Author Archives: sam

All Governments end: the 2024 End of Parliament Smörgåsbord

Everyone deserves privacy, and everyone deserves medical privacy. 

Whomever you are, Princess of Wales or not, you have the right to know where and when your records have been accessed, and in being able to see that those accesses were legitimate – and for action to be taken if they were not. As events have shown, the princess had access to her records monitored for abuses, the NHS won’t let you do that. The ‘Department of Health in England’ (NHS England) could tell you, but they don’t want to; doctors have been struck off for accessing records inappropriately, but abuse is far more common than punishment.

At the start of the 2019-2024 Parliament, we had no idea if mRNA worked at scale, and no real idea how to find out safely. A pandemic intervened, and we figured it out. At the end of the Parliament, trials to detect and cure cancers using mRNA seem promising and could revolutionise treatment (and the NHS budget) over the term of the next Parliament – if done properly. 

The outgoing Government’s choice to implement the recommendations of the Cass Review within hours shows that care choices can and are being politicised, with criminal penalties being created so very quickly. If only the independent Windrush Review, the many safe staffing reports, or conclusions on Grenfell had been so rapidly adopted by Ministers. The Cass Review will now undergo the slow, meticulous process of academic peer review – assessing the choices made, and seeing which parts demonstrate rigour and which show cherry picking, misunderstanding, or simply prior policy beliefs masquerading as independent impartial evidence. 

Whether the HDR / Sudlow Review will ever be published is unclear, but – if it is – any narrow evidence base and distortions that favour HDR UK’s own institutional policies will enter that same process of scrutiny and assessment which HDR does its best to avoid when nudging funding decisions to cronies. It is entirely possible to write a report focussing only on the subset of reality that is convenient to the institutional culture towards which you want to steer cash; permanently attaching your name and reputation to a temporary star is, however, a choice that remains fixed as time moves on, and temporary incongruences have been resolved. Career priorities are political. 

The Department of Health in England would prefer to control a single consolidated record of every health ‘event’ in your entire medical history – including things like copies of readings from the sensors on your smartphone and smartwatch (see Annex 8 of our UC work) – and to make them available not only to anyone in the NHS but to any private provider, to do with as they see fit. 

Pharmacy First” can diagnose you with a UTI, prescribe accordingly, and then write that to your NHS record; DH policy imperatives show they believe a private GP doing the same thing is no different. But if you receive a diagnosis of ADHD or gender dysphoria that fulfils all NHS criteria, why does that not become an NHS diagnosis in the same way? Why does the system oblige your family doctor to follow some non-NHS diagnoses, but seek to criminally punish them for others?

(As an aside, allowing people to write arbitrary diagnoses into arbitrary records provides a system-wide ability for any rogue doctor to write anything they choose into a record – giving the Minister of the day, for example, SNOMED code 247667002 or 247670003. And of course, once entered into an NHS record, “diagnoses” are supposedly impossible to remove…)

The politicisation of care has become utterly incoherent. Things will eventually be resolved, but the real question is how many serious harms there will be in the interim.

Sustainability of data decisions

Sustainable decision structures are those which can exist for the longer term – and in which any individual decision is secondary to the process continuing. Where organisations aren’t disinvited from the process for giving private critiques or briefing Parliamentary Select Committees. (The culture of Paula Vennells is not unique to the Post Office.) And while imposition of a contract or rules is an emergency act, institutional ignorance is a temporary choice. It may feel easier to engage only with those who agree with you – something the ideologies of the outgoing Government made a policy goal – but what is temporary will eventually end. 

Whatever happens with NHS data it must be stable to survive. Every important stakeholder must have what it needs, which may not be what it wants. NHS England wants to do analyses; GPs need confidence and clarity in their responsibilities to all patients; interested patients need trustworthiness and dissent; researchers need to be able to do research ethically.

OpenSAFELY and Palantir are both tools; how the tech will be used remains unclear.

If the Department of Health in England were being honest, the public narrative of the ‘Federated Data Platform’ in Palantir and the NHS App would be that they are, in their view, the future of NHS care. If an algorithm running in Palantir and displayed in the App says No, then you won’t get NHS care – in exactly the same way as when the A-Level algorithm said No in 2020, students didn’t get their University places.

Culture of Coverups

The internal culture of NHS England has barely changed since the care.data debacle in 2014. That shouldn’t be a surprise, as it’s largely the same people doing the same jobs – and their ongoing actions suggest they have learned very little in the past decade. It is a common argument around Government that the civil service does churn too much, but perhaps lack of churn has harms too…

While the faces remain the same, the culture of the current “new NHS England” (aka the Department of Health in England, as NHSE has de facto seniority over policy staff) has degraded to the level of trustworthiness and integrity demonstrated by the Boris Johnson administration, while the current power structures were last defined by Matt Hancock’s DHSC.

The Department of Health in England takes reckless risks on your behalf without you even knowing. And UK Biobank and Our Future Health have evolved in that culture – the NHS England form to buy patient data is around 30 pages long; the biobank form is less than four pages long. There is no way that could cover everything required, but they have made the calculation that investing in PR and bluster will be more successful with Government and the Department of Health in England than offering real substance and evidence. Indeed, that approach clearly has worked for biobank and HDRUK under the outgoing Government. But all Governments end.

No Privacy, No Transparency, No Trust

Information such as service performance, which NHS Digital (RIP) proudly published proactively, is now routinely covered up and FOI requests are only answered after complaints to the ICO about stonewalling and non-response. “Transparency” may be something the new NHS England says – it is demonstrably not what it does.

Since the absorbtion of NHS Digital, the so-called ‘Privacy, Transparency, and Trust’ group is where NHS England dumps these vital issues in order that the rest of the organisation can ignore them, and so that group can focus on how to avoid them. The only outputs are performative statements – rather than building a trustworthy organisation that is worthy of public confidence, by demonstrating trustworthiness.

That this is the case is best demonstrated by the Department of Health in England’s sustained incoherence around a patient’s legal rights to object to unnecessary data processing. And their complete lack of interest in telling you where and when your medical record has been accessed.

Every NHS GP record is now supposed to be accessible in every pharmacy in the country, via a service called “Pharmacy First”. But you will have no idea if someone has accessed your GP record – let alone if that was a legitimate access, or one where your stalker or creepy bad date was ‘going fishing’ – entirely because the Department of Health in England refuses to tell you. Until recently, pharmacy staff could only read records. Now they can write a diagnosis into your record and, if they do, it’s almost impossible for you to know that it happened, or to challenge or have it removed. MPs (rightly) changed the law to allow the removal of malicious child safety reports, but that’s just the tip of the iceberg.

If your GP uses TPP/SystmOnline you may have access to an “online audit”, but this is not available in the supposedly “main” NHS App. Despite this audit trail being a contractual requirement imposed by NHS England, they never implemented it for you. Its actions demonstrate that the Department of Health in England believes they, not your GP, should decide what your GP can tell you about your health, what medical care they can provide, and which organisations can buy the personal data in your health records.

While patients should be able to see the correspondence about them, the reckless imposition of this by the Department of Health in England pushed all of the risks onto the patient and GP. It may be clinically essential for a letter between clinicians about genomics involving family risk to mention that the patient is adopted; but surprise! An entirely benign letter about a child can disclose that an investigation is underway simply by implicit reference to documents a potential abuser can’t see. The Department of Health in England’s view is that ‘This is not our problem’, and they adopt the same approach and attitude time and again – such as with the form that allows anyone to register with a new GP from anywhere, which can be weaponised by abusers.

As time goes on, various “national services” will interpose “national” goals between you and your family doctor, and the care they provide you. Is this really the NHS you want?

Being seen to Respect Patient Choice 

The opt out for secondary uses of your health data exists; the opt out for Shared Care Records is a ‘postcode lottery’ – making promises to patients that others in the NHS believe don’t apply to them when they copy the data again and again. 

When it comes to data use for purposes beyond your direct care, the Department of Health in England still believes that no opt outs should apply to them, even while saying opt outs that clearly do apply in law are via mechanisms that they simultaneously ignore. No process involving NHS England ‘Privacy, Transparency, and Trust’ (PTT) can be considered trustworthy in the current setup. That’s not to say that every outcome is always wrong – but outcomes are self-evidently incoherent, and disconnected from the processes supposedly creating them.

Even the Tony Blair Institute recognises that the current opt out process is punitive and destructive. medConfidential always said that it should be as easy to opt in as it is to opt out (and vice versa) so we agree on that. While the current process may be used to opt both ways, it’s still punitive – especially if you have dependent children living at home. TBI, however, prefers the intrusive power of the state be used to support its goals – and it is notable that Mr Blair’s proposals for the sale of NHS patients’ data don’t appear to have been implemented in any of the dictatorships he advises.

Claims from TBI and from the Department of Health in England about what Palantir will do for direct care – the care that is delivered by hospitals and GPs, not by centralised computer systems – are completely disconnected from the reality of NHS systems that already exist, and that work, and that are both used well and abused badly. Meanwhile, NHS England has covered up the Data Protection Impact Assessment for its Federated Data Platform, allowing FDP to launch without publication during the (local) election period, because the text says that public claims made previously about FDP being ‘for direct care only’ were abandoned before FDP launch.

The (first) Goldacre Review in 2022 was clear that the risks of the current use and misuse of patient data are an “emergency” – and “not a new emergency” – and yet, as back in the Kelsey years, the Department of Health in England is still hoping things will go wrong on someone else’s watch.

The outgoing Government may have had one success in that Review; the new Government could choose to announce in its first weeks that, retroactive to the date of the election, patients will be able to see in the NHS App – or in the TPP/EMIS apps if NHSE can’t get its act together – a list of when and where every patient’s records have been accessed via all national NHS services.

The list should begin with accesses to your Summary Care Record, your Shared Care Record, to GP Connect, and in FDP – all of which are capable of such audit functions. If it is claimed that any aren’t, then those who commissioned them were either grotequely incompetent or wilfully negligible. The ‘trial period’ could begin with digitally-engaged patients who have prospective access to correspondence enabled already. The new Government could then say that the secrecy ends, and patients would from that point forward have a clear evidence base of how data about them is used, and whether it has been misused.

For a new Government wanting more use of technology and more system access, this would have another significant additional benefit. One of the hardest aspects of such systems is getting clinicians to use them. If every patient can see how data about them has been used, they can also see where these new systems have not been used when they should have been – providing an evidence base and empowering patients to ask why these expensive data systems weren’t used to benefit their care.

Rest of Government: UC, Governments and computers

In the last days of the Parliament, the Administration Committee of the House of Commons said:

“Although statisticians and researchers publish a wealth of information on which data sources they hold, and how they are used, very little information is made available about how personal data are being used for the purposes of government analysis.”

“102. We recommend that the analysis function explore options for improving transparency around the use of personal data in official analyses, and that this work be made publicly available.

(paragraphs 100/102, Public Administration and Constitutional Affairs Committee report on Transforming the UK’s evidence base)

We entirely agree.

If you were to hear the description of a computer system whose users are overpowered by the system designers and operators, which tells users how much money they owe without showing any detail on how that figure was created, where staff working for the system designers can change those figures at will, and when figures change there’s no way for the users to know about it unless they keep their own independent records –and where discrepancies result in prosecutions, sometimes deaths – you might think someone was talking about the Post Office Scandal.

The previous paragraph is also a 100% accurate description of the systems of Universal Credit, about which we recently published Annex 8 and the wrap-up report.

The final section of Annex 8 relates to the rest of Government as much as it does DWP, and we’ve written a short note on what GDS / CDDO / CO should choose to do.

After all, all Governments end.


Enclosed new documents:

COVID Passports

Any requirement for an in-country COVID passport after a declaration of “freedom” will be an admission of domestic policy failure by the Government; the greater the requirement for COVID passport mandates, the bigger the failure of Government to manage the pandemic well.

If do you need a domestic COVID passport, we recommend the paper documents made available, but you also have to black out unnecessary information (see below):

  • Once you have been vaccinated in England, we suggest you use this English online form to get your paper certificate. It should arrive within 5 working days. If you prefer, you can ask for a letter by calling 119.
  • In Scotland you can request a copy of your letter online for Scotland here, or you can get a copy of your vaccine status letter by phoning the COVID-19 Status Helpline on 0808 196 8565. NHS Scotland says you should allow at least 14 days for your vaccination status letter to arrive.
  • The only Wales online option requires you to have an NHS Login, or you can request a paper NHS COVID certificate by calling 0300 303 5667 – though it can take up to 10 working days for your certificate to arrive.
  • To get a certificate for Northern Ireland online (which may take 3 days to process) you must have an nidirect account. Or you can request a paper COVID certificate by telephone on 0300 200 7814, though it will take up to 10 working days to arrive. 

The COVID passport apps in each nation are different; they work differently, and require you to prove your identity in different ways. The paper certificates tend to be valid for a longer time than the app versions, and don’t require you to show your logged-in phone to strangers.

Unfortunately the paper versions being sent out currently include information like your address and date of birth – so if you must use one for domestic purposes, make sure you block out any other personal information on it, leaving only your name and the QR code.

In our responses to Michael Gove’s original consultation on ‘Vaccine Passports’, and to the recent call for evidence on ‘Plan B’ in England, medConfidential pointed out many of the risks of app-based COVID passes. As the schemes roll out, we and others are picking up on additional problems – like people whose medical records are already flagged as sensitive not being able to get a pass.

And, as the introduction of the Scottish ‘COVID Status’ app has already demonstrated, the use of international COVID certificates for domestic purposes is unsafe, unwise and potentially unlawful; the QR codes designed for use at borders can ‘leak’ unnecessary personal information when checked at domestic venues.

The inevitable and afterwards – GPDPR Situation Report 7

medConfidential’s GP data grab Situation Reports are a series of updates sent to stakeholders; this one is public.

The long delay was inevitable

The announcement of the short delay in June to 1st September was largely due to NHSx and DHSC thinking they understood their mistakes; as the GPDPR Data Provision Notice has now been withdrawn, and any new DPN will have process to go through, GP data collection can now begin no earlier than the 2nd September.

The next announcement, of a longer delay, will mark the inevitable realisation of the magnitude of these past mistakes – a delay already referred to by the former Secretary of State in his last speech at the despatch box, where he said:

It will take some time to move over to the new system, hence I have delayed its introduction, but we have also made that delay to ensure that more people can hear about it.


Both the Secretary of State and David Davis MP also entirely agreed in that debate on the risks of dissemination. It is therefore clear that the (very welcome) commitments on the use of Trusted Research Environments must apply to hospital data, e.g. HES, as well as GP data.

This realisation may yet come slowly. On HES, it may take a legal opinion quoting the Secretary of State’s speech, next to the ICO’s guidance on UK GDPR and DPA 2018, next to current DHSC policy that requires NHS Digital to disseminate the sensitive, identifiable personal data of every hospital patient in England – even if they have dissented – thousands of times a month. 

We understand it will be difficult to decide today, that from tomorrow HES is identifiable special category personal data, when the data was disseminated yesterday (and for years before).

The best time to have complied with the UK’s 2018 Data Protection Act was in May 2018; the second best time is now.

Sequencing of Events

While the delay was announced so the Trusted Research Environment (TRE) could be built to the satisfaction of research, there is now time to do everything in the right order. Hopefully.

NHSx may have gotten to choose the starting point but, as the Health and Care Bill demonstrates, it missed the boat. The headline focus of the Bill, Clause 1, formally re-names NHS England, but nowhere in the Bill does NHS Digital get a re-name. Perhaps DHSC expects to use its new powers to abolish NHS Digital – thereby abolishing the statutory safe haven? That is untenable.

There is, however, still time for the proposed legislation to be amended to resolve some critical data trust issues. The Bill should, for example, have a hook to put the National Data Opt-out onto a statutory footing – so patients can know and have confidence in what the rules are, so the profession all know what the rules are, and so the various national bodies know what the rules are – and so that everyone knows how those rules can be changed (in either direction) in future.

As the use of GP data evolves, there should be discussion as to whether the National Data Opt-out (NDOO) should apply to data leaving GP systems and going to NHS Digital, or not. If the conclusion is that it will not, then the Type 1 GP data opt-out must live on. If the NDOO were to be clarified in legislation to have the same effect as the current GP opt-outs, then Type 1s could effectively be deprecated for all but the most critical concerns – for a statutory opt-out is much better than a non-statutory one.

Hospital data

All of the examples given in David Davis MP’s adjournment debate were to do with hospital data, and the Secretary of State agreed on the risks of disseminating patients’ identifiable GP data, explicitly stating his intent that “The dangers that come with the dissemination of pseudonymised data are removed.”

So why is NHS hospital data not also being made ‘TRE-only’ from summer 2021 onwards? 

If NHS Digital and NHSEx wish to demonstrate to the GP profession (and to patients and the public at large) that the TRE-only approach will work, the most straightforward way to do so would be to show it working for the hospital data NHS Digital already collects – with a variety of researchers and, say, NHS England’s ‘Data Services for Commissioners’ Regional Offices (DSCROs) demonstrating good use of it. 

Such a transition should also make the DSCROs and other ‘DHSC / NHS family’ users far happier, as they will be getting both a much better data analysis environment for their ongoing work, while increasing safety as well. 

As the Health and Care Bill puts obligations on Integrated Care Systems to ‘use more data’, such patient-level data usage should also all be in formally NHS-accredited Trusted Research Environments – initially NHS Digital’s, also ONS’s or Genomics England’s. (‘Five Safes’ TREs are entirely achievable, but some will claim they meet the standard when they do not. Hence the need for formal, likely mutual, accreditation; trust in all being dependent on the weakest link in the chain.)

Communications

The need to communicate directly to the entire public actually makes other problems easier to resolve; with the data opt-out definitions written down in legislation, what is left for debate (as was the case in 2014) is exactly what text will fit on two sides of A4 – the text for the opt-out / opt-back-in form being derived from the legislation itself. 

This process could start with the last consensus draft of the care.data Advisory Group letter because, as a public advocate of the programme said, GPDPR is care.data.

NHS Digital, NHSx, and the new power to amend legislation

While NHSx may choose how many (NHSx-liveried, crowd pleasing…) elephants are in the ‘tech vision’ parade, it continues to be NHS Digital that has to follow it around with a shovel. And whoever holds the shovel will forever be in tension with those who want more elephants.


Many of the persistent problems around data are the result of such tensions, not necessarily the organisation itself that is making a decision. The same criticisms of NHS Digital would apply to the cancer registry, which learnt the hard way that giving data to a “causes of cancer study” is not such a good idea when the study is run by a tobacco company.

Someone has to enforce the rules that DHSC advertises as “strict”; that is currently NHS Digital.

It is not NHS Digital that decides what data uses there could be – it responds largely to requests. Sometimes it recognises that a request is valid but that an analysis would be better done by someone else. (A “causes of cancer study” is not inherently a bad thing.) But, as a result, NHS Digital gets a reputation for saying no to people – mostly because few notice the thousands of data file releases it does make every month.

It is, and should be, the job of a statutory safe haven to have a deep understanding of what is possible, what is legal, and of the necessity of keeping promises to patients. (Keeping promises not being a recognised strength of this Government.)

Any body fulfilling the role of safe haven must be transparent about where data goes. NHSEx have been actively dishonest in that regard, and – even if that was initially a mistake – have then explicitly refused to correct the record, and have repeated the dishonesty.

Differing interests may not like individual decisions that NHS Digital takes, medConfidential included – but what must be recognised and emulated is that it tells the public what those decisions are and why they were made, and people can know what we don’t know.

With DHSC and NHSEx, however, the cronyism and corruption of the Government’s approvals processes means not only is there no picture of what we don’t know, there appears to be an explicit desire to make sure no-one knows. 


Perhaps we are being unfair on the ‘organisation’ behind the first version of the NHS COVID-19 app that barely made it to pilot stage; the group which pushed GPDPR forward against expert advice, and which vetoed suggested improvements of GPDPR before it collapsed; the outfit that misleads stakeholders on what it publishes; which simultaneously added domestic vaccine passports for users of the NHS app, and which (still) expects NHS patients to hand an unlocked smartphone to the border guards of a hostile nation,  but we believe one’s actions speak for themselves.

(Of course, the person who signed the GPDPR Direction got promoted shortly thereafter. When NHSx is abolished, NHSx policy functions should really revert to DHSC – not because any particular incumbent has any particular talents, more because officials always move on.)

If NHSx – or any actual NHS bodies, for that matter – wish to be seen as trusted, they must show themselves to be trustworthy. Downgrading the statutory safe haven and/or transferring its statutory powers without reference to Parliament is unlikely to help in this regard.

New Secretary of State and Life Sciences 

To push our earlier analogy, some of Sajid Javid’s team will be retracing the path of Matt Hancock’s elephant – with a shovel to clean up those emissions that still litter the building.

And those whose ‘Vision’ is less rose-tinted will recognise the “alignment” claimed in the restated Life Sciences strategy was prompted more by the overwhelming necessity of combating a common enemy than any real change in institutional politics or public attitudes. It is notable also that the stakeholders on whose data the Vision depends, the public, get short shrift in a document whose focus is to “deepen collaboration and trust between Government, the NHS, and the [Life Sciences] Sector”.

Aspirational statements for “the full support of patients, the public and NHS, and must build trust into [the Vision’s] delivery” are hard to square with the far more clearly-defined intent that: “governance and oversight of NHS health data must be simplified to drive research and innovation”.

We welcome the commitment to consensual, safe, and transparent data infrastructure for a 21st century health and care system; as we have been saying for years, a modern TRE for research and all other secondary uses is inevitable. The best time to have started was in 2013; the second best time is now.

Available next steps:

medConfidential Bulletin, 7th September 2018

Once more, a big thank you to everyone who confirmed to us receipt of the letter about the ‘conversion’ of your Type-2 objection to the National Data Opt-out. We are also grateful to those who shared the letter of apology for the appalling TTP error that led to 150,000 patients’ opt-outs not being honoured, and their confidential information being sold for three years.

 

What’s going on with opt-outs?

All of the National Data Opt-out letters should now have gone out. If you have still not received a letter, and believe that you should, we recommend you check your current opt-out status, firstly by using NHS Digital’s online National Data Opt-out process. If they have recorded your opt out, Step 4 will say “Your current choice: you do not allow the use of your confidential patient information” – if it doesn’t, then select the “No” option on that page, and complete the process.

If your objection had not been registered there, we strongly recommend you also contact your GP practice – remembering that most people will have asked for both types of objection to be applied; one nationally, one for your GP. If the opt-out codes you want are not recorded in your GP record, use a copy of our up-to-date opt-out form to re-express your wish that you do not wish your data, whether given to your GP or at a hospital, to be used for purposes beyond your direct care…

If for any reason you encounter any resistance or confusion caused by NHS England’s use of ‘shorthand’ (as a few people have reported) if asked, you can refer your GP practice to the RCGP’s official guidance; the section ‘Transition from the existing Type 1 and Type 2 objections’ clearly states:

The Type 1 objection ‘Dissent from secondary use of general practitioner patient identifiable data’ prevents any identifiable information leaving the GP record for purposes other than individual care.

These objections are coded in the GP record and will continue to be upheld until at least  March 2020. Before a decision is taken to revoke these objections, there will be a consultation with the National Data Guardian. Patients can therefore continue to register a Type 1 objection if they so wish and should be kept aware of this.

 

Signs of progress?

On a more positive note, it was announced in Parliament yesterday that the new National Data Opt-out, previously Type-2, now covers health data released by the Cancer Registry at Public Health England (PHE) in the same way as it covers data released by NHS Digital. An early indication that other health bodies can and will respect your dissent choices – even if what those choices mean in practice must be toughened up in line with new laws, i.e. GDPR and the UK’s new Data Protection Act.

DPA 2018 was led through Parliament by the new Secretary of State for Health, in his former role at DCMS. We thank Matt Hancock for that effort, and look forward to it being fully implemented in and across the NHS. The new Secretary of State brings a notably optimistic approach to technology and web standards. He may soon notice that when the NHS publishes information it doesn’t want patients (or him) to look at, it does so in long, impenetrable spreadsheets rather than readable web pages.

 

What’s happening next?

After the first of October, the Government will require any person wishing to express a dissent choice for their children (or other dependents, such as elderly relatives) to send in for each of them a seven-page form, with at least four forms of ID and documentation proving they are a responsible parent, to an NHS office in Leeds where officials will check the documents for authenticity. Your GP knows who attends appointments with whom – the presence of the child suggesting some degree of responsibility – none of which is known to NHS Digital.

The Department of Health has flat out refused to change their choice of deadline, and NHS Digital has shown no sign of delivering a digital opt-out process for families. They therefore place the burden on you, and every family wishing to make what they feel is the right choice for them.

Not coincidentally, this is also the first step in removing your GP from the ‘decision loop’ on choices about your data – because there’s a new ‘GP data extraction’ coming.

Yes, ‘care.data 2’ is on its way…

Precise details and timings are unclear at this point; NHS England does not even seem able to answer straightforward questions in a timely fashion. (Have you seen any evidence of awareness raising adverts about the National Data Opt-out? If you have, we’d love to see copies – especially as this is the proposed model for changes to organ donation.)

We shall of, course, keep you updated as we learn more – but another “collect once, use many times” assault by NHS England on the nation’s GP records is building.

Watch. This. Space.

 

What can I do?

Given the imminent removal of the Type-2 opt-out via your GP practice, and failure to provide a digital opt-out that families can use, now would be a very good time to write to your MP – expressing your concerns in your own words, maybe citing the thousands of people in your area (details for each CCG are in these “June 2018: Type 2” spreadsheets) who’ve already expressed such a choice, and asking for the Type-2 option at GP practices to be extended at least until any replacement has been shown to work.

Crucially, if you know anyone – friends, relatives, colleagues, or co-workers – who you think may be concerned about the uses beyond their direct care to which the sensitive confidential information in their and their family’s GP records may be put, then please forward this Bulletin to them, or point them directly to medConfidential’s opt-out form. For families, opting out is going to get much harder, in just three weeks’ time.

With activity building towards the next care.data, and given much other necessary ongoing work, medConfidential is in serious need of funds. Our programme of work for the next year is at this point only one-quarter covered, and our grant from JRRT ended this summer. Please, if you can, consider making a donation – a regular gift is most helpful.

 

Thank you.
Phil Booth & Sam Smith
7th September 2018

 

Everyone’s experience in AI decision-making

Institutions that include everyone understand that great benefit comes from seeing complex issues in many different ways.

The most life-changing, rapid, and one-off decisions people must make are those to do with their health, and the health of their loved ones. Here too, the benefits of diversity are well understood. In medicine, there is a culture of “second opinions” – you can always ask another doctor for their opinion on a choice. This is acknowledged as a great strength of the medical community; indeed, the seeking of diverse (even possibly contradictory) opinions is actively supported by professionals realistic and humble enough to accept that there may not be one single right answer.

So why, as technology progresses, should we choose a lower standard for AIs offering diagnostic assistance to doctors?

Necessary variation in clinical Artifical Intelligence ‘opinion’ will arise only from open competition amongst providers, all respecting the consensual, safe, and transparent use of patients’ data, underpinned by medical ethics.

When you are ill and have a care team today, the decision process available to clinicians deciding your treatment comes not from a single view, but from a comprehensive assessment considering diverse perspectives.

The same should apply when AIs join a care team, which could mean one AI’s analysis spotting something another has assessed as less significant – it should only take one finding to prompt a new consideration. And should we not meet the urgent demand for more doctors, it may be appropriately diverse, ‘always on’, clinical AI assistance tools that could help recast the mix of experience required. (Or perhaps, in a future AI world, patients will be sick of experts…)

Diversity in the medical AI ecosystem will result from the choice of different modelling approaches and the use of different training data, the variation in outcomes (i.e. advice) will come about for similar reasons as today: differing opinions arising from different choices made by different ‘cultures’. No training dataset that systematically excludes some or any community should be acceptable, but different datasets in different models will result in different suggestions – reflecting the humanity of everyone.

The consultation of multiple clinical support systems should be as straightforward as the consultation of any single system in every hospital that meets modern standards for interoperability (FHIR, or the NHS goal of being paperless by 2020). Therefore, when requesting an assessment from an AI clinical support system, it will be just as easy to ask three – unless a monopolistic supplier limits your care to that provided by their models.

Diversity has sound economic reasons too: a mandate for multiple opinions would ensure a healthy, competitive market in AIs for clinical support. Such a mandate wouldn’t raise costs, as it would triple the market size – and it would ensure a continual process of innovation. Over time, as AI improves, there would be minimal risks in moving to newer systems; during the testing phase, four opinions are as easy to consolidate as three.

Also, where patients consent to research, over time, the health outcomes of those patients can become a measure of the different approaches. In that way, if AIs’ outputs are measured on their clinical benefit, “best” can become a clinical outcome – not a marketing claim. Which also delivers on the Government’s commitment that patients should know how their records have been used, and what was learnt from those projects.

In short, a mandate for progress through safe innovation is deliverable today, in line with professional practice and medical ethics, if that is what we want.

 

A National Health Service

Markets around the NHS must themselves be sustainable, and the NHS is in a position – as a research and development institution, and as the data controller in multiple clinical environments – to manage rapid development and testing of AI in a way that a recent flagship project did unlawfully.

It is clear, however, that some institutions within the NHS feel they are required to give up their patients’ data to avoid “falling behind”. All they are demonstrating is their own lack of awareness.

Every AI company is dependent upon masses of data; some may try to ‘free ride’ off the NHS infrastructure, hoping to copy some of the patients’ data that flows through it for profit, without even paying the taxes that fund the NHS. Whatever the case, in every ‘deal’ that is made, the original data controller remains the data controller – and there is no result that cannot be replicated (more cheaply) by another hospital with a similar dataset later, building on shared experience and published results.

Simply believing ‘the smartest guys in the room’ is neither wise, nor the only choice. Novelty can indeed be part of the legitimate research and care process, but the sort of innovations we need cannot involve the secret testing of AIs on humans without their knowledge or consent.

Great risk to the NHS comes only from the perverse incentives of commercial monopoly, grounded in the belief that there should be just a few data silos. (Guess whose?)

Google DeepMind’s Health division might be entirely dependent upon a continued supply of NHS data, but the NHS is not dependent upon Google unless it chooses to be; other AI developers – and search engines – are available. The NHS is not in a position to ensure an effective market in search engines, but just as it already does for health information, it has the authority to do so for clinical assistance; assuming there is the political desire to have a functional and sustainable system.


This will form the basis of Part II of medConfidential’s submission the House of Lords Inquiry on AI.  We’d welcome your thoughts at sam@medconfidential.org / @smithsam

Newsletter: medConfidential Summer Roundup, 21 July 2017

Before everyone starts their summer, here are a few ‘tied-up loose ends’ that had previously been left dangling.

Your GP records: If your GP uses TPP or EMIS, you can today begin to see how your data has been accessed. Neither TPP nor EMIS yet cover their research databases, but they will have to shortly because of the findings of the Caldicott Review.

 

Caldicott Review: The Government has finally responded to Dame Fiona Caldicott’s 2016 Review. It has committed that you will be able to see how your records have been used, both for direct care and all other uses. This will be phased in “by 2020”, mostly (we hope) in 2018. If you have opted out, you will be written to about any changes before they happen. Our longer response is now up.

 

Google DeepMind broke the law by copying 1.6 million medical records, according to the Information Commissioner – and the company was rebuked by its own Reviewers. medConfidential’s complaint was found to be true; Google’s statements, not so much.

 

Your DNA: The Chief Medical Officer has opened a “national conversation” about the future of genomics. This starts with patients who have unknown cancers or rare diseases, who may see significant benefits from genomics. But it involves two questions, which boil down to: “Can we do this for your care?” and “If we don’t get an answer now, do you want us to keep your details in a research project which might give you an answer sooner? If not, we’ll run the test again in a year or two.”

There should be no difference to the person’s immediate care, and each patient is given a reasonable choice. If this can be done for cancer genomics, it can clearly be done elsewhere. We would have included a link on how to feed back your thoughts on the CMO’s Report and next steps, but there isn’t one.

 

Patient views on Research: The “Understanding Patient Data” project has run some workshops looking at privacy or research. The blatantly faulty premise of this work is exposed by the Information Commissioner, who has stated: “It’s not privacy or innovation – it’s privacy and innovation.” Had UPD included us in any of their planning, we’d have pointed that out.

 

The GP IT provider TPP: The trial of functionality to allow GPs using TPP’s systems to properly execute their responsibilities to patients should conclude shortly, and – assuming no major problems are found – be rolled out to every GP that uses TPP. With other changes eventually being correctly implemented, this should reassure all sides.

As part of this process, TPP’s notoriously litigious founder instructed lawyers to send us a “reputation management” (defamation) letter, which also said that TPP had no desire to respond to medConfidential.

 

Public Health England is still in denial about its data and consent troubles. Its officials consider themselves part of your cancer care team, despite very few patients having any idea who they are, or why this should be. Beyond the institutional desire to ignore and distrust the Caldicott Consent Choice, what will change?

PHE’s problems are far wider than just consent, but it is a good place to start. Yet another Review is due to be published soon. Will the disease registries move under the NHS umbrella, or will PHE continue to refuse reform – and if so, will you know how your data gets used? Transparency is not the same as respect for confidentiality, but it does make ignoring confidentiality only possible by being dishonest.

 

Funding: We are very grateful indeed to the Joseph Rowntree Reform Trust Ltd for awarding us a further year’s grant, covering 80% of our core funding, that will enable us to continue working towards consensual, safe, and transparent data flows in the NHS – and to defend human rights in the face of your data being copied without your knowledge or approval.

 

Brexit: As Brexit Britain draws closer, and having already introduced measures that try to make NHS staff hassle brown people for documentation, the NHS now faces a three-way stand-off – a ‘Brexit Triangle’: does the Department of Health now direct NHS staff to hassle everyone who looks or sounds ‘foreign, or to hassle absolutely everyone, or do we give in and issue everyone with ID cards?

We may not know the outcome – but we do know that, armed with facts, every patient can speak with the authority of their own lived experience of the NHS. Please do keep informing yourselves, and informing others. Maybe you could share this newsletter with them?

 

What’s next? We hope you enjoy your summer. We have quite a lot to do, getting ready for when Civil Servants and Parliament return in September. Our NHS friends are, of course, working all through the summer. We wish them, and you, well

medConfidential Response to the Government’s Caldicott 3 Response

The foundations on which you build anything are critical. The more complex and interdependent the system, the more vital it is to firmly establish its fundamental principles. As we saw with care.data, when eroded, the whole endeavour can collapse.

The Government’s commitment to transparency is therefore significant. The pressing question is, when it will be delivered – we’ve now been told when it should be delivered, but that’s not quite the same thing. This is important because it is transparency measures that provide the basis for informed consent, a theme we’ll return to at the conclusion.

Regarding each patient opt-out, to prevent data leaving GPs’ systems:

“…we will honour these until 2020 to allow the new national opt-out to be implemented, and for full engagement with primary care professionals and the public.”

Whatever happens in the interim, full engagement has to mean a formal public consultation in 2020, based on the facts as they are known to the public at that point. Anything less would be to break the confidence that the public are being asked to give.

 

The implications of consent

The National Data Guardian, the Department of Health, and NHS Digital have all committed to telling patients how their data is used – both for direct care, and for purposes beyond direct care. This is good. But this is a commitment that must be delivered, consistently and without compromise.

If various dark corners want to continue to grab data in secret, the public will be far less forgiving. care.data may have had a pass, because there was no way for individual patients to know how their data has been used. Under this commitment, they will be able to.

It is doubtful that patients will look kindly on being lied to, again – even if attempts to do so are masked by dodgy definitions of the fence line between one bit of DH and another.

As the NHS begins to understand the implications of confidentiality and consent, medConfidential will be here.

 

Will NHS England and PHE follow the consent model?

In a blatant example of self-important special pleading, page 35 of the Response quotes PHE telling DH and the NDG what they must do, at a point where PHE also refuse to be a part of the solution. (We note also a passive-aggressive defence of Windows XP on page 17.) PHE has repeatedly refused to honour opt outs, dissents, or any other form of objection. The Government has proposed no change to this – why not?

The Government’s Response indicates that, rather than resolve the problem of invoice reconciliation – which has been discussed repeatedly – NHS England has stubbornly dug in its heels, and refused to consider it a problem. So accountants are still to take copies of patients’ identifiable records to check companies aren’t ripping the NHS off – despite there being other, safer, better ways to protect the NHS against fraud. Yet again, NHS England is both part of the problem, and an impediment to the solution – its officials refusing to consider change because they don’t want the effort of having to change the way that CCGs operate.

In a stark illustration of attitudes that still prevail, the day after the Government’s Response was published, the Chief Information Officer of NHS England stood up at a conference and said, “Let’s get away from this distinction between primary and secondary uses of data – it’s just data, let’s start using it”. It appears not only did Mr Smart (like his predecessor) ‘skip medical school’ – he also seems to have skipped reading anything written by the National Data Guardian. Not entirely the lesson you’d hope was understood at the Royal Free…

If the online opt-out process from NHS Digital is discredited from the start by not taking account of PHE’s continued data grab of cancer patients’ records without their consent, medConfidential will run an online opt out process that does.

Of course, Dr Rashbass might continue to ignore those requests too – in the mistaken assumption that just because he thinks of every person who has ever had cancer as his patient, those patients have any idea of who he is or why he’s grabbing their medical history. Clearly, some have yet to learn the important lesson that believing you are a good person, doing a good thing – or even being a good person – is not the same as doing the right thing.

Hopefully the McNeil Review will resolve this outstanding issue, whenever it is published and commenced. However, given the lack of critical engagement, there is still a strong risk that choices may turn out to be a ‘cargo cult’ copy of consensual, safe, and transparent – rather than anything effective. A digital form of the worst of homeopathic quackery.

Whatever U-turns and failures lie ahead, medConfidential will be here.

 

Assuming everybody manages to get this right…

In September 2014 we had a meeting with NHS England, in which the question was asked: “What happens after the care.data problems are resolved?” This was the result (which also looked at backdoor data changes) – at a point where there had already been a commitment that care.data would only be available within a safe setting. Will that commitment be honoured for any and every future dataset?

The principles of that post are sound, and still apply. We don’t yet know what promises will be made about the Data Lake today, only to be broken tomorrow. But what was clear from the Expert Reference Group process was that the data collected will include everything over time – sexual health records, mental health records, abuse records, genomics.

A safe setting means legitimate projects can access the data they need by minimising side effects.

If we were writing on “backdoor changes” today, we’d add PHE and the cancer registry – plus Genomics England, and similarly for other sources of data – but the principles we outline for change remain sound.

Caldicott 3 has delivered something for everyone: whether you wish your data to be used or not, you will be able to see how your wishes have been honoured – and, as the Secretary of State has said: if you don’t want your medical records to be used, they won’t be. All this is capable of being delivered with the Caldicott Consent Choice, implemented properly.

If and when this is delivered, or those patients who are content for their data to be used, the question is what the commitment to transparency will cover. At present, the Hospital Episode Statistics are sent to ~400 different places around the country each month, and NHS Digital hopes none of them has a cyber security accident. It’s only a matter of time.

A safe setting moves data use from “should usually follow” the rules, to “demonstrably always followed” the rules.

The proposed ‘Data Lake’ repeats NHS England’s near-sociopathic disregard of the central fact that in health and care you are  dealing with human beings; people who are usually sick, and often worried. Data is not “the new oil”, nor is it water – and there’s no such thing as a ‘Lake’ of it; there is the collected care episode history of every patient in every UK hospital, for approaching 30 years.

If the current HES are replaced with a more detailed, and even more sensitive, ‘Care Episode Histories’ dataset, that dataset should only ever be available in a safe setting, and all projects – whether for direct care or secondary uses – must be logged for the patient to see. With greater detail, comes some security. It is self-evident that NHS Digital cannot know how data is used once it has left its control, and yet it distributes hundreds of copies of huge numbers of individual-level medical histories that are identifiable (pretending the birth dates of your children are a secret from everyone you know – and others besides…).

Patients will look at accountability trails especially when contentious decisions are made.

 

If Will Smart’s expensive consultants wish to consider themselves as providing Direct Care, then they must appear in the (non-local) direct care – i.e. SCR – access logs made available to patients. The principle of “Hello… my name is…” must apply to all direct care – for, just as a doctor should take the time to explain themselves, real transparency means that NHS England’s micromanagers will be expected to do so as well. When they operate on perverse incentives in a crisis, patients will have the information as to how interventions were handled – which will rarely make a crisis less contentious. It’s not hard to see this won’t end well.

Secondary users, by definition, cannot be expected to introduce themselves to patients – so this applies as much to PHE as it does to NHS England. We assume this separation is why NHS Digital will have two lists of data accesses; the split may  appear odd at first glance, but it is likely better for patients.

If Mr Smart still wants to play about with big databases, with scant regard for human suffering or people’s privacy and dignity, then the Home Office is hiring. But he chose to work in the NHS, which has fundamental values.

Those fundamental values include both confidentiality, and using the data of consenting patients to help other people. Replacing the sale dissemination of data with a better dataset in a safe setting has always been part of the solution the NHS needs. It was deficits in thinking and leadership that led to care.data – and it seems the administrators of NHS England may yet have to learn that in return for changing what they take from us, they may have to change what they themselves do.

Accountability removes possible unwelcome contingencies – which in turn will allow more complex research, in an environment of reduced risk and concern.

A consolidated collection of care episode histories, that are treated as such, could be the basis for a stable data infrastructure in the NHS. A Data Lake cannot.

Whatever promises may be made in order to get hold of the data, it is transparency and accountability to properly-engaged and interested patients that will keep the system honest in the long term. And there will always be competing pressures.

Local councils, for example, will keep funding reports that say local councils should have access to any and all medical records they wish. So we repeat: the Government’s commitment to transparency is significant, for it is transparency that provides accountability in even untrusted systems.

As NHS England moves towards a new, transparent data collection – whatever the plan, and whether it chooses to share it or not – medConfidential will be here.

You shouldn’t pay that – a better approach to invoice reconciliation

Yet again, the Government’s response to Caldicott 3 has decided to ignore the problem of accountants getting masses of identifiable patient information in order to pay some invoices.

A CCG receiving an invoice needs to answer four questions:

  1. Is this a patient we pay for?
  2. Was this care provided to this patient?
  3. Have we already paid for that care?
  4. Has someone else already paid for that care?

The current system ignores question number 4.

As a result of question 2, CCGs expect to get copies of all records on all patients – taking on the burden of keeping them safe – just so as to be able to check anything that they may wish to. The inherent dangers in this are clear, and to do it requires a perpetual ‘temporary’ exception that is only lawful if “necessary or expedient”, and it is unclear whether GDPR will end this in 2018.

All 4 questions, for any particular invoice, are quite straightforward to answer. Given an invoice, the category, and some form of patient identifier, does the data show that there are (some form of) medical records for that treatment, and are those records marked as having been paid by a previous invoice?

Each of the 4 questions needs only a yes or no answer – an answer that won’t reveal any of the contents of the medical records to the accountant doing the check.

The CCG’s accounting needs only the data that is on the invoice (question 2). And even that can be minimised, over time, using the pseudonym system that the Government’s response to Caldicott 3 requires NHS Digital to create for internal use.

While ‘the system’ knows who the patients are, accountants handling bills don’t have to. For corner cases – where there is a question or query – NHS England can adjudicate, based on a “necessary” rather than “expedient” existing process. This also means that any systemic failures or fraud perpetrated against a number of CCGs would be immediately visible, and could then be investigated at a national level. Against one CCG might be a mistake; against many looks criminal.

Even HMRC understands that giving its staff access to the (tax) records of their neighbours will end badly in the public view. Yet NHS England believes the current invoice reconciliation system should continue.

In its reading of Caldicott 3, NHS England would rather remain part of the problem than become part of the solution. Its officials’ flawed obsession with a Data Lake means they cannot politically support anything that doesn’t involve more copying of data.

Whether that approach meets the lawful test of expediency, and GDPR, remains to be seen.

NHS England wants to hear from you — MedConfidential Update – 21 September 2016

 

NHS England wants to hear from you…

The Department of Health’s consultation on the future of secrecy of your medical record closed 2 weeks ago. Thank you for your help and comments on why the privacy of your medical records matter to you.

After that, NHS England has announced public meetings to hear your views on what should happen next.

There are “discussion events” in London, Southampton, and Leeds. If you’re nearby, you might want to go along. They start on Monday afternoon in London.

The Government will respond in around 6 weeks

The Department of Health has said that they will respond to the Caldicott Consultation in about 6 weeks.

Will you be able to see that your wishes have been honoured? Or will there be more secrets?

Meanwhile in the rest of Government…

Meanwhile, the Cabinet Office is passing a new law to share any other data with whoever it wants. The scrutiny of the MPs will be rushed through in 6 days of sessions. The bill has no provisions requiring transparency of data flows – again it can be all secret.

The justifications are few. One is the case of an alcoholic who was given social housing above an off licence. A problem for that person to be sure; but there will be far more problems caused by routinely sharing information with landlords before tenants move in. With the privatisation of most council housing (certainly outside London), the flaws of this should be obvious.

You should decide who can see data about you, rather than decisions being imposed by a guy called Paul sitting in Whitehall.

We’ll have more next time…

“NHS England is closing the much criticised care.data programme”.

According to the Health Service Journal, “NHS England is closing the much criticised care.data programme”.

(Update: A written ministerial statement has now appeared on Parliament’s site)

Responding to the news, Phil Booth, Coordinator of medConfidential said:

Responding to the news, Phil Booth, Coordinator of medConfidential said:

“One toxic brand may have ended, but Government policy continues to be the widest sharing of every patient’s most private data.

“Launched this morning, the Government’s consultation on consent asks the public to comment on how Government should go about ignoring the opt outs that patients requested.

“The programme did exist, and whatever data the Government may wish to continue to sell to their commercial friends, patients dissented from data about them being shared. Their wishes must be honoured.

Notes to editors

q15 of the Consultation on New data security standards for health and social care puts the onus on consultation respondents to work out how Government could implement the policy they wish to follow, irrespective of the consultation: