Category Archives: News

Jeremy Hunt has changed his mind

Welcome to another newsletter from medConfidential.

Jeremy Hunt changed his mind and is still selling your medical records

If you opted out of your hospital records being sold, Jeremy Hunt has changed his mind about your choice.

At the time, he said in Parliament (emphasis added):

“…this Government decided that people should be able to opt out from having their anonymised data used for the purposes of scientific research, which the previous Labour Government refused to do? When they extended the programme to out-patient data in 2003 and to A and E data in 2008, at no point did they give people the right to opt out. We have introduced that right”

The right Jeremy Hunt was so publicly proud of introducing, he has secretly taken away again. He was right to give it you – his election manifesto promised it would be there.

Over 1.2 million people, just like you, opted out of their hospital records being sold. The opt out has begun to work, but NHS confirms hospital records are still being sold.

The opt out process you followed in 2014 was the easiest way to opt out, but was not the only way. It was what the Government said would work. They have now changed their minds. We complained to the ICO, and they agreed with the Government.

As a result, we will have more details on what you can do to protect yourself in the new year. The Government had to perform a pirouette to pull this off, and may still have fallen flat on their face.

For now, you may wish to write to your MP and ask about this change. Ask your MP why the Government has gone back on its manifesto promise to let you opt out. Tell them why confidence in the privacy of your medical records matters to you. More details of the change are on our website.

Other steps you may wish to take to protect your medical records will become clear in the new year. If you are in immediate distress, our website contains a longer route to doing so now if necessary. If that is not the case for you, we’d suggest you wait until our full response is available. There is more to come on this, and the shabby secret is now out.

Jeremy Hunt offered you a convenient route which didn’t place an undue burden on your the NHS. If you took him up on that, he should keep his word. He retracted it in secret, and it took 6 months of work to find out what had actually happened. The opt out you took up for hospital has begun to be implemented, but is not yet fully in place. The opt out of your GP data, which is a separate tick box on the form you used, is not affected. The GP opt out is working, as it has been since you handed in your form.

Where does data go?

NHS Digital publishes details of where they send data each month, and why. Now they publish detailed official spreadsheets, we turn it into simple webpages. They are at https://dataregister.medconfidential.org

That gives a list of which projects honoured your opt out, and which companies got data on you anyway.

Merry Christmas

2017 is looking busy. The Government will announce what it is going to do. We hope they will do the right thing and honour your opt out (even if they try to do everything else first).

We rely on donations for some of our work, and anything you wish to offer in support will be put to good use. We have some fun plans for ensuring your choice is respected, and donations help them happen.

We will still be here. The Government know we will still be here, and know we will do what we say we will do. We work to ensure that your medical records are only used in a way which is consensual, safe, and transparent.

You can help make that happen.

We wish you and your loved ones a Merry Christmas, and we’ll have more in the New Year. The next newsletter will have better news than this one. We hope.

Thanks for helping

Best wishes, for a Merry Christmas, and a consensual, safe, and transparent New Year.

From Phil, Sam, and all at MedConfidential.

Briefing for the Digital Economy Bill – House of Lords 2nd Reading

Our 3 page briefing is here.

Summary

Given the obstinacy of the Cabinet Office, Part 5 of this Bill has been offered on a take or leave it basis to Parliament. If it is not improved at Committee stage, we suggest you leave it.

A major hospital in London has a deal with Google to produce an app to tell doctors which patients are in the most urgent need. This is a good thing. But to produce it, Google insisted on having a copy of main dataset covering every patient in the hospital, which is only available up until the end of the previous calendar month. The appropriate way to get the information needed, was to get up to the minute information on the patient whose details they were going to display. However, Google wanted all the data, and insisted on it if the hospital wanted to work with them.

It’s not the creation or production of a pretty app that’s the problem – it’s the demand for excessive data in return for using the app. It’s entirely rational for the hospital to accept the app as it may lead to marginally better care for their patients; but the price is being paid in their patients’ data. The Bill applies this principle across Government: third parties want the benefits of having the data, because this Bill does not require any protections.

The Minister was asked a simple question about safeguards: “Could you explain where they are and what they look like?” and no answer – because there are none.

Characterising Chapters 1 and 2, it can be said they “will have the effect of removing all barriers to data-sharing between two or more persons, where the sharing concerns at least in part the sharing of personal data, where such sharing is necessary to achieve a policy objective…”

Unfortunately for the Government, that characterisation is quoting from the Government’s explanatory notes for s152 of the Coroners and Justice Bill (para 962). Nothing has changed in Government thinking since 2009, when the House of Lords threw out that clause.

Our 3 page explanatory briefing is here.

medConfidential statement on continued sale of hospital records

During the failed Care.Data project, NHS England and the Department of Health said “patients have a choice” about how their data is used – they could opt out if they wished.

NHS Digital, the bit of the Department of Health that sells data to companies, has gone back on the Secretary of State’s word on a critical detail, and Jeremy Hunt has given up. To the Information Commissioner, they now say: there is no choice about whether your hospital data is sold. NHS Digital admit and demonstrate that it continues to be sold.

The opt out was the gift of the Secretary of State, and he has taken part of it away again. Merry Christmas everyone.

On that basis, other legal options remain open to patients. This is not the end, but it is the end of the beginning.

The opt out has begun to be implemented – it does do some things – but the main purpose of opting out of your hospital data being sold, is that your hospital data doesn’t get sold. That is the part that continues to happen in spite of the NHS promise to you as a patient.

We are obviously disappointed that Jeremy Hunt has chosen to go back on his word, and continue selling the nation’s private hospital history to anyone who fills in a form correctly, after he offered patients a choice to opt out of that.

The ICO has ruled that it was the Secretary of State’s choice, and he was entitled to make it. This does not affect rights available to patients under the Data Protection Act.

If patients are concerned, we suggest they join our newsletter at www.medConfidential.org, and we will provide a detailed update shortly – it is likely to involve a trip to the post box.

We will have a more detailed analysis of the contradictory parts of the ICO response in due course.

medConfidential

Notes to Editors

Care.data was the extension of GP data to link it with Hospital data, and continue the practices used in ongoing releases of hospital data. The Government was very clear that if patients didn’t want their hospital data used, they could opt out:
Parliament: https://www.theyworkforyou.com/whall/?id=2014-03-25a.49.0#g56.7
NHS England: https://www.dropbox.com/s/qaax5zj77zxddwz/leaflet-manchester.jpg?dl=0
NHS Digital’s convoluted policy statement is the 5th bullet point here: http://content.digital.nhs.uk/article/7092/Information-on-type-2-opt-out
For alternate approaches, we note s10 of the Data Protection Act allows a person to dissent from processing, and purposes beyond direct care are subject to legal dissent. The opt out was supposed to be the convenient way of expressing dissent; it is not the only way.
This decision is about data flows as they exist today. Looking forwards to future changes, NHS Digital argue that this implementation is entirely consistent with the future Caldicott Consent Choice under review by the Government following a public consultation. That is in the hands of the Government.
The NHS Digital Privacy Impact Assessment for the Hospital Episode Statistics shows that reidentification from this data could happen: http://content.digital.nhs.uk/article/7116/Consultation-on-the-Hospital-Episode-Statistics-Privacy-Impact-Assessment-Report
The recipients of data releases, which includes releases containing data on patients who had opted out, can be seen here: https://dataregister.medconfidential.org
For what patients can do about this change, see: https://medconfidential.org/2016/opt-out-process-update-december-2016/

-ends-

PHE Board papers

In 2016, Public Health England stopped publishing linkable PDFs for their board papers, and started hiding them in zip files. As we have previously done with HSCIC, we’ll publish the zip archives here until they switch back (which they may now have done).

PHE Board May 2018

For the May 2018 board meeting, they published original documents individually here.
Future meeting papers should be individually available here (we’ll keep an eye on things, and this page will come back to life if they change back to publishing impenetrable archives).

PHE Board February 2018

PHE Board November 2017

PHEBoard September 2017

PHE Board June 2017

PHE Board April 2017

PHE Board February 2017

PHE Board January 2017

These papers were published 36 hours after the meeting happened.

PHE Board November 2016

PHE Board September 2016

PHE board July 2016

- Board agenda 20 July 2016 v00.02 OPEN.pdf

/wp-content/uploads/hscic/phe/phe-2016-08/PHE16-036 (1 of 4) Board paper public mental health – v7.pdf

PHE Board May 2016

Showing the Thing: Jeremy Hunt’s desire for an “NHS App”

Every flow of data across the NHS should be consensual, safe and transparent. Following the Caldicott Review call for a continuing conversation, Secretary of State Jeremy Hunt has asked for an “NHS App” by September 2017. Since he made that request, there has been no visible progress.

Additionally, patients should not have to work out how the NHS works in order to use digital services.

One of the pre-requisites is a login system for patients that works across the NHS – how many usernames and passwords should people have to remember?

The savings from avoiding missed appointments (via the “choose and book” system) can only come if patients can log in to change their appointments, and aren’t put off by terrible technology.

We’ll have more on patient identity shortly, but the GP managed login, and password reset process, is sufficient for now (it’s not perfect everywhere, but the other suggestions of perfection are untarnished by the requirements of delivery or reality).

Using Gov.UK Verify’s providers would require every patient to only receive care in the name they have legal documents for. Facebook may insist on a real name policy, the NHS should not. There are many reasons it does not.

So what might a good digital app start to look like?

Here’s our thought experiment:

https://nhsapp.experiment.medconfidential.org

Comments welcome.

Deepmind try again – November 2016

DeepMind this morning reannounced their partnership with the Royal Free Hospital. Updates are at the bottom – details are in the 9:50 and 10:10 updates.

There’s apparently a new legal agreement to copy exactly the same data that caused so much controversy over the summer. We have not yet seen the new legal agreement, so can’t comment on what it permits or disallows.

Responding to the press release, Phil Booth, Coordinator of medConfidential said:

“Our concern is that Google gets data on every patient who has attended the hospital in the last 5 years and they’re getting a monthly report of data on every patient who was in the hospital, but may now have left, never to return.

“What your Doctor needs to be able to see is the up to date medical history of the patient currently in front of them.

“The Deepmind gap, because the patient history is up to a month old, makes the entire process unreliable and makes the fog of unhelpful data potentially even worse.

As Deepmind publish the legal agreements and PIA, we will read them and update comments here.

8:50am update. The Deepmind legal agreement was expected to be published at midnight. As far as we can tell, it wasn’t. Updated below.

TechCrunch have published a news article, and helpfully included the DeepMind talking points in a list. The two that are of interest (emphasis added):

An intention to develop what they describe as “an unprecedented new infrastructure that will enable ongoing audit by the Royal Free, allowing administrators to easily and continually verify exactly when, where, by whom and for what purpose patient information is accessed.” This is being built by Ben Laurie, co-founder of the OpenSSL project.
A commitment that the infrastructure that powers Streams is being built on “state-of-the-art open and interoperable standards,” which they specify will enable the Royal Free to have other developers build new services that integrate more easily with their systems. “This will dramatically reduce the barrier to entry for developers who want to build for the NHS, opening up a wave of innovation — including the potential for the first artificial intelligence-enabled tools, whether developed by DeepMind or others,” they add.

Public statements about streams (an iPhone app for doctors) don’t seem to explain what that is. What is it?

9:30 update: The Deepmind website has now been updated. We’re reading.

The contracts are no longer part of the FAQ, they’re now linked from the last paragraph of text. (mirrored here)

9:40 update: MedConfidential is greatly helped in its work by donations from people like you.

9:50 update: Interesting what is covered by what…

screen-shot-2016-11-22-at-09-54-17 screen-shot-2016-11-22-at-09-45-28

screen-shot-2016-11-22-at-09-47-34

10:10 update: What data does the DeepMind FIHR API cover? What is the Governance of that API? Is it contractually, legally, and operationally independent of the Streams app?

(it’s clearly none of those things, as the above screenshots say).

Deepmind have made great play of their agreement being safe, but consent is determined in a google meeting room, and the arrangements for the “FIHR API” are secretive and far from transparent.

There is likely to only be one more update today around 1pm. Unless Google make an announcement that undermines their contractual agreements.

1pm update: The original information sharing agreement was missing Schedule 1, and has been updated.

3:30 update: DeepMind have given some additional press briefings to Wired (emphasis added):

“Suleyman said the company was holding itself to “an unprecedented level of oversight”. The government of Google’s home nation is conducting a similar experiment…

““Approval wasn’t actually needed previously because we were really only in testing and development, we didn’t actually ship a product,” which is what they said last time, and MHRA told them otherwise.

Apparently “negative headlines surrounding his company’s data-sharing deal with the NHS are being “driven by a group with a particular view to pedal”.”. The headlines are being driven by the massive PR push they have done since 2:30pm on Monday when they put out a press release which talked only about the app, and mentioned data as an aside only in the last sentence of the first note to editors. – Beware of the leopard.

As to our view, MedConfidential is an independent non-partisan organisation campaigning for confidentiality and consent in health and social care, which seeks to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Does Google Inc disagree with that goal?

Data in the rest of Government: A register of data sharing (managed, rather than inadvertent)

The Codes of Practice for the Digital Economy Bill aren’t worth the paper they’re (not) printed on. They aren’t legally binding (para 11), and are effectively subservient to the ICO’s existing code, even while paragraph 60 pretends a single side of A4 is a valid Privacy Impact Assessment for data sharing for operational purposes.

As this is the case, why is there a code of practice necessary under the legislation? Is does nothing new. Is it solely to make it look more respectable than the dark and dank dodgy deal that it actually is?

In places such as supermarkets, you have a choice of whether to use a clubcard, and can easily use one of the other supermarkets that are available – Government doesn’t have competition promoting integrity. To ensure a citizen can see how Government uses data about them, there should be a statutory register of data sharing agreements (involving public sector data). A register prevents nothing (which seems to be the policy intent of the Bill), but is simply a list of stated intents. From the Register comes an informed discussion of what organisations are actually doing and sharing, rather than excessive secrecy and double dealing.

Opposition to a register comes from fear, based in Government’s lack of knowledge of what data they have, or currently share it. If you don’t have a clue where your data is, or why it’s there, you oppose a register because you don’t want to find out.

How this state of affairs came about, is at the heart of this Bill.

We’ve previously posted about the definition of Personal Data in the Investigatory Powers Bill. What about in the non-secret parts of Government?

In 2010, the Cabinet Office told GCHQ that “to be considered personal data, a dataset has to contain at least the actual names of individuals.” GCHQ being subject to the national security exceptions of the Data Protection Act.

In March 2015, the term “bulk personal datasets” was used by Parliament, and entered common terminology, but it wasn’t until November 2015 that the full definition of the Data Protection Act was restored (with DPA exceptions for National Security).

But, in the middle 7 months, the term gained increased currency within Government and used much more widely as it crossed into the non-secret sphere. The Cabinet Office took the existing meaning and thinking and applied it elsewhere.

It was never noted that the definitions in the non-secret parts of Government should have been different, likely weren’t, and hence possibly are invalid under DPA, because the narrow term for GCHQ was classified, and hence restricted. Ie “actual names” is not the DPA standard.

So what effect did this have?

Following the talk talk hacks, Government ran an exercise described as the “Cabinet Office audit 2016” looking at what each Department held, and the impact of them losing it.

We made FoI requests about what each department held, and got very interesting answers (we excluded national security or serious crime).

The Cabinet Office hold no bulk personal data (apparently… ).

DCMS hold some bulk personal datasets – on people who have responded to their consultations (and some data from the Olympics)… (erm… what?)

The Department of Transport gave a much longer answer, (but didn’t know how much was in each dataset).

Does the Government known what personal data it has, uses and shares, and where it keeps it? If so, did Departments share that list with the Cabinet when asked?

Since we can see they probably didn’t, are all uses of large datasets (whether they are considered personal data or otherwise) fully compliant with the definitions in the Data Protection Act?

How does the Bill and associated work help resolve this mess?

Data in the rest of Government: a fertile breeding ground for fraud and misery

We have now published our submission on Part 5 of the Digital Economy Bill to the Committee scrutinising the Bill.

The Digital Economy Bill (Part 5) promotes a fertile breeding ground for fraud and misery: excessive data sharing, but only in secret.

The protections on sharing data to academic researchers are strict – people who work to increase human knowledge have to jump through a range of hoops to get funded, with critique and transparency; and then even more hoops to get data, again with critique and transparence; and even then, the the Digital Economy Bill does not apply that process to health data for research until we see the outcome to the Caldicott process.

Yet, the Digital Economy Bill contains no prohibition on civil servants secretly sharing any data, including medical records. This includes secret sharing by Government Departments to inform operational decisions. There are no meaningful restrictions on copying of any data held by any public body. From anywhere, to anywhere except independent experts.

“If you give me six lines written by the hand of the most honest of men,
I will find something in them which will hang him.” – Cardinal Richelieu

In recent weeks, it has emerged that a citizen was stripped of housing benefits because data showed they were cohabiting with “Joseph Rowntree”, the 19th Century philanthropist whose modern legacy includes a Housing Trust which bears his name, and which was that woman’s social landlord. The DWP contractors used just enough data to create “evidence” that reinforced their prejudice, but not enough to realise their “evidence” was lunacy. This Bill makes those events more common, more harmful, and more opaque.

The Cabinet Office believe that they should be trusted with everything, and independent academics can be trusted with almost nothing. Neither of those are likely to be right.

That is learning the wrong lesson from care.data. Academic use of data to improve the public knowledge was not what people objected to. It was the secrecy and other purposes.

The Cabinet Office clearly don’t understand that their approach is part of the problem. More copying with the same rules was care.data; this bill is more copying with less rules, less transparency, and less oversight. No one suggests that fraud prevention should be subject to consent, but Parliament should be able to assess whether the approach has worked.

The existing minimal oversight of Parliament goes away, and Departments can do what they wish. A statutory basis for disclosure to prevent fraud is entirely sensible – individuals shouldn’t get that choice – but in addition to all sharing the data, the Government demands secrecy as to whether that sharing was effective.

If governance is effective, then it should apply to all. If it’s ineffective, then it shouldn’t happen at all. Parliament needs to pick one.

The reason the last Government didn’t want good governance and accountability to apply to Government, is because the governance and accountability process works.

An accountability process that is entirely absent from most parts of this Bill.

Which way is the new Government going to go?

Mid-September Update

It’s been a busy few weeks for consultations and briefings. While links are (usually) tweeted as we publish them, the below is a consolidated summary of events. We’ll send a newsletter in the week or so, with other information, including last week’s re-announcement of the new NHS apps library.

Following the change in Prime Minister, there is a new Minister for these issues in the Department of Health. We welcome Nicola Blackwood MP into the post. Her track record as chair of the Science and Technology committee stands her in very good stead, as does her first public speech on her new remit.

The Caldicott Consultation

NHS England has published a series of 3 “discussion events” in London, Southampton, and Leeds. They start 3 weeks after the consultation closed, and end 3 weeks before the Department aim to respond.

Our main submission to the Caldicott Consultation was submitted before the deadline. A supplementary will follow, because of subsequent events.

Updated October 10th: first supplementary publication.

Public Health England

The contents of this consultation, and this Report, suggest that the lessons of care.data have not yet reached Public Health England. With the Government response to the Caldicott Review, they will have to. This will be a focus of our first supplementary submission to the Caldicott Consultation

Update (19/Sep): We’ve published our blood spot consultation response.

Legislation

The Investigatory Powers Bill has added an extra tickbox if the Agencies want access to health data. Ironically, this is one area where those overseas have greater protections than those in the UK – there is far more concern about the reaction of foreign governments/press than there is about our own.

The Digital Economy Bill has also begun lumbering through Parliament, published shortly after the Referendum with relatively little content. We’ll have more than our initial briefing in due course. The “data science” work of Cabinet Office can easily justify care.data, and doesn’t seem to understand what personal data is. The problems with this Bill are solely of Cabinet Office’s making.

Anonymisation

As HSCIC has now confirmed (page 246), we have a complaint into the Information Commissioner. It covers the “definition” of anonymisation used to exclude opt outs being applied to hospital data. Here is a short summary of what Anonymisation is (and isn’t) in 2016. It is easy to forget the full meaning of “personal data” when there’s a desire to ignore it.

We also responded to the Privacy Impact Assessment consultation on the Hospital Episode Statistics.

What’s in a name?

HSCIC has changed its trading name to NHS Digital. For the next little while, we will use NHS Digital to refer to NHS services provided by the organisation, and HSCIC to refer to actions as an Arms Length Body of the Department of Health. Despite the name, NHS Digital is not an NHS body: it is accountable to Secretary of State, not NHS England.

How much confidence does the Department of Health have in Electronic Health Records? Invoice Reconciliation and the DH Caldicott Consultation.

“By 2018, clinicians in primary care, urgent and emergency care and other key transitions of care contexts will be operating without the use of paper records” says the Department of Health. MedConfidential agrees that Electronic Health Records to pass information electronically along a patient’s care pathway will lead to better care and better patient outcomes (and better privacy), but that’s not all they do.

To ensure the uptake of flows along care pathways, there should be transparency of process. As part of a Data Usage Report, patients should be able to see where their EHRs have gone and why. That data could go anywhere is mitigated by telling patients exactly where it did go, so patients can have confidence it didn’t go elsewhere. The requirement for all care providers to use the NHS number makes this feasible.

There will also be published statistics on the adoption of EHRs. Those statistics should also include what percentage of patients arrive at an organisation with an EHR, or how many need to have an NHS number lookup to create a record (organisations with walk-in patients, including A&E, should be excluded). By institution, they don’t tell us very much, but when you look at pairs of institutions, you can see patterns. How many EHRs did hospital A send to care provide B? How many B receive from A? Where does this process go wrong, and is there anyone chasing up why and fixing it?

In practice, no. Because there’s no strong incentive to.

The place that the chasing up does happen, predictably, is when money becomes involved. The NHS has a balance of accountants whose job it is to make sure that one bit of the NHS bills the other bits the right amounts for the care provided. Given NHS bodies don’t trust each other, those other bits of the NHS then have a different balance of accountants to check all the invoices.

For years, there has been a “temporary” arrangement where those accountants could see identifiable data, because that’s what had to be on invoices otherwise the accountants wouldn’t necessarily pay them. That temporary arrangement should have expired many times, but it keeps being renewed, as the accountants have never changed how they work, and the system doesn’t trust itself. The current incentives are wrong.

It was outside the Caldicott Review’s remit (and time) to look at them, and so the Review had no choice but to suggest that the accountants can continue to look at identifiable information.

In a world with Electronic Health Records that flow along care pathways with patients, that doesn’t have to happen – the constraint on the Review should not apply to the Department. The reporting on those flows can include a summary of care provided at the previous stage from that provider, which provides a separately accountable (to CCG via HSCIC) reporting streams which the accounts can rely on. As it derived from clinical data, any fraud by commercial actors in the system would require clinical fraud, as well as accounting fraud, with it’s far higher penalties. If the counts of care provided from one side are very different to another, that is examined as a clinical issue as well as a financial one.

“Should we pay this invoice?” becomes a simple question based on audited information from multiple automated sources. The counts will show whether all care provided along pathways has yet been paid for by the relevant CCG. Where there are queries, it means there was an EHR flaw which should be addressed, not just for financial reasons, but to improve care. (This is in need of refinement, but the likely question for adoption is “What percentage of new records have an NHS number entered manually, rather than via an electronic records transfer?”. Care per provider per CCG is derivable from EHR flows by third parties).

Invoice reconciliation has been a thorn in the side of privacy and good governance since the inception of the internal market in the NHS – the Department of Health has never bothered to fix it. As EHRs roll out on the same timescale as the Caldicott Review, there is the opportunity to do so. Besides legislative changes in the consent model, when the CAG regulations are finally laid, they should prevent the approval of s251 for invoice reconciliation “by 2018”. If the organisations of the NHS care about high quality EHRs because Treasury cares about accounting, incentives will be aligned to resolve problems along care pathways, which will improve direct care at the same time.

This is the administrative backwater of the NHS, that only cares about money (which makes it very important to the Department) Disease Registries or the GP opt out are far more high profile and important. But if the destruction of the GP opt out is the primary signal of intent to patients, data flowing to the accountants is the primary signal of intent to NHS managers and institutions on whether the Secretary of State means to deliver on his promises, or whether he will give up if the system ignores him.

This is not a new change – this has long been trailed as coming soon, yet the bullet has never been bitten, and the identifiable data turned off even though it has repeatedly been decided to. Given the changes in the consent model proposed by the Review, if not now, then when?

No evidence was provided by the Caldicott Review for the override of the GP opt out, for the exception of the disease registers, or the override for invoice reconciliation. The Department of Health seems to think it’s easy to override your wish that your data does not leave your GP, but will they ask the accountants to change what it is they count? Or will the Department give itself an opt out on a major flagship policy?