we would never know – there may be no public record of the setting aside of the common law duty of confidentiality for identifiable patient data to be used.

The main effect of clause 155 of the Care Bill is that approval for research access to patient confidential data – i.e. identifiable information about patients or from patients’ medical records – will essentially be made arms-length, a role of the Health Research Authority (HRA).

The Secretary of State meanwhile splits off a separate register of non-research ‘customers’ for patient data, which he may or may not decide to publish in full. (N.B. The Confidentiality Advisory Group (CAG) at HRA split the register of approved applications into research and non-research categories at its latest publication.)

Paragraph 5(2) of the amended Regulations may tend to weaken ethical approval with regard to confidentiality: as drafted, any HRA-recognised research ethics committee would suffice for approval, so HRA CAG could be cut out of the equation altogether.

For example, an potential customer could come to the HRA and say, “Our own ethics committee that has been recognised by you [under clause 112 of the Care Bill] has passed this already. Under Regulation 5(2) this doesn’t need to go past CAG – they’re busy enough already with all those other care.data related applications. All we need is the green light from you, as we’ve fulfilled the requirements.”

Unfortunately history has shown that if something can happen, it almost certainly will.

The amendments to Regulations 5 and 6 in clause 115 also highlight that it is the Secretary of State alone who approves the release of patient confidential data for uses other than research. It is therefore vital to keep an eye out for any amendments that replace or remove the word “medical” in 5(1) and/or 6(2)(b) and/or the Schedule.

As this is a Care Bill, not a Health Bill, it may appear strange that the Secretary of State’s powers should remain limited to medical purposes. Is all of social care to be redefined as a “medical purpose”?

Assuming some sort of last minute amendment were to be laid in order to ‘fix’ this, then depending on the exact wording used, the last constraint could be removed from preventing any use of confidential patient data [1].

There are amendments that might look relatively benign, e.g. adding “and care” to “health professional” in Regulation 7(2) or a consequential amendment to DPA 69(1), adding a list of others – but anything that changed or removed “medical” or “medical purposes” should be scrutinised very carefully.

As the merging of health and social care systems continues, we feel these words are almost certain to be changed at some point – with intended and unintended consequences, and some potentially devastating effects – not least the corrosion of trust in NHS confidentiality.



[1] In much the same way as NHS England’s care.data addendum, ostensibly to extend access to patient data for researchers, will in matter of fact open it up to all organisations while simultaneously broadening the uses to which patient data could be put – including for non-research purposes.

Furthermore, while some of the information extracted from GP-held patient records under the care.data programme is intended to be passed on in ‘pseudonymised’ – i.e. potentially re-identifiable – form, the clear intention is for Section 251 / Regulation 5 approval to be used to pass on other patient information in identifiable form – which should make Clause 115’s amendments to Regulations 5 and 6 of particular interest.

 

Refuting NHS England’s response to Guardian story “NHS patient data to be made available for sale”

When medConfidential refutes something, we provide proof or evidence. We don’t use weasel words or mere assertion, we provide you the links to check out for yourself that what we say is correct.

Following the front page story in the Guardian today, NHS patient data to be made available for sale to drug and insurance firms, NHS England have posted a terse but incredibly carefully-worded response on their website.

In it, NHS England’s Chief Data Officer, Dr Geraint Lewis says:

“It is vital, however, that this debate is based on facts, and that the complexities of how we handle different types of data are properly understood. Patients and their carers should know that no data will be made available for the purposes of selling or administering any kind of insurance and that the NHS and the HSCIC never profit from providing data to outside organisations.”

You will note that Dr Lewis has not – because he cannot – refute the fact that insurers will be able to get hold of patient information extracted by the care.data scheme. And there are plenty of ways an insurer could profit from care.data without “selling or administering” insurance – tuning its premiums, for instance.

NHS England’s own ongoing application to the Health and Social Care Information Centre (HSCIC) to massively expand the uses and users of care.data makes it quite clear that “Examples of additional customer organisations may include:

  • Universities and other academic research organisations
  • Commercial companies
  • Think-tanks
  • Medical charities
  • Medical Royal Colleges
  • Information intermediaries

And the Information Governance assessment of this ‘care.data addendum’ quite clearly states, at the bottom of page 5:

“Access to such data can stimulate ground-breaking research, generate employment in the nation’s biotechnology industry, and enable insurance companies to accurately calculate actuarial risk so as to offer fair premiums to its customers.”

(We’ll leave it up to you to decide how “fair” the insurance companies are likely to be.)

And to Dr Lewis’ point about the NHS and HSCIC ‘not profiting’ from providing our data to companies outside the NHS, we can only say… why then do you publish a price list for accessing our medical information?

NHS England and HSCIC can call it ‘cost recovery’ or whatever they like; sophistry seems to be their standard approach. But most normal people’s understanding of the word ‘sell’ involves money changing hands in a transaction, which is clearly what’s happening here.

Whatever the value these extremely powerful bodies are putting on our medical information – and in this case it’s clearly not much – this is not the sort of behaviour that patients expect of the people and institutions that should be guardians of our data. Not by a long way.

PRESS RELEASE: Research organisations promote medical record data grab

Patient privacy campaign medConfidential [1] today strongly criticised the launch of a media campaign by 42 research organisations and medical charities [2] promoting NHS England’s new care.data scheme [3].

The advertising campaign, funded by organisations some of which have lobbied to access information held in patients’ medical records [4], uses blatant appeal to emotion to encourage people not to opt out of having confidential medical details from their GP record uploaded to central servers in identifiable form.

Information provided on the campaign website [5] focuses on research uses but makes only passing mention of other ‘secondary uses’ to which people’s medical information may be put and the non-medical, non-research organisations outside the NHS which will also be given access [6].

Evidence consistently shows that while many may be quite happy for their personal health information to be used for medical research with their permission, around a quarter of people are not [7] – with concerns ranging from disclosure and misuse to fraud, discrimination, breaching rights, commercial use, inaccuracy and private information becoming known to friends, family or acquaintances.

Phil Booth, coordinator of medConfidential, said:

“Promoting a scheme that is based on dodgy ‘presumed’ consent is bad enough, but trying to convince people not to protect their family’s medical confidentiality using such overtly manipulative imagery borders on unethical. The money would have been better spent building ways for people to express a positive choice to participate in research.

“The Wellcome Trust’s and MRC’s own studies show that around a quarter of the population don’t want their sensitive health details being shared, even for medical research. And this is their absolute right. So if opt out rates turn out significantly lower than 25% this Spring, it won’t be an indication of success. It’ll point more to a massive whitewash.”

Notes for editors

1) medConfidential campaigns for patient privacy, confidentiality and consent in health and social care. It was founded in January 2013 in response to the imminent and serious threat posed by radical changes in the way patient health information is to be collected and passed on. medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals to defend and enhance confidentiality across health and social care: www.medconfidential.org

2) The campaign website is at www.patientrecords.org.uk

3) The care.data scheme will begin uploading confidential medical information in identifiable form from the GP record of every man, woman and child in England from Spring 2014. For more information on the scheme, see http://care-data.info – written by Hampshire GP, Dr Neil Bhatia, this site provides a more comprehensive description than is provided by NHS England at www.nhs.uk/caredata

4) From ‘care.data Addendum papers’, September 2013:

“Although the care.data Customer Requirement Summary [March 2013] makes reference to data for research purposes, it was subsequently clarified by NHS England, and confirmed to the GPES Independent Advisory Group, that the research community was not included at that time.

In the meantime, NHS England and the HSCIC have been approached by a number of organisations that use the HSCIC’s Hospital Episode Statistics (HES) managed extract service to express their disappointment that the original submission only requested access to the data for commissioners. These organisations include Diabetes UK, the Nuffield Trust, Cancer Research UK, University Hospitals Birmingham NHS Foundation Trust, Caspe Healthcare Knowledge Systems (CHKS), the National Cancer Registration Service, and Arthritis Research UK.

Therefore, this addendum requests that access now be granted by the HSCIC to a wider audience, including researchers, on a case by case basis.”

5) The campaign website unfortunately repeats the assertion, also made in the junk mail leaflet currently being sent out by NHS England that “you will need to speak to your GP” to opt out. This is potentially misleading. Patients do not have to speak with their GP and they most certainly do not need to book an appointment. If they are concerned in any way for the confidentiality of their and their family’s medical records, people can simply write to their doctor or drop a form such as the one provided here: www.medconfidential.org/how-to-opt-out/ into their GP practice, instructing their doctor to opt them out.

4) From ‘care.data Addendum papers’, September 2013:

“Examples of additional customer organisations may include:
• Universities and other academic research organisations
• Commercial companies
• Think-tanks
• Medical charities
• Medical Royal Colleges
• Information intermediaries”

And NHS England has already, e.g. received Section 251 exemption to pass identifiable patient data around a range of bodies at national and local level, for commissioning and other purposes not to do with patients’ medical care.

5) Studies such as the Wellcome Trust Monitor, 2009 & 2012 – see table on p119 of Wave 1 study: http://www.wellcome.ac.uk/stellent/groups/corporatesite/@msh_grants/documents/web_document/wtp040713.pdf which shows that 28% of people are concerned (and a further 10% may be concerned) about allowing access to their medical records for medical research.

This figure is reflected in MRC’s ‘The Use of Personal Health Information in Medical Research’ report, 2007:

“The most common reason for being unlikely or certain not to allow personal health information to be used for medical research purposes is concern over privacy (28%). Other common concerns focus on potential abuse and loss of control. Around one in ten are anxious about such information ‘falling into the wrong hands’ (13%), and similarly over the perception that individuals can not control who uses their information (13%), or for what purpose (12%).”

– page 8, http://www.mrc.ac.uk/Utilities/Documentrecord/index.htm?d=MRC003810, see also pie chart on page 40 which indicates that 25% are unlikely to allow their personal health information to be used for the purposes of medical research. Table on page 38 lists perceived ‘Disadvantages of Collecting Personal Health Information’.

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

– ends –