Category Archives: Bulletin

medConfidential Bulletin – 23rd July 2021

If you asked NHS Digital for opt-out forms and the forms didn’t show up, or took ages to arrive, people tell us that happened a lot. You can get forms from us here.

We’d like to be able to tell you that you will have more information on the ‘GPDPR’ data scheme in the future than you have today – but, as you’ll see below, that’s not a promise the Government was willing to make

What just happened

The GP data grab has now been paused for longer than patients were originally given to opt out. This week it has been delayed for a lot longer, almost certainly into 2022. You can read our situation report from 13th July which predicted what would happen, and what is still left to happen. But whenever the scheme restarts, there’s still no promise from Government that you’ll hear anything about it directly.

When medConfidential gave evidence in Parliament on Tuesday, the Government could have committed that you would hear something from the NHS. Instead, the Minister ducked the one remaining big question, leaving the suggestion hanging that the only way you’d hear about it is from medConfidential.

They have tried that approach twice so far – first in 2014, and now in 2021 – and it has failed both times. Not to write to everyone a third time would be a textbook example of doing the same thing over and over again, somehow expecting a different result.

In his last act before becoming mired in scandal, Matt Hancock announced that GP data would only be used in a Trusted Research Environment – we hope this is true. (Similar was said in 2014, but never delivered.) This time, however, all of the examples given were agreed to be dangerous, and all of the examples were from hospital data

The Health and Care Bill that’s now working its way through Parliament does nothing to address this. So, through the rest of the year, there’ll be discussions about the Health and Care Bill, and probably some (late? sneaky?) amendments that affect patients’ data…

What’s next

There will no doubt be a series of sessions in ‘smoke-filled back rooms’, where there’ll be any amount of intense lobbying to water down promises to patients – which is the most likely reason the Government won’t commit now to telling you what it will do, in a letter, when it’s been done.

There is good reason to be sceptical that the promise for Trusted Research Environments (TRE) will be delivered. The “national institute for health data science” refuses to tell us how much money it has spent on its TRE attempts – largely because the only thing it has to show for those attempts appears to be the prize it awarded to its contractors. That team delivered nothing useful for researchers, but got a prize. We have no idea how many millions were wasted, but we will find out.

Many will have heard about the opioid epidemic in the US, where a Pharma company encouraged its sales teams to pay as many doctors as they could to prescribe as many painkillers as they could, disregarding any harms to patients or the public. The details of that scandal are now in a book, and the legal case was settled earlier this month – one of the outcomes being that billions of documents will be made available for public research


One question we may therefore be able to research definitively is the effect of ‘pharmaceutical marketing’ in the US, and possibly beyond – noting that NHS Digital not only makes patients’ data available to third parties (and fourth parties too, via intermediaries) for just such purposes, but also some prescribing data, which the NHS isn’t allowed to let others analyse…

It will be interesting to see how issues like this, which have been brushed under the carpet for years, play out in coming months.

What can you do?

Keep spreading the word! The Minister wrote to GPs but, once again, no-one thought how to inform patients of what’s going on. And GP data extraction is still going to happen, albeit not in quite such a rush.

Promises have been made, but are yet to be delivered – much less be seen to be delivered – so, if people do have concerns, their best option at this point is still to opt out. If and when their concerns are addressed, they can always opt back in.

Other than that, we hope you are able to get both jabs, to enjoy the summer, and that you don’t catch and won’t spread COVID. That the politicians seem to be doing their level best to screw things up doesn’t mean we can’t all get through this, together.

medConfidential Bulletin, 11th June 2021

Hello to all of our new newsletter readers – a lot of people have joined in the last week.

medConfidential only sends out a newsletter when there is something worth saying. There might be a few more of them over the next few months…

What just happened?

On 12 May, NHS Digital quietly announced there would be a new GP data collection, known as ‘GP Data for Planning and Research’, ‘GPDPR’ – or the #GPdataGrab, for clarity. 

NHS Digital and the Secretary of State, who on 6th April had Directed NHS Digital to run the scheme, hoped no-one would notice.

Matt Green did a very good, and funny, explainer of what it was they were planning, which you can also watch (or share) on YouTube:

https://www.youtube.com/watch?v=QqZXH0CJYcM (the deadline date has since changed)

Because it was rushed out, all sorts of issues were missed. Just one being that if you are pregnant, there’s no guidance on what to do for the GP data of babies born shortly after the deadline; there is no digital process for unborn children…

And then, less than a month later – after a media firestorm, a bunch of contradictions and corrections, and huge public outcry – the programme got paused.

Here’s just a sample of some of the media coverage:

Just yesterday, NHS Digital confirmed that its Data Protection Impact Assessment (DPIA) for GPDPR is still not in a publishable state, suggesting that fundamental contradictions within the programme have not been resolved. The DPIA being the one document where everyone has to write down what it is that the programme actually does, why, and the consequences – i.e the ‘impacts’. So, of course, any contradictions become obvious.

The GP data grab programme was clearly not ready, and is still not ready – and looks like it cannot be ready by the 1st September. (At least…)

What’s the new deadline?

Originally, the GPDPR scheme had no official opt-out forms. medConfidential said we would publicise ours (including our logo) and so they created one. As a result, the Government and the GP Profession agreed that it could take up to a week for a GP practice to process their patients’ opt-out forms – they are rather busy at present! – and the 23rd June deadline date was written into a document, one week before the 1st July start (i.e. data upload) date. 

That ‘time lag’ applies equally to any new start date, which is now (no earlier than) 1st September. The September date was entirely up to the Government, and did not need to be agreed with anyone. So Ministers could announce the new start date.

But any deadline has to be agreed with the GPs.

And it is notable that the Government, hiding behind NHS Digital, “wasn’t able to specify” officially what the new deadline is. Ministers and civil servants have calendars like you and us, so they could work it out – but the Government can only announce those actions the GPs have agreed to.

That, at the time of writing, NHS Digital appears to be prohibited from saying exactly when the new deadline is suggests that far more substantive changes to the GP data programme are coming than the Government is currently willing to say.

Having said that, the deadline for opting out to your GP practice relates to the processing time it takes your GP – something that is not within the power of the Government to arbitrarily shorten. (Though it could be made longer, by extending the 1st September arbitrary date; an “artificial deadline” for protecting your GP data.) 

Of course, the correct sequence of actions and deadlines is that no GP agrees to any upload of their patients’ data until each patient has been notified; that patients have been given the opportunity to make a choice, and the information and forms they need, and that those choices have been processed. 

This may be why NHS Digital cannot say what the opt-out deadline is, because it has more work to do on its communications and the opt-out process – especially for dependant children – a process which will likely take months, not days.

Since the Department of Health (DHSC) can’t even announce a deadline that is based simply on being able to read a calendar, medConfidential currently has little expectation that the GPDPR programme will start in 2021. In all likelihood, and as with the previous attempt in 2014, this new GP data scheme will likely drag on until it gets fully reset by the next Secretary of State for Health. 

Of course, we can’t afford to be complacent; we do have a Secretary of State in office who believes in data over everything else. (Apart from start dates, apparently…)

What should be next?

The letter from research funders, “Patient data must be safeguarded”, should still have applied this week – but it seems some on the Euston Road have slid backwards in their approach.

One narrow idea from some within the research community is to try to win a “research boffins vs privacy people” argument. That framing is eternally unstable; whoever is winning that argument this month doesn’t matter, because someone else will be winning it next month. 

Any stable and sustainable patient data programme must take a “research boffins and privacy people” approach – with everyone in the same room, working towards a goal that everyone can stand behind. 


We see no sign of that happening.

The best way for uses of data to be sustainable and trustworthy is for patients and the public to be informed about what data is used and how, what your choices are, and to have safeguards and governance that is both effective (with no loopholes) and seen to be effective – so individual patients and the public at large can have confidence in how the NHS uses data about them.

What can you do?

Spread the word, and please share this link to our ‘How to opt out’ page:

This battle is far from over.

There is still a lot of confusion – even medConfidential is being accused of ‘misinformation’! – though we do our best to always present a clear and accurate picture, and link to the evidence, about an unnecessarily overcomplicated process that is being hustled through by the Government while we are still in a pandemic.

Please do not panic, keep yourself informed. We will send further updates when we know something has changed. And be aware that this is going to run into ‘silly season’ in August, in a year when everyone really deserves a break – or, at the very least, a staycation.

Thank you to all those who have given us support. We really appreciate it, especially right now.

And you can be confident that we will be here when they try again! 

Late October update

At the start of October, the Department of Health took away your ability to opt out via your GP from having information about you, collected by the rest of the NHS, being used for purposes beyond your direct care. (The option to prevent information from your GP record leaving your GP practice remains. For now.) The new process is so ‘hip and digital’ that you also have to use the Royal Mail if you wish to make a consent choice for your children, as well as visiting your GP practice to make a choice for your GP data that the online process tells you nothing about.

Is this Matt Hancock’s view of a digital NHS?

We are testing a new trifold to guide families through expressing their full opt out choices –which is now a three step process: online, post box, and at the GP. This may be simpler for NHS Digital, but it’s a lot harder for you – a choice with which Matt Hancock seems to be entirely happy.

NHS Digital was apparently very proud that more people opted in via the digital service than opted out in its first 2 months – though sending out 1.6 million letters could be said to have stacked the scales somewhat – but that represents at most a few hundred people a month, whereas 5,000-10,000 people a month were still opting out via their GP until the Secretary of State took that choice away from you.

We have previously given a commitment that there will be a functional digital opt-out process for patients, and that if NHS Digital wasn’t going to deliver one, then medConfidential would have to (though this will likely be very analogue on their side…).

Data rights and proper information can together empower every patient and citizen to have more confidence in those who use their data. NHS Digital seems to want to make it more complicated. Though official information is published in various forms, in various places, the only way a patient can currently read how their wishes were respected is to visit TheySoldItAnyway.com

If you didn’t receive a letter from NHS Digital about the new ‘National Data Opt-out’, and since you’re reading this on our website, you should check the online process to see if your choice disappeared somewhere in the machine (and, if so, to set it to what you want). You’ll then need to set it for your children too by post – and at your GP, for your GP data, to ensure that too is set.

 

Consultation Responses, etc.

With the National Data Guardian Bill having its second reading in the Lords this week, medConfidential has published a letter of support for the Bill. Meanwhile, the Organ Donation Bill contains a supposed safeguard that is overly complex and will not provide reassurance to those who wish to see how their organs will be used after death. We have drafted an amendment for the Lords to fix the broken Bill, if the Commons does not.

As part of the next piece of NHS legislation, the National Data Opt-out should be placed on a statutory footing. The next legislation will likely be the result of NHS England’s consultation on “integrated care providers” (our response) and the “long term plan” (our response), which also referenced the need to reform invoice reconciliation.

Our friends at dotEveryone published their views on digital harms and responsible technology, suggesting that data and ethics in Government should be led by someone “relatable … charismatic and imaginative”. Which would be better than the current person, whose company created the problems around commercial abuses of data in the NHS, and which is still causing problems 20 years later. The current  ‘imagination’ at CDEI (the ‘Centre for Data Ethics and Innovation’) seems to be to repeat the sort of data sale scandals in Government they already caused in the NHS. The Information Commissioner also sought views on a ‘regulatory sandbox’, where companies can experiment with personal data – we had views.

Data use across the rest of Government has also been keeping us occupied. Our evidence to the House of Commons Science and Technology Committee contains some new thinking on the failures of agile in public bodies. Some of that thinking was also in our response to the call for evidence ahead of the UK visit of the UN Special Rapporteur on Extreme Poverty and Human Rights, who is looking at algorithms and digital effects around Universal Credit.

 

Data and the rule of law

The data sharing powers under the Digital Economy Act 2017 are still not fully in force. This did not prevent the Ministry of Housing, Communities and Local Government (MHCLG) demanding data on every homeless person in the country, such as in Camden. The secrecy of data use in such cases must be addressed by the UK Statistics Authority / Office for National Statistics – it is doubly disturbing that MHCLG used the research process to evade the scrutiny that would have applied via other routes.

Decisions by public bodies must, today, comply with the standards of the rule of law. As we move towards more automated decision-making, how will those standards be maintained?

The tech companies and their apologists want the approach to be one defined by ‘ethics’ – as if no tyrant ever failed to justify their crimes. “The computer says no” (or “DeepMind says no”) is wholly insufficient for suppliers of data processing functions to government making decisions about citizens.

All reputable companies will be entirely willing to explain how their “AI” systems arrive at the suggestions or decisions they make – including the (sources of) data on which they were trained. Disreputable companies will be evidenced by their failure or inability to do so.

Government Departments should deliver accountability to ‘their’ data subjects (currently they don’t). But beyond accountability to individuals on how data about them is used, there are standards that must be followed by institutions – especially those which govern.

The Venice Commission has produced a ‘Rule of Law checklist’, covering the context of decision-making. We’ll be taking a look at a couple of Government automated processing plans, and seeing how they conform – and how the checklist applies to digital projects, probably starting with Universal Credit and Settled Status, based on past work. We anticipate identifying holes in some of the frameworks currently used by Government, as compared with the standards required by the rule of law and judicial review. Comments are very welcome to sam@medConfidential.org.

medConfidential Bulletin, 7th September 2018

Once more, a big thank you to everyone who confirmed to us receipt of the letter about the ‘conversion’ of your Type-2 objection to the National Data Opt-out. We are also grateful to those who shared the letter of apology for the appalling TTP error that led to 150,000 patients’ opt-outs not being honoured, and their confidential information being sold for three years.

 

What’s going on with opt-outs?

All of the National Data Opt-out letters should now have gone out. If you have still not received a letter, and believe that you should, we recommend you check your current opt-out status, firstly by using NHS Digital’s online National Data Opt-out process. If they have recorded your opt out, Step 4 will say “Your current choice: you do not allow the use of your confidential patient information” – if it doesn’t, then select the “No” option on that page, and complete the process.

If your objection had not been registered there, we strongly recommend you also contact your GP practice – remembering that most people will have asked for both types of objection to be applied; one nationally, one for your GP. If the opt-out codes you want are not recorded in your GP record, use a copy of our up-to-date opt-out form to re-express your wish that you do not wish your data, whether given to your GP or at a hospital, to be used for purposes beyond your direct care…

If for any reason you encounter any resistance or confusion caused by NHS England’s use of ‘shorthand’ (as a few people have reported) if asked, you can refer your GP practice to the RCGP’s official guidance; the section ‘Transition from the existing Type 1 and Type 2 objections’ clearly states:

The Type 1 objection ‘Dissent from secondary use of general practitioner patient identifiable data’ prevents any identifiable information leaving the GP record for purposes other than individual care.

These objections are coded in the GP record and will continue to be upheld until at least  March 2020. Before a decision is taken to revoke these objections, there will be a consultation with the National Data Guardian. Patients can therefore continue to register a Type 1 objection if they so wish and should be kept aware of this.

 

Signs of progress?

On a more positive note, it was announced in Parliament yesterday that the new National Data Opt-out, previously Type-2, now covers health data released by the Cancer Registry at Public Health England (PHE) in the same way as it covers data released by NHS Digital. An early indication that other health bodies can and will respect your dissent choices – even if what those choices mean in practice must be toughened up in line with new laws, i.e. GDPR and the UK’s new Data Protection Act.

DPA 2018 was led through Parliament by the new Secretary of State for Health, in his former role at DCMS. We thank Matt Hancock for that effort, and look forward to it being fully implemented in and across the NHS. The new Secretary of State brings a notably optimistic approach to technology and web standards. He may soon notice that when the NHS publishes information it doesn’t want patients (or him) to look at, it does so in long, impenetrable spreadsheets rather than readable web pages.

 

What’s happening next?

After the first of October, the Government will require any person wishing to express a dissent choice for their children (or other dependents, such as elderly relatives) to send in for each of them a seven-page form, with at least four forms of ID and documentation proving they are a responsible parent, to an NHS office in Leeds where officials will check the documents for authenticity. Your GP knows who attends appointments with whom – the presence of the child suggesting some degree of responsibility – none of which is known to NHS Digital.

The Department of Health has flat out refused to change their choice of deadline, and NHS Digital has shown no sign of delivering a digital opt-out process for families. They therefore place the burden on you, and every family wishing to make what they feel is the right choice for them.

Not coincidentally, this is also the first step in removing your GP from the ‘decision loop’ on choices about your data – because there’s a new ‘GP data extraction’ coming.

Yes, ‘care.data 2’ is on its way…

Precise details and timings are unclear at this point; NHS England does not even seem able to answer straightforward questions in a timely fashion. (Have you seen any evidence of awareness raising adverts about the National Data Opt-out? If you have, we’d love to see copies – especially as this is the proposed model for changes to organ donation.)

We shall of, course, keep you updated as we learn more – but another “collect once, use many times” assault by NHS England on the nation’s GP records is building.

Watch. This. Space.

 

What can I do?

Given the imminent removal of the Type-2 opt-out via your GP practice, and failure to provide a digital opt-out that families can use, now would be a very good time to write to your MP – expressing your concerns in your own words, maybe citing the thousands of people in your area (details for each CCG are in these “June 2018: Type 2” spreadsheets) who’ve already expressed such a choice, and asking for the Type-2 option at GP practices to be extended at least until any replacement has been shown to work.

Crucially, if you know anyone – friends, relatives, colleagues, or co-workers – who you think may be concerned about the uses beyond their direct care to which the sensitive confidential information in their and their family’s GP records may be put, then please forward this Bulletin to them, or point them directly to medConfidential’s opt-out form. For families, opting out is going to get much harder, in just three weeks’ time.

With activity building towards the next care.data, and given much other necessary ongoing work, medConfidential is in serious need of funds. Our programme of work for the next year is at this point only one-quarter covered, and our grant from JRRT ended this summer. Please, if you can, consider making a donation – a regular gift is most helpful.

 

Thank you.
Phil Booth & Sam Smith
7th September 2018

 

medConfidential Bulletin, 9th March 2018

It has been a while since we last sent a newsletter. Our apologies for that – we have been kept busy on a number of fronts, but rather than spam you with speculations we believe it’s better to communicate when there are significant developments.

 

New national opt-out for medical records

An announcement has been delayed for some months and there’s still some time until action is taken, but to quote NHS Digital last week:

The Secretary of State has agreed that the national data opt-out will be introduced alongside the new data protection legislation on 25 May 2018. It has also been agreed to present the national data opt-out as a single question to cover both research and planning. Type 2 opt-outs (which currently prevent identifiable data from leaving NHS Digital) will be converted to the new national data opt-out when it is introduced in May. Patients with type 2 opt-out will be contacted directly about this change.

There are still a number of important questions to be answered, but we’re working on those for you. For example, at this point, the Government has not yet confirmed that every data release that would be covered by the Type 2 opt-out will be covered by the new opt-out.

medConfidential has yet to see the final wording of the question, but this announcement is clear confirmation that if you opted out in 2014 (or subsequently), you will be sent a letter about what happened. We also haven’t yet seen the wording of the letter, as we and the other members of CDAG (the care.data Advisory Group) would previously have done, but apparently we are to be consulted on that too. When we have the ability to cite formal statements on the new process, we will update our website – this is likely to be in May.

So, if you have already opted out, the NHS will write to you about the new opt-out model. Whether anyone will tell other people remains unclear. We do hope the Secretary of State won’t snatch defeat from the jaws of a victory which could improve patient confidentiality and everyone’s confidence in how the NHS uses data.

 

This week: Data Protection Bill

The Data Protection Bill was delayed by political squabbling, but must pass by early May, and is now on a very tight timescale.

medConfidential’s concerns with the Bill relate to something called the “Framework for Data Processing by Government” which, in effect, creates a ‘Data Controller in Chief’ who can ignore the Information Commissioner, and the fact that the Government wishes to deny your ability to access information on how your records are used, if that might be used by someone else at another time in a way which may “prejudice… effective immigration control”.

Thanks to a great deal of work by many concerned groups and organisations, the Government no longer considers this framework above the law, just above enforcement of the law. The Rule of Law requires that justice both be done, and be seen to be done – requiring transparency that Governments and companies often prefer to avoid.

 

What you can do

Many parts of England have local elections in May. The ongoing stealth reorganisation of the NHS in England (into 44 “Sustainability and Transformation Partnerships” and “Integrated Care Systems”) will give your local council more responsibility for data re-use in your area. No details will be given until after the elections – of course! – but if anything does emerge before that, we’ll let you know.

The health and care issues that most burden the NHS differ from place to place, sometimes quite widely. So when local politicians ask for your vote in the next few weeks, you might ask them what their council would do about the biggest issues in your area.

You can see the top three issues most impacting health in your local authority, and those nearby, on this map: http://bit.ly/2FVYVE1

(Created thanks to current data from Public Health England, and with the help of tools provided by Democracy Club whose volunteers collate and share information on elections across the UK.)

 

What’s next?

medConfidential keeps working even when we’re not sending newsletters; we won’t spam you if there’s nothing important to say. As you can see from this Bulletin, we are approaching another critical time for patient confidentiality that we hope can be negotiated with far greater success than in 2014! If you appreciate our ongoing efforts, we accept donations. Thank you for your support.

 

Phil Booth & Sam Smith
9th March 2018

medConfidential Bulletin, 30th June 2017

So, we have a new Government (after a fashion). And, whatever else, there’s some continuity at the Department of Health…

Given this continuity, the completely unambiguous Conservative Manifesto commitment, and cross-party support for the National Data Guardian, it was a bit disappointing that a statutory footing for NDG was absent from the Queen’s Speech.

We can’t help but note – with a Data Protection Bill on its way, arbitrary data-sharing powers available in the Digital Economy Act, and Theresa May threatening to roll back human rights – that it is protections such as these that underpin the privacy of all our medical records.


What just happened?

The election put a lot on hold, but you may remember a dodgy deal with the Royal Free Hospital that got Google DeepMind into a spot of trouble with the ICO and National Data Guardian when we complained about it.

The NDG’s formal view came out during the election period, and we await the ICO’s ruling – due any day now. We are therefore entirely unsurprised that DeepMind’s “Independent” Reviewers’ report is also delayed. One might question “independence” when a whitewash coincidentally comes out a day after the regulator’s critique…

What’s happening next?

We don’t comment on every future project press release from Google DeepMind – their PR flacks cost many times our annual budget. But last week’s announcement that its next project will be to provide a hospital IT system for Taunton is worthy of some attention; the relevant detail is at the bottom of page 2 of this document.

It’s understood that companies will provide the NHS with IT systems – GPs and hospitals buy in systems all the time. But accepting ‘gift horses’ from aggressively data-seeking US info corps already known for not playing by the rules may not necessarily be wise. For one thing, as many have learned, if you’re not a paying customer you tend to end up being the product.

If, however, the decision is that the people of Taunton are most in need of better infrastructure – NHS England certainly felt they were, this area being one of the ‘pathfinders’ for the cancelled care.data scheme (more on its successor below) – then starting in Somerset is as good a place as any.

But this doesn’t mean you can ignore the regulatory implications. Or future cost.

As recently as January, DeepMind assured Regulators that its tools were not used for clinical decision making, yet in June it has signed contracts to run a hospital using it. To be used in direct care, the central IT system of a hospital is a closely regulated system – these are, after all, the systems that run Intensive Care – although Google, chasing the profits rather than patients, probably won’t choose to help those in most acute need.

Has Google started the Regulatory  process to run that system, or is it trying ‘deployment via press release’? Does it want DeepMind to mark its own homework too?

The only way for patients to know if their data was used in such a programme is for everyone to know where, when and why their medical records have been accessed. Google says it won’t use patients’ data for other purposes; our concern is that minds change. After all, the company said it wouldn’t start building this system for 3 years – that was 7 months ago.

For as long as DeepMind Health is led by an entrepreneur – and has no Chief Medical Officer who is bound by the Hippocratic Oath – its position can change, purely for business reasons. Its corporate officers may stand on stage and say they won’t, but they say many things which they change their minds about. One can be an AI visionary, or run a health infrastructure service – but people have every right to be nervous when you try to do both, especially if you claim you aren’t doing so.

It is inevitable that the future model for this service will be ‘AI assistants’ offering hints and references to doctors via the Streams app; the principle of A&E triage, applied hospital-wide.

This being the case, if these AI systems are modular and compartmentalised for the delivery of care, then they can each be regulated separately. If, however, the individual systems are not interoperable and transparent, then the entire infrastructure must be regulated tightly. (Research, i.e. the development of such systems – including the justification, with evidence, of what data they actually need – is already regulated, by MHRA and other bodies.)

Until the situation is clear, questions as to whether DeepMind’s approach to Regulators is the same as Uber’s (they do, after all, share investors) will remain.

We should point out, as DeepMind buried it in the small print, that no money is changing hands here – and neither party is obligated to do anything. This may yet be just another Silicon Valley startup (the TV show, that is – not the place) that puts out a stream of press releases, delivering for investors over patients.

 

What’s happening where you live? And what can you do?

Wherever you live, in England, there are changes coming to your local NHS.

The ever-so-subtly again renamed STPs (now “Sustainability and Transformation Partnerships”, not just Plans) and their further regional reorganisation – over “several years” – into Kaiser Permanente-style Accountable Care Organisations represent the Government’s and NHS England’s view of the future.

Bearing in mind the massive democratic deficit in the NHS, will accountability be to patients or to the analogue administrators?

Given that – most of the time at least – care records follow patients, one of the best ways to see how the NHS works is to look at the data trail that you leave behind you.

So if you have a login for your GP practice’s website, we encourage you to look at the letters that have been scanned into your record, and to simply count the logos. (If you don’t already have a login for online access, here’s how to get one.) Then, as your NHS changes over the next few years, keep count; over time do you see more commercial logos, or fewer?

While you’re at it, you might also want to check who’s accessed your GP record. Both EMIS and TPP have now switched on basic access to your GP record’s ‘audit trail’ – and as more and more people use it, this vital transparency feature should improve over time.

Things are clearly going to stay busy for a good while yet. Four years in, medConfidential exists entirely through your donations and the generosity of the Joseph Rowntree Reform Trust, to whom we are applying for a further grant. We appreciate all donations – and your support helps with other funding.

 

medConfidential Bulletin, 21st April 2017

Though the political focus is on the General Election, the ‘STP shuffle’ remains highly significant. Whatever the result in June, both funding and decision- making for health and care services will be increasingly devolved to local areas.

What’s happened? General Election!

What medConfidential will be looking for in every party’s Manifesto is rather simple:

    Will patients know how their medical records have been used?

A straightforward “Yes, they will” or “No, they will not” will suffice.

Every flow of data into, across and out of the NHS and care system should be consensual, safe, and transparent – there need be no conflict between good research, good ethics and good medical care.

We shall provide more detail on how this relates to current issues like Genomics and AI in due course – but the question to which there must be a clear answer, for whatever the future brings is: Will you know how data about you is used?

Update on DPA Section 10 notices

Last December, NHS Digital and Public Health England (PHE) were sent hundreds of Section 10 Data Protection Act notices by patients who had opted out, insisting that their data should not be sold – even through a loophole.

Though there were some ‘boilerplate’ responses, both bodies effectively ignored every single one of those notices. Patients’ data continues to be sold for commercial re-use, and further problems have emerged:

  • PHE considers itself exempt from existing opt-outs; will it make you opt out again?
  • What about the NHS? Will the Government’s response to Caldicott 3 force yet another opt-out?

It is understood the Caldicott Consent Model should include overrides – and some exceptions, where required by law – but this should not be at the whim of Public Health England, which still copies patient data to companies in secret. PHE said it was becoming transparent, but its own actions give lie to this and still it demands more data.

If you want to know public health information about your area, PHE thinks you should use a site called “fingertips” – which gives you a mountain of statistics, a trowel, and suggests you start digging. If you want to see the biggest public health issues in your area, you may want to try this list instead.

Speaking of digging…

Questions for the elections; what is your lived experience of the NHS?

With STPs and financial devolution on the way, it’s the candidates who are elected in your area who’ll be making decisions that will impact directly on your, your family’s and your community’s health and care services – and the exploitation (or not) of your medical records.

In the run-up to the elections, all you need do is ask the people who canvas you some straightforward questions, share some of what you know from your own experience, and put up a poster to encourage your neighbours to do the same. Here are our suggestions:

  • Does [the candidate] agree that everyone should be told how the council and NHS use their data?
  • Given the political choices that are changing the NHS in your area, how would your own or your family’s past experience of the NHS have been different?
  • What are [the candidate]’s priorities for reducing problems that put a strain on your community’s NHS and care services?

If you get answers, please do post them on facebook and in other appropriate forums, so others can see them too.

Phil Booth & Sam Smith
21st April 2017

medConfidential Bulletin, 9th April 2017

Where does your data go? And do you know? These are questions to which we’ve been getting you answers for three years or so, but now you have an opportunity to ask these questions too… Local elections are coming up, and political parties want your vote…

But first:

What just happened?

In a 280-page PDF from NHS Digital is one item worth noting; “Programme 12: General Practice Data for Secondary Uses” (item C4 on page 56) with a deadline of this Christmas is – as far as medConfidential is aware – the first public sighting of… the return of care.data

So, although the Government has yet to issue the necessary CAG Regulations; or ‘one strike and you’re out’ sanctions for data misuse or abuse; has failed to close the “promotion of health” (i.e. Pharma marketing) and commercial re-use loophole; still hasn’t put the National Data Guardian on a proper statutory footing, let alone responded to the Caldicott 3 review; is mute on whether you will have to opt out again, and whether cancer patients will have their data copied anyway; and wants to copy data to any Government department under the Digital Economy Bill; it seems someone is eager to flood the “National Data Lake” we mentioned in our last bulletin.

What’s happening next?

Unless you pay close attention to NHS internal meetings, you could be forgiven for knowing little about how the NHS talks to itself, but the 44 Sustainability and Transformation Plans (STPs) is the jargon for a new NHS reorganisation that really matters. To you.

The NHS England website describes them as follows:

NHS organisations and local councils are developing shared proposals to improve health and care. Working in 44 geographical areas covering all of England (called ‘footprints’), the plans are led by senior figures from different parts of the local health and care system.

It is this top-down-mandated, bottom-up-driven restructuring into STP “footprints” that has led to the mega-CCG mergers in Manchester, Lancashire, and Liverpool, with more mergers planned in other cities of the North, and across the rest of England (e.g. in Buckinghamshire).

Why you should care is that this ‘STP shuffle’ will put your local council in partial control of where your medical records get copied – including how much of your personal data will end up being dumped into a “national data lake”.

In ducking responsibility, as they have since care.data started, NHS England claim all decisions will get made “locally”, but they can choose to send more cash for more data…

What can you do?

If you have elections in May, some of the candidates will end up choosing who sits on your local Health and Wellbeing Board. That will be the body that chooses how your area’s health budget gets spent – what gets funded, what gets cut, and what medical records they copy to the Data Lake in return for more resources…

Given this, we suggest you ask your council candidates a few questions that might them focus on the issues and evidence, and then help you and your community decide who’s paying proper attention to the impacts on your health and care, and medical confidentiality:

  • Community: Do they agree that you should be told how the council and NHS use your data?
  • Contribution: For the political choices that are changing the NHS in your area, how would your own or your family’s past experience of the NHS have been different??
  • Autonomy: What are their local priorities for reducing problems that put a strain on your local NHS?

If you get answers, please post them on facebook and other appropriate forums, so your neighbours can see them too; here are some ‘localised’ posters you can print out to help you.

If you’d like us to send you some, we’re offering five A3 posters for a £5 donation – when sending us the money, just add a comment with your address and we’ll send you posters for that postcode. (N.B. If you don’t add the comment, we won’t see your address.)

We’re glad to see a number of you are quite happy with our new badges (with text | no text) and are immensely grateful for the £20 donation medConfidential gets every time someone buys one. Thank you.

More next time on who wants to go fishing in the National Data Lake…

Phil Booth & Sam Smith
9th April 2017

medConfidential Bulletin, 24th March 2017

It has been a while since we last sent a newsletter. Our apologies for that, but we have been kept busy!

We are entering a period where a lot of things are happening – and are likely to happen – in quick succession, so we wanted to provide a perspective and some context that we hope will help explain at least some of what is going on.

For patients whose practices use TPP SystmOne

You may have seen the note on our website last week about TPP SystmOne. TPP has now updated its system with the capacity to allow your GP tell you how your GP-held data has been accessed. However, busy GPs won’t yet know how to turn that function on, as the documentation has not yet appeared (and we’ve not been told either).

If your practice uses TPP SystmOne, also branded SystmOnline, and you are able to log into your GP practice online (i.e. if you have a username/password for online access) then you may be able to see this option – to review the organisations which have accessed your GP data – right now. If not, check back in a week or two. It is coming.

This ability to see who has accessed your GP data matters, as the the hard part of informed consent is actually being informed about how your medical records are used. As the NHS evolves over time, and while you have a range of consent choices, you need to have accurate information to be able to make those choices for yourself and your family; in your situation, according to your concerns.

Problems tend to arise when people other than those directly affected take decisions that do not – indeed, cannot – account for many millions of people’s individual circumstances.

Google Artificial Intelligence (AI) subsidiary DeepMind

When in a hole, it seems some AIs will keep digging.

medConfidential’s complaint against Google DeepMind’s use of 1.2 million patients’ hospital data continues to be investigated. The National Data Guardian appears to have come to a view some time ago – which suggests the question currently under consideration is how badly Google broke the rules.

A long analysis from the University of Cambridge was published last week, which goes through the entire sorry story in a great deal of detail.

We do not know when the Information Commissioner and National Data Guardian will publish their findings, but fully expect Google DeepMind to leak some parts of those findings to sycophantic outlets the day before…

We shall respond, as we always do.

What’s next?  An NHS reorganisation that really matters

Has your area announced the reorganisation of your NHS yet? For several big cities of the North, and some other parts of the country, the picture is getting clearer. The ‘STP shuffle’ will put your local council in partial control of where your medical records get copied – including whether they end up being dumped into a “data lake”.

In hidden meetings, proposals for a “national data lake” continue to be discussed. While NHS England denies it is their current plan, they continue to write regular drafts of an updated document, which they’re sharing with no-one beyond those people who thought a ‘National Data Lake’ was a good idea in the first place…

In our next Bulletin,  we hope to have something for you to do to help your community, and may also give an update on the continuing failures around data at Public Health England.

As ever, we are grateful for your donations. Especially as, right now, we’re being legally threatened (we’re in ‘letters before action’ stage of an attempt to sue us for defamation) for expressing our concerns about a data breach reported as affecting 26 million patients – that’s a lot of new badges.

(We’re aware that, as badges, our button badges in two new designs are ridiculously overpriced. The price point is deliberately chosen so that a donation of £20 to us gets you one, automatically. Or set up a regular subscription for any amount – and we’ll post it to you.)

Thank you.

Phil Booth & Sam Smith
24th March 2017