NHS England and Rewired State recently ran a competition with a £30k prize fund for apps around obesity

We didn’t win a prize (they get announced next week), but http://simonsayswalk.com/ was our submission. 

“I know I should really go for a walk 3 times a week, but I’m just too busy…”

‘Middle-aged, managerial-class, overweight white man’ – let’s call him ‘David’ – knows he’s at risk of health complications from being overweight, he just doesn’t do anything about it for a host of legitimate reasons; he has meetings… he has dinners… he has an important job that puts many constraints on his time… he has a family with caring responsibilities…  (While we use a male example above, SimonSays:Walk is gender-indifferent)

This is not primarily an information problem amongst those who, over time, are likely to make disproportionate use of NHS services. SimonSays:Walk is designed to help people make a commitment; to schedule time to go for a walk.

Quite simply, SimonSays:Walk provides a ‘button’ people can press to add such a commitment to the calendar / electronic diary they already use (or which their personal assistant manages for them) on their smartphone, PC or tablet. Having made such a commitment, by reminding them and providing them with a simple map, SimonSays:Walk assists someone to get into the habit of taking regular walks.

The regular dates begin after a delayed start: the first appointment to walk will be scheduled two weeks ahead of the point at which someone first chooses to make a commitment. This will help make the decision to commit a bit easier – a decision with consequences two weeks in the future may be easier to make than one that imposes more immediate demands (this is, of course, testable) – and should help ease any diary issues / conflicts. It is also logical, on the basis that if someone decided to go for a walk today, a diary app wouldn’t be particularly helpful!

The use of the person’s existing electronic diary means appointments can be moved if necessary, and means that other people (e.g. personal assistant) with access to the person’s dairy can take account of other considerations and, hopefully, assist the individual to pick up the habit.

SimonSays:Walk is also ‘infinitely forgiving’; if you didn’t go for a walk today, there’s no shame other than that you impose on yourself – you can just go next time. (Someone else with access to your diary may be less forgiving, however!)

SimonSays:Walk does not aim to solve the whole problem of obesity; different people need different things. This tool is designed for those who are busy, and who use some form of electronic diary – though one need not necessarily be busy to make use of it.

In terms of functionality, if you are within a mile or so of an NHS pharmacy – which SimonSays:Walk  determines using open data from the NHS via data.gov.uk – it will suggest you may want to walk past it. We chose this particular function for a number of reasons: firstly, because NHS pharmacies tend to already have helpful information on display in their street-facing windows; and secondly, because those windows offer a low cost way to provide positive reinforcement for individuals who have engaged with the app, and also to promote (the goal of) SimonSaysWalk and the benefits of regular physical exercise more generally.

If the person is not that close to a pharmacy, there are probably nicer walks available. SimonSays:Walk suggests a direction and ‘walk radius’, not a specific route. Suggesting people walk through an industrial estate might not be sensible, or wise. In any case, it better for individuals – who are likely to know their immediate area better than an online tool – to make those decisions for themselves.

The simple premise of SimonSays:Walk is that it matters far less where you are, and exactly where you walk, than that you are sitting in a chair all day long. Any walk is better than no walk; this is about making it happen. When it’s in your diary that you use every day, you can make a commitment that it actually happens.

SimonSays:Walk adopts a privacy-preserving model – and using information and processes that people already use day-to-day – and tries to work with people’s lives, rather than trying to impose a major life change on them.

Once people become used to walking regularly, non-confidential phone calls, etc. could be done via mobile while going for a walk – or meetings could be scheduled about 25 minutes walk apart. We appreciate that in the UK, this would probably work better in the summer months.

If there is no GPS information available, e.g. from a non-location aware desktop browser, the map is centered on the pavement East of the Cenotaph, with a generic message about a walk.

People already have plenty of information that being overweight is bad for them; this is a tool to help them do something about it.

http://simonsayswalk.com/

No newsletter this month, so we thought we’d do a quick round-up on the blog of some things you may wish to read, “chillaxing” on a beach.

What difference does 10% make?

Dribs and drabs of information about care.data are beginning to leak out. Many may have missed the Minister for care.data, George Freeman MP, give a very carefully couched answer to Parliament about the number of patients who have opted out.

As you may recall, the last time anyone said anything to Parliament directly was when Kingsley Manning suggested “about a hundred” patients have been affected by NHS England’s ‘Type 2’ cockup. His follow-up written answer “actually it’s more like 700,000” was somewhat buried by being published in the run-up to the Election.

Mr Freeman, however, had the more difficult task of announcing a much bigger number – which he did by the time-honoured tradition of hiding behind percentages and ranges. Even so, his answer meant we had to update our own estimate to between 950,000 and 1.6 million.

We had increased our estimate based on an extraordinarily detailed series of FOI requests by Dr Neil Bhatia, which he very kindly shared with us (and others). Dr Bhatia’s figures showed that – while what Mr Freeman told Parliament was true in as far as it went – the picture was somewhat more complex, possibly even alarming.

Mr Freeman limited his comments to a range which he said “the majority fall between 0.5 – 2.5%” opt outs. Dr Bhatia’s figures show quite a number of practices with opt outs in the 4 – 6% range, running as high as 12% or even 14% in a handful of practices. And don’t forget, these are the pathfinders – the volunteers, the supposedly keen practices. No one has detailed figures from any urban areas yet, as NHS England is still struggling to recruit practices in Leeds.

Talking more about care.data (not just on a beach)

One thing that does need to massively improve is the way that care.data is talked about.

NHS England is still far too fond of hiding its dodgy commercial re-use ambitions behind the figleaf of research. At the recent “son of care.data” events – officially, NIB ‘Work Stream’ 2.2 – the only secondary use that NHS England really wanted to talk about was research; offering very little to those asking “What about the other uses?”, such as commissioning.

If you happen to be planning a discussion of care.data after the holidays, here are some thoughts we hope are useful.

There are some sensible discussions going on, and a number of positive developments we hope will be announced in the months immediately following the summer – not least HSCIC’s ‘fix’ for the yet-to-be honoured ‘Type 2’ (9Nu4) opt outs. There are several legal instruments in the pipeline: new Directions for the care.data pathfinders and patient objections; CAG Regulations establishing promised safeguards and sanctions, and closing “the promotion of health” loophole; and hopefully, “at the earliest opportunity”, primary legislation to put the National Data Guardian on a statutory footing.

Let’s hope NHS England reflects over the summer on how little its ‘head down, keep people in the dark and keep rolling at all costs’ approach has achieved over the past 18 months – except further eroding public trust – and starts meeting some of the many promises it has made.

NHS Improvement

You may have missed the quiet announcement, just before Jeremy Hunt went off on his holidays, that DH’s troubled arm’s-length body, Monitor, and the NHS “Trust Development Agency” (that’s Trust as in NHS Trusts) are to merge, under the new brand “NHS Improvement”.

When it comes to Monitor’s worldview on data, things can only get better; it seems to have been taking care.data as a handbook, rather than as a salutary lesson. So the new NHS Improvement may provide a springboard for a huge leap forward. Or backwards, depending on crucial choices that must be made. Will they follow NHS England’s past-its-sell-by-date worldview, or the best thinking and actions of the reformed and reforming HSCIC – and what about patients? We’ve pondered the potential…

Beyond this new merger, there are other areas that could be improved – not least the introduction of a data incident protocol aiming to provide patients in data crises with knowledge rather than media management, and to aspire to something more ethical than mere DPA-compliance. Also better consensual, safe and transparent sharing of medical records along care pathways, for patients’ direct care.

Use of data

With regard to the proper use of patient data, we’re still awaiting more details of what the high street pharmacies are looking to do with the Summary Care Record. Three were asked, two denied they were planning to abuse it. And our ‘old friends’ at PA Consulting have come out in their defence. (You may remember PA Consulting as the ones who made money uploading 25 years’-worth of our hospital data to Google, not to mention previous financial benefits from servicing the old Home Office ID cards scheme.)

One bright idea in the run-up to the Election by someone who probably hoped they’d never be responsible for implementing it – think mistakes like the Poll Tax – was to use people’s medical histories to deny them benefits. As we’ve discovered, sometimes “high level” political ideas interact badly on the ground; we wrote to David Cameron recently about just such an initiative, done in his name.

The Government gave the ‘employment problem’ to an Independent Review Panel, which currently has a consultation out. If you have a free moment, you may wish to respond to Question 7 (amongst others).

medConfidential is concerned that as DWP and HMRC are reengineered over the next 5 years, there’ll not only be more and more temptation, but a now practical ability to do similar things.

We would like to think that DWP and HMRC will take a decision that someone in the NHS is capable, though it seems to refuse to accept those same decisions when the professional outcome goes the other way. This type of discrepancy forms the basis for our draft submission to the Comprehensive Spending Review – if you have any comments, please e-mail them to coordinator@medconfidential.org

And finally…

In September, we’ll find out what happened when the deeply flawed Directions for the care.data pathfinders were considered by the HSCIC Board. If there were to be further delay, all the dates that NHS England has been announcing for the last month or more will have been misleading. Let’s hope NHS England didn’t screw anything up due to lack of consultation…

Phil’s on holiday for the next few weeks, so Sam’s really hoping NHS England doesn’t do anything catastrophically stupid before September. For that matter, NHS England probably is too…

We hope you enjoy your summer!
Sam and Phil

The status quo of NHS  data collection could be described as “Collect it all yourself; trust no-one else”. This is clearly unsustainable: care.data may have been the straw that almost broke the camel’s back; the Prime Minister’s Challenge Fund just tossed some steel girders on top. Poor camel.

With the merger of the NHS Trust Development Authority (TDA) and Monitor under a new name, “NHS Improvement”, there may be an opportunity to begin to address some serious data shortcomings – and some persistent category errors. Monitor was supposed to act as a Government “stick”; the TDA was supposed to be an NHS “carrot” – but, as with so many bureaucracies, the left hand seemed not to know what the right hand was doing, so the stick ruled and very little productive got done.

From documents medConfidential has seen, Monitor’s approach to data seems to have adopted care.data as a handbook, rather than recognising the scheme for the “fiasco” it has so clearly become. Problems that emerged with the “pioneer” in Southend could have been as much down to flawed advice propagated by Monitor as it was the result of NHS England’s inadequate and inaccurate guidance.

We had expected the Government to have responded to its “Accredited Safe Havens” consultation from last summer by now. That it hasn’t speaks volumes. That some of the “pioneers” and “vanguards” reflect a backward-looking data worldview still prevalent in parts of DH gives cause for concern. It’s clearly not just care.data that’s infecting the thinking, and in real danger of further damaging patient – and professional – trust.

In the forthcoming consultation on the powers and remit of the National Data Guardian, we hope the Department gathers views on NDG having to be consulted on every use of NHS England’s and other statutory bodies’ powers to require data. While NHS Improvement should certainly not be given powers to require data (HSCIC doesn’t have such powers either), it could be a place where conversations can be had between the various stakeholders – care providers, commissioners and the Department of Health – about the statistics required to firstly measure, and then “improve” a particular area.

This should not be about measuring only what it is you want to manage, but be about measuring the things that matter. Not least because, as has been repeatedly been shown, simple measures can lead to detrimental care when ‘gamed’ by those in the system.

Learning the lessons of care.data – though some are still lagging behind – such datasets must always and exclusively be aggregated datasets; published statistics where not only the figures but the methodology are published for all to read. (Some datasets where the detail contains small numbers may need to remain unpublished, available only in a tightly-controlled safe setting.) The public must be able to see, and debate, the specification of any dataset that will be used for strategic decision making.

While the research process involved in the design and testing of these datasets may need access to consented individual-level data, such as should be possible with data in the new Secure Data Facility, the use of aggregated counts as the basis for decisions, rather than individual-level detail would remove many of the problems NHS England still claims will befall GP practices where 12% or more of the patients have already opted out of its ill-conceived, zombie data grab.

NHS Improvement could be a good place for these conversations to take place, if it steps up several gears. NHS England could even have a seat at the table – so long as NHS Improvement convenes and manages the process of defining these new aggregated measurement datasets, of which, given the dearth of them, there will probably need to be a fair few.

The process could be designed to ensure that care providers can have measures they feel accurately reflect good care, NHS England gets the evidence base it needs to justify decisions, and HSCIC can focus on the vital implementation issues – such as feasibility, assurance and process.

Preventing a repeat of the Prime Minister’s Challenge Fund debacle would appear to require such a venue; NHS England has proved itself institutionally incapable of being a trusted broker, and HSCIC has other roles. A correctly constituted NHS Improvement, appropriately staffed and resourced, could provide a venue to help ensure the outcome: “High quality care for all, now and for future generations”.

It could also help with another problem

In much the same way as the DWP requires health assessments by its own staff, rather than trusting the assessments of NHS care providers, and the way HMRC trusts nothing it didn’t confirm itself, an underlying cause of many problems in the NHS is quite easy to define: NHS bodies simply don’t trust other NHS bodies.

This is why bean counters in a CCG want detailed medical records of all “high cost” patients. Or indeed believe, in spite of Caldicott2, they should have access to individual-level medical records.

Multiple interlocking but discrete datasets, properly designed and produced as above, can show up the various “tricks” that get used to move people out of one column into another – “massaging” the figures – a practice that certainly should be measured. And acted upon by someone independent.

If an NHS organisation believes statistics being provided are fraudulent, then that’s a question for NHS Protect, rather than CCGs thinking they can investigate themselves. Integrity on process can be provided by HSCIC working on collation and process (SUS and GPES already do this for hospitals and GPs).

For NHS Improvement, ask the patients?

Though it has positive potential, NHS Improvement also has the potential to become yet another arcane and somewhat obscure NHS body. Yet one of the groups who understand a great deal about what might provide disproportionate improvements within the NHS are that chronically underrepresented group who use it every day; patients.

While NHS England continues to have its own political priorities and funding considerations, when HSCIC is telling patients what did actually happen to their data, patients can (also) feed back to NHS Improvement what they believe should have happened – a genuine partnership in improvement.

medConfidential notes the various calls for medical records for patients’ direct care to flow with patients along care pathways as a priority, following consent for treatment – and the new (or pending) legal requirement that the NHS number be the mandatory identifier.

Both of these are generating some levels of patient concern. However both can be implemented in a manner which enhances trust, rather than risking it further.

Reporting to HSCIC that a particular NHS number has entered an organisation for care, and whether this was via a ‘handover’ of electronic records or through some other means (e.g. non-electronic referral, for example from A&E – or if there was some form of electronic handover failure) would begin to assuage a range of concerns. HSCIC could also then publish aggregated statistics for each pair of providers, to show how the different types of record handoffs (successful, failed, or other-manual) had worked, with the aim of increasing successful handling of electronic records for direct care along a pathway.

For providers receiving data on a care pathway, a figure could be provided of the number or percentage of patients who had refused consent for their medical records to be handed across electronically to/from that provider, but who consented to care. There will be a range of issues around this, e.g. Mental Health records being restricted – and where there are ‘outliers’ for a particular provider or flow (either due to technical issues, or because of consent choices) these will need to be addressed through a transparent process.

For patients, HSCIC should then be able to report to each person individually, via their Personalised Data Usage Report, everywhere their NHS number (and associated data) has been passed. As patients can learn exactly what does happen to their records, and why – and that it is the norm for this to happen without incident – this will contribute to a tendency towards increasing trust around the handling of records.

This process should be systematic, automatic, accurate and, over time, complete.

Additionally, as the expectation becomes that records do flow, patients will be able to see where this flow hasn’t happened (in addition to potentially experiencing the effects) and can raise questions – which is entirely appropriate if, as is asserted, sharing of medical records along a care pathway for direct care will improve outcomes. It is far more important to patient care and safety to know and correct flows for direct care where they aren’t happening as they should, as it is to know the data and flows for secondary use.

We emphasise the distinction between direct care – in effect, data sharing with implied consent between medical professionals who interact with and provide treatment to a patient – and secondary uses, which cannot presume consent, and for which patients have a right to opt out.

To illustrate this with a recent example; there are very few reasons to dispute or object to medical records being used for direct (“integrated”) care in, say, a meeting held between and run by medical professionals with a duty of care for a particular patient with complex needs, to devise a specific care plan for that patient. But a secondary use of that same information would be a meeting run by an accountant looking ways to manage the impact of a “high cost” individual.

It is entirely up to the system to transparently describe and discuss the difference, and it is the public knowledge that this will be examined which helps keep the system honest. And therefore trustworthy.

One of the things about data releases is that there are cockups. Even if we accept your argument that you’d never screw it up, what about the people who follow you, and the people who follow them? Or your predecessor?

In medConfidential’s usual health arena, those cockups tend to be cognitively uncomfortable, or include difficult tradeoffs, as do many decisions to do with people’s health. However, down the road at the Department for Transport, they have examples that have similar potential effects, but that are easier to talk about at parties.

Everyone knows what a train is and, while trains do crash, we have some idea of just how rare that actually is, and get on them daily anyway. For that reason, the examples in this blog post will look at transport, rather than health.

Finding your way to cockup boulevard

Our friends at the UK Anonymisation Network recently published a presentation on the process of anonymisation – mostly looking at the process that organisations should go through. (While the presentation was published in the context of open data, the rules apply for any data.) Full details are in the presentation and its accompanying documents – for the purposes of this post, the description and process in Section 2 is pretty good, within some constraints:

• Describe your data situation
• Know your data
• Understand the use case
• Understand the legal issues
• Understand the issue of consent and your ethical obligations
• Identify the processes you will need to assess disclosure risk
• Identify the disclosure control processes that are relevant to your situation
• Identify who your stakeholders are and plan how you will communicate
• Plan what happens next after you have shared of released data
• Plan what you will do if things go wrong

The last point is the kicker; this is hard. What happens when you cock it up? Or, if not you, your successor’s successor, who has less of an understanding of what the words actually mean than you do?

The whole process relies on those following the process having an understanding of not only what they’re doing, but the wider data environment in which they are operating. For many organisations, there is a fundamental denial of anything that’s even just outside their narrow silo, let alone the wider “environment”, and that’s going to get messy.

It doesn’t matter how good your SDC process is if you don’t care about the world as it is, rather than just how it would be convenient for it to be. Data, once released, cannot be un-released. Future releases may be stopped (with resultant damage to confidence in the data environment), however, the existing releases will still have been released. Under an Open Data License – which is necessary for arbitrary reuse – it is particularly difficult to get them back.

Some of these will be pure accidents.

Take as an example Transport for London, who run the “Boris bike” hire scheme, and who publish details of cycle hires – from where to where, and when. Data that produces many of the pretty cycle hire maps you see.

The data published should be “a row identifier, the length of hire, the start time/date, a Bike ID, the Start Location, and the End Location”, thus:

Rental Id, Duration, Bike Id, End Date, EndStation Id, EndStation Name, Start Date, StartStation Id, StartStation Name
18884041,271,4313,02/01/2013 13:32,251,”Brushfield Street, Liverpool Street”,02/01/2013 13:28,509,”Fore Street, Guildhall”

A significant amount of public benefit can come from such data being available; many different analyses have been done.

Sometimes the choice to release is deliberate. (The release of New York taxi trip data was a deliberate, if ill-considered, act.) But at some point last year, someone at Transport for London just made a mistake.

For a couple of months, TfL accidentally included the “hire key” ID, which is the identifier of the person who hired the bike. As such, it was possible to derive sensitive details using other data known about the various trips of individuals.

Avoiding cockup boulevard altogether

Whether deliberate or accidental, such issues come from fundamental category errors. We see this a lot – such as people perceiving linked achievement data as a dataset about schools and teachers, without appreciating the crucial significance of it containing the life experiences of children. Some projects see doctors and nurses – people who, when they were aged about 13, decided to spend their life helping people – and consider that an exploitable resource for acquiring nice things.

It will become increasingly common to wrap such things in the banner of “data”, and claim the magic pixie dust will solve all. How likely is it that such category errors will be nowhere within your organisation, and never occur? Especially in a political bureaucracy where you have powerful individuals “masterminding” a programme without regard to the details?

It’s a good thing that the UKAN assessment process has cockup sections one and two.

What is Open Data?

Open data is data published for all to use, with no limit on purpose – which is why personal data cannot ever be open data, except for matters of public record (i.e. some legally-mandated details about people who have power or influence over others’ lives). When aggregated and properly treated, fully anonymised results about people – statistics – can and should be open data. However, any failure to follow a full and complete statistically valid process means you are actually publishing personal data.

In ethical practice, the only entity who can publish rich, detailed personal data on an individual is that individual themselves. It can only ever be something someone does themselves, and not something people do to them.

And broad, open-ended ‘consent’ just won’t cut it. Even if you get someone’s permission for a bunch of the good stuff you imagine doing with their data, it’ll be the bad stuff you haven’t thought of that someone else does that’ll screw you. And the people whose personal data you published. Depending on circumstances, this could be downright abusive or worse.

I may choose to post photos of my meals to instagram; someone I don’t know choosing to post all my meals to instagram is just creepy.

P.S. Good luck to Mike Bracken and Tom Steinberg in their future endeavours.

The Telegraph, followed up by the Independent and Daily Mail, reports today that Boots and other pharmacies – including the large supermarket pharmacies – may from this Autumn be granted access to the Summary Care Record*. There are concerns that such access may be used for marketing purposes. Further details will likely follow in due course.

Under current rules, patients should always be asked for their consent – what is called “Permission To View” – before anyone looks at their Summary Care Record. How the high street pharmacies, and their commercial managers with their incentives to cross-sell remedies, will make this work in practice is an open question.

Safeguards that may operate in a hospital context are going to have to be applied to a whole range of other (possibly non-medically registered) people, who must all be properly trained and rigorously audited on an ongoing basis. A considerable investment must be made if pharmacies are to be given access and patient confidentiality and consent is to be maintained. A report of a pilot scheme earlier this year found, for example, that:

The principles around asking patients for permission to view (PTV) their SCR and its practical application for some prevalent patient groups in the pharmacy setting caused confusion and uncertainty.

medConfidential hopes the Department of Health will urgently clarify the rules around using NHS medical records for marketing to patients.

* The Summary Care Record (SCR) was originally intended “for emergency or out-of-hours” access to your last 12 months’ prescriptions and information about any allergies you suffer from and any bad reactions to medicines that you have previously experienced. The SCR also contains your name, address, date of birth and your NHS Number.

What you can do

If you have a Summary Care Record (around 94% of the population do) and you are concerned that your record may be misused or abused, you can opt-out of the scheme. Here’s a link to the official opt-out form, which you need to fill in and give to your GP.

Please note: the Summary Care Record is entirely different from care.data. SCR is intended for use only by those providing you with direct care; care.data (a different scheme, currently on “pause”) is about ‘secondary uses’ of information from your medical record, i.e. purposes like research, commissioning, “healthcare intelligence” and commercial re-use.

N.B. If you do have particular allergies or bad reactions to particular types of medicine, having this information available to emergency responders is directly beneficial to you, so you may wish to look into getting a MedicAlert bracelet or something equivalent.

A long-term solution, which could provide reassurance to all patients, is for every patient to know everywhere their data has been used, by whom, and for what purpose. Such an approach would make any abuse, even by a single Boots store manager looking to hit their targets, highly transparent – not just to officials at NHS England, but to every patient themselves.

It used to be that the different parts of the NHS looked after the data of the patients they treated, and talked to each other when they needed to know something.

Of course that model doesn’t work if you are NHS England, with its egomaniacal urge to micromanage and control everything. From that perspective, NHS England and other bodies each collecting every bulk personal dataset they can, from anywhere in the system is essential – even if the result starts to look like the ‘shadow’ monitoring and embedded political control structures of the Communist Party of China being imposed on the NHS.

From a patient perspective, rather than being ‘confidential’, this starts to feel deeply invasive – and the secretive manner in which some of these bodies expect to be able to act could be considered downright nasty.

From the perspective of NHS staff, it could be the final nail in the coffin of trust.

In the simplest terms, the level of access NHS England is mandating (with Government backing) boils down to managers, commissioners, policy makers and even commercial “re-users” being able to reach into your individual medical record – right down to the level of specific, dated events – and, as we now learn, to check every appointment.

“Collect it all” is the digital approach of the intelligence and security services – the agencies tasked with the prevention of “never events”; those things that must never occur.

“Bulk Personal Datasets” have been defined by Parliament as “large databases containing personal information about a wide range of people”. Parliament’s Intelligence and Security Committee in its 2015 report, ‘Privacy and Security: A modern and transparent legal framework‘, also concluded that as a Dataset of this type “may be highly intrusive and impacts upon large numbers of people, it is essential that it is tightly regulated”.

“Tightly regulated” is clearly not a term that applies to initiatives such as the Prime Minister’s Challenge Fund or toxic schemes like care.data, with its still-missing legal safeguards, ever-diminishing consent options and the “promotion of health” loophole that has legalised the ongoing sale of patient data to commercial re-users – including the data of over a million people who’ve already opted out. Whatever the claimed justification, the collected medical records of every man, woman and child in the country certainly meet every other criteria.

In the NHS, bulk personal datasets that were and are being collected for one purpose – the provision of health care – can now be interrogated for other reasons. These other purposes, all lumped together under the deceptively anodyne term “secondary use”, cover such distinct and broad categories of activity as research (both medical and market), NHS commissioning and “health intelligence”, and include servicing the data demands of commercial third parties. Every single one of these uses being derived from data which had a single primary purpose: the treatment and health of NHS patients.

If other bodies want to extract and use bulk personal datasets for purposes beyond patient care, then the whole process must be consensual, safe, transparent and – most important of all – grounded in trust. However trust, as Baroness Onora O’Neill argues, cannot merely be asserted (“trust us”) nor, as the care.data debacle continues to demonstrate, can it be presumed.

To be trusted, these users of our data must demonstrate they are trustworthy:

“[Those] who want others’ trust have to do two things. First, they have to be trustworthy, which requires competence, honesty and reliability. Second, they have to provide intelligible evidence that they are trustworthy, enabling others to judge intelligently where they should place or refuse their trust.” – Baroness Onora O’Neill

Evidence shows, if given a choice and clear information on what it’ll be used for and by whom, a large majority of patients are quite happy for their medical information to be used for public good purposes, such as ethically-approved research. Limit the choice or information, or re-use the data for something else, and opinion flips – and the majority are not happy at all.

The sale of ‘Hospital Episode Statistics’ (not actually statistics but rather linked, patient-level hospital events) which caused so much public outrage last year, is a case in point. As it turned out, the basis for public confidence amounted to little more than the fact the data had been collected “for years”. When the sale of billions of linked, dated health events – the very definition of a bulk personal dataset – came to people’s attention in 2014, it quickly became apparent that public acceptance was lacking.

The lesson here? Just because you happened to get away with something in 1988 doesn’t make it a good idea.

In a digital world, it is all too easy for bulk personal datasets to be copied and re-used outside of the understood framework, leading to loss of trust (what the Royal Statistical Society calls the “data trust deficit”) in not only the end users, but the original data ‘collectors’ themselves; doctors, nurses and other front-line NHS staff for whom trust is absolutely essential. For if people cannot trust that what they tell their doctor will be kept in confidence, some will simply not say anything – putting their own health, and in some cases the public health, at risk.

There are many predictable, if unintended, consequences of a “Collect it all” strategy; consequences that agencies and institutions which have followed one have now discovered. Public outcry over the secretive extraction and misuse of patients’ medical records and NHS information should be seen as a cautionary tale. Not a guide book.

With care.data trying to get underway again, we expect to see NHS England on the conference circuit, talking about how this time they’ve got it perfectly right.

Unfortunately, with several significant – indeed fundamental – problems as yet unresolved, such a line suggests that (while HSCIC may soon be in a position to provide a fix for one of the most egregious consent screw-ups of the entire programme thus far) NHS England itself still hasn’t learnt the lessons.

So, if you’re running an event where care.data is going to be a topic – and for the next year, we reckon there should be at least one such session at every conference that wants to be taken seriously by either the public or the profession – medConfidential suggests that, rather than providing a platform for a casuistic monologue from NHS England, care.data-related sessions should take the form of a panel.

A useful panel would probably include at least 3 representatives drawn from these different groups:

• A GP, psychiatrist or other Registered medical practitioner;
• A patient representative (not someone funded or employed by a DH body);
• A research advocate (not currently employed by a DH body);
• A commercial company that sells products or services based on NHS medical records;
• A human rights advocate* (not someone funded or employed by a DH body);
• NHS England (not HSCIC, who can only speak to particular things);
• And, if it is a local meeting, a representative of the CCG.

*Please note, medConfidential is not angling for an invitation – though we are always happy to provide a speaker, where we can. There are many great people who understand the fundamental necessities of patient privacy / confidentiality and consent.

Conference organisers should take particular care to ensure that DH Arm’s-Length Body staff aren’t banging the drum for the Department line, while claiming to represent research.

The only way to prevent a repeat of the previous care.data debacles is for people to fully appreciate the diverse views and motivations of the various “stakeholders”. The story of care.data from its suspension in February 2014 to the pathfinder ‘relaunch’ in late 2015 (or beyond) has been characterised by various stakeholders talking to each other – mostly quite sensibly – until NHS England had to ‘join the consensus’, having ignored it for over a year.

It would be a disservice to your audience and to your event to allow NHS England to preserve silos that allow it to pretend areas of controversy do not (still) exist.

medConfidential does not seek unanimity of views; we seek a properly-engaged discussion, fully representing the diversity of perspectives from which a solution can be drawn.

As Phil has said, following a panel discussion at the 2015 Sowerby eHealth Symposium, until patients and doctors, commissioning, research, and commercial (re)users are all in the same room, everyone will be talking past each other.

medConfidential mostly works on issues to do with confidentiality and consent around what the NHS (and wider care system) do with your data beyond your direct care; what are called ‘secondary uses’.

However, the world of ‘health-enabled’ smartphones has slipped into almost everyone’s pocket, and the NHS is beginning to notice. Unfortunately, NHS England is starting from its usual cultural assumption that it can do things by dictat, ignoring the rules – even ones it made up – if they prove less than convenient.

Health apps are quite different to most of what the NHS does; in many ways they are more like a pharmacy than a hospital. Apps are something that patients do for themselves – possibly with professional advice, possibly without. Apps are done by patients, not something the doctor or the system does to, or for, the patient.

Apps are the rough equivalent of a prescription, in that it’s up to patients themselves to ‘take the pills’. Apps are not some sort of “machine doctors” that NHS England can bend to its will. (It rarely turns out well when NHS England tries to do this, but that doesn’t stop it trying again and again and again.)

For the main part, apps exist between a patient and a third party without a medical consent relationship. The Terms and Conditions of some (should you read them) set you up to have your data exploited and sold on – quite legally, under the contract you signed up to when you installed the app and gave it permissions – in ways even Pharmacy2U would never dream of.

Unfortunately, compliance with the Data Protection Act – a legal minimum – offers nothing like the standards of ethics and confidentiality you should expect for your medical records. And consent in the ‘planet of the apps‘ is merely a tick box, or a flick of the finger.

That’s not to say that app providers can’t do “mass participation surveys” properly, ethically and in ways impossible by other means. Some certainly do. It’s just that – as with all innovative but immature markets – there needs to be guidance, and proper oversight, to help members of the public distinguish between legitimate research and profit-seeking charlatans.

Requirements

In a future NHS world, if an app had access to an individual’s details and offered services which could receive that individual’s consent settings from the Spine, then their existing consent choices could, in principle, be honoured (though whether widening access to NHS Spine is a good idea or not is a subject for another blog post). What’s for certain now, though, is that app screw-ups and scams will continue until consent improves.

Most health apps don’t and will not connect to anything in the NHS, other than maybe allowing a patient to e-mail a standardised report to somewhere. In the Apple ecosystem, where health apps have to write data to the protected ‘HealthKit repository’, it’s at least possible that the 4 UK GP IT providers could handle reading and integration of your data with NHS systems, under the control of the patient. [UPDATE 7/8/15: EMIS already does something along these lines – thanks to @theABB for screenshots.] So building something useful doesn’t necessarily require dealing with the idiosyncrasies of the Directorate of Patients and Information at NHS England.

The NHS ‘Health Apps Library’ right now is in a mess. The positive intention may have been to help patients navigate shark-infested waters, the reality in some cases is more like being left up a creek without a paddle.

To be included in the NHS Apps Library, there must be far tighter restrictions on data transfer, sale and exploitation – burying a statement somewhere on page 97 of the terms of use, because “this is part of our business model”, may suffice for the Android Play Store and the Information Commissioner – it cannot be sufficient for an endorsement by the NHS.

If an app is able to connect to the NHS infrastructure, it must honour the consent settings available to whatever NHS service it connects to – which includes providing a complete, patient-accessible audit trail. The vast majority of apps will not be connected, so they must proactively request consent – with informed opt-in (not opt-out) for any and all data transfers to third parties, and a separate opt-in for any sale of data.

In fact, good apps should probably follow Apple’s lead or equivalents that are beginning to emerge in other places: health data stays in a locked silo on your device, in your control, and all transfers and processing must honour your wishes. If you claim to be doing research, and you want to use the NHS brand, then your project must have received ethics approval.

When you walk into a pharmacy, if you look, there’s a sign which tells you the name and registration number of the professional currently responsible for dispensing from that pharmacy. On the page for each app in the NHS Apps Library, the equivalent information should be visible: who is responsible for the quality of this app? NHS England may decide the answer “no-one” is OK as an answer – but patients deserve to know that.

If all these and the existing – and emerging – criteria for apps are not met, NHS England’s Apps Library (which sits on MPA Red-rated NHS Choices) will simply accelerate the race to the bottom for predatory data sale, and public confidence in its recommendations will collapse. Again.

You would hope by now that NHS England has been “listening” and learning enough to realise the very real risks of jumping feet-first into a “visionary” programme; there’s a lot at stake, but it’s your medical data they’re gambling with.

“The care.data programme has yet to routinely publish agendas, minutes, highlight reports and finalised papers which arise from the care.data Programme Board, something which other programmes, such as NHSmail do routinely. The publication of papers will increase confidence in the programme by demonstrating progress and good governance.”

– HSCIC, November 2014, ‘Background to the decision to publish‘

And yet: [update see below]

1. Missing: Video of care.data Advisory Group public meeting in London (our copy)
2. Missing: Video of care.data Advisory Group public meeting in Manchester (our copy)
3. Missing: January 2014* care.data Programme Board meeting – all documents
4. Missing: February 2014 care.data Programme Board meeting – all documents
5. Missing: March 2014 care.data Programme Board meeting – all documents
6. Missing: April 2014 care.data Programme Board meeting – all documents
7. Missing: May 2014 care.data Programme Board meeting – all documents
8. Missing: June 2014 care.data Programme Board meeting – all documents
9. Missing: July 2014 care.data Programme Board meeting – all documents
10. Missing: August 2014 care.data Programme Board meeting – all documents
11. Missing: September 2014 care.data Programme Board meeting – agenda and papers
12. Missing: January 2015 care.data Programme Board meeting – all documents
13. Missing: February 2015 care.data Programme Board meeting – all documents
14. Missing: March 2015 care.data Programme Board meeting – all documents
15. Missing: April 2015 care.data Programme Board meeting – all documents
16. Missing: May 2015 care.data Programme Board meeting – all documents
17. Missing: June 2015 care.data Programme Board meeting – agenda and papers
18. Missing: July 2015 care.data Programme Board meeting – agenda
19. Missing: Freedom of Information Act requests for the above – October 2014 Request
20. Missing: Freedom of Information Act requests about the above – May 2015 Request
21. Missing: Letter from care.data SRO and Chair of Programme Board, Tim Kelsey, to medConfidential – should be published with June care.data Advisory Group notes, following 24th July meeting.

“This is the most transparent programme I’ve ever worked on”

*We have listed only those papers missing from 2014 onwards, but a care.data Programme Board must have existed for some while before January 2014, given the first application to extract patient data was made (and knocked back by the now-abolished GPES IAG) in February 2013.

Update 14/August: A seemingly incomplete dump of documents has now been published and has been collated here pending review:

• 2015-05: cd-prog-brd-highlt-rep-150513.pdf
• 2015-05: cd-prog-brd-decsn-pub-150513.pdf
• 2015-05: cd-prog-brd-agda-150513.pdf
• 2015-03: cd-prog-brd-ms-mins-150324.pdf
• 2015-03: cd-prog-brd-highlt-rep-150324.pdf
• 2015-03: cd-prog-brd-decsn-pub-150324.pdf
• 2015-03: cd-prog-brd-agda-150324.pdf
• 2015-03: cd-pid-150331.pdf
• 2015-03: cd-core-pub-comms-mats-150324.pdf
• 2015-03: cd-aae-path-150330.pdf
• 2015-02: cd-prog-brd-tor-upd-150211.pdf
• 2015-02: cd-prog-brd-ms-mins-150211.pdf
• 2015-02: cd-prog-brd-highlt-rep-150211.pdf
• 2015-02: cd-prog-brd-decsn-pub-150211.pdf
• 2015-02: cd-prog-brd-agda-150211.pdf
• 2015-01: cd-prog-brd-mins-150114.pdf
• 2015-01: cd-prog-brd-highlt-rep-150114.pdf
• 2015-01: cd-prog-brd-agda-150114.pdf
• 2014-11: cd-prog-brd-mins-141215.pdf
• 2014-11: cd-prog-brd-mins-141117.pdf
• 2014-11: cd-prog-brd-highlt-rep-141215.pdf
• 2014-11: cd-prog-brd-highlt-rep-141117.pdf
• 2014-11: cd-prog-brd-decsn-pub-1412151.pdf
• 2014-11: cd-prog-brd-decsn-pub-141117.pdf
• 2014-11: cd-prog-brd-agda-141215.pdf
• 2014-11: cd-prog-brd-agda-141117.pdf
• 2014-10: Original-20141015-05 Creative Approach Presentation 20141015.pdf
• 2014-10: Original-20141015-03 Pathfinder Stage Plan 20141015.pdf
• 2014-10: Original-20141015-02 care data PB Highlight Report 20141015.pdf
• 2014-10: FVTP-20141015-01 Programme Board Minutes 20140923 final.pdf
• 2014-10: FVTP-20141015-00 care data Programme Board Agenda Final.pdf
• 2014-10: cd-prog-brd-mins-141015.pdf
• 2014-10: cd-prog-brd-highlt-rep-141015.pdf
• 2014-10: cd-prog-brd-descn-pub-141015.pdf
• 2014-10: cd-prog-brd-agda-141015.pdf
• 2014-09: Original-20140923-04 Information Analysis Linked Primary Care – Secondary Care Dataset.pdf
• 2014-09: Original-20140923-03 Pathfinder Selection Panel Notes 20140923.pdf
• 2014-09: Original-20140923-02 care data Programme Board Highlight Report 20140923.pdf
• 2014-09: FVTP-20140923-01 Programme Board Minutes 20140826 final.pdf
• 2014-09: FVTP-20140923-00 care data Programme Board Agenda final.pdf
• 2014-09: cd-prog-brd-highlt-rep-140923.pdf
• 2014-09: cd-prog-brd-agda-140923.pdf
• 2014-09: cd-path-sel-notes-140923.pdf
• 2014-09: cd-info-an-pc-sc-dataset-140923.pdf
• 2014-08: Original-20140826-11 20140826 care data narrative draft 3.pdf
• 2014-08: Original-20140826-09 20140826 care data Planning Principles.pdf
• 2014-08: Original-20140826-06 20140826 CCG Approval and Selection Process.pdf
• 2014-08: Original-20140826-03 care data – Pathfinder Stage Plan Summary v1 0 26082014.pdf
• 2014-08: Original-20140826-02 20140826 Programme Board Highlight Report.pdf
• 2014-08: FVTP-20140826-01 Programme Board Minutes 20140716 final.pdf
• 2014-08: FVTP-20140826-00 care data Programme Board Agenda final.pdf
• 2014-08: cd-prog-brd-mins-140826.pdf
• 2014-08: cd-prog-brd-highlt-rep-140826.pdf
• 2014-08: cd-prog-brd-agda-140826.pdf
• 2014-08: cd-ccg-appr-sel-proc-140826.pdf
• 2014-07: Original-20140716-07 care.data Planning Principles 20140716.pdf
• 2014-07: Original-20140716-04 Business Case Approach.pdf
• 2014-07: Original-20140716-02 Programme Board Highlight Report 20140716.pdf
• 2014-07: Original-20140716-00 care data Programme Board Agenda.pdf
• 2014-07: FVTP-20140716-01 Programme Board Minutes 20140625.pdf
• 2014-07: cd-prog-brd-mins-140716.pdf
• 2014-07: cd-prog-brd-highlt-rep-140716.pdf
• 2014-07: cd-prog-brd-decsn-pub-140716.pdf
• 2014-07: cd-prog-brd-agda-140716.pdf
• 2014-06: Original-20140625-04 Planning Principles and FAQs.pdf
• 2014-06: Original-20140625-02 care.data Programme Board Highlight Report.pdf
• 2014-06: Original-20140625-00 care.data Programme Board Agenda 25June2014.pdf
• 2014-06: cd-prog-brd-mins-140625.pdf
• 2014-06: cd-prog-brd-highlt-rep-140625.pdf
• 2014-06: cd-prog-brd-agda-140625.pdf
• 2014-05: Original-20140513-03 care.data Draft Communications Plan.pdf
• 2014-05: Original-20140513-02 care.data Programme Board Highlight Report.pdf
• 2014-05: Original-20140513-01 care data Programme Board Minutes 310314.pdf
• 2014-05: Original-20140513-00 care.data Programme Board Agenda.pdf
• 2014-03: Original-20140331-06 care data Plan on a Page.pdf
• 2014-03: Original-20140331-05 care.data Programme Board Highlight Report.pdf
• 2014-03: Original-20140331-03 care.data Programme Governance.pdf
• 2014-03: Original-20140331-02 care.data Revised Governance Overview.pdf
• 2014-03: Original-20140331-01 care data Programme Board Minutes 280114.pdf
• 2014-03: Original-20140331-00 care.data Programme Board Agenda.pdf
• 2014-01: Original-20140128-04 Proposed approach for selecting additional patient-level data sets.pdf
• 2014-01: Original-20140128-02 care.data Programme Board Highlight Report.pdf
• 2014-01: Original-20140128-00 care.data Programme Board Agenda.pdf
• 2014-01: FVTP-20140128-03 care.data Programme Brief_v1 1 220114.pdf
• 2014-01: FVTP-20140128-01 care.data Programme Board Minutes from 20131125 final.pdf