In practice, the ICO has a very simple test for fair processing:

Do data subjects know (i.e. have they been they fairly informed) what (processing of their data) you’re intending to do?

That’s it – is the organisation being completely honest?

If yes, that’s fair processing.

If no, that’s not “fair processing”.

It’s that simple. It’s not a high bar, and it’s not a complex bar.

If you end up in trouble, it’s because of surprises – you weren’t completely honest with the data subjects about what you were going to do.

With regard to fair processing, the ICO doesn’t make a distinction as to whether or not you should do something; it solely looks at whether you said you would. The ICO is often seen as facilitating data flows, because this test isn’t what people often seem to think it is.

The ICO considers itself to have one job in this regard, defined by the Data Protection Act, and that human rights are the remit of a Court. If someone is honest and informs you about using your data to breach your human rights, the ICO believes this is not a consideration for the data protection authorities. This may be an incomplete or incorrect reading of the law, but the current ICO has made its consideration.

In many controversial cases, organisations themselves – including the Government, Ministers, the NHS – all add additional requirements. These are not data protection constraints, they are moral constraints, they’re other legal constraints or they’re ‘ministerial gifts’ (e.g. the care.data opt out).

Remember, it’s only fair processing so long as what you tell people you’ll do matches what you actually do. (You can tell them you’ll do something and not do it – that’s still fair processing.)

When you want to do something new with data, if that wasn’t in the old rules, you need to tell people about the new rules. It is here that NHS England’s various data grabs have run into trouble, mainly because they don’t want to tell people quite what it is they want to do.

So in short, be completely honest.

No wonder the political machinations in the Department of Health and NHS England keep screwing it up…

P.S. Complaints about “fair processing” basically boil down to, “we don’t want to be honest with you”. Any fines simply show that you weren’t honest; one reason organisations get fined for losing data is because they’ve said that they won’t. If they didn’t say that, then losing your data mightn’t be a breach in those terms – but then no-one would do business with them. Which is why such promises get made in the first place.

NHS England and Rewired State recently ran a competition with a £30k prize fund for apps around obesity

We didn’t win a prize (they get announced next week), but http://simonsayswalk.com/ was our submission. 

“I know I should really go for a walk 3 times a week, but I’m just too busy…”

‘Middle-aged, managerial-class, overweight white man’ – let’s call him ‘David’ – knows he’s at risk of health complications from being overweight, he just doesn’t do anything about it for a host of legitimate reasons; he has meetings… he has dinners… he has an important job that puts many constraints on his time… he has a family with caring responsibilities…  (While we use a male example above, SimonSays:Walk is gender-indifferent)

This is not primarily an information problem amongst those who, over time, are likely to make disproportionate use of NHS services. SimonSays:Walk is designed to help people make a commitment; to schedule time to go for a walk.

Quite simply, SimonSays:Walk provides a ‘button’ people can press to add such a commitment to the calendar / electronic diary they already use (or which their personal assistant manages for them) on their smartphone, PC or tablet. Having made such a commitment, by reminding them and providing them with a simple map, SimonSays:Walk assists someone to get into the habit of taking regular walks.

The regular dates begin after a delayed start: the first appointment to walk will be scheduled two weeks ahead of the point at which someone first chooses to make a commitment. This will help make the decision to commit a bit easier – a decision with consequences two weeks in the future may be easier to make than one that imposes more immediate demands (this is, of course, testable) – and should help ease any diary issues / conflicts. It is also logical, on the basis that if someone decided to go for a walk today, a diary app wouldn’t be particularly helpful!

The use of the person’s existing electronic diary means appointments can be moved if necessary, and means that other people (e.g. personal assistant) with access to the person’s dairy can take account of other considerations and, hopefully, assist the individual to pick up the habit.

SimonSays:Walk is also ‘infinitely forgiving’; if you didn’t go for a walk today, there’s no shame other than that you impose on yourself – you can just go next time. (Someone else with access to your diary may be less forgiving, however!)

SimonSays:Walk does not aim to solve the whole problem of obesity; different people need different things. This tool is designed for those who are busy, and who use some form of electronic diary – though one need not necessarily be busy to make use of it.

In terms of functionality, if you are within a mile or so of an NHS pharmacy – which SimonSays:Walk  determines using open data from the NHS via data.gov.uk – it will suggest you may want to walk past it. We chose this particular function for a number of reasons: firstly, because NHS pharmacies tend to already have helpful information on display in their street-facing windows; and secondly, because those windows offer a low cost way to provide positive reinforcement for individuals who have engaged with the app, and also to promote (the goal of) SimonSaysWalk and the benefits of regular physical exercise more generally.

If the person is not that close to a pharmacy, there are probably nicer walks available. SimonSays:Walk suggests a direction and ‘walk radius’, not a specific route. Suggesting people walk through an industrial estate might not be sensible, or wise. In any case, it better for individuals – who are likely to know their immediate area better than an online tool – to make those decisions for themselves.

The simple premise of SimonSays:Walk is that it matters far less where you are, and exactly where you walk, than that you are sitting in a chair all day long. Any walk is better than no walk; this is about making it happen. When it’s in your diary that you use every day, you can make a commitment that it actually happens.

SimonSays:Walk adopts a privacy-preserving model – and using information and processes that people already use day-to-day – and tries to work with people’s lives, rather than trying to impose a major life change on them.

Once people become used to walking regularly, non-confidential phone calls, etc. could be done via mobile while going for a walk – or meetings could be scheduled about 25 minutes walk apart. We appreciate that in the UK, this would probably work better in the summer months.

If there is no GPS information available, e.g. from a non-location aware desktop browser, the map is centered on the pavement East of the Cenotaph, with a generic message about a walk.

People already have plenty of information that being overweight is bad for them; this is a tool to help them do something about it.

http://simonsayswalk.com/

No newsletter this month, so we thought we’d do a quick round-up on the blog of some things you may wish to read, “chillaxing” on a beach.

What difference does 10% make?

Dribs and drabs of information about care.data are beginning to leak out. Many may have missed the Minister for care.data, George Freeman MP, give a very carefully couched answer to Parliament about the number of patients who have opted out.

As you may recall, the last time anyone said anything to Parliament directly was when Kingsley Manning suggested “about a hundred” patients have been affected by NHS England’s ‘Type 2’ cockup. His follow-up written answer “actually it’s more like 700,000” was somewhat buried by being published in the run-up to the Election.

Mr Freeman, however, had the more difficult task of announcing a much bigger number – which he did by the time-honoured tradition of hiding behind percentages and ranges. Even so, his answer meant we had to update our own estimate to between 950,000 and 1.6 million.

We had increased our estimate based on an extraordinarily detailed series of FOI requests by Dr Neil Bhatia, which he very kindly shared with us (and others). Dr Bhatia’s figures showed that – while what Mr Freeman told Parliament was true in as far as it went – the picture was somewhat more complex, possibly even alarming.

Mr Freeman limited his comments to a range which he said “the majority fall between 0.5 – 2.5%” opt outs. Dr Bhatia’s figures show quite a number of practices with opt outs in the 4 – 6% range, running as high as 12% or even 14% in a handful of practices. And don’t forget, these are the pathfinders – the volunteers, the supposedly keen practices. No one has detailed figures from any urban areas yet, as NHS England is still struggling to recruit practices in Leeds.

Talking more about care.data (not just on a beach)

One thing that does need to massively improve is the way that care.data is talked about.

NHS England is still far too fond of hiding its dodgy commercial re-use ambitions behind the figleaf of research. At the recent “son of care.data” events – officially, NIB ‘Work Stream’ 2.2 – the only secondary use that NHS England really wanted to talk about was research; offering very little to those asking “What about the other uses?”, such as commissioning.

If you happen to be planning a discussion of care.data after the holidays, here are some thoughts we hope are useful.

There are some sensible discussions going on, and a number of positive developments we hope will be announced in the months immediately following the summer – not least HSCIC’s ‘fix’ for the yet-to-be honoured ‘Type 2’ (9Nu4) opt outs. There are several legal instruments in the pipeline: new Directions for the care.data pathfinders and patient objections; CAG Regulations establishing promised safeguards and sanctions, and closing “the promotion of health” loophole; and hopefully, “at the earliest opportunity”, primary legislation to put the National Data Guardian on a statutory footing.

Let’s hope NHS England reflects over the summer on how little its ‘head down, keep people in the dark and keep rolling at all costs’ approach has achieved over the past 18 months – except further eroding public trust – and starts meeting some of the many promises it has made.

NHS Improvement

You may have missed the quiet announcement, just before Jeremy Hunt went off on his holidays, that DH’s troubled arm’s-length body, Monitor, and the NHS “Trust Development Agency” (that’s Trust as in NHS Trusts) are to merge, under the new brand “NHS Improvement”.

When it comes to Monitor’s worldview on data, things can only get better; it seems to have been taking care.data as a handbook, rather than as a salutary lesson. So the new NHS Improvement may provide a springboard for a huge leap forward. Or backwards, depending on crucial choices that must be made. Will they follow NHS England’s past-its-sell-by-date worldview, or the best thinking and actions of the reformed and reforming HSCIC – and what about patients? We’ve pondered the potential…

Beyond this new merger, there are other areas that could be improved – not least the introduction of a data incident protocol aiming to provide patients in data crises with knowledge rather than media management, and to aspire to something more ethical than mere DPA-compliance. Also better consensual, safe and transparent sharing of medical records along care pathways, for patients’ direct care.

Use of data

With regard to the proper use of patient data, we’re still awaiting more details of what the high street pharmacies are looking to do with the Summary Care Record. Three were asked, two denied they were planning to abuse it. And our ‘old friends’ at PA Consulting have come out in their defence. (You may remember PA Consulting as the ones who made money uploading 25 years’-worth of our hospital data to Google, not to mention previous financial benefits from servicing the old Home Office ID cards scheme.)

One bright idea in the run-up to the Election by someone who probably hoped they’d never be responsible for implementing it – think mistakes like the Poll Tax – was to use people’s medical histories to deny them benefits. As we’ve discovered, sometimes “high level” political ideas interact badly on the ground; we wrote to David Cameron recently about just such an initiative, done in his name.

The Government gave the ‘employment problem’ to an Independent Review Panel, which currently has a consultation out. If you have a free moment, you may wish to respond to Question 7 (amongst others).

medConfidential is concerned that as DWP and HMRC are reengineered over the next 5 years, there’ll not only be more and more temptation, but a now practical ability to do similar things.

We would like to think that DWP and HMRC will take a decision that someone in the NHS is capable, though it seems to refuse to accept those same decisions when the professional outcome goes the other way. This type of discrepancy forms the basis for our draft submission to the Comprehensive Spending Review – if you have any comments, please e-mail them to coordinator@medconfidential.org

And finally…

In September, we’ll find out what happened when the deeply flawed Directions for the care.data pathfinders were considered by the HSCIC Board. If there were to be further delay, all the dates that NHS England has been announcing for the last month or more will have been misleading. Let’s hope NHS England didn’t screw anything up due to lack of consultation…

Phil’s on holiday for the next few weeks, so Sam’s really hoping NHS England doesn’t do anything catastrophically stupid before September. For that matter, NHS England probably is too…

We hope you enjoy your summer!
Sam and Phil

The status quo of NHS  data collection could be described as “Collect it all yourself; trust no-one else”. This is clearly unsustainable: care.data may have been the straw that almost broke the camel’s back; the Prime Minister’s Challenge Fund just tossed some steel girders on top. Poor camel.

With the merger of the NHS Trust Development Authority (TDA) and Monitor under a new name, “NHS Improvement”, there may be an opportunity to begin to address some serious data shortcomings – and some persistent category errors. Monitor was supposed to act as a Government “stick”; the TDA was supposed to be an NHS “carrot” – but, as with so many bureaucracies, the left hand seemed not to know what the right hand was doing, so the stick ruled and very little productive got done.

From documents medConfidential has seen, Monitor’s approach to data seems to have adopted care.data as a handbook, rather than recognising the scheme for the “fiasco” it has so clearly become. Problems that emerged with the “pioneer” in Southend could have been as much down to flawed advice propagated by Monitor as it was the result of NHS England’s inadequate and inaccurate guidance.

We had expected the Government to have responded to its “Accredited Safe Havens” consultation from last summer by now. That it hasn’t speaks volumes. That some of the “pioneers” and “vanguards” reflect a backward-looking data worldview still prevalent in parts of DH gives cause for concern. It’s clearly not just care.data that’s infecting the thinking, and in real danger of further damaging patient – and professional – trust.

In the forthcoming consultation on the powers and remit of the National Data Guardian, we hope the Department gathers views on NDG having to be consulted on every use of NHS England’s and other statutory bodies’ powers to require data. While NHS Improvement should certainly not be given powers to require data (HSCIC doesn’t have such powers either), it could be a place where conversations can be had between the various stakeholders – care providers, commissioners and the Department of Health – about the statistics required to firstly measure, and then “improve” a particular area.

This should not be about measuring only what it is you want to manage, but be about measuring the things that matter. Not least because, as has been repeatedly been shown, simple measures can lead to detrimental care when ‘gamed’ by those in the system.

Learning the lessons of care.data – though some are still lagging behind – such datasets must always and exclusively be aggregated datasets; published statistics where not only the figures but the methodology are published for all to read. (Some datasets where the detail contains small numbers may need to remain unpublished, available only in a tightly-controlled safe setting.) The public must be able to see, and debate, the specification of any dataset that will be used for strategic decision making.

While the research process involved in the design and testing of these datasets may need access to consented individual-level data, such as should be possible with data in the new Secure Data Facility, the use of aggregated counts as the basis for decisions, rather than individual-level detail would remove many of the problems NHS England still claims will befall GP practices where 12% or more of the patients have already opted out of its ill-conceived, zombie data grab.

NHS Improvement could be a good place for these conversations to take place, if it steps up several gears. NHS England could even have a seat at the table – so long as NHS Improvement convenes and manages the process of defining these new aggregated measurement datasets, of which, given the dearth of them, there will probably need to be a fair few.

The process could be designed to ensure that care providers can have measures they feel accurately reflect good care, NHS England gets the evidence base it needs to justify decisions, and HSCIC can focus on the vital implementation issues – such as feasibility, assurance and process.

Preventing a repeat of the Prime Minister’s Challenge Fund debacle would appear to require such a venue; NHS England has proved itself institutionally incapable of being a trusted broker, and HSCIC has other roles. A correctly constituted NHS Improvement, appropriately staffed and resourced, could provide a venue to help ensure the outcome: “High quality care for all, now and for future generations”.

It could also help with another problem

In much the same way as the DWP requires health assessments by its own staff, rather than trusting the assessments of NHS care providers, and the way HMRC trusts nothing it didn’t confirm itself, an underlying cause of many problems in the NHS is quite easy to define: NHS bodies simply don’t trust other NHS bodies.

This is why bean counters in a CCG want detailed medical records of all “high cost” patients. Or indeed believe, in spite of Caldicott2, they should have access to individual-level medical records.

Multiple interlocking but discrete datasets, properly designed and produced as above, can show up the various “tricks” that get used to move people out of one column into another – “massaging” the figures – a practice that certainly should be measured. And acted upon by someone independent.

If an NHS organisation believes statistics being provided are fraudulent, then that’s a question for NHS Protect, rather than CCGs thinking they can investigate themselves. Integrity on process can be provided by HSCIC working on collation and process (SUS and GPES already do this for hospitals and GPs).

For NHS Improvement, ask the patients?

Though it has positive potential, NHS Improvement also has the potential to become yet another arcane and somewhat obscure NHS body. Yet one of the groups who understand a great deal about what might provide disproportionate improvements within the NHS are that chronically underrepresented group who use it every day; patients.

While NHS England continues to have its own political priorities and funding considerations, when HSCIC is telling patients what did actually happen to their data, patients can (also) feed back to NHS Improvement what they believe should have happened – a genuine partnership in improvement.

medConfidential notes the various calls for medical records for patients’ direct care to flow with patients along care pathways as a priority, following consent for treatment – and the new (or pending) legal requirement that the NHS number be the mandatory identifier.

Both of these are generating some levels of patient concern. However both can be implemented in a manner which enhances trust, rather than risking it further.

Reporting to HSCIC that a particular NHS number has entered an organisation for care, and whether this was via a ‘handover’ of electronic records or through some other means (e.g. non-electronic referral, for example from A&E – or if there was some form of electronic handover failure) would begin to assuage a range of concerns. HSCIC could also then publish aggregated statistics for each pair of providers, to show how the different types of record handoffs (successful, failed, or other-manual) had worked, with the aim of increasing successful handling of electronic records for direct care along a pathway.

For providers receiving data on a care pathway, a figure could be provided of the number or percentage of patients who had refused consent for their medical records to be handed across electronically to/from that provider, but who consented to care. There will be a range of issues around this, e.g. Mental Health records being restricted – and where there are ‘outliers’ for a particular provider or flow (either due to technical issues, or because of consent choices) these will need to be addressed through a transparent process.

For patients, HSCIC should then be able to report to each person individually, via their Personalised Data Usage Report, everywhere their NHS number (and associated data) has been passed. As patients can learn exactly what does happen to their records, and why – and that it is the norm for this to happen without incident – this will contribute to a tendency towards increasing trust around the handling of records.

This process should be systematic, automatic, accurate and, over time, complete.

Additionally, as the expectation becomes that records do flow, patients will be able to see where this flow hasn’t happened (in addition to potentially experiencing the effects) and can raise questions – which is entirely appropriate if, as is asserted, sharing of medical records along a care pathway for direct care will improve outcomes. It is far more important to patient care and safety to know and correct flows for direct care where they aren’t happening as they should, as it is to know the data and flows for secondary use.

We emphasise the distinction between direct care – in effect, data sharing with implied consent between medical professionals who interact with and provide treatment to a patient – and secondary uses, which cannot presume consent, and for which patients have a right to opt out.

To illustrate this with a recent example; there are very few reasons to dispute or object to medical records being used for direct (“integrated”) care in, say, a meeting held between and run by medical professionals with a duty of care for a particular patient with complex needs, to devise a specific care plan for that patient. But a secondary use of that same information would be a meeting run by an accountant looking ways to manage the impact of a “high cost” individual.

It is entirely up to the system to transparently describe and discuss the difference, and it is the public knowledge that this will be examined which helps keep the system honest. And therefore trustworthy.

One of the things about data releases is that there are cockups. Even if we accept your argument that you’d never screw it up, what about the people who follow you, and the people who follow them? Or your predecessor?

In medConfidential’s usual health arena, those cockups tend to be cognitively uncomfortable, or include difficult tradeoffs, as do many decisions to do with people’s health. However, down the road at the Department for Transport, they have examples that have similar potential effects, but that are easier to talk about at parties.

Everyone knows what a train is and, while trains do crash, we have some idea of just how rare that actually is, and get on them daily anyway. For that reason, the examples in this blog post will look at transport, rather than health.

Finding your way to cockup boulevard

Our friends at the UK Anonymisation Network recently published a presentation on the process of anonymisation – mostly looking at the process that organisations should go through. (While the presentation was published in the context of open data, the rules apply for any data.) Full details are in the presentation and its accompanying documents – for the purposes of this post, the description and process in Section 2 is pretty good, within some constraints:

• Describe your data situation
• Know your data
• Understand the use case
• Understand the legal issues
• Understand the issue of consent and your ethical obligations
• Identify the processes you will need to assess disclosure risk
• Identify the disclosure control processes that are relevant to your situation
• Identify who your stakeholders are and plan how you will communicate
• Plan what happens next after you have shared of released data
• Plan what you will do if things go wrong

The last point is the kicker; this is hard. What happens when you cock it up? Or, if not you, your successor’s successor, who has less of an understanding of what the words actually mean than you do?

The whole process relies on those following the process having an understanding of not only what they’re doing, but the wider data environment in which they are operating. For many organisations, there is a fundamental denial of anything that’s even just outside their narrow silo, let alone the wider “environment”, and that’s going to get messy.

It doesn’t matter how good your SDC process is if you don’t care about the world as it is, rather than just how it would be convenient for it to be. Data, once released, cannot be un-released. Future releases may be stopped (with resultant damage to confidence in the data environment), however, the existing releases will still have been released. Under an Open Data License – which is necessary for arbitrary reuse – it is particularly difficult to get them back.

Some of these will be pure accidents.

Take as an example Transport for London, who run the “Boris bike” hire scheme, and who publish details of cycle hires – from where to where, and when. Data that produces many of the pretty cycle hire maps you see.

The data published should be “a row identifier, the length of hire, the start time/date, a Bike ID, the Start Location, and the End Location”, thus:

Rental Id, Duration, Bike Id, End Date, EndStation Id, EndStation Name, Start Date, StartStation Id, StartStation Name
18884041,271,4313,02/01/2013 13:32,251,”Brushfield Street, Liverpool Street”,02/01/2013 13:28,509,”Fore Street, Guildhall”

A significant amount of public benefit can come from such data being available; many different analyses have been done.

Sometimes the choice to release is deliberate. (The release of New York taxi trip data was a deliberate, if ill-considered, act.) But at some point last year, someone at Transport for London just made a mistake.

For a couple of months, TfL accidentally included the “hire key” ID, which is the identifier of the person who hired the bike. As such, it was possible to derive sensitive details using other data known about the various trips of individuals.

Avoiding cockup boulevard altogether

Whether deliberate or accidental, such issues come from fundamental category errors. We see this a lot – such as people perceiving linked achievement data as a dataset about schools and teachers, without appreciating the crucial significance of it containing the life experiences of children. Some projects see doctors and nurses – people who, when they were aged about 13, decided to spend their life helping people – and consider that an exploitable resource for acquiring nice things.

It will become increasingly common to wrap such things in the banner of “data”, and claim the magic pixie dust will solve all. How likely is it that such category errors will be nowhere within your organisation, and never occur? Especially in a political bureaucracy where you have powerful individuals “masterminding” a programme without regard to the details?

It’s a good thing that the UKAN assessment process has cockup sections one and two.

What is Open Data?

Open data is data published for all to use, with no limit on purpose – which is why personal data cannot ever be open data, except for matters of public record (i.e. some legally-mandated details about people who have power or influence over others’ lives). When aggregated and properly treated, fully anonymised results about people – statistics – can and should be open data. However, any failure to follow a full and complete statistically valid process means you are actually publishing personal data.

In ethical practice, the only entity who can publish rich, detailed personal data on an individual is that individual themselves. It can only ever be something someone does themselves, and not something people do to them.

And broad, open-ended ‘consent’ just won’t cut it. Even if you get someone’s permission for a bunch of the good stuff you imagine doing with their data, it’ll be the bad stuff you haven’t thought of that someone else does that’ll screw you. And the people whose personal data you published. Depending on circumstances, this could be downright abusive or worse.

I may choose to post photos of my meals to instagram; someone I don’t know choosing to post all my meals to instagram is just creepy.

P.S. Good luck to Mike Bracken and Tom Steinberg in their future endeavours.