
It’s OK to ask

Today, on International Clinical Trials Day 2015, medConfidential welcomes the National Institute for Health Research’s ‘OK to Ask’ about research campaign.

As an advocate of research patients, NIHR is enabling its primary mission in a safe way. ‘OK to ask’ is entirely compatible with consent – indeed, that’s what the entire campaign is about: asking.

There need be no conflict between patients being interested and wanting to participate in research, but not wishing their sensitive medical records to be sold. That NHS England is choosing to make this more difficult / conflating secondary uses is a barrier to research, not an enabler.

We can’t let the day pass without also mentioning our friends at AllTrials – campaigning for all past and present clinical trials to be registered and for their full methods and summary results to be reported. Clinical trial transparency is vitally important, and it doesn’t mean publishing individual patient data.

Consensual, safe and transparent. Anything less just doesn’t make sense.

Marketing2U: Was your health information sold to direct marketers by Pharmacy2U?

For years, we’ve had credible reports of highly accurate marketing that could only be based on health records. Now reports in the media have revealed “a nice little trade” in your health records – and that’s the Information Commissioner’s description, not ours.

These latest reports reveal two ways in which information about your health may be collected and sold on: from insurance forms you fill in and, in particular instances, from information provided to “the UK’s largest online pharmacy”, Pharmacy2U.

Given the number of people who have contacted us over the past two years about this, it is clear that these are not isolated occurrences. Pharmacy2U may have admitted to selling details to a direct marketing agency on a number of occasions, but it is not the only one.

This trade in people’s personal health information is insidious, and makes it all the more essential that the Government legislates clearly and consistently on the ongoing “commercial re-use” of our medical records.

Senior politicians may say something must be done about these latest incidents, but promises to crack down on dodgy data brokers and those who supply them with data ring hollow while the official trade in NHS patients’ information persists. (We note the promised Regulations under the Care Act 2014 – which should clarify the overly-broad definition, “the promotion of health”, that continues to legitimise commercial re-use of your medical information – were not laid before Parliament was dissolved for the election.)

medConfidential has submitted a formal complaint to the Information Commissioner on behalf of patients who have contacted us after having been sent direct marketing materials in relation to their specific medical condition, treatment or diagnosis. The Information Commissioner’s Office has already begun an investigation, as has the General Pharmaceutical Council. And, given what the chair of the Health Select Committee has said, we hope Parliament will look into this promptly when it returns.

Your rights; take action

Section 11 of the Data Protection Act provides you with the “right to prevent processing for purposes of direct marketing”. You can issue a notice in writing to a data controller at any time, requiring them to cease – or not begin – using your personal information for marketing.

UPDATE 27/4/15: Given their objection to the way we previously expressed things, we asked Pharmacy2U shareholder EMIS – which has been offering a joint service with Pharmacy2U since trials in 2001 – how a patient might determine, without wasting GP time, if their practice is amongst one of the hundreds that have been using Pharmacy2U to provide postal prescriptions for years. EMIS has replied saying that Pharmacy2U is now an option in all practices that use Electronic Prescription Service Release 2 (EPSR2), and that patients with concerns “should contact Pharmacy2U directly”.

Our advice remains as we state below. If you are unsure whether you’re affected, we hope to have more information in our newsletter due out this Friday.

You may not recall nominating Pharmacy2U at your GP at any point over the last 14 years, but if you do not receive a paper prescription and you have ever received your medicines from a warehouse in Leeds rather than your local pharmacy, then it is likely that you did – and you may wish to take action.

If you are a customer of Pharmacy2U, or if you are concerned that your details may have been sold or passed to third parties by them or any other online pharmacy – or by any company to which you have provided information relating to your health – we have created a template Section 11 Notice for you to download, fill in, print and post to the relevant organisation.

For Pharmacy2U only, please add your details where indicated:

For other companies, including insurance companies, please fill in the relevant details where indicated:

You will note that our Section 11 Notice letter ends with a request for information about disclosures of your information for purposes other than marketing. This is because you have a further right, under Section 10 of the Data Protection Act – the “right to prevent processing”, if such processing would cause you “unwarranted and substantial damage or distress”.

At this point it is not absolutely clear whether Pharmacy2U or other companies have disclosed your information for purposes other than marketing; the wording of various Terms and Conditions suggests that they might. Our template letter therefore requests that the company tells you with whom it has already shared your information, and for what reason.

By sending our Section 11 Notice letter first, you should be told exactly what the company has done with your information. You can then follow up with a Section 10 Notice [1] on the basis of what you find out. Were you to send a Section 10 Notice straight away, the company should comply with your wishes – but you might not find out what has already been done with your information.

We would hope that companies will come clean, and take the opportunity to reassure those whose details they haven’t sold that their information has been kept confidential. If for any reason a company refuses to provide this information, please let us know.

medConfidential believes people should always know who has had access to their health-related information, and what it has been used for. As we have said to the Information Commissioner, you simply cannot trust an organisation that buries your consent options and which isn’t completely up front about what it has done or will do with your most sensitive personal information.

1) For your convenience, here is a template Section 10 Notice for you to download, fill in, print and post to the relevant organisation. If you are concerned to know what has been done with your information, we recommend you send this only after receiving a response to your Section 11 Notice.

For Pharmacy2U, please add your details where indicated:

For other companies, including insurance companies, please fill in the relevant details where indicated:

UPDATE 20/4/15: We were contacted late on Friday by Pharmacy2U’s PR representative, who stated Pharmacy2U “has not sold information relating to patients’ medical conditions. Names and postal addresses only were provided.”

The PR firm provided the following statement, which we publish in full:

“We want to reassure our customers that Pharmacy2U does not and has never sold information relating to patients’ medical conditions to anyone.

Between November 2014 and December 2014, we trialled a small-scale project with Alchemy Direct Media (UK) Ltd, a data handling company registered with the Information Commissioner’s Office (ICO). 

This project involved us selling limited information – some customers’ names and postal addresses only – for use in selected marketing activity. No medical information, emails or telephone numbers were sold. In conducting this trial project, we acted in line with current data protection and ICO guidelines.

The sale of customer data for marketing purposes is a widespread practice within business and also government. However, in light of public concern about this issue we have decided not to continue with this trial and we can reassure our customers that Pharmacy2U will no longer share customer data for use in third party marketing. All data that was held by Alchemy Direct Media (UK) Ltd has been destroyed by them and is no longer available for use.

We have asked the Information Commissioner’s Office to work with us to review our privacy policy and have also contacted the General Pharmaceutical Council, our industry regulator, and the NHS, to discuss this matter. We await their follow-up report.”

[PRESS RELEASE] Stop this toxic trade in health information; make it all ‘classified when complete’

Responding to revelations about the disgraceful trade in sensitive health information [1], medConfidential today called for all personal health details to be treated as ‘classified when complete’ [2].

Exemptions in the Data Protection Act are not only exploited by unscrupulous traders; some are routinely used by large commercial organisations [3] and public bodies to legitimise the “sharing” and “re-use” of health information.

Despite promises made by Ministers last year following the care.data fiasco and the exposure of the legalised sale of NHS patients’ medical information for “commercial re-use”, changes to the law remain uncommenced [4]. Indeed, the amended definition of legitimate use – “for the promotion of health” – still permits sale to “information intermediaries” and use by pharmaceutical marketers and other commercial interests.

While medConfidential supports, and last year called for [5], criminal sanctions against those who abuse or misuse people’s health information, the threat of harsher punishment for a few ‘bad apples’ will not address the toxic presumption, perpetuated by Government policy, that people’s most sensitive personal details are tradable assets.

Phil Booth, coordinator of medConfidential [6], said:

“For all its fine words, this last government added no real protection for medical records – its political promises came to nothing.

“To stamp out this toxic trade, politicians must take decisive action and guarantee that all medical reports and data are legally defined as classified. There’s no reason your family’s health details should be treated as any less sensitive than a police witness statement or George Osborne’s lunch order, for that matter.

“Only when medical records are properly protected in law, and people are told everywhere they’re sent, can we truly trust our most sensitive information will be kept confidential.”

Notes for editors

1) http://www.dailymail.co.uk/news/article-3018659/Privacy-sale-s-health-secrets.html

2) More details in medConfidential’s proposal, ‘A modern Lloyd George Envelope: CLASSIFIED when complete’: https://medconfidential.org/wp-content/uploads/2015/02/2015-02-16-A-modern-Lloyd-George-Envelope.pdf

3) medConfidential drew attention last June to some insurance and financial services companies’ abuse of enforced Subject Access Requests: https://medconfidential.org/2014/is-jeremy-hunt-serious-about-shutting-down-insurers-access-to-your-medical-records/

4) Regulations to the Care Act 2014 failed to be laid before Parliament was dissolved. These Regulations were necessary to define the operation of the Confidentiality Advisory Group that advises on the dissemination of NHS patients’ information, to enable “one strike and you’re out” sanctions for those who misuse data, and to define “the promotion of health” – the over-broad purpose by which patients’ information can be made available for commercial “re-use”.

5) See Q7 of Oral Evidence to Health Select Committee, on Tuesday 25 February 2014: http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/health-committee/handling-of-nhs-patient-data/oral/6788.html

6) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

medConfidential update, 21 March 2015

This is just a brief update; we hope to have more substantive (good) news soon, but something else we think you should know about is happening and we wanted to give you the heads-up.

Urgent action – your health data and beyond

While the Government and NHS England still refuse to rule out the commercial re-use of your medical information, their commercial cronies have lobbied the Office of National Statistics to consult on commercial, speculative and secret access to the unprotected data that ONS holds.

This “microdata” is highly sensitive, much of it personal data – which is why the ONS has had to keep it so tightly under lock and key. This isn’t your medical record, but it’s everything else the Government has, including the census and Health Survey; it’s all but your name.

With a general election in the offing and the budget this week, no-one else seems to have noticed. But where does the bulk of the data that the budget depends on come from? That’s right, ONS – and confidential business data is included in these proposals too.

Please act now. With just one week to go before the consultation closes, you can:

  1. Sign the open letter opposing the proposals – it’ll just take a minute
  2. Tell your friends – more information at www.AllButNames.com
  3. Fill in a longer response via the ONS website

There may be just a few of them but, as statisticians can count, your voice really matters.

medConfidential’s attention was drawn to this issue by Methods Insight Analytics’ breach of conditions for using ONS linked data sold by HSCIC last summer. It appears some private companies would rather change fundamental ONS principles than their own business models.

Has nothing been learned from the care.data fiasco? Allowing commercial access to highly detailed, sensitive information for private profit undermines both trust and the public good. Selling access to ONS microdata may make peanuts for companies and their shareholders, compared to the very real damage to public confidence in our National Statistics that will come from these proposals.

 

What’s happening with care.data?

We’d love to be able to tell you what’s going on with the care.data pathfinders but, depending on who’s asked, they’re both going ahead and not before the election… and now NHS England won’t say either way.

It has been clear for some time that data extractions won’t take place “before the autumn”, but that’s not quite the point. The question is when patients will start being written to, what they’ll be told, and whether it’s actually true.

Though the headlines talk about a delay, when pressed, “Mr Kelsey told HSJ that while the extraction would not take place before the election, pathfinders would send out communications around the data extraction and linkage programme.”

As The Register reports, Tim Kelsey repeated this intention to Roger Godsiff MP, who was prompted to lay an Early Day Motion this Monday.

We sincerely hope that NHS England will do the right thing, and postpone sending anything out to patients in the pathfinders until after the election. Too many questions are still unanswered, and critical elements – such as the CAG regulations, new Directions and fixing the ‘Type 2’ opt-out error* – are still not in place.

Proceeding now, so close to the election, could be seen as an attempt by this Government to constrain the next. And, as Shadow Cabinet Office Minister Chi Onwurah has said: “I think if we have another care.data, then the public sector is not going to want to touch data, whether it is open or shared and that is a real danger.”

* We understand HSCIC is working on a solution to the issue they have taken responsibility for, that will honour your choices and not affect your direct care. We will let you know as soon as anything public is announced, but this is unlikely to be until after the election.

 

 

Lessons learned? Suggestions on writing to a million patients about 9Nu4

The Health and Social Care Information Centre are aware that the number of patients affected by the mistake with the ‘Type 2’ / 9Nu4 objection is indeed much higher than their Chair first stated to Parliament, and they continue to accept – as they did from the start – that they will have to write directly to everyone concerned.

HSCIC’s acceptance that individually-addressed letters are necessary is to be welcomed, not least because it shows some lessons may have been learned from the previous history of NHS England’s care.data fiasco. But to avoid a repeat of previous communications disasters – including the junk mail leaflet and widespread confusion between care.data, the Summary Care Record and local direct care data-sharing initiatives – lessons from 2014 must not only have been learned. They must be seen to be learned.

As last year clearly demonstrated, there can only be one patient communications programme going ahead at a time, and it must be carefully coordinated with any and all other existing data-sharing programmes.

As NHS England Director for Patients and Information and (interim) SRO for care.data, Tim Kelsey, has washed his hands of any responsibility for this latest screw up, this is a clear opportunity for HSCIC to lead and demonstrate itself to be the reformed agency that it is striving to be, absent any interference from NHS England.

What needs to be done?

Dame Fiona Caldicott has articulated a number of tests and questions for the care.data programme as a whole. It would therefore make sense, as a starting point, to apply these to any proposed communications intended to correct the current consent catastrophe. Some tests (e.g. those in section 5, relating specifically to the care.data pathfinders) may not apply directly, and other tests may need to be added, but the as-yet-unanswered questions on the substance of what patients are told – and how it will be made true – continue to apply across the board.

The ‘Type 2’ correction cannot be implemented as a postcode lottery; it must be national, for all affected patients at once. And, unless Mr Kelsey’s promises of “no arbitrary deadline” are untrue, the care.data pathfinder process can happen after the national re-contacting has taken place. (And, if done as we suggest below, at no additional overall cost to DH and the public purse.)

As medConfidential has repeatedly stated, the SRO for the 9Nu4 correction programme – as for all large-scale patient data programmes – must be someone who is subject to GMC regulation.

A process to respect patient choice

A letter must be sent to each affected patient, the content of which should go through a similar consultation process to the one which NHS England stated it would follow for any revision of care.data – though HSCIC should do a better job of actually listening to advice and suggestions.

Given the need to rebuild public confidence, and out of an abundance of caution, letters must be sent to everyone who has expressed a consent preference, whether that was 9Nu4 (‘Type 2’), 9Nu0 (‘Type 1’) or SCR. The bungled communications last year resulted in many patients being given the wrong forms, and it is reasonable to assume that someone who doesn’t want their data to leave their GP practice to be shared for direct care purposes is unlikely to want it sold on for ‘secondary uses’.

Critically, the state of each patient’s ‘consent settings’ immediately before the letter hits their doormat must be as safe as possible. This may involve the introduction of a new code or codes, but the defaults must be set to respect patients’ existing choices.

The communication materials themselves must clearly and accurately reflect what happened, how it has been addressed, and what will happen going forwards. Unambiguous promises must be given to patients around secondary uses, consent and notification. (This may be a good opportunity to introduce personalised data usage reports to a group of data-concerned patients, trialling the process and explanation ahead of a wider communication.)

The letter should provide each patient sufficient information and clear choices to be able to arrive at one of the following 3 outcomes:

  • NO FURTHER ACTION BY PATIENT [DEFAULT] – implement what patients were told would happen last Jan/Feb, i.e. opt out of secondary uses of their data collected from anywhere across the NHS, with no impact on their direct care. This would require our Spine proposal to be implemented.
  • ACTION: Patient has changed their mind – opt them back in for secondary uses of their data collected from places other than their GP. Unless patient gives explicit consent, do not override any other settings, e.g. 9Nu0 or SCR. This would most likely be a subset of those who opted out of SCR, whose decision was inferred as a precaution.
  • ACTION: Patient wants the ‘full 9Nu4 opt out’ – apply the opt out as 9Nu4 was (mistakenly) specified, i.e. HSCIC cannot pass on patient’s data, even for direct care. This is likely to be for a very small number of patients, but the option is clearly important to some people.

“No action” must be the default, and the default must continue to be safe and in the patient’s best interests, i.e. a system-wide consent option on the Spine, respected by all care providers.

It is important these choices are not merely expressions of choice, but immediate and effective realities. Patients whose trust has already been abused should not have to wait a further year for their decisions to be enacted. Ideally, this would be able to be reflected in a personalised data usage report for each patient, so they can see that – this time – their wishes have been properly respected.

Moving forward with care.data (or its successor)

Only once the ‘Type 2’ correction process has been completed – letters have been sent, patients have been given time to act, and their consent choices have been enacted – can the care.data pathfinder process restart.

Those in the pathfinder practices who have not been sent a letter as part of this process can then be sent a letter and opt-out form for care.data and all secondary uses. (These letters may be modified based on any further lessons learned from the ‘Type 2’ process.) Because only those patients who have not already opted out will be written to as part of the ‘new’ opt-out process, people will not be asked to opt out of something they’ve already opted out of.

It also means that the cost to the public purse of the programme as a whole should be almost identical to what NHS England currently proposes. The same number of envelopes will be posted (which is the vast majority of the cost) but there will need to be some more meetings to design the two sets of communications, not one – to ensure that what everyone is told is completely consistent. And true.

In the meanwhile, rather than rushing into the extraction of data that may not even provide the benefits claimed, care.data can be revisited, future needs properly identified and the many flaws in the design of the current programme can (hopefully) be corrected. And proposals to reduce the number of individual-level data flows can continue to be applied.

While it looks like the projection of over a million people having opted out will prove correct, it should be remembered that only 29% of people asked at the time had received a leaflet and nearly half the population was still unaware of the scheme at the point it was “paused”. Opt-out rates across the country are likely to be significant, and NHS England cannot afford to cause yet another collapse in public confidence.

This time, there is no option but to do it right.

Will opting out affect the care you receive?

NHS England is very clear, even now: “…this will not affect the care you receive.”

However, displaying their all-too-familiar lack of attention to detail, there currently is a problem – a mess they’re leaving someone else to clean up. That’s no surprise in the ongoing care.data fiasco. The surprise this time is just how badly they cocked it up.

Due to a mistake with one of the objection codes*, everyone who opted out with it will need to be contacted to confirm the details of a new, as yet unspecified, arrangement. Opting out now should mean you are contacted in that group.

If you did opt out last year, NHS England is at least correct in saying that your direct care has not been affected. As of now, none of the opt out codes have been extracted and the care.data programme has taken no information from your GP’s systems.

But because the codes have not been extracted, HSCIC has no way to know whose data to prevent passing on to its customers. Data releases resumed last summer; you can see the organisations which have received data in HSCIC’s quarterly Data Release Register.

Unfortunately at this point no-one, including HSCIC itself, can tell you if your data has been released – which is one example of why we’ve been pushing for personalised Data Usage Reports. With those in place, you would know.

We are working hard to ensure that your opt out is honoured, and that it does what you were told it would do – by us, and by NHS England.

medConfidential believes that wanting to preserve your privacy in the NHS should not exclude you from digital services in the NHS. Anyone who attempts to claim otherwise is blackmailing patients. Again.

*We were shown details in a letter, a couple of minutes before we gave evidence to the Health Select Committee on the 21st January. We suspect NHS England knew some time before then, as the ‘Type 2’ opt out codes had originally been scheduled to be uploaded last autumn.

NHS England posted ‘Important information on data sharing opt out’ at 17:24 on Friday 23rd January. Unfortunately, while the title of its announcement isn’t limited to just the care.data programme, all of the salient bullet points are. Its use of the phrase “the opt out” (not opt outs) is far from reassuring, and signals an imminent attempt to re-write history and break promises.

You will note NHS England’s announcement omits to tell you what you’ve just read in this post.

We will post more details as we have them on our blog, and in our next newsletter on 30th January.

medConfidential response to NHS England response to Sky News NHS security story and research by the Oxford Internet Institute

NHS England is still trying to justify in 2015 what it tried to sneak through in 2013. Has it learnt nothing?

Disclosure: Sam Smith of medConfidential sits on the Privacy Advisory Group for the Office of National Statistics’ (census replacement) Beyond 2011 & Big Data programmes, of which the expert academic at the Oxford Internet Institute interviewed by Sky News is also a member.

 

Does the database exist?

NHS England: “firstly, there is no database of information for the care.data programme yet”
NHS England: “confirmed that pilot schemes are starting again”
NHS England: “To access the data collected as part of care.data, applicants will need to…”

NHS England itself acknowledges, on a page named “our plans”: “for example, the hospital episode statistics (HES) service has been collating administrative information since the 1980s about every hospital admission funded by the NHS.”

So there are existing databases which are vulnerable to these problems, and a new database is being built; it’s just not been built yet. (The ‘new’ specification in 2015 appears to be the same care.data specification from 2013 – with various ‘mistakes’ covering HIV, HPV, and AIDS codes corrected.)

Aspects of the existing data services are as concerning, if not more so, than the care.data proposals.

 

A statement and briefing were provided to Sky by NHS England ahead of broadcast

On Thursday evening, NHS England contacted medConfidential, having seen our tweet, to say they had commented to Sky News. But, as of Monday, the Sky News piece still contained no attributed quote or statement from NHS England. It has a quote from the programme director at HSCIC, not NHS England.

We don’t know the ins and outs of exactly who said what to who when but, yet again, it seems that NHS England is hiding behind another government body – the Health and Social Care Information Centre – to provide justifications that do not speak to the full consequences of its own future proposals.

HSCIC is a “creature of statute”, a body which in law may only do things as Directed, including by NHS England. NHS England is the puppeteer cowering behind the curtain, insisting the puppet’s the one at fault.

 

“this would be a criminal offence”

While ‘hacking’ into a database of medical information would indeed be a criminal offence, it is rather beside the point. It’s the ‘Hollywood scenario’ of a remote attacker defeating NHS England’s defences with cunning from their back bedroom, or North Korean data terrorists launching an attack.

What is far more relevant is that copies of the data (HES, etc.) have been sold [1] to a whole range of organisations and companies, many of which continue to receive data. And there are no criminal sanctions for misuse of the data by the recipients or data breaches, which – despite previous denials [2] – we now know there have been [3].

NHS England is quite clear that confidential data is already being sent to places: “confidential data is always encrypted whilst in transmission and the secure networks used to transfer data are regularly tested and monitored for any vulnerabilities”. (Unless David Cameron succeeds in outlawing it, as he proposed last week.)

In the case of the Sky News piece, the researcher acted entirely ethically and correctly in using the information provided by the journalist – who had given full and informed consent, and was clearly aware of the risks. Those who would rather continue the status quo and placate, rather than inform, the public are less likely to explain all of the risks and mitigations to a journalist. And highly selective ‘explanations’ do not give the full picture.

Given the continuing distribution of 25 years of hospital records – over 1 billion dated events – this research identifies both the grave risk to the medical privacy of the country, and the continued wilful ignorance of NHS England.


1) On a “cost recovery” basis.
2) On BBC Radio 4’s Today programme, 4 February 2014, Tim Kelsey claimed “in 25 years there has never been a single episode in which the rules… have ever compromised a patient’s privacy.”
3) HSCIC’s FOI response on 7 April 2014 lists a data breach in every year from 2009 to 2012; HSCIC holds no records from before it was formed in 2005.

 

Where does the data go?

NHS England: “To access the data collected as part of care.data, applicants will need to go through an approvals process and then, during the pathfinder stage, can only see it in a secure data facility (SDF). During pathfinder stage, access applications will only be accepted from select organisations and there is a robust security procedure in place when the applicant visits the SDF.” [our emphasis]

The crucial point being, what about after the pathfinder stage? Where will applicants be able to “see” the data then?

Will NHS England revert to current practice, as for HES and other data, and permit copies of the data to be sent out? There’s little point constructing a “secure data facility” if it is not then used for all future access to the data.

If all NHS England will promise is to keep patients’ data in the SDF “during the pathfinder stage” then it is just a temporary safeguard, which can be removed for the full national roll-out.

So why won’t NHS England promise that patients’ data will always be kept in the secure data facility? It clearly wants to keep its options open – but if the intention is for data to be accessed in other ways in future, why aren’t patients and GPs being told? Given NHS England’s track record of miscommunication, trumpeting what actually amounts to a tightly time-limited conditional safeguard does very little to inspire confidence.

 

“NHS to carry on selling patient records to insurers” – Telegraph, 27 November 2014

NHS England: “credit rating agencies or health insurers would not be granted access to the NHS’ secure data facility where the information will be held.”

This may sound pretty definite, but can NHS England cite the precise part of legislation which provides the same level of certainty as that statement? We doubt it, because it has never previously been able to do so. NHS England argues the claim on the Telegraph front page was false, but has never provided any evidence to support its assertions. And we’ve asked, repeatedly.

In fact, the law remains mute on the types of companies that may have access to the data – it concentrates on uses – and the undefined phrase “for the promotion of health” leaves open loopholes for data access that even McDonalds or Big Tobacco might use. (Regulations that might begin to address this, for the Care Act passed in May, are still unpublished.)

 

Misunderstanding the ‘birthday attack’

PharmaTimes: “NHS England said the suggestion by Sky is incorrect, saying the likelihood of being able to identify an individual ‘is negligible’”

NHS England is again misleading the public.

As an analogy, if you consider a classroom and pick two children at random it is highly unlikely – 1 in 133,225 (i.e. 365 x 365) – that they will both have a specific birthday. But if you walk into that same classroom of 23 children or more and ask “Do two of you share a birthday?” then the chances are better than 50-50 that the answer is yes.

Example 1: Know someone who had a heart attack?

Presume someone you know has had a heart attack.

NHS England has 181 A&E departments [4] handling England’s 386 heart attacks per day [5], so each A&E receives, on average, 2 heart attack victims per day. Which, even without any other information, gives a 50% probability of spontaneous identification of a victim whose hospital and date of event are known (neither should be sensitive on its own). As the OII research into the Sky News journalist argued, that is information that gets tweeted, as it is ‘not sensitive’.

Because the data is linked over time – ‘longitudinal’, to use the proper statistical term – discovery of a single medical event would mean you can use that pseudonym to link back to all of that person’s other medical events, because “the pseudonym is allocated to the record instead” (NHS England).

It doesn’t matter what the pseudonym is or what form it takes, what matters is that it links the records. The information associated with the date of the event is what gives you the link to a victim, not the NHS number or pseudonym.

NHS England is therefore being disingenuous when it says “once a patient’s record has been matched, the information that could identify a patient is removed and the pseudonym is allocated to the record instead” and that pseudonyms can be converted back to the original identifier “only by using the specific encryption key that created the pseudonym” and this is “only ever disclosed in very exceptional circumstances”.

Of course NHS England does not disclose the original identifier (NHS number). The key point that the researcher made, and that NHS England missed or continues to wilfully ignore, is that this is completely irrelevant.

And it shows that NHS England has learnt nothing from the concerns of the last year.

In February 2014, David Davis MP argued that knowing the dates he had his nose broken (due to media attention) would mean his entire medical record could be identified. NHS England has never refuted this argument with substance.
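The check below is an added example, not part of the original post or any NHS or HSCIC code: a disclosure-risk audit a data controller could run before release, showing how many people share each publicly learnable event and how much history the pseudonym then links. The rows, the `OBSERVABLE` set and all function names are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample rows, not real data: (pseudonym, hospital, date, event).
EVENTS = [
    ("P01", "HOSP-A", "2014-03-02", "heart attack"),
    ("P01", "HOSP-A", "2011-07-19", "outpatient visit"),
    ("P01", "HOSP-B", "2009-01-05", "fracture"),
    ("P02", "HOSP-A", "2014-03-02", "heart attack"),
    ("P02", "HOSP-A", "2012-11-30", "maternity"),
    ("P03", "HOSP-B", "2014-03-02", "heart attack"),
    ("P03", "HOSP-B", "2013-06-11", "chemotherapy"),
    ("P03", "HOSP-B", "2010-02-14", "fracture"),
    ("P04", "HOSP-A", "2014-03-03", "elbow injury"),
    ("P05", "HOSP-A", "2013-09-09", "chemotherapy"),
]

# Assumption for this example: event types whose hospital and date an
# outsider could plausibly learn (local news report, social media post).
OBSERVABLE = {"heart attack", "elbow injury"}


def linkage_risk(events, observable=OBSERVABLE):
    """Per pseudonym: (people sharing its rarest observable event,
    number of events the pseudonym links together)."""
    sharers = defaultdict(set)   # (hospital, date, event) -> pseudonyms
    history = defaultdict(list)  # pseudonym -> every linked row
    for pseudonym, hospital, date, event in events:
        sharers[(hospital, date, event)].add(pseudonym)
        history[pseudonym].append((hospital, date, event))
    risk = {}
    for pseudonym, rows in history.items():
        sizes = [len(sharers[r]) for r in rows if r[2] in observable]
        if sizes:  # people with no observable event are left out
            risk[pseudonym] = (min(sizes), len(rows))
    return risk


def repseudonymise(events, key):
    """Swap every pseudonym for a 64-character keyed digest (HMAC-SHA256)."""
    def new_id(pseudonym):
        return hmac.new(key, pseudonym.encode(), hashlib.sha256).hexdigest()
    return [(new_id(p), h, d, e) for p, h, d, e in events]


def risk_profile(events):
    """The risk figures with the pseudonym labels stripped away."""
    return sorted(linkage_risk(events).values())


if __name__ == "__main__":
    for pseudonym, (k, linked) in sorted(linkage_risk(EVENTS).items()):
        print(f"{pseudonym}: rarest observable event shared by {k} "
              f"pseudonym(s); {linked} event(s) linked to it")
    longer = repseudonymise(EVENTS, b"constructed-key")
    print("same risk with longer pseudonyms:",
          risk_profile(longer) == risk_profile(EVENTS))
```

A class size of 2 corresponds to the 50% case described above; a class size of 1 means the dated event alone singles out the record, whatever the pseudonym looks like.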


4) DH count. See https://www.whatdotheyknow.com/request/131933/response/325271/attach/3/Annex%20A%20Final.pdf 
5) 141,000 per year in England: https://www.bhf.org.uk/publications/statistics/cardiovascular-disease-statistics-2014

Example 2: Women with children

NHS England seems to believe that your children’s birthdays are secret.

For example, by the HSCIC’s own rules, in HES the date and code for “Birth date – baby” is deemed identifiable, but the date and code for “maternity: where the baby was delivered” is not [6]. These are the same event, stored twice, but treated as if they are entirely different. Removing only one of them does not magically turn HES into non-personal data, and HES contains dozens – if not hundreds – of such fields.

Similarly, a family is identifiable by knowing the birthdays of the children. For a family of 2 children, there is a 90% likelihood that the birthdays of the two children are unique. For a family with 3 children, the children’s birth dates are almost certainly a unique identifier for that family in the country, tracked via the mother’s medical history.

On average, one set of twins is born in each maternity hospital in the UK per day. There are just 208 triplets born in the UK per year, i.e. fewer than one per day. If you know the birthdate of a triplet you could therefore read off the entire medical history of the mother via that single event.


6) For a single illustrative example, see HSCIC HES inpatient data dictionary, page 11, field: admimeth (and many, many others). This is only one method of delivery, others are equivalent.

Example 3: Who gets chemotherapy?

NHS England repeatedly argues that its care.data programme is necessary because “the NHS isn’t capable, currently, of telling you how many patients are undergoing chemotherapy, for example”.

In fact, the vast majority of chemotherapy is delivered in secondary, not primary care. Extracting data from GPs’ systems would provide no more information than is (or should already be) gathered from the actual providers. If you want to know who is receiving treatment, the most sensible choice is to go to the source of the treatment.

And to count the number of people, it is simply not necessary to know who they are – a count of unique identifiers is enough. NHS England is mandating the use of NHS numbers by care providers, and that mandate is in the process of being passed into law.

To count people, you need to know only that you’re counting non-duplicate entities. It does not matter whether you use names, physical people or their pseudonyms (e.g. telephone number, NHS number, or an arbitrary pseudonym).

Example 4: Don’t get into an accident

Relatively minor medical events of those in the public domain are often reported – how many women of a particular age reported to a particular hospital with an elbow injury, for example, the day that Nick Clegg’s wife broke her elbow in 2010, just before the general election? [7] – and even the most private of individuals can find themselves in the newspaper due to an accident.

Standard journalistic practice means that accidents reported in the local press will include the date of the event, a person’s name and age, along with the area of town – in some cases even the road – where the victim lives. Such reports usually provide enough information for an informed guess at likely diagnoses, which can then be matched with a particular incident. (With regard to example 2, the same would be true of someone announcing the birth of their triplets on Twitter or Facebook.)

An experiment by Professor Latanya Sweeney of the Harvard Data Laboratory starkly demonstrates the risks of matching within ‘de-identified’ data, i.e. data where some identifiers have been removed, rather than being replaced by pseudonyms.

Taking the US equivalent of HES – de-identified public hospital records for a state – and using articles in local news reports giving an indication of types of injury, her team was able to confirm that merely by being involved in an incident where you were taken to hospital, it was routinely possible to match to the victim’s entire hospital history, and discover details that even the patient had not told the hospital directly, but which had been discovered from their medical profile.

When contacted by the project, patients were horrified to find they could be identified and have their medical history exposed from the data made available.


7) https://www.google.com/search?q=nick+clegg+wife+election+elbow+broken

 

Pseudonyms

Identification isn’t just about finding someone’s name; it’s about linking an individual’s data records together so that you can learn things about them. If I know your home address, gender, date of birth, hair colour, eye colour, weight and telephone number, it doesn’t matter how many characters are in your database’s pseudonym – what matters is that I, and my data, can be (re)identified.

NHS England’s argument is bureaucratic obfuscation. It’s like saying that having a phone number doesn’t tell you who someone is and then blaming the patient for answering the phone with their name.

Or in another analogy, it’s the sort of approach that insists you have to know the name of the bug that bit you in order for it to matter. We don’t have many small poisonous bugs in England, but other places do. Small creatures have many names; they have their Latin classification, they have names in English, and in local areas they have names in local languages, etc. In short, they have many pseudonyms – but it’s all the same bug.

If you’re bitten by a poisonous bug, the sensible medical approach doesn’t care about its actual name but rather, by asking questions about its attributes – what colour was it? was it spotty or stripy? how many legs? any wings? – the care provider can work out the appropriate treatment. The name really doesn’t matter; what you care about is the antidote, a name you will care about far, far more! At best, whatever the bug is called may be a link between looking it up and how you cure the bite – but you really don’t need the name.

Attempting to make this all about pseudonyms seriously misses the point. The real problem is the linked individual-level data that the NHS has treated so egregiously badly in the past, and which, with this argument, NHS England appears to want to continue treating that way.

In 1989 this was all new, and difficult. In 2015, there are no excuses.

 

In summary

NHS England’s scenario: “In the extremely unlikely event an individual was able to ‘hack’ the system, they would need the encryption key to convert back the coding” is a diversion.

The point is not that one can infer an individual’s identity from the linking pseudonym – taking the “100 character” pseudonym to “convert back the coding” – it’s that there is so much other data in the file that you don’t have to.

As detailed above, in the ‘Hollywood Scenario’ the chances of someone arbitrarily picking a row in a dataset and knowing who it is are slim. But, as PharmaTimes suggests, that’s the imaginary plotline for a movie, not real world protection of patients.

Can NHS England tell the difference? We suggest they listen to the experts who can.

NHS England has given no assurances regarding dissemination of the rich, dated, linked data beyond the ‘pathfinder’ stage of care.data. As the researcher at OII and our by no means exhaustive examples show, using widely-available other information there are many ways to identify people’s medical records in such individual-level data – regardless of whether it has been pseudonymised (or de-identified).

That NHS England continues to try to mislead the public on this fundamental point in 2015 suggests the “pause” it took to “listen and understand” public concerns throughout 2014 was not enough. Continuing to hold onto and propagate the fantasy that pseudonymisation makes the possibility of re-identification “negligible” is either naïve or incompetent.

We’re not quite sure what’s worse.

Towards protecting data in secondary uses

Last summer, the Department of Health consulted on a programme called “Accredited Safe Havens” (ASH), an idea by which individual level medical records could be transferred somewhere (an ASH) for certain reasons.

While research needs clear individual level data for some applications (because while researchers research a topic, they don’t know the precise question – if they did, it wouldn’t be research), for the two other main uses, risk stratification and invoice reconciliation, there are alternative approaches available which don’t need to transfer millions of individual level records.

In our response to the DH consultation, we summarised those approaches rather briefly, with various grey areas.

Updated 2018: The various discussion documents are now available directly:

  1. An introduction to the approach
  2. Risk Stratification
  3. Invoice Reconciliation (2018)
  4. Invoice Reconciliation (2015)
  5. Invoice Reconciliation for A&E (September 2015)

If DH/NHS England were to put any resources into this, there may be no individual level records that need to be transferred under provisional, interim governance, blanket authorisations that have been renewed “temporarily” since 2013.

We’re also giving evidence to the Health Select Committee tomorrow, and put one new idea into our submission as an annex: “CLASSIFIED when completed”: Which needs better protection – official memos, police witness statements, or all our medical records?

Early January Update

IIGOP Annual Report

Following its care.data report at the end of last year, the 2014 Annual Report of Dame Fiona Caldicott’s Independent Information Governance Oversight Panel (IIGOP) was published in early January. Amongst other things, it says:

In summary, the goal should be a state of information governance in which the following proposition prevails: “Organisations have no hiding places, the public have no surprises.”

But with good progress having been made on just six of the year-long Caldicott2 Review’s 26 recommendations, the IIGOP is forced to conclude:

Unfortunately the cultural change that we called for [in 2013] in relation to information governance has only emerged in parts of the system.

The annual report goes into some detail on care.data in Chapter 3, noting:

The unintended consequence of care.data was a positive cycle of change, with greater public interest causing organisations to respond with greater transparency and stronger information governance.

But, worryingly, on consent across the health and care system:

IIGOP welcomes the Secretary of State’s enhancement of the “right to object” in the care.data programme, but calls for a more consistent approach. It is not reasonable to expect the public to understand objections and “opt outs” if there are different rules for different programmes. This remains unfinished business.

Over the next few weeks, we will see whether the Government and NHS England are moving towards that goal – or whether they’ve been hiding more surprises for the public later in the year.

Meanwhile, Healthwatch England “found disturbing evidence of the harm caused by failure to share information appropriately. The inquiry focused on the experiences of older people, people with mental health conditions and people who are homeless.”

The findings, summarised on pages 17 and 18 of the annual report, are especially horrifying due to the impacts on the direct care of patients – a missed opportunity cost due to the care.data programme:

Public opinion research has shown that most patients want any healthcare professional who treats them to have secure electronic access to key data from their GP health record. Most were surprised that emergency care doctors do not have automatic access to records, and concerned that lack of access may lead to delays in treatment and fatal errors. The public’s main concerns about the use of information about them were suspicions around usage creep, lack of personal benefits and loss of data.

As medConfidential has always said, there need be no conflict between good ethics, good data handling and good medical care.

A Statutory Data Guardian?

We had hoped that, as the Secretary of State said would happen, the National Data Guardian – providing independent, overarching information oversight for the entire health and care system – would be put on a statutory footing “at the earliest opportunity”. That opportunity was last Friday, but the Secretary of State failed to meet his commitment.

As we now discover from the IIGOP’s Annual Report, this is just one example of what happened without a strong oversight body:

NHS England communicated the proposal in a leaflet that was supposed to be delivered to all homes across England in January 2014. A copy of the intended leaflet was sent to IIGOP shortly before the quarterly meeting of the panel on 9th December 2013. On the following day IIGOP advised NHS England that its leaflet was not fit for purpose, but was informed that it had already been sent to the printers and would not be recalled.

Last Friday, Jeremy Lefroy’s Private Member’s Bill reached its final stage in the House of Commons, and has now moved on to the Lords. When the NHS Number is used beyond the NHS, its wider use as a lifelong identifier for every person in the UK will also never be recalled. We wrote a briefing on this issue when it first raised its head.

 

Anniversary

2015 marks 10 years since the dodgy deal between the (then) NHS Information Centre and Dr Foster Ltd – a period during which, as we now know, less-than-optimal decisions were made.

One quote in the Public Accounts Committee’s report that sounds entirely familiar from the care.data fiasco a decade on:

At the outset there was an urgency to complete the deal with Dr Foster Ltd, and in negotiating the joint venture the roles and responsibilities of the Department’s advisors were sometimes confused.

With echoes of the messy “IG Universe” picture that emerged last year, and with venture capitalists that now own bits of the private sector part of Dr Foster Ltd writing down their stake and seeking an exit, we see once again that – in the long term – routing round or failing to institute and apply proper Information Governance doesn’t help anyone.

Finally, as the 12 month mark approaches, we understand the Health Select Committee will continue its inquiry into care.data and the handling of NHS patients’ records shortly. Let’s hope that this time its members will be given full and frank evidence by all.

medConfidential Bulletin, 19 December 2014

What happened in 2014?

In January and February, following NHS England’s catastrophic junk mail leaflet campaign, we helped “stop” the nationwide rollout of the care.data programme – though NHS England denied that word until October – and got the “opt-out” fixed so that no data would leave your GP practice, rather than the fudge NHS England had tried to pull.

In March the government added amendments just as the Care Bill left the Commons for the Lords. Though intended to reassure the public, “the promotion of health” clause introduced a loophole for commercial users that’s yet to be fixed. April saw the publication of HSCIC’s first (incomplete) Data Release Register, revealing dozens of companies – not just insurers – had bought NHS patient data.

In May the government rejected Lord Owen’s amendment to the Care Bill that would have reinstated much-needed statutory independent oversight. By November the need for this was so critical that Jeremy Hunt appointed Dame Fiona Caldicott as National Data Guardian, a role to be made statutory “at the earliest opportunity”, barely 53 weeks after the IIGOP was formed.

Sir Nick Partridge’s Review of ‘historic’ releases by the Information Centre was published in June, confirming “significant lapses” – and ongoing use of the ‘National Back Office’ by the police to trace people. June also saw the Annual Representatives Meeting of the BMA vote for care.data to be opt-in. Over the summer, polls showed a serious “data trust deficit”, and suggested almost a third of GPs would opt their patients out.

In October, NHS England began to try to restart the scheme, announcing several ‘pathfinder’ CCG areas – though, as it turned out last week, it still hasn’t signed up GP practices in these areas. And just yesterday, the Independent Information Governance Oversight Panel asked rather a lot of questions, to which answers must be provided before the scheme can proceed.

Some good news

Firstly, and as we first raised back in February to the Health Select Committee, HSCIC is building a “secure data facility”, where those who are content for all their data to be used can have it used safely. A single locked-down source where legitimate, transparent and ethically-approved access can be properly managed and audited – rather than copies of millions of patients’ information being sent out – is also the safest way to ensure people who don’t want their data used can have it excluded. This isn’t just about care.data and your GP records, but about all your medical records, held in trust by the NHS.

 

Secondly, our proposal for Personalised Data Usage Reports is the mechanism for the HSCIC and NHS to report to each individual patient how their data was used, and for each individual to be able to know – rather than just have to trust – that their wishes have been respected. It can also show the good that has come from legitimate uses of data. Even safe and consensual uses of data must be transparent, and we have spoken to no bona fide researchers who ever thought otherwise.

 

These are both a good start. When they are in place, it’s possible a replacement could emerge from the wreckage of NHS England’s care.data debacle. Since the summer, its communications have fallen apart (again), the content has been criticised repeatedly by experts, yet there will (apparently) be “no changes to the specification”. Any attempt to revive care.data before safe and transparent data use has been seen by the public is likely to backfire.

And, in an unexpected footnote to an incredibly busy year, we were deeply honoured to be shortlisted for a prestigious Liberty Human Rights Campaign of the Year Award – a recognition that the work above has begun, but remains unfinished. We offer congratulations to Lord Low for winning the award for his defence of the Human Rights Act, and applaud the fantastic work of our fellow nominee, Police Spies out of Lives, in their fight against injustice. They deserve everyone’s support.

 

What next?

In the New Year, the Shadow Minister for Health has said the “Opposition will table an amendment on Report to ensure that the National Data Guardian is put on a statutory footing”. This clearly must be done right, and we look forward to seeing the detail of what the Opposition proposes.

 

In the same debate on Jeremy Lefroy’s Private Member’s Bill, Under-Secretary of State for Health Dr Dan Poulter told Parliament: “The National Information Board is working towards a whole system consent-based approach, which respects individual’s preferences and objections about how their personal and confidential data is used, with the goal of implementing that approach by 2020.”

2020 is a long way off, so we hope we don’t have to wait too long to see exactly what is being proposed – and what work will commence towards making data use across the NHS safe, consensual and transparent in the near future.

 

It’s Christmas…

We deeply appreciate every donation you give us and especially the messages you include with them, whatever the amount… £5, £50 or more. We know each donation is an expression of individual support for what we are doing and the good wishes that come along with that.

 

medConfidential is a tiny organisation, hitting well above its weight, but to keep going we have to find around £60k per year. If you are – or know – someone who could make a substantial contribution towards our operating costs, please do get in touch: coordinator@medconfidential.org

 

And finally, we wish you and your loved ones a safe, consensual and relaxing festive season.

 

See you next year… expect a busy January!
Phil Booth, Sam Smith and Terri Dowty
Coordinators past and present, medConfidential
19th December 2014