Category Archives: News

medConfidential Bulletin, 12 June 2015

chaos.data

Over a year ago, Ben Goldacre wrote “Care.data is in chaos. It breaks my heart”.

Absent explicit instruction from the Secretary of State, it is now clear that NHS England is just going to keep on making the chaos worse. 16 months after it was “paused”, care.data is resurfacing in a way that gives some insight into the shambolic mess it is still in.

This Wednesday, after Blackburn with Darwen Healthwatch announced then withdrew (footnote 2) its announcement, Blackburn with Darwen CCG announced it is “ready to start” sending out patient communications “at the end of June”. But NHS England is nowhere near ready; vital preconditions for a restart – not least honouring the choices a million patients made last year – have yet to be met.

NHS England remains mute on Dame Fiona Caldicott’s 27 areas of concern and there’s ‘missing’ legislation: Directions defining how patient opt-outs must now work; Directions fixing the broken 2013 definition of the programme; Regulations to guarantee vital safeguards, including ‘one strike and you’re out’ sanctions for misuse of patient data, and closing the ‘McDonald’s loophole’ (p6) that legitimises a wide range of “commercial re-uses” of patient data. None of them in place.

It’s utter chaos. But to proceed without honouring a million patients’ existing opt-outs – not just to stop their information being extracted from their GP record, but stopping their hospital data from continuing to be sold for uses other than their direct care – would be a breach of trust on an unprecedented scale, breaking supposedly unconditional promises that Jeremy Hunt gave back as far as April 2013: “We will respect them” (timecode 13:30)

If their intention is to “regain public confidence”, the Secretary of State and NHS England are going about it in the strangest way. NHS England might claim to have been “listening” but, if it has, why is it wilfully ignoring a million patients’ concerns and express wishes?

The clock will start ticking again from the moment the first care.data letter is sent out – not the first data extraction, as some officials would have you believe. And at this point, having broken a million promises, what possible basis does NHS England think it has to ask patients to trust it with their most personal information?

What can you do?

medConfidential continues to push hard for everyone’s confidentiality and consent to be respected. Every use of your medical record must be consensual, safe and transparent. And be assured, we are taking this fight to the highest level – but we need your help.

The first thing you can do is tell your friends and family. If you are reading this, you are clearly paying attention – but many others simply won’t know anything about what’s going on. It’s been well over a year since care.data was “paused” and the vast majority of people probably think it was stopped for good. If nothing else, please forward a copy of this newsletter by e-mail to the people you know and care about.

Please keep posting links to medConfidential’s News feed: https://medconfidential.org/news/ on Facebook or Twitter if you use them, or forums and other social media. If you happen to know anyone in one of the four care.data “pathfinder” areas – that’s Blackburn with Darwen, Somerset, West Hampshire or Leeds – or if you know someone who does, please make sure to get in touch and tell them.

N.B. Given news in the medical press and papers this week about a more localised “care.data-like” scheme in Southend, please tell anyone you know in Southend as well. We’ll provide more details as we get them.

And finally, please take the time this evening or this weekend to write to your MP. The quickest and easiest way to do this is via https://www.writetothem.com/ – and it is particularly important to write if your MP was newly elected in May.

medConfidential has already written to all newly-elected MPs to tell them about the issue, but they need to hear about it from their constituents. And the message that needs to come across loud and clear to every MP right now is: “Opt-outs must be honoured. Trust is being actively damaged (again). Don’t let NHS England make any more mistakes.”

We cannot tell you exactly what to say – it’s actually far better if we don’t, and your letter will have far more impact if you write in your own words – but please write as clearly and concisely as you can about your concerns. If you have opted out, do make sure to ask your MP to ask the Secretary of State when he is going to honour his promise and ensure that your opt-outs are actioned and respected. Even if he or she does not agree with you, your MP should pass on a specific question to a Government Minister when asked.

What’s next?

We await answers from the Commissioning Board (i.e. NHS England) about its re-issued care.data Directions, to replace its broken Directions from 2013. We highlighted significant problems before its last board meeting and the Board’s Chair said he will write to us. He hasn’t yet.

We await sight of Directions from the Secretary of State about ‘Patient Objections’ – the legal definition of how the opt-outs must work, on which NHS England’s Directions depend. HSCIC’s Board is scheduled to consider these in July, but that is after Blackburn with Darwen CCG says it could start contacting patients.

We await publication of the CAG (Confidentiality Advisory Group) Regulations, themselves now delayed for almost a year. Will they contain all of the promised safeguards and, crucially, a clearer definition of the deeply controversial “promotion of health” purpose that perpetuates the sale of patient data to Pharma marketers and other commercial interests?

We await public answers to Dame Fiona Caldicott’s 27 areas of concern but, even more importantly, we are still waiting for the Office of the National Data Guardian to be put onto a proper statutory footing “at the earliest opportunity”, to reinstate the independent information governance oversight abolished by the Health and Social Care Act 2012. Dame Fiona’s advice has been ignored by NHS England before.

We await the re-establishment of the Health Select Committee, and (hopefully) the re-opening of its Inquiry into the ‘Handling of NHS patient data’. Questions have already been asked in the Lords; we sincerely hope the Commons will demand answers about the continuing chaos too.

And finally

We are very grateful for all the support we receive – not just money, but the information people provide and the actions you take. Our thanks to all those who got in touch after our last newsletter; we’ve been a bit busy(!) but we will be contacting you shortly, with some specific requests.

medConfidential is still unfunded. We have submitted grant applications, and hope to hear back on the first of them by the end of the month. But for now we are doing this because we have to.

Last year, amongst other things, we helped hundreds of thousands of people opt out, believing no Government or arm’s-length body would be so stupid or arrogant as to break the promises that had already been made. medConfidential’s promise may have been implicit – “We’ll make sure this works” – but we, unlike some, stick to our promises. So we fight on.

If you can afford to make a donation, please do:





Phil Booth and Sam Smith
medConfidential

12th June 2015

[PRESS RELEASE] care.data restart announced

The restart of NHS England’s hugely controversial care.data scheme was announced on Wednesday afternoon, 10 June. Patients in one of the ‘pathfinder’ CCG areas (Blackburn with Darwen) may begin to be sent care.data “communications” [1] in as soon as two weeks’ time.

2015-06-10 BwD Healthwatch update

The “Update” on the Blackburn with Darwen Healthwatch website [2] states:

Blackburn with Darwen will be ready to start fair processing (the time patients have to make a decision whether to opt out) at the end of June; Somerset and West Hampshire wish to start at the beginning of September.  Leeds have not confirmed when they will commence testing communications but are also working towards the beginning of September.

It goes on to point out that:

Formal accountability for proceeding with the Programme sits with the SRO (Senior Responsible Officer), Tim Kelsey.  Dame Fiona Caldicott will express her view of the safeguards and arrangements in place to the Secretary of State and this will be taken into account by Tim and the Programme Board.

From the moment that “communications” begin to be sent out in each area, patients will have a limited amount of time to decide whether they wish for their identifiable medical information to be extracted from their GP record, or whether they want to opt out [3]. The Update indicates that patient data could begin to be extracted “between September and November”.

This announcement has been made despite that fact that nearly a million [4] patients who opted out of the scheme over a year ago have not yet had their opt-outs actioned, while their hospital data has continued to be sold to third parties – including for “commercial reuse” [5].

Phil Booth, coordinator of medConfidential, said:

“It beggars belief that care.data should be restarted before the serious outstanding problems with the scheme have been fixed and, just as importantly, been seen to be fixed. The shambolic mess that care.data has become must be cleared up before another single patient is contacted.

“What are the million patients who opted out last year supposed to think? Their objections have all been ignored, so why should they or anyone else trust a zombie data grab that hasn’t even got in place statutory backing for Jeremy Hunt’s guarantee to patients, or defined legal safeguards promised last summer?

“NHS England must make good on every opt-out, and demonstrate that every last promise and safeguard is in place, or it’ll show it cares more about getting hold of your most sensitive data than ensuring every use of it will be consensual, safe and transparent.”

Notes for Editors:

  • 1) The communications should include a letter addressed to each person over the age of 15 and three-quarters, an opt-out form and an information leaflet.
  • 5) Quarterly Data Release Registers from the HSCIC: http://www.hscic.gov.uk/dataregister show organisations provided with data in various forms since January 2014 include Experian, McKinsey & Co, General Reinsurance and a number of “information intermediaries” such as Harvey Walsh (which services pharmaceutical marketing clients as well as the NHS), NHIS Ltd and Dr Foster (recently acquired by a subdivision of an Australian telecommunications company).

medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

Will Jeremy Hunt ensure that “700,000” patient opt-outs are respected?

In our last newsletter we said there’d be more news soon. While this isn’t quite what we meant, it is very important indeed.

In the House of Lords last week, it was confirmed that Blackburn with Darwen will be the first care.data pathfinder area. Questions asked in the Commons about exactly when this would be remain unanswered.

From launching in six CCGs, as announced last October, care.data is now down to limping out in just one – and with the summer holidays rapidly approaching, sending out letters that may get mixed up with the pizza leaflets while people are away doesn’t seem all that sensible…

In the same Lords Debate last Monday, the Government confirmed that at least 700,000 patient opt outs have yet to be actioned – which prompted some media attention.

medConfidential will be writing to the Information Commissioner with a substantive complaint covering all of the relevant details and providing documentary evidence which won’t allow NHS England to blame HSCIC (or the ICO itself) for delaying everything for another six months.

The solution was outlined in our last newsletter. This is a solution which the Department of Health could authorise and begin this week if it wished, and which HSCIC could make retroactive from last April (i.e. ensuring that those who have opted out by the time the problem is fixed will no longer have their hospital data from last year sold on to third parties) via the “full-year HES” datasets which replace the ‘interim’ HES releases.

Bottom line: if you have concerns, and you haven’t done so already, our advice on opting out remains unchanged until the Department of Health or Secretary of State announces details.

We have not yet seen the Secretary of State’s ‘Directions on Patient Objections’, which could repeat NHS England’s flawed decisions about care.data, or choose another path – as we discussed in our last newsletter – and which would also satisfy Jeremy Hunt’s promises from 2013 (timecode: 14:20).

HSCIC may only do as it is Directed by NHS England and the Secretary of State / Department of Health, which is one reason why the ICO complaint requires exactly the right footnotes; to highlight the specific decisions and (lack of) responsibilities that have led to this mess.

Be assured, medConfidential is on the case and on top of the detail. Possibly more so than NHS England, it could be said.

To stay informed of progress, please join our mailing list. And don’t forget to spread the word – this affects your friends and family too.

medConfidential is a tiny campaign, fighting a huge fight on behalf of every NHS patient. If you can help us, please do.

Every penny received will be spent on averting the most appalling breach of confidence in NHS history and ensuring that in future every flow of patient data into, across and – most importantly – out of the NHS is consensual, safe and transparent.

medConfidential Bulletin, 1 June 2015

care.data’s big post-election question

Over 700,000 people are still waiting for a public announcement about what has happened to the opt-outs they made in 2014 – an announcement that was delayed “until after the election”.

Now the election is over, the Department of Health and its bodies have two choices. The first option is for them to write to every patient affected by their mistake, and say:

“We are very sorry. There was a mistake on our part, but we’re fixing it, and we will do what you asked: your medical records will not be used beyond your direct care. This process has now begun for hospital records, for maternity records, and for mental health records – including the data releases covering all of last year – and other parts of the NHS will meet the guarantee we made you as soon as possible. But, whatever happens, from today forwards you will be told everywhere your data goes, and why.”

They can make every single part of the above statement true, and (as a bonus) it would cost no more to do than what they’re planning on doing anyway. This would represent the NHS taking ownership of the problem, and promising to do much better in future – and being transparent about what happens to your data. You wouldn’t have to simply trust they got it right; you would be able to know what happened, and could make your own judgements.

The Department’s second option – the choice NHS England would like Jeremy Hunt to pick – is to make their invasion of your privacy your problem, and to transfer the complexity of knowing how the NHS works (this week…) from the Government on to you and every other patient.

They might send a different letter which talks only about your GP records as part of care.data, ignoring the information collected by every other care provider; a letter which offers a different opt-out from what you did last year, where you will have to call up or go to the internet for a second form [PDF] if you want to protect your hospital data; and, even if you already opted out, you will get a letter as if you hadn’t.

So the big question is, will Jeremy Hunt make it your problem that NHS England still wants to allow your medical records to be sold?

What happens next?

The Health and Social Care Information Centre will do whichever of those it is allowed to do. It can do either, but it doesn’t make the decision. That’s up to Mr Hunt, who will take advice from NHS England. So what’s it to be?

NHS England kept the opt-out problem secret for over a year – even while it was sending out the junk-mail leaflets last January / February, saying the choice existed. Then it hid the problem for another 10 months, before passing the buck to HSCIC last November without even telling them the size of the problem. (HSCIC told us they were working it out less than a fortnight later.)

Officials have now admitted the likely scale of the problem; we await news from Ministers on what they’ll do next.

The Directions approved “in principle” by NHS England’s Board last Thursday suggest communications could go out to patients as soon as this month, once HSCIC has published the updated ‘clinical code specification’ for the data that will be extracted from your GP record. So it appears NHS England is expecting to do a number two – making your medical privacy your problem, not theirs. Have they learnt nothing?

Live in Somerset, West Hampshire or Blackburn with Darwen? You’re up first…

The Schedule (p5) to the Directions considered by NHS England’s Board last Thursday excluded the three Leeds CCGs, previously announced to be participating as pathfinders. Presuming this wasn’t just a typing error, GPs and patients in Leeds can relax a bit. For now.

However, if you live in one of the other three pathfinder areas listed above, NHS England has decided you’ll be the first guinea-pigs for its ever-more-complicated zombie data grab.

No list of participating GP practices has been published as yet, but as the summer holidays are rapidly approaching please do let friends, family and colleagues know they should be on the alert, e.g. by forwarding them this newsletter, or encouraging them to subscribe – it’ll take less than a minute.

While medConfidential believes and has said it would be a big mistake for NHS England to start sending out patient communications over the summer, they do have form for ignoring sound advice

We have a couple of questions which would benefit from some local knowledge. If you fancy helping us out, please e-mail coordinator@medconfidential.org and we’ll let you know how you can help.

Unless you live in an affected area, there’s no substantive action for you in this newsletter; there will be next time.

Phil Booth and Sam Smith
medConfidential

1st June 2015

(Apologies to those who received the Bulletin by e-mail – we forgot to update the date in the footer, so it read 1st April, not 1st June as it should have.)

It’s OK to ask

Today, on International Clinical Trials Day 2015, medConfidential welcomes the National Institute for Health Research’s ‘OK to Ask‘ about research campaign.

As an advocate of research patients, NIHR is enabling its primary mission in a safe way. ‘OK to ask’ is entirely compatible with consent – indeed, that’s what the entire campaign is about: asking.

There need be no conflict between patients being interested and wanting to participate in research, but not wishing their sensitive medical records to be sold. That NHS England is choosing to make this more difficult / conflating secondary uses is a barrier to research, not an enabler.

We can’t let the day pass without also mentioning our friends at AllTrials – campaigning for all past and present clinical trials to be registered and for their full methods and summary results to be reported. Clinical trial transparency is vitally important, and it doesn’t mean publishing individual patient data.

Consensual, safe and transparent. Anything less just doesn’t make sense.

Marketing2U: Was your health information sold to direct marketers by Pharmacy2U?

For years, we’ve had credible reports of highly accurate marketing that could only be based on health records. Now reports in the media have revealed “a nice little trade” in your health records – and that’s the Information Commissioner’s description, not ours.

These latest reports reveal two ways in which information about your health may be collected and sold on: from insurance forms you fill in and, in particular instances, from information provided to “the UK’s largest online pharmacy”, Pharmacy2U.

Given the number of people who have contacted us over the past two years about this, it is clear that these are not isolated occurrences. Pharmacy2U may have admitted to selling details to a direct marketing agency on a number of occasions, but it is not the only one.

This trade in people’s personal health information is insidious, and makes it all the more essential that the Government legislates clearly and consistently on the ongoing “commercial re-use” of our medical records.

Senior politicians may say something must be done about these latest incidents, but promises to crack down on dodgy data brokers and those who supply them with data ring hollow while the official trade in NHS patients’ information persists. (We note the promised Regulations under the Care Act 2014 – which should clarify the overly-broad definition,“the promotion of health”, that continues to legitimise commercial re-use of your medical information – were not laid before Parliament was Dissolved for the election.)

medConfidential has submitted a formal complaint to the Information Commissioner on behalf of patients who have contacted us after having been sent direct marketing materials in relation to their specific medical condition, treatment or diagnosis. The Information Commissioner’s Office has already begun an investigation, as has the General Pharmaceutical Council. And, given what the chair of the Health Select Committee has said, we hope Parliament will look into this promptly when it returns.

Your rights; take action

Section 11 of the Data Protection Act provides you with the “right to prevent processing for purposes of direct marketing”. You can issue a notice in writing to a data controller at any time, requiring them to cease – or not begin – using your personal information for marketing.

UPDATE 27/4/15: Given their objection to the way we previously expressed things, we asked Pharmacy2U shareholder EMIS – which has been offering a joint service with Pharmacy2U since trials in 2001 – how a patient might determine, without wasting GP time, if their practice is amongst one of the hundreds that have been using Pharmacy2U to provide postal prescriptions for years. EMIS has replied saying that Pharmacy2U is now an option in all practices that use Electronic Prescription Service Release 2 (EPSR2), and that patients with concerns “should contact Pharmacy2U directly”.

Our advice remains as we state below. If you are unsure whether you’re affected, we hope to have more information in our newsletter due out this Friday.

You may not recall nominating Pharmacy2U at your GP at any point over the last 14 years, but if you do not receive a paper prescription and you have ever received your medicines from a warehouse in Leeds rather than your local pharmacy, then it is likely that you did – and you may wish to take action.

If you are a customer of Pharmacy2U, or if you are concerned that your details may have been sold or passed to third parties by them or any other online pharmacy – or by any company to which you have provided information relating your health – we have created a template Section 11 Notice for you to download, fill in, print and post to the relevant organisation.

For Pharmacy2U only, please add your details where indicated:

For other companies, including insurance companies, please fill in the relevant details where indicated:

You will note that our Section 11 Notice letter ends with a request for information about disclosures of your information for purposes other than marketing. This is because you have a further right, under Section 10 of the Data Protection Act – the “right to prevent processing”, if such processing would cause you “unwarranted and substantial damage or distress”.

At this point it is not absolutely clear whether Pharmacy2U or other companies have disclosed your information for purposes other than marketing; the wording of various Terms and Conditions suggests that they might. Our template letter therefore requests that the company tells you with whom it has already shared your information, and for what reason.

By sending our Section 11 Notice letter first, you should be told exactly what the company has done with your information. You can then follow up with a Section 10 Notice [1] on the basis of what you find out. Were you to send a Section 10 Notice straight away, the company should comply with your wishes – but you might not find out what has already been done with your information.

We would hope that companies will come clean, and take the opportunity to reassure those whose details they haven’t sold that their information has been kept confidential. If for any reason a company refuses to provide this information, please let us know.

medConfidential believes people should always know who has had access to their health-related information, and what it has been used for. As we have said to the Information Commissioner, you simply cannot trust an organisation that buries your consent options and which isn’t completely up front about what it has done or will do with your most sensitive personal information.

1) For your convenience, here is a template Section 10 Notice for you to download, fill in, print and post to the relevant organisation. If you are concerned to know what has been done with your information, we recommend you send this only after receiving a response to your Section 11 Notice.

For Pharmacy2U, please add your details where indicated:

For other companies, including insurance companies, please fill in the relevant details where indicated:

UPDATE 20/4/15: We were contacted late on Friday by Pharmacy2U’s PR representative, who stated Pharmacy2U “has not sold information relating to patients’ medical conditions. Names and postal addresses only were provided.”

The PR firm provided the following statement, which we publish in full:

“We want to reassure our customers that Pharmacy2U does not and has never sold information relating to patients’ medical conditions to anyone.

Between November 2014 and December 2014, we trialled a small-scale project with Alchemy Direct Media (UK) Ltd, a data handling company registered with the Information Commissioner’s Office (ICO). 

This project involved us selling limited information – some customers’ names and postal addresses only – for use in selected marketing activity. No medical information, emails or telephone numbers were sold. In conducting this trial project, we acted in line with current data protection and ICO guidelines.

The sale of customer data for marketing purposes is a widespread practice within business and also government. However, in light of public concern about this issue we have decided not to continue with this trial and we can reassure our customers that Pharmacy2U will no longer share customer data for use in third party marketing. All data that was held by Alchemy Direct Media (UK) Ltd has been destroyed by them and is no longer available for use.

We have asked the Information Commissioner’s Office to work with us to review our privacy policy and have also contacted the General Pharmaceutical Council, our industry regulator, and the NHS, to discuss this matter. We await their follow-up report.”

[PRESS RELEASE] Stop this toxic trade in health information; make it all ‘classified when complete’

Responding to revelations about the disgraceful trade in sensitive health information [1], medConfidential today called for all personal health details to be treated as ‘classified when complete’ [2].

Exemptions in the Data Protection Act are not only exploited by unscrupulous traders; some are routinely used by large commercial organisations [3] and public bodies to legitimise the “sharing” and “re-use” of health information.

Despite promises made by Ministers last year following the care.data fiasco and the exposure of the legalised sale of NHS patients’ medical information for “commercial re-use”, changes to the law remain uncommenced [4]. Indeed, the amended definition of legitimate use – “for the promotion of health” – still permits sale to “information intermediaries” and use by pharmaceutical marketers and other commercial interests.

While medConfidential supports, and last year called for [5], criminal sanctions against those who abuse or misuse people’s health information, the threat of harsher punishment for a few ‘bad apples’ will not address the toxic presumption, perpetuated by Government policy, that people’s most sensitive personal details are tradable assets.

Phil Booth, coordinator of medConfidential [6], said:

“For all its fine words, this last government added no real protection for medical records – its political promises came to nothing.

“To stamp out this toxic trade, politicians must take decisive action and guarantee that all medical reports and data are legally defined as classified. There’s no reason your family’s health details should be treated as any less sensitive than a police witness statement or George Osborne’s lunch order, for that matter.

“Only when medical records are properly protected in law, and people are told everywhere they’re sent, can we truly trust our most sensitive information will be kept confidential.”

Notes for editors

1) http://www.dailymail.co.uk/news/article-3018659/Privacy-sale-s-health-secrets.html

2) More details in medConfidential’s proposal, ‘A modern Lloyd George Envelope: CLASSIFIED when complete’: https://medconfidential.org/wp-content/uploads/2015/02/2015-02-16-A-modern-Lloyd-George-Envelope.pdf

3) medConfidential drew attention last June to some insurance and financial services companies’ abuse of enforced Subject Access Requests: https://medconfidential.org/2014/is-jeremy-hunt-serious-about-shutting-down-insurers-access-to-your-medical-records/

4) Regulations to the Care Act 2014 failed to be laid before Parliament was dissolved. These Regulations were necessary to define the operation of the Confidentiality Advisory Group that advises on the dissemination of NHS patients’ information, to enable “one strike and you’re out” sanctions for those who misuse data, and to define “the promotion of health” – the over-broad purpose by which patients’ information can be made available for commercial “re-use”.

5)  See Q7 of Oral Evidence to Health Select Committee, on Tuesday 25 February 2014: http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/health-committee/handling-of-nhs-patient-data/oral/6788.html

6) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

medConfidential update, 21 March 2015

This is just a brief update; we hope to have more substantive (good) news soon, but something else we think you should know about is happening and we wanted to give you the heads-up.

Urgent action – your health data and beyond

While the Government and NHS England still refuse to rule out the commercial re-use of your medical information, their commercial cronies have lobbied the Office of National Statistics to consult on commercial, speculative and secret access to the unprotected data that ONS holds.

This “microdata” is highly sensitive, much of it personal data – which is why the ONS has had to keep it so tightly under lock and key. This isn’t your medical record, but it’s everything else the Government has, including the census and Health Survey; it’s all but your name.

With a general election in the offing and the budget this week, no-one else seems to have noticed. But where does the bulk of the data that the budget depends on come from? That’s right, ONS – and confidential business data is included in these proposals too.

Please act now. With just one week to go before the consultation closes, you can:

  1. Sign the open letter opposing the proposals – it’ll just take a minute
  2. Tell your friends – more information at www.AllButNames.com
  3. Fill in a longer response via the ONS website

There may be just a few of them but, as statisticians can count, your voice really matters.

medConfidential’s attention was drawn to this issue by Methods Insight Analytics’ breach of conditions for using ONS linked data sold by HSCIC last summer. It appears some private companies would rather change fundamental ONS principles than their own business models.

Has nothing been learned from the care.data fiasco? Allowing commercial access to highly detailed, sensitive information for private profit undermines both trust and the public good. Selling access to ONS microdata may make peanuts for companies and their shareholders, compared to the very real damage to public confidence in our National Statistics that will come from these proposals.

 

What’s happening with care.data?

We’d love to be able to tell you what’s going on with the care.data pathfinders but, depending on who’s asked, they’re both going ahead and not before the election… and now NHS England won’t say either way.

It has been clear for some time that data extractions won’t take place “before the autumn”, but that’s not quite the point. The question is when patients will start being written to, what they’ll be told, and whether it’s actually true.

Though the headlines talk about a delay, when pressed, “Mr Kelsey told HSJ that while the extraction would not take place before the election, pathfinders would send out communications around the data extraction and linkage programme.”

As The Register reports, Tim Kelsey repeated this intention to Roger Godsiff MP, who was prompted to lay an Early Day Motion this Monday.

We sincerely hope that NHS England will do the right thing, and postpone sending anything out to patients in the pathfinders until after the election. Too many questions are still unanswered, and critical elements – such as the CAG regulations, new Directions and fixing the ‘Type 2’ opt-out error* – are still not in place.

Proceeding now, so close to the election, could be seen as an attempt by this Government to constrain the next. And, as Shadow Cabinet Office Minister, Chi Onwurah has said: “I think if we have another care.data, then the public sector is not going to want to touch data, whether it is open or shared and that is a real danger.”

* We understand HSCIC is working on a solution to the issue they have taken responsibility for, that will honour your choices and not affect your direct care. We will let you know as soon as anything public is announced, but this is unlikely to be until after the election.

 

 

Lessons learned? Suggestions on writing to a million patients about 9Nu4

The Health and Social Care Information Centre are aware that the number of patients affected by the mistake with the ‘Type 2’ / 9Nu4 objection is indeed much higher than their Chair first stated to Parliament, and they continue to accept – as they did from the start – that they will have to write directly to everyone concerned.

HSCIC’s acceptance that individually-addressed letters are necessary is to be welcomed, not least because it shows some lessons may have been learned from the previous history of NHS England’s care.data fiasco. But to avoid a repeat of previous communications disasters – including the junk mail leaflet and widespread confusion between care.data, the Summary Care Record and local direct care data-sharing initiatives – lessons from 2014 must not only have been learned. They must be seen to be learned.

As last year clearly demonstrated, there can only be one patient communications programme going ahead at a time, and it must be carefully coordinated with any and all other existing data-sharing programmes.

As NHS England Director for Patients and Information and (interim) SRO for care.data, Tim Kelsey, has washed his hands of any responsibility for this latest screw up, this is a clear opportunity for HSCIC to lead and demonstrate itself to be the reformed agency that it is striving to be, absent any interference from NHS England.

What needs to be done?

Dame Fiona Caldicott has articulated a number of tests and questions for the care.data programme as a whole. It would therefore make sense, as a starting point, to apply these to any proposed communications intended to correct the current consent catastrophe. Some tests (e.g. those in section 5, relating specifically to the care.data pathfinders) may not apply directly, and other tests may need to be added, but the as-yet-unanswered questions on the substance of what patients are told – and how it will be made true – continue to apply across the board.

The ‘Type 2’ correction cannot be implemented as a postcode lottery; it must be national, for all affected patients at once. And, unless Mr Kelsey’s promises of “no arbitrary deadline” are untrue, the care.data pathfinder process can happen after the national re-contacting has taken place. (And, if done as we suggest below, at no additional overall cost to DH and the public purse.)

As medConfidential has repeatedly stated, the SRO for the 9Nu4 correction programme – as for all large-scale patient data programmes – must be someone who is subject to GMC regulation.

A process to respect patient choice

A letter must be sent to each affected patient, the content of which should go through a similar consultation process to the one which NHS England stated it would follow for any revision of care.data – though HSCIC should do a better job of actually listening to advice and suggestions.

Given the need to rebuild public confidence, and out of an abundance of caution, letters must be sent to everyone who has expressed a consent preference, whether that was 9Nu4 (‘Type 2’), 9Nu0 (‘Type 1’) or SCR. The bungled communications last year resulted in many patients being given the wrong forms, and it is reasonable to assume that someone who doesn’t want their data to leave their GP practice to be shared for direct care purposes is unlikely to want it sold on for ‘secondary uses’.

Critically, the state of each patient’s ‘consent settings’ immediately before the letter hits their doormat must be as safe as possible. This may involve the introduction of a new code or codes, but the defaults must be set to respect patients’ existing choices.

The communication materials themselves must clearly and accurately reflect what happened, how it has been addressed, and what will happen going forwards. Unambiguous promises must be given to patients around secondary uses, consent and notification. (This may be a good opportunity to introduce personalised data usage reports to a group of data-concerned patients, trialling the process and explanation ahead of a wider communication.)

The letter should provide each patient sufficient information and clear choices to be able to arrive at one of the following 3 outcomes:

  • NO FURTHER ACTION BY PATIENT [DEFAULT] – implement what patients were told would happen last Jan/Feb, i.e. opt out of secondary uses of their data collected from anywhere across the NHS, with no impact on their direct care. This would require our Spine proposal to be implemented.
  • ACTION: Patient has changed their mind – opt them back in for secondary uses of their data collected from places other than their GP. Unless patient gives explicit consent, do not override any other settings, e.g. 9Nu0 or SCR. This would most likely be a subset of those who opted out of SCR, whose decision was inferred as a precaution.
  • ACTION: Patient wants the ‘full 9Nu4 opt out’ – apply the opt out as 9Nu4 was (mistakenly) specified, i.e. HSCIC cannot pass on patient’s data, even for direct care. This is likely to be for a very small number of patients, but the option is clearly important to some people.

“No action” must be the default, and the default must continue to be safe and in the patient’s best interests, i.e. a system-wide consent option on the Spine, respected by all care providers.

It is important these choices are not merely expressions of choice, but immediate and effective realities. Patients whose trust has already been abused should not have to wait a further year for their decisions to be enacted. Ideally, this would be able to be reflected in a personalised data usage report for each patient, so they can see that – this time – their wishes have been properly respected.

Moving forward with care.data (or its successor)

Only once the ‘Type 2’ correction process has been completed – letters have been sent, patients have been given time to act, and their consent choices have been enacted – can the care.data pathfinder process restart.

Those in the pathfinder practices who have not been sent a letter as part of this process, can then be sent a letter and opt-out form for care.data and all secondary uses. (These letters may be modified based on any further lessons learned from the ‘Type 2’ process.) That only those patients who have not already opted out will be written to as part of the ‘new’ opt-out process means that people will not be being asked to opt out of something they’ve already opted out of.

It also means that the cost to the public purse of the programme as a whole should be almost identical to what NHS England currently proposes. The same number of envelopes will be posted (which is the vast majority of the cost) but there will need to be some more meetings to design the two sets of communications, not one – to ensure that what everyone is told is completely consistent. And true.

In the meanwhile, rather than rushing into the extraction of data that may not even provide the benefits claimed, care.data can be revisited, future needs properly identified and the many flaws in the design of the current programme can (hopefully) be corrected. And proposals to reduce the number of individual-level data flows can continue to be applied.

While it looks like the projection of over a million people having opted out will prove correct, it should be remembered that only 29% of people asked at the time had received a leaflet and nearly half the population was still unaware of the scheme at the point it was “paused”. Opt-out rates across the country are likely to be significant, and NHS England cannot afford to cause yet another collapse in public confidence.

This time, there is no option but to do it right.

Will opting out affect the care you receive?

NHS England is very clear, even now: “…this will not affect the care you receive.”

However, displaying their all-too-familiar lack of attention to detail, there currently is a problem – a mess they’re leaving someone else to clean up. That’s no surprise in the ongoing care.data fiasco. The surprise this time is just how badly they cocked it up.

Due to a mistake with one of the objection codes*, everyone who opted out with it will need to be contacted to confirm the details of a new, as yet unspecified, arrangement. Opting out now should mean you are contacted in that group.

If you did opt out last year, NHS England is at least correct in saying that your direct care has not been affected. As of now, none of the opt out codes have been extracted and the care.data programme has taken no information from your GP’s systems.

But because the codes have not been extracted, HSCIC has no way to know whose data to prevent passing on to its customers. Data releases resumed last summer; you can see the organisations which have received data in HSCIC’s quarterly Data Release Register.

Unfortunately at this point no-one, including HSCIC itself, can tell you if your data has been released – which is one example of why we’ve been pushing for personalised Data Usage Reports. With those in place, you would know.

We are working hard to ensure that your opt out is honoured, and that it does what you were told it would do – by us, and by NHS England.

medConfidential believes that wanting to preserve your privacy in the NHS should not exclude you from digital services in the NHS. Anyone who attempts to claim otherwise is blackmailing patients. Again.

*We were shown details in a letter, a couple of minutes before we gave evidence to the Health Select Committee on the 21st January. we suspect NHS England knew some time before then, as the ‘Type 2’ opt out codes had originally been scheduled to be uploaded last autumn.

NHS England posted ‘Important information on data sharing opt out’ at 17:24 on Friday 23rd January. Unfortunately, while the title of its announcement isn’t limited to just the care.data programme, all of the salient bullet points are. Its use of the phrase “the opt out” (not opt outs) is far from reassuring, and signals an imminent attempt to re-write history and break promises.

You will note NHS England’s announcement omits to tell you what you’ve just read in this post. If you want to be kept up to date with comprehensible information and facts you can act on:


Our newsletter is sent using MailChimp.
We will not share your details with anyone else.

We will post more details as we have them on our blog, and in our next newsletter on 30th January.