We hope you had a good summer. Ours was interesting, to say the least.

Parliament begins sitting again on Monday, and people will wake up to the stack of things we’ve got ready for them. But in the meanwhile, quite a lot has happened:

care.data “paused” yet again

Despite NHS England’s announcement in June that the care.data pathfinders would be starting at “the beginning of September”, the Secretary of State on 2 September effectively pushed back the restart to at least the end of January 2016.

The announcement (originally) said:

The National Data Guardian for health and care, Dame Fiona Caldicott, will… provide advice on the wording for a new model of consents and opt-outs to be used by the care.data programme that is so vital for the future of the NHS. The work will be completed in January…

A later “clarification” omits to mention care.data, but confirms that the National Data Guardian will develop “clear guidelines for the protection of personal data against which every NHS and care organisation will be held to account. She will provide advice on the wording for a new model of consents and opt-outs, to enable patients to make an informed decision about how their data will be shared.”

This work – a task NHS England singularly failed to complete in 3 years! – is to be completed in January, “…with recommendations on how the new guidelines can be assured through CQC inspections and NHS England commissioning processes.”  Apparently “no arbitrary deadlines” only applies to NHS England.

Where does this leave the care.data programme itself? Well, for starters…

Tim Kelsey ‘opts out’ of care.data

On 17 September, care.data mastermind Tim Kelsey announced his resignation as National Director for Patients and Information at NHS England. He has taken a job as commercial director for Telstra Health, a division of Australian telecomms provider Telstra Corp, to which in March this year DH sold Dr Foster Intelligence, the company Kelsey co-founded in 2000.

Tim Kelsey leaves the UK for Australia in December – an antipodean departure emulating that of the former NHS Director General of Information and head of Connecting for Health, Richard Granger, some years back – but his departure leaves a number of important issues unresolved.

As we learned from care.data Programme Board papers that were finally published in August, and from subsequent Board meetings of both NHS England (video) and HSCIC (cf. minutes on p10), the care.data Directions still aren’t finalised. Indeed, in responding to the Directions sent by NHS England, HSCIC’s Board identified five key unaddressed issues in addition to matters medConfidential had raised.

There’s also no sign of the CAG Regulations, due since the passage of the Care Act 2014 last summer. This means that promised safeguards such as “one strike and you’re out” sanctions for data abuse or misuse and, crucially, the closure of the commercial re-use loophole – persisted by the over-broad definition, “the promotion of health” – have still not been enacted.

What next?

Dame Fiona Caldicott is rewriting the language on consent for patients, which NHS England previously said was ‘ready to go’; HSCIC appears close to being able to ‘fix’ the 9Nu4 opt-out problem, currently affecting over a million patients, that NHS England dumped on it; and DH is finally drafting the Directions on Patient Objections, required to deliver on the Secretary of State’s 2013 promise to respect patient opt-outs.

Assuming the decision is to replace him, whoever replaces Mr Kelsey has a tough task and problems much wider than just care.data to resolve – the digital public health disaster that is the NHS Health Apps Library, to mention but one.

Patients and Registered Medical Professionals must be fairly represented throughout these processes and on all relevant bodies (the care.data Programme Board, for example, still has no public and patient representative) and both NHS England and DH must ensure that the new ‘worldview’ – drawing on lessons learned the hard way – is consistently applied across the health and care system.

medConfidential believes it is still possible to preserve confidentiality and consent in health and social care, and will continue to work to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. If they want to regain public confidence, it is up to the Government, DH and its arm’s-length bodies to now show they can do so, in a trustworthy way.

Statutory National Data Guardian

The Government has now published its consultation on the remit and functions of the National Data Guardian – the role currently fulfilled by Dame Fiona Caldicott. medConfidential welcomes this consultation, available here, which should lead to legislation that will ensure the strength and the remit of the National Data Guardian into the future.

medConfidential will be responding formally in due course, and we have published some initial observations on some of the significant questions raised.  We strongly encourage anyone with views on this vital statutory reinstatement of overarching, independent governance oversight to make a submission of their own before the 17 December deadline.

Another new database?

The ‘Medical Innovation Bill’, first proposed by advertising magnate Lord Saatchi, will shortly return in the form of a Private Members’ Bill by Chris Heaton-Harris MP, entitled the ‘Access to Medical Treatments (Innovation) Bill 2015-16’ (draft Bill here). The new Bill has its Second Reading in the Commons on 16 October.

medConfidential had some questions for Mr Heaton-Harris on the content of the draft Bill, and had a meeting with him last week. Our comments and suggestions arising from that meeting covered a ban on marketing to patients, Data Usage Reports (including our example of what one might look like) and an alternative approach that might deliver the policy intent of the Bill without creating another new database, or giving DH duplicates of powers it already has.

We shall watch the progress of the Bill with interest.

In other news…

medConfidential continues to draw attention to matters of importance to patients and – in our continued membership of the up-to-now somewhat ignored care.data Advisory Group and engagement with other groups, Boards, panels and processes – providing robust but constructive criticism to those who need it.

However, issues sometimes come up that have a wider impact than in just health and care. (You may remember All But Names, a few months back.) One such issue is Freedom of Information; a vital tool for all those who seek to hold the powerful to account. Sam and Phil have joined with others in the FOI community, including journalists, campaigners and citizens across the country in a project to #saveFOI.

The purpose of #saveFOI is to defend against threatened restrictions to Freedom of Information, proposed in the Terms of Reference for the FOI Commission – and by fees proposed in an earlier consultation affecting FOI appeals, that could mean charges of up to £600 to get information released.

The FOI Commission, already half-way through its appointed time scale, has only just put out a public call for evidence – and #saveFOI needs your help:

• If you have used FOI to help change the world for better, let us know. #saveFOI is assembling a dossier of FOI requests which led to improvements in the world (precisely which of these is the Government seeking to prevent?) and also examples of the broad and/or eccentric interpretation of the exemptions currently in the Freedom of Information Act. We need YOUR stories.

• Spread the word – on Twitter, on Facebook, on your blog and wherever else you can; the hashtag is in the name, #saveFOI, and the more people who speak up on the positive effects of FOI the harder it will be for the Government to restrict the transparency that is so vital to public trust.

—

Apologies for the length of this Bulletin. As we said at the top, a great deal has happened since our last newsletter – keeping us very busy.

We remain hugely grateful for the continuing support you and our other supporters provide, most especially the actions you take when we need you.

Phil Booth and Sam Smith
medConfidential

11th October 2015

Are YOU their guinea-pig?

NHS England has finally allowed the lists of chaos.data pathfinder practices to be published. We are unsurprised that in one of the Leeds CCGs, only two GP practices have signed up.

medConfidential has been asking since last October for this information to be published, so that people can know if they and their family are to be guinea-pigs for ‘care.data round 3’. Some patients may also have questions as to why they have been volunteered in this way – so might some GPs – and we hope those supporting this mess have some sensible answers. (The boilerplate from NHS England hasn’t changed much, and isn’t very convincing.)

Now at least, patients who do have concerns can know that they need to make a choice very shortly about whether they trust a scheme that, 18 months after its last attempt, has still not honoured the opt-outs of over a million patients – a fact that NHS England is wilfully ignoring as it tries to push ahead with its still-flawed Directions for the care.data ‘pathfinder phase’.

HSCIC upgrades DAAG

As the now-statutory Confidentiality Advisory Group at the HRA is recruiting new experts, meanwhile, at the Information Centre (HSCIC), there have also been some changes.

HSCIC has listened hard, and apparently learned, and is currently consulting on a replacement for the Data Access Advisory Group (DAAG) which performed so poorly in previous years. The interim DAAG, which is operating at present, foreshadows a much more transparent, independent advisory group for the “release” of data which will be called IGARD.

You can check for yourself what the interim DAAG is doing as – unlike, for example, the care.data Programme Board – they publish their minutes and recommendations in a timely fashion on their webpage. The IGARD proposal is by no means perfect, so we have published medConfidential’s response to the consultation so you can see what we think – and maybe respond yourself. For your information, audits of commercial re-users of your medical records have begun to be published as well.

However the new IGARD will only consider dissemination of patient data, i.e. who gets to use it. The body that will now decide what data is extracted or ‘collected’ from your GP record – and the systems of every other care provider across the NHS – is a sub-committee of the National Information Board; a group called the Standardisation Committee for Care Information (SCCI).

But Who Collects What?

As you will see if you click on the link above, there’s a BIG problem with this; SCCI is not independent. Indeed, it is comprised of the very bodies that are some of the biggest ‘customers’ for data – and it has no equivalent properly transparent, independent advisory function to replace what GPES IAG, the Independent Advisory Group for the GP Extraction Service, used to do.

We say “used to do” because GPES IAG was abolished on 30 June. The one single body that stood up to care.data; the single independent group that pointed out serious problems with the multiple applications that NHS England submitted on care.data. Gone.

So the decision to suck up your data will from now on be taken by a sub-committee of the National Information Board (NIB, chaired by Tim Kelsey) which has just published a slew of ‘roadmaps’ for what it wants to do with your data in the coming years.

There is no sign of a consultation on SCCI, matching the current one for IGARD, and we strongly suspect we won’t see one – because Mr Kelsey and NHS England would far rather keep what they are doing with your data hidden from view.

Southend: “pioneering” intrusion & ignoring consent?

Elsewhere in the country, we are tracking and taking action on a number of ‘mini-care.datas’ – most urgently one in Southend, which we were compelled to report to the Information Commissioner’s Office (ICO) when a patient informed us that their GP had said that their existing opt-out would be ignored by Southend’s new “pioneer” scheme. The scheme apparently aims to use identifiable data from people’s GP-held medical records and other places to identify “high cost” patients, amongst other things.

NHS England is keeping the ICO busy with all its shenanigans; we have outstanding complaints on the million people’s (‘Type 2’ / 9Nu4) opt-outs from 2014 that have yet to be honoured, and have asked for a number of investigations – including flows of data that should be prevented by the ‘Type 1’ / 9Nu0 opt-out, but which don’t appear to be. And, of course, our Pharmacy2U complaint continues to work its way through the process.

What’s next?

Back in April/May, we spotted some serious problems with some of the ‘apps’ in the NHS Health Apps Library. We fed back using the forms provided, but heard nothing until the Major Projects Authority published its Annual Review in late June, which revealed all sorts of problems, and at which point two of the apps were silently removed.

We still have significant concerns about apps that are continuing to be endorsed in the Library right now, and have written to NHS England’s Caldicott Guardian to see what he will do about it.

For the first time, we have had a formal, substantive written reply from NHS England directly addressing concerns we raised in the care.data Advisory Group, on which we sit. We expect the reply to be published shortly. While some of the approaches NHS England has taken are only in its own interests, there is for the first time some extreme clarity and even some seemingly good news in parts.

What you can do?

Following the recent publication of the NIB’s “Personalised Health and Care 2020” Work Streams, a number of public events are being held around the country. medConfidential is attending as many (other) Work Stream meetings as we can cover, so if anyone did feel inclined to go along to one of these – and let us know how it went – we’d be most grateful:

• MANCHESTER Tuesday, 21 July 2015, 10:00 – 15:30
• BRISTOL Friday, 24 July 2015, 10:00 – 15:30
• READING Tuesday, 28 July 2015, 10:00 – 15:30

(The first meeting in Sheffield happened earlier this week.)

In other news, we are very happy to report that medConfidential has been awarded a grant from the Joseph Rowntree Reform Trust Ltd, to help continue our work to defend the confidentiality and rights of the 900,000 – 1,600,000 people who have not had their opt-outs honoured – and, of course, everyone else as well.

We still need your help to ensure that every flow of patient data is made consensual, safe and transparent; it’s a mammoth task, of which care.data is just one component, so your support – including the information that many of you provide to us – is greatly appreciated. Thank you.

It’s shaping up to be a busy September. Phil is trying to persuade Sam to buy some (cheap-ish) ads outside NHS England’s office, but hasn’t had much success. What do you think should be on them?

Enjoy your summer; we’ll still be here.

Phil Booth and Sam Smith
medConfidential

18th July 2015

chaos.data

Over a year ago, Ben Goldacre wrote “Care.data is in chaos. It breaks my heart”.

Absent explicit instruction from the Secretary of State, it is now clear that NHS England is just going to keep on making the chaos worse. 16 months after it was “paused”, care.data is resurfacing in a way that gives some insight into the shambolic mess it is still in.

This Wednesday, after Blackburn with Darwen Healthwatch announced then withdrew (footnote 2) its announcement, Blackburn with Darwen CCG announced it is “ready to start” sending out patient communications “at the end of June”. But NHS England is nowhere near ready; vital preconditions for a restart – not least honouring the choices a million patients made last year – have yet to be met.

NHS England remains mute on Dame Fiona Caldicott’s 27 areas of concern and there’s ‘missing’ legislation: Directions defining how patient opt-outs must now work; Directions fixing the broken 2013 definition of the programme; Regulations to guarantee vital safeguards, including ‘one strike and you’re out’ sanctions for misuse of patient data, and closing the ‘McDonald’s loophole’ (p6) that legitimises a wide range of “commercial re-uses” of patient data. None of them in place.

It’s utter chaos. But to proceed without honouring a million patients’ existing opt-outs – not just to stop their information being extracted from their GP record, but stopping their hospital data from continuing to be sold for uses other than their direct care – would be a breach of trust on an unprecedented scale, breaking supposedly unconditional promises that Jeremy Hunt gave back as far as April 2013: “We will respect them” (timecode 13:30)

If their intention is to “regain public confidence”, the Secretary of State and NHS England are going about it in the strangest way. NHS England might claim to have been “listening” but, if it has, why is it wilfully ignoring a million patients’ concerns and express wishes?

The clock will start ticking again from the moment the first care.data letter is sent out – not the first data extraction, as some officials would have you believe. And at this point, having broken a million promises, what possible basis does NHS England think it has to ask patients to trust it with their most personal information?

What can you do?

medConfidential continues to push hard for everyone’s confidentiality and consent to be respected. Every use of your medical record must be consensual, safe and transparent. And be assured, we are taking this fight to the highest level – but we need your help.

The first thing you can do is tell your friends and family. If you are reading this, you are clearly paying attention – but many others simply won’t know anything about what’s going on. It’s been well over a year since care.data was “paused” and the vast majority of people probably think it was stopped for good. If nothing else, please forward a copy of this newsletter by e-mail to the people you know and care about.

Please keep posting links to medConfidential’s News feed: https://medconfidential.org/news/ on Facebook or Twitter if you use them, or forums and other social media. If you happen to know anyone in one of the four care.data “pathfinder” areas – that’s Blackburn with Darwen, Somerset, West Hampshire or Leeds – or if you know someone who does, please make sure to get in touch and tell them.

N.B. Given news in the medical press and papers this week about a more localised “care.data-like” scheme in Southend, please tell anyone you know in Southend as well. We’ll provide more details as we get them.

And finally, please take the time this evening or this weekend to write to your MP. The quickest and easiest way to do this is via https://www.writetothem.com/ – and it is particularly important to write if your MP was newly elected in May.

medConfidential has already written to all newly-elected MPs to tell them about the issue, but they need to hear about it from their constituents. And the message that needs to come across loud and clear to every MP right now is: “Opt-outs must be honoured. Trust is being actively damaged (again). Don’t let NHS England make any more mistakes.”

We cannot tell you exactly what to say – it’s actually far better if we don’t, and your letter will have far more impact if you write in your own words – but please write as clearly and concisely as you can about your concerns. If you have opted out, do make sure to ask your MP to ask the Secretary of State when he is going to honour his promise and ensure that your opt-outs are actioned and respected. Even if he or she does not agree with you, your MP should pass on a specific question to a Government Minister when asked.

What’s next?

We await answers from the Commissioning Board (i.e. NHS England) about its re-issued care.data Directions, to replace its broken Directions from 2013. We highlighted significant problems before its last board meeting and the Board’s Chair said he will write to us. He hasn’t yet.

We await sight of Directions from the Secretary of State about ‘Patient Objections’ – the legal definition of how the opt-outs must work, on which NHS England’s Directions depend. HSCIC’s Board is scheduled to consider these in July, but that is after Blackburn with Darwen CCG says it could start contacting patients.

We await publication of the CAG (Confidentiality Advisory Group) Regulations, themselves now delayed for almost a year. Will they contain all of the promised safeguards and, crucially, a clearer definition of the deeply controversial “promotion of health” purpose that perpetuates the sale of patient data to Pharma marketers and other commercial interests?

We await public answers to Dame Fiona Caldicott’s 27 areas of concern but, even more importantly, we are still waiting for the Office of the National Data Guardian to be put onto a proper statutory footing “at the earliest opportunity”, to reinstate the independent information governance oversight abolished by the Health and Social Care Act 2012. Dame Fiona’s advice has been ignored by NHS England before.

We await the re-establishment of the Health Select Committee, and (hopefully) the re-opening of its Inquiry into the ‘Handling of NHS patient data’. Questions have already been asked in the Lords; we sincerely hope the Commons will demand answers about the continuing chaos too.

And finally

We are very grateful for all the support we receive – not just money, but the information people provide and the actions you take. Our thanks to all those who got in touch after our last newsletter; we’ve been a bit busy(!) but we will be contacting you shortly, with some specific requests.

medConfidential is still unfunded. We have submitted grant applications, and hope to hear back on the first of them by the end of the month. But for now we are doing this because we have to.

Last year, amongst other things, we helped hundreds of thousands of people opt out, believing no Government or arm’s-length body would be so stupid or arrogant as to break the promises that had already been made. medConfidential’s promise may have been implicit – “We’ll make sure this works” – but we, unlike some, stick to our promises. So we fight on.

If you can afford to make a donation, please do:

Phil Booth and Sam Smith
medConfidential

12th June 2015

care.data’s big post-election question

Over 700,000 people are still waiting for a public announcement about what has happened to the opt-outs they made in 2014 – an announcement that was delayed “until after the election”.

Now the election is over, the Department of Health and its bodies have two choices. The first option is for them to write to every patient affected by their mistake, and say:

“We are very sorry. There was a mistake on our part, but we’re fixing it, and we will do what you asked: your medical records will not be used beyond your direct care. This process has now begun for hospital records, for maternity records, and for mental health records – including the data releases covering all of last year – and other parts of the NHS will meet the guarantee we made you as soon as possible. But, whatever happens, from today forwards you will be told everywhere your data goes, and why.”

They can make every single part of the above statement true, and (as a bonus) it would cost no more to do than what they’re planning on doing anyway. This would represent the NHS taking ownership of the problem, and promising to do much better in future – and being transparent about what happens to your data. You wouldn’t have to simply trust they got it right; you would be able to know what happened, and could make your own judgements.

The Department’s second option – the choice NHS England would like Jeremy Hunt to pick – is to make their invasion of your privacy your problem, and to transfer the complexity of knowing how the NHS works (this week…) from the Government on to you and every other patient.

They might send a different letter which talks only about your GP records as part of care.data, ignoring the information collected by every other care provider; a letter which offers a different opt-out from what you did last year, where you will have to call up or go to the internet for a second form [PDF] if you want to protect your hospital data; and, even if you already opted out, you will get a letter as if you hadn’t.

So the big question is, will Jeremy Hunt make it your problem that NHS England still wants to allow your medical records to be sold?

What happens next?

The Health and Social Care Information Centre will do whichever of those it is allowed to do. It can do either, but it doesn’t make the decision. That’s up to Mr Hunt, who will take advice from NHS England. So what’s it to be?

NHS England kept the opt-out problem secret for over a year – even while it was sending out the junk-mail leaflets last January / February, saying the choice existed. Then it hid the problem for another 10 months, before passing the buck to HSCIC last November without even telling them the size of the problem. (HSCIC told us they were working it out less than a fortnight later.)

Officials have now admitted the likely scale of the problem; we await news from Ministers on what they’ll do next.

The Directions approved “in principle” by NHS England’s Board last Thursday suggest communications could go out to patients as soon as this month, once HSCIC has published the updated ‘clinical code specification’ for the data that will be extracted from your GP record. So it appears NHS England is expecting to do a number two – making your medical privacy your problem, not theirs. Have they learnt nothing?

Live in Somerset, West Hampshire or Blackburn with Darwen? You’re up first…

The Schedule (p5) to the Directions considered by NHS England’s Board last Thursday excluded the three Leeds CCGs, previously announced to be participating as pathfinders. Presuming this wasn’t just a typing error, GPs and patients in Leeds can relax a bit. For now.

However, if you live in one of the other three pathfinder areas listed above, NHS England has decided you’ll be the first guinea-pigs for its ever-more-complicated zombie data grab.

No list of participating GP practices has been published as yet, but as the summer holidays are rapidly approaching please do let friends, family and colleagues know they should be on the alert, e.g. by forwarding them this newsletter, or encouraging them to subscribe – it’ll take less than a minute.

While medConfidential believes and has said it would be a big mistake for NHS England to start sending out patient communications over the summer, they do have form for ignoring sound advice…

We have a couple of questions which would benefit from some local knowledge. If you fancy helping us out, please e-mail coordinator@medconfidential.org and we’ll let you know how you can help.

Unless you live in an affected area, there’s no substantive action for you in this newsletter; there will be next time.

Phil Booth and Sam Smith
medConfidential

1st June 2015

(Apologies to those who received the Bulletin by e-mail – we forgot to update the date in the footer, so it read 1st April, not 1st June as it should have.)

This is just a brief update; we hope to have more substantive (good) news soon, but something else we think you should know about is happening and we wanted to give you the heads-up.

Urgent action – your health data and beyond

While the Government and NHS England still refuse to rule out the commercial re-use of your medical information, their commercial cronies have lobbied the Office of National Statistics to consult on commercial, speculative and secret access to the unprotected data that ONS holds.

This “microdata” is highly sensitive, much of it personal data – which is why the ONS has had to keep it so tightly under lock and key. This isn’t your medical record, but it’s everything else the Government has, including the census and Health Survey; it’s all but your name.

With a general election in the offing and the budget this week, no-one else seems to have noticed. But where does the bulk of the data that the budget depends on come from? That’s right, ONS – and confidential business data is included in these proposals too.

Please act now. With just one week to go before the consultation closes, you can:

1. Sign the open letter opposing the proposals – it’ll just take a minute
2. Tell your friends – more information at www.AllButNames.com
3. Fill in a longer response via the ONS website

There may be just a few of them but, as statisticians can count, your voice really matters.

medConfidential’s attention was drawn to this issue by Methods Insight Analytics’ breach of conditions for using ONS linked data sold by HSCIC last summer. It appears some private companies would rather change fundamental ONS principles than their own business models.

Has nothing been learned from the care.data fiasco? Allowing commercial access to highly detailed, sensitive information for private profit undermines both trust and the public good. Selling access to ONS microdata may make peanuts for companies and their shareholders, compared to the very real damage to public confidence in our National Statistics that will come from these proposals.

What’s happening with care.data?

We’d love to be able to tell you what’s going on with the care.data pathfinders but, depending on who’s asked, they’re both going ahead and not before the election… and now NHS England won’t say either way.

It has been clear for some time that data extractions won’t take place “before the autumn”, but that’s not quite the point. The question is when patients will start being written to, what they’ll be told, and whether it’s actually true.

Though the headlines talk about a delay, when pressed, “Mr Kelsey told HSJ that while the extraction would not take place before the election, pathfinders would send out communications around the data extraction and linkage programme.”

As The Register reports, Tim Kelsey repeated this intention to Roger Godsiff MP, who was prompted to lay an Early Day Motion this Monday.

We sincerely hope that NHS England will do the right thing, and postpone sending anything out to patients in the pathfinders until after the election. Too many questions are still unanswered, and critical elements – such as the CAG regulations, new Directions and fixing the ‘Type 2’ opt-out error* – are still not in place.

Proceeding now, so close to the election, could be seen as an attempt by this Government to constrain the next. And, as Shadow Cabinet Office Minister, Chi Onwurah has said: “I think if we have another care.data, then the public sector is not going to want to touch data, whether it is open or shared and that is a real danger.”

—

* We understand HSCIC is working on a solution to the issue they have taken responsibility for, that will honour your choices and not affect your direct care. We will let you know as soon as anything public is announced, but this is unlikely to be until after the election.

What happened in 2014?

In January and February, following NHS England’s catastrophic junk mail leaflet campaign, we helped “stop” the nationwide rollout of the care.data programme – though NHS England denied that word until October – and got the “opt-out” fixed so that no data would leave your GP practice, rather than the fudge NHS England had tried to pull.

In March the government added amendments just as the Care Bill left the Commons for the Lords. Though intended to reassure the public,“the promotion of health” clause introduced a loophole for commercial users that’s yet to be fixed. April saw the publication of HSCIC’s first (incomplete) Data Release Register, revealing dozens of companies – not just insurers – had bought NHS patient data.

In May government rejected Lord Owen’s amendment to the Care Bill that would have reinstated much-needed statutory independent oversight. By November the need for this was so critical that Jeremy Hunt appointed Dame Fiona Caldicott as National Data Guardian, a role to be made statutory “at the earliest opportunity”, barely 53 weeks after the IIGOP was formed.

Sir Nick Partridge’s Review of ‘historic’ releases by the Information Centre was published in June, confirming “significant lapses” – and ongoing use of the ‘National Back Office’ by the police to trace people. June also saw the Annual Representatives Meeting of the BMA vote for care.data to be opt-in. Over the summer, polls showed a serious “data trust deficit”, and suggested almost a third of GPs would opt their patients out.

In October, NHS England began to try to restart the scheme, announcing several ‘pathfinder’ CCG areas – though, as it turned out last week, it still hasn’t signed up GP practices in these areas. And just yesterday, the Independent Information Governance Oversight Panel asked rather a lot of questions, to which answers must be provided before the scheme can proceed.

Some good news

Firstly, and as we first raised back in February to the Health Select Committee, HSCIC is building a “secure data facility”, where those who are content for all their data to be used can have it used safely. A single locked-down source where legitimate, transparent and ethically-approved access can be properly managed and audited – rather than copies of millions of patients’ information being sent out – is also the safest way to ensure people who don’t want their data used can have it excluded. This isn’t just about care.data and your GP records, but about all your medical records, held in trust by the NHS.

Secondly, our proposal for Personalised Data Usage Reports are the mechanism for the HSCIC and NHS to report to each individual patient how their data was used, and for each individual to be able to know – rather than just have to trust – that their wishes have been respected. It can also show the good that has come from legitimate uses of data. Even safe and consensual uses of data must be transparent, and we have spoken to no bona fide researchers who ever thought otherwise.

These are both a good start. When they are in place, it’s possible a replacement could emerge from the wreckage of NHS England’s care.data debacle. Since the summer, its communications have fallen apart (again), the content has been criticised repeatedly by experts, yet there will (apparently) be “no changes to the specification”. Any attempt to revive care.data before safe and transparent data use has been seen by the public is likely to backfire.

And, in an unexpected footnote to an incredibly busy year, we were deeply honoured to be shortlisted for a prestigious Liberty Human Rights Campaign of the Year Award – a recognition that the work above has begun, but remains unfinished. We offer congratulations to Lord Low for winning the award for his defence of the Human Rights Act, and applaud the fantastic work of our fellow nominee, Police Spies out of Lives, in their fight against injustice. They deserve everyone’s support.

What next?

In the New Year, the Shadow Minister for Health has said the “Opposition will table an amendment on Report to ensure that the National Data Guardian is put on a statutory footing”. This clearly must be done right, and we look forward to seeing the detail of what the Opposition proposes.

In the same debate on Jeremy Lefroy’s Public Members’ Bill, Under-Secretary of State for Health Dr Dan Poulter told Parliament: “The National Information Board is working towards a whole system consent-based approach, which respects individual’s preferences and objections about how their personal and confidential data is used, with the goal of implementing that approach by 2020.”

2020 is a long way off, so we hope we don’t have to wait too long to see exactly what is being proposed – and what work will commence towards making data use across the NHS safe, consensual and transparent in the near future.

It’s Christmas…

We deeply appreciate every donation you give us and especially the messages you include with them, whatever the amount… £5, £50 or more. We know each donation is an expression of individual support for what we are doing and the good wishes that come along with that.

medConfidential is a tiny organisation, hitting well above its weight, but to keep going we have to find around £60k per year. If you are – or know – someone who could make a substantial contribution towards our operating costs, please do get in touch: coordinator@medconfidential.org

And finally, we wish you and your loved ones a safe, consensual and relaxing festive season.

See you next year… expect a busy January!
Phil Booth, Sam Smith and Terri Dowty
Coordinators past and present, medConfidential
19th December 2014

What just happened?

On Tuesday NHS England announced the care.data ‘pathfinder’ areas, but didn’t provide answers to basic questions like “Is it happening in my practice?” and “When will it start?” We await more details on the pathfinders, including exactly what patients (and GPs) will be told.

The four care.data pathfinder areas are:

• Leeds (3 CCGs: West / North / South and East)
• Blackburn with Darwen CCG
• West Hampshire CCG
• Somerset CCG

We sent out a background briefing on Monday with a list of questions to which we expected answers, but when none were forthcoming there was a bit of a storm in the media.

Where does your data go?

On Monday HSCIC published its latest quarterly data release register, covering the period April – June 2014. No insurers this time, but at least one recipient (Northgate) declares that its “market may also include commercial organisations” which highlights the dodginess of claims by officials that “solely commercial use” will be prohibited. Information intermediaries that service both NHS and commercial customers aren’t solely commercial, after all.

Worryingly, HSCIC’s new contracts don’t yet exclude commercial re-use. And with the over-broad “promotion of health” clause in the Care Act – the ‘McDonalds amendment’ we pointed out would include promotion through advertising, access by pharmaceutical marketers, etc. – there’s still a long way to go before patients can be satisfied that all the loopholes are closed.

Earlier this month, an updated care.data addendum in which NHS England sought to increase the types of uses to which patient data can be put, and the range of organisations and companies that can access it, was considered by the Independent Advisory Group for GPES (the system by which data is extracted from GP practices).

The addendum was approved, with conditions – including clearer definitions of “research” and “health intelligence”, independent oversight and further consideration of the expansion of purposes once the pathfinders are complete. Like us, IAG have significant concerns about the “lack of clarity about the data disclosure” after the pathfinder stage.

If patients are to be promised that all individual-level data extracted and linked during the pathfinders will be kept in HSCIC’s secure data facility, accessible to a small number of approved analysts, what’s the rush to widen future access now?

Opt-in / opt-out

Earlier in the summer, the BMA’s Annual Representatives Meeting voted that care.data should operate on a patient opt-in basis. While it does not appear that NHS England will be testing opt-in vs. opt-out approaches in the pathfinders, a representative of the Information Commissioner’s Office said at a recent conference that GPs could discharge their obligations under the Data Protection Act if they opt out their patients by default, so long as they put equivalent effort into contacting patients offering them an opt-in as they would have done for an opt-out.

What next?

Now the pathfinder areas have been announced, we are pushing to see exactly what patients (and GPs) will be told. In the meanwhile, if you do have concerns about care.data and if you haven’t done so already, our advice continues to be to opt out now. N.B. If you opted out of care.data earlier this year and had the ‘dissent codes’ added to your GP record, these will still work so you should not have to opt out again.

In the next few weeks, we expect Regulations to the Care Act – including further definition of the “promotion of health” clause, sanctions for data misuse and the operation of the Confidentiality Advisory Group (CAG) – to be laid before Parliament. We’ll publish more information as we have it.

Also coming up in Parliament is the Health and Social Care (Safety and Quality) Bill, Jeremy Lefroy MP’s Private Members’ Bill, scheduled for Second Reading on 7th November. No documents have been published as yet, but we intend to pay close attention to a Bill that intends “to make provision about the integration of information relating to users of health and social care services in England” and “to make provision about the sharing of information relating to an individual for the purposes of providing that individual with health or social care services in England”.

How can you help?

If you are registered with a GP in one of the pathfinder areas, we suggest you e-mail or write to your local HealthWatch and ask when the local public meeting will be held to talk about care.data. Please do let us know how you get on.

We are a tiny under-resourced campaign, but if you would like someone from medConfidential to address a meeting of your patient representative group or local HealthWatch please get in touch via coordinator@medconfidential.org. We’ll do our best to provide a speaker, or slides for you to use.

And finally

There is a great deal of confusion about forms relating to the Summary Care Record, local data sharing and care.data – some patients report having three or even four separate opt outs at their GP practice. One even offered a “Summary Care Data” opt out form. To be very clear, the Summary Care Record (SCR) is entirely separate from care.data:

• a Summary Care Record contains your last 6 months’ prescriptions, any major allergies or adverse drug reactions you may have and any information you have asked your GP to put on it. It is for access by medical staff providing you with direct care, and they should normally ask your permission before viewing it. The official form to opt out of having an SCR is here.
• There may also be local data-sharing arrangements in your area, usually for direct care purposes such as sharing information between your GP and a local hospital. Your practice should be able to tell you more about these, and provide an opt out form.

• care.data is all about ‘secondary use’ of your medical information – it has nothing to do with your direct care. No data has yet been extracted under the care.data scheme, so if you have concerns you can opt out now. You can always opt in later. There is no official opt out form, so we have provided a form or a letter for you to send to your GP.

If in doubt, please do talk to your practice staff but be aware that GPs and practice managers have not been told anything more about care.data since February.

Please do also forward this newsletter to your friends and family. They can receive future editions by joining our mailing list at http://medconfidential.org/contact/

Phil Booth and Sam Smith
Coordinators, medConfidential
10th October 2014

It’s been just over 6 months since NHS England pressed “pause” on care.data, so we thought now would be a good time to provide a round-up of what’s been happening. Some things have changed since you last heard from us, some things unfortunately haven’t.

What just happened?

Minutes published by the revived Data Access Advisory Group (DAAG) at HSCIC earlier this week revealed that an unnamed organisation has been using HES and ONS data “for commercial activity in addition to the purposes they had stated when applying for approval”.

This is deeply concerning, especially given repeated assurances by Ministers and officials that commercial exploitation of NHS patients’ data will not be permitted. We wrote with urgent questions on Tuesday and are waiting for a reply; it seems that while the ‘new world’ detection regime may be beginning to work, we are still stuck with ‘old world’ incident handling.

This is precisely the sort of offence that ‘one strike’ sanctions would address; the perpetrator would have to delete the data, provide proof that it had been deleted, would have their current contract(s) revoked, and would not receive data in future. Merely “asking the data recipient to cease using the data” shows how far we still have to go.

Consensual

A survey by GP magazine Pulse over the summer suggests nearly one third of GPs would opt their patients out of care.data if NHS England ignores the BMA’s vote for the scheme to be opt-in. GPs across the country report that patients are continuing to opt out; one in St Helens confirms that “opt outs in her surgery currently stood at 20%”. And even NHS England’s Deputy Medical Director has called for parts of care.data to be opt-in.

medConfidential proposed a way in which NHS England could empower GPs who want to protect their patients’ confidentiality and also allow consensual research, but it appears the official still pushing the scheme just doesn’t want to.

Safe

We’ve said many times that the nation’s medical records are more valuable than the Crown Jewels; it appears parts of the system have got the message, and the Health Select Committee was given assurances (Q433 & Q504) that – for the ‘pathfinder’ phase at least – care.data extracts will only go into a ‘safe setting’. This is the secure data facility that some have called a “fume cupboard” and which we have previously discussed as ‘HRRDL’, a tightly locked-down Health Remote Research Data Laboratory.

We have to hold them to these assurances, and one of our current tasks is to make all parts of the system understand and respect the promises some parts have now made. Meanwhile, there have been a slew of consultations to respond to – hardly light beach reading! – including the Department of Health’s on ‘Accredited Safe Havens’, HSCIC’s Confidentiality Code of Practice and new data sharing contracts and agreements. And we continue to point out problems and ask difficult questions when attending the care.data advisory group.

Transparent

Unfortunately NHS England’s senior staff are still clueless on this front. They won’t confirm whether every patient will be written to, with an opt out form. We keep asking. They won’t even confirm if they wrote to every Clinical Commissioning Group asking if they’d like to volunteer to be a care.data ‘pathfinder’. So we wrote to the CCGs ourselves, who confirmed that NHS England hadn’t.

Meanwhile, the search for a replacement ‘Senior Responsible Officer’ for care.data continues. It’s the archetypical hot potato. We had some questions for candidates to ask the panel at interview. Things at HSCIC seem a bit more organised, and – with certain unfortunate exceptions – there are real signs they are working to improve their systems and procedures. But ongoing scrutiny is required.

Over the summer, we learnt more about the operations of the ‘National Back Office’ and access by law enforcement agencies – first outed in the Partridge Review, with more detail in July’s Data Release Register. Given the co-location of so much sensitive data at Smedley Hydro, it may be the permanent solution for this would be to move birth, marriage and death registrations out of the Home Office.

Where next?

Details of the care.data ‘pathfinders’ of “between 100 and 500 GP practices in the autumn” are still sketchy. NHS England won’t – or can’t – say where they will be, when they will start, or what exactly they’ll be doing. We’ll update you as soon as we know anything definite.

Meanwhile, Phil will be speaking at a number of events in coming weeks, including:

• Healthwatch Oxfordshire and Oxford Health Experiences Institute on 10th September
• Health Service Journal roundtable event at the King’s Fund on 15th September
• EMIS National User Group Annual Conference in Nottingham on 26th September
• RCGP Annual Conference in Liverpool on 4th October

We are a tiny under-resourced campaign, but if you would like someone from medConfidential to address a meeting of your patient representative group or local HealthWatch please get in touch via coordinator@medconfidential.org. We’ll do our best to provide a speaker.

How can you help?

We still need your help spotting inappropriate consent forms – and this is not just about enforced Subject Access Requests by insurance companies. We’ve seen forms requiring patients to agree to having their data used for purposes other than their medical care or to having their medical information processed overseas. Help us root out these abuses of consent and confidentiality wherever they occur.

And finally

medConfidential’s work continues. For example, we are pushing for patient-level audit trails – not just a quarterly data release register – that would mean you could see exactly how your data, your experiences, your life, had contributed to particular pieces of research, and read the papers from the researchers that advance knowledge.

What we do may not always be headline-hitting, but we believe keeping every use of your medical information consensual, safe and transparent is essential. There are benefits to be had, but only if things are done right.

Please do forward this newsletter to your friends and family. They can receive future editions by joining our mailing list at http://medconfidential.org/contact/

Phil Booth and Sam Smith
Coordinators, medConfidential
5th September 2014