Author Archives: sam

Data Usage Reports: Data derivation receipts from data processors

[this post will be amended slightly following the release of the Caldicott Review]

Some data processors wish to start getting ready for the introduction of Data Usage Reports. Data controllers will be the subject of a future post. For reporting of new knowledge created, existing reporting processes should be used.

For data processors that make data copying decisions based on instructions, the relevant component is simply the creation of an electronic receipt confirming the instructions, and the individuals whose data was copied.

It should be entirely derivable from audit materials, and require no ongoing extra work where there are audit systems. Below, we show the output manually, via a spreadsheet (Excel) and, for the technical implementers, in structured form.

The details

There are two parts of the receipt:

  1. The details of the data flow: the what, where, when, why. (These probably don’t change often, so regular updates may omit them.)
    Organisation: “recipient organisation”
    Date: 2016-04-01
    Project title: “one line name” (optional)
    Description: “3 sentences about what/why” (optional)
    URL: a web link for more information (optional)
    Legal basis for flow: (optional)
    Postcode: (if relevant, for consented direct care access) (optional)
  2. The individual level identifiers for those individuals (the who). These are the identifiers that the processor was provided with (which in all likelihood should have been changed before the data was passed on).

    Identifiers as received by this processor

Phrased like that, you can see it’s not particularly complicated.
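As an added example (not medConfidential’s own code or its structured form), here is one way a processor could derive such receipts from an existing audit log. The CSV column names, the output key names and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log; the column names are assumptions.
AUDIT_CSV = """timestamp,action,recipient,identifier_received
2016-04-01T09:15:02,copy,Example Research Unit,PSEUDO-0001
2016-04-01T09:15:03,copy,Example Research Unit,PSEUDO-0002
2016-04-01T09:15:03,copy,Example Research Unit,PSEUDO-0001
2016-04-01T10:00:00,view,Example Research Unit,PSEUDO-0003
2016-04-02T11:30:00,copy,Example Research Unit,PSEUDO-0004
"""

# Part 1 of the receipt (the what/where/when/why), held once per recipient.
# Only organisation and date are required; blank optional fields are dropped.
FLOW_DETAILS = {
    "Example Research Unit": {
        "project_title": "one line name",
        "description": "",
        "url": "https://example.org/project",
        "legal_basis": "",
        "postcode": "",
    }
}


def build_receipts(audit_csv, flow_details, include_details=True):
    """Return one receipt per (organisation, date) from 'copy' audit rows.

    include_details=False models a regular update that omits the
    rarely-changing flow details and sends only the identifiers.
    """
    grouped = defaultdict(list)
    for row in csv.DictReader(io.StringIO(audit_csv)):
        if row["action"] != "copy":
            continue  # only copying events belong on a receipt
        # Validate the timestamp and keep just the date part.
        day = datetime.fromisoformat(row["timestamp"]).date().isoformat()
        ident = row["identifier_received"]  # exactly as received, unmodified
        key = (row["recipient"], day)
        if ident not in grouped[key]:  # de-duplicate, keep first-seen order
            grouped[key].append(ident)

    receipts = []
    for (org, day), idents in sorted(grouped.items()):
        receipt = {"organisation": org, "date": day}
        if include_details:
            optional = flow_details.get(org, {})
            receipt.update({k: v for k, v in optional.items() if v})
        receipt["identifiers"] = idents
        receipts.append(receipt)
    return receipts


if __name__ == "__main__":
    print(json.dumps(build_receipts(AUDIT_CSV, FLOW_DETAILS), indent=2))
```
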

Production of a data usage report is simply the information from receipts, with the existing information on release decisions and publications, transformed for the citizen.

If you’re interested, we’re happy to also talk to you about how to use data usage reporting.

Data use in the rest of Government: Where is the consultation on any ethics?

Where is the consultation on any ethics?

As was in the NHS bureaucracy, this consultation is about doing more of what Government has been doing already: Not better sharing, just more copying.

If this wasn’t about databases, the same consultation could be had about buying more filing cabinets, ink, and scribes.

Data in the rest of Government: Put data to good use?

{this is a background reference blog post, ahead of more on the Cabinet Office’s data copying consultation. The call to action will be in the next newsletter.}

“Let’s make data easy to put to good use” says the Cabinet Office. But good for whom? Good for the civil service? Good for each citizen? Who makes sure the balance is right? was claimed as a “good use” of data. The details showed it to be something radically different. The Cabinet Office consultation launched last week is about bureaucracy as usual. The mantra is reform, but the reform is to bring all the benefits to Government, and the downsides for citizens.

Digital transformation, this is not.


[Press Release] MedConfidential comments on today’s #IPBill Report

EMBARGOED – SAME AS JOINT COMMITTEE REPORT: 09:30 on 11 Feb 2016. Copies will appear at after that time


MedConfidential Comments on Medical Records and the Report of the Joint Committee on the Draft Investigatory Powers Bill.

The more scrutiny the Bill receives, the less it stands up.

Individuals and information snared within Bulk Personal Datasets[1] “…may include, but is not limited to, personal information such as an individual’s religion, racial or ethnic origin, political views, medical condition, ***, sexual orientation, or any legally privileged, journalistic or otherwise confidential information”[2]

Recommendation YY.e of the 2015 ISC report[2] said the bill should contain “Specific safeguards for certain individuals or categories of information – for example, UK nationals, legally privileged information, medical information etc”

It didn’t.

When asked whether medical records should be disavowed, the Home Office responded[3]:

“this may provide those that wish to do us harm greater insight as to the limits of the agencies’ capabilities”.

Without a publicly made case, the Joint Committee report states “the lack of that detail makes it hard for Parliament to give the power sufficient scrutiny.”[4]

In contrast, the Intelligence and Security Committee of Parliament, which may read any classified information they require to provide sufficient scrutiny, recommended:[5]

“B. Where additional protection is provided for sensitive professions, these safeguards must be applied consistently, no matter which investigatory power is used to obtain the information. The new legislation should be amended to rectify this inconsistency.

“F… The Committee considers that the acquisition, retention and examination of any Bulk Personal Dataset is sufficiently intrusive that it should require a specific warrant. We therefore recommend that Class Bulk Personal Dataset warrants are removed from the new legislation.”

To meet their recommendations from 2015, the ISC’s first recommendation from 2016 of a “single additional Part that addresses privacy safeguards and clearly sets out universal privacy protections which apply across the full range of investigatory powers” must also protect medical records. A discussion the Home Office has refused to have, and the Department of Health have so far ignored[6].


Phil Booth, coordinator of medConfidential said:

“The Home Office’s bluff has been called by Parliament. The Intelligence and Security Committee of Parliament said in 2015 that there should be security safeguards for medical records, yet Theresa May just ignored them, and let the agencies make up their own rules.

“The ISC has said that if Theresa May wants to grab the entire nation’s medical history, she has to have specific grounds.

“It’s not enough to simply fear those who may wish harm, it is necessary to defend the values of our country. It seems Parliament has had to explain this to the Agencies and the Home Office yet again.

“Theresa May wants secret copies of everything because she’s afraid; Parliament wants privacy and transparency because we are a democracy. Privacy and security don’t have to be opposites, but we’ll see how David Cameron’s Government responds when it comes to the most private of NHS data.”


  1. Bulk personal datasets are the Government’s term for large databases of personal information, such as medical records.
  1. Intelligence and Security Committee of Parliament Report ‘Privacy and Security: A modern and transparent legal framework‘. March 2015 para 163(ii), p58.
  1. paragraph 403, Report of the Joint Committee on the Draft Investigatory Powers Bill
  1. Intelligence and Security Committee of Parliament Report on draft Investigatory Powers Bill.
  1. “The Department [of Health] was asked to comment on the Draft Investigatory Powers Bill presented to Parliament in November 2015 and, at that time, did not consider that this would create any new powers that would require or permit the disclosure of confidential personal information by health and care bodies (on the basis that this is consolidating security agencies’ existing powers).”

medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

For further information or for immediate or future interview, please contact Sam Smith or Phil Booth, coordinators of medConfidential –

Forthcoming “Digital” Legislation in 2016

Will this week’s flawed data grab by DWP be the portent of things to come? (We’ll post something on this in our next newsletter; but if you’re deeply concerned, your consent choice will be honoured). 

The forthcoming digital economy legislation is intended to define how George Osborne and this Government wish to heed Martha Lane Fox’s call to “make Britain brilliant at the Internet”, for everyone. But, those with a wish to be brilliant at using the Internet against people are also rubbing their hands with glee. How this affects medical records, and more, is currently unknown until the consultation.

The NHS apps store, with its panoply of catastrophes was shut down, but silently in a way that they hoped no one would notice. Including any victims. Children’s school records continue to be linked and sold, including to newspapers. Will the sale of pupil records continue in secret? Our concerns about Public Health England grow every time they open their mouths. I haven’t seen data governance this conceited since Tim Kelsey assured the listeners of Radio 4 that there had been no data breaches, and then collapsed with data breaches up to your ears. HSCIC argues it has reformed; PHE still believes that it didn’t need to.

On a positive note, the legislation will be a convenient way to implement any legislative changes required from Dame Fiona Caldicott’s forthcoming consent review, after they have been consulted on. We hope that the Department of Health and all its constituent bodies will accept the principle that in order for people to trust how their medical records are being used, it is necessary for each patient to know every way that their individual level records have been used. Like a bank statement, it’s there for whenever you wish to look, and if things are unaccounted for, you have the information to ask questions.

But the legislation will be much wider than just medical data governance.

While medical records are my day job’s primary concern, there are many other records held by Government and business that are traded in ways as shady, or more so, than what was shown with 2 years ago. What will the legislation do there?

The failed leadership at the Government’s “digital catapult” wants you to be subject to “the UK’s data sharing movement”; will that be following pharmacy2u’s lead in preying on the public in their dark shadows? Is this really how BIS wishes grantees to spend its budget?

The other approach is transparency to citizens of how individual level data about them is used and stored. When a citizen has the option of knowing how data about them has been used, the temptation for secret dodgy deals is far reduced. Of course, there’s less money in that for people whose usual approach is to scam the elderly out of their life savings.

Concerns are not just health, and it’s not just Government.

Which way the Government intends to go will be defined by the legislation. Does this Government want to be secretive and invasive, or will it commit to requiring transparency and consent? Will it do things to citizens and patients, or will it work for citizens and patients?

Where Health or Government lead, enlightened charities and businesses can choose to follow and will gain a competitive advantage from doing so. Organisations that wish to act ethically currently have no business or operational incentive to do so; those who consider their customers as potential victims have no incentive not to. (If you’re interested in our demonstrator of this for your business or organisation, please get in touch).

Trust in data increases when transparency to individuals of their own data includes those dark corners – Data usage reporting is good for everyone.

Towards protecting data in secondary uses

Last summer, the Department of Health consulted on a programme called “Accredited Safe Havens” (ASH), an idea by which individual level medical records could be transferred somewhere (an ASH) for certain reasons.

While research needs clear individual level data for some applications (because while researchers research a topic, they don’t know the precise question – if they did, it wouldn’t be research), for the two other main uses, risk stratification, and invoice reconciliation, there are alternate approaches available which don’t need to transfer millions of individual level records.

In our response to the DH consultation, we summarised those approaches rather briefly, with various grey areas.

Updated 2018: The various discussion documents are now available directly:

  1. An introduction to the approach
  2. Risk Stratification
  3. Invoice Reconciliation (2018)
  4. Invoice Reconciliation (2015)
  5. Invoice Reconciliation for A&E (September 2015)

If DH/NHS England were to put any resources into this, there may be no individual level records that need to be transferred under provisional, interim governance, blanket authorisations that have been renewed “temporarily” since 2013.

We’re also giving evidence to the Health Select Committee tomorrow, and put one new idea into our submission as an annex: “CLASSIFIED when completed”: Which needs better protection – official memos, police witness statements, or all our medical records?

A brief Early August update – things not to read on the beach

Question: Did NHS England contact CCGs inviting them to become pathfinders?

It seems all of the NHS England press office are relaxing under a tree, as they won’t answer that question. In two other articles also published yesterday, Pulse reports the ICO’s view that responsibilities are “good customer service” and that doctors are getting closer to opting their patients out.

A quote from a GP in that last article says, “opt outs in her surgery currently stood at 20%”, which is a significant amount of the population in that area, when at best only 50% will likely have heard of it. Tim Kelsey may argue “there is no percentage at which this becomes useful or not”, yet the statisticians may begin to have views as more figures are revealed. We’ve previously posted some thoughts on how NHS England can choose to empower GPs and also allow consensual research. Maybe NHS England can read that on their holidays, while figuring out how to be very clear and transparent with everyone on what they’re doing. Secrecy and confusion benefit no one.

The current level of confusion is highlighted by one GP who says patients initially think it a “good idea if the emergency doctors knew about their medical conditions.” That of course, is unrelated to of, which has no direct care applications at all, but a feature of an entirely different scheme, with a different set of problems and consent questions, the Summary Care Record (as it was known before being rebranded due to it being “toxic”). We can see why even GPs get confused though.

As NHS England recommunicates with GPs, hopefully they won’t continue to cross-sell the benefits of other programmes as benefits of NHS England have no excuse for confusion remaining, as they near the end of the 6 month pause that was supposedly to solve all the problems.


As everyone’s on holiday, there are a number of open consultations at the moment that may be of interest:

  1. Department of Health on Accredited Safe Havens. We’ve posted our outline replacement proposal here before, and will post a fuller submission when it’s completed. Deadline, this Friday
  2. HSCIC Confidentiality Code of Practice. The long awaited HSCIC Confidentiality Code of Practice is out for consultation. Deadline: Next week
  3. And a new one, which isn’t so much of a formal consultation as asking a bunch of people who have shown some interest, is on the new HSCIC contracts and agreements for data sharing, including rules for sub-licensing. We’ll have quite a lot of questions about these. If you yourself have any comments on either the drafts or documents, the HSCIC would like to receive your comments by August 29th, marked FAO Simon Gray via <>.

Job hunting?

The Department of Health is recruiting 3 lay members, at a day a month, for the “National Information Board”, which was set up in January to try and fix the trainwreck that DH saw coming. This is an important panel with oversight of both DH and NHS England’s overlapping remits and strategies.

[this para added later]: The academically funded “Administrative Data Research network” is looking for a member of the public willing to give over a day a month, for free, reviewing their applications. The commitment includes relevant reading time, plus a video conference a month, with 4 in person meetings a year. Details now appear here (their website was broken, so here’s the word document they mailed to their existing lists).

NHS England is also trying to hire someone to be Senior Responsible Owner for, having failed to find an internal candidate — we can’t imagine why. If you’re interested, we put together a list of questions that you may wish to ask at interview. Apparently the risk that they may have to answer them in a binding way has caused some furrowed brows, as an interview board misleading candidates is considered bad form.

I can’t imagine why.

NHS England hiring someone Responsible for

NHS England are hiring for a new Senior Responsible Owner for Care.Data, having internally failed to find someone willing to be responsible for fixing the mess.

The Senior Responsible Owner is the individual who must sign off on major decisions, and is responsible for project delivery. Heretofore, Tim Kelsey has been in the role, and we can see why he would like to pass responsibility onto others. Whether he’ll remain pulling the strings behind the scenes, is a different matter. It wouldn’t be the first time that Tim has looked for a human shield for his programme, having tried to persuade Geraint Lewis and more junior staff as a press buffer.

Hopefully a new external owner will accept the state of the mess they inherit, and as that new entrant, they may wish to ask some questions at interview:

  1. If individually addressed letters to each patient are sent, will this be financially and politically supported by NHS England?
  2. Are forward looking statements re free text true? How will the public position change over the course of my responsibility?
  3. Are forward looking statements re DNA true? How will the public position change over the course of my responsibility?
  4. What will happen to CPRD, and other research supporting datasets?
  5. What is the state of the implementation of the more sensitive parts of the IGAR review?
  6. What was the process that led to the BMA rejecting these proposals so emphatically? What concessions have NHS England offered to meet those concerns? Why do NHS England believe they failed?
  7. has had many benefits claimed for research, ie beyond the commissioning for which it is currently permitted. What is the current roadmap for consent for those? If they are so vital, why were they dropped in the first instance?

We would hope that any successful applicant understands why people would choose to opt out, and would not demonise them for that choice, nor consider them a “consent fetishist”. We do not believe that the personal choice of any candidate to opt-in or opt-out is relevant to their suitability for the role, but they must be able to demonstrate a human understanding of the range of reasons that an individual may make a different choice to theirs. We hope the interview panel will ensure this is the case.

We look forward to working with the successful applicant for the role when they take office. If you’re interested in applying, details are here, and feel free to ask the above questions. If you get the job, we’ll be asking you for the answers.

HRRDLs for commissioning: a discussion towards Safe, Consensual and Transparent use of data in commissioning

Yesterday, medConfidential and others attended the HSCIC’s “Driving Positive Change” event, to briefly look back at the Partridge Review, and forward to future work of the HSCIC. The two major topics were communications of various types, and the proposed HSCIC “safe setting” where bona fide research could be conducted on data (currently subject to opt-out). Both of these things are welcome areas, and we seek to be closely involved in what happens next with the first public steps in the next week or so.

The Department for Health is running a consultation on “Accredited Safe Havens” for commissioning purposes, or, as they call it slightly less clearly, “Protecting personal health and care data”. The consultation gives NHS England companionship in terms of public engagement quality, and has led to a great number of puzzled looks by area experts. I’m currently attending a variety of meetings with a variety of organisations, and not only is no one really sure what the answers could be, few people agree on what the questions are intending to ask. This seems less than ideal.

Yet, as we are now in week 5 of a 7 week consultation, and no one really has a solid articulation of what the Department of Health are trying to do, I’ve put together this draft of a substantive paper on a way forward: “HRRDL’s for commissioning”. It’s based on previous work which has been adopted by HSCIC but after DH began their consultation drafting, which was as was imploding around NHS England. If you think that the consultation as drafted takes no account of HSCIC’s progress since February, that’s because it mostly doesn’t. Comments by email are very welcome.

What is a safe setting? A safe setting is a physical venue where (usually remote) data can be accessed under tightly controlled and audited conditions. Restrictions are placed on who and what enters the room, what they do when in there, and what they can take out. This allows for research to be conducted on individual level records which have minimal protections (which, for health data, has other problems). They were previously discussed for legitimate research, along existing models. This paper takes the proposal further. We fully expect, and have no reason to disbelieve, that the optout codes for care data (and beyond) would be fully honoured. We intend that this proposal is fully compatible with the consent mechanisms that are in place, and that should be in place, and does not deny screening to those who have opted out of secondary uses. A safe setting can also restrict which individuals can see which data, which has implications for a granular approach to parity-of-esteem questions.

I don’t think that this is currently a final proposal so can evolve, (it’s dated so you can tell, and we’ll put a note here: when we do), and some may need more explanation, but if you’re interested in how we think commissioning data for invoice reconciliation and risk stratification (neither of which are direct care, so all come under the opt out process) could work in a way that is safe, consensual and transparent, I’d like to hear your comments below or to

Please note that making comments to us is not the same as responding to DH itself, which you can do online