
HRRDLs for commissioning: a discussion towards Safe, Consensual and Transparent use of data in commissioning

Yesterday, medConfidential and others attended the HSCIC’s “Driving Positive Change” event, to look briefly back at the Partridge Review and forward to the future work of the HSCIC. The two major topics were communications of various types, and the proposed HSCIC “safe setting” where bona fide research could be conducted on data (currently subject to opt-out). Both are welcome developments, and we seek to be closely involved in what happens next, with the first public steps due in the next week or so.

The Department for Health is running a consultation on “Accredited Safe Havens” for commissioning purposes, or, as they call it slightly less clearly, “Protecting personal health and care data”. In the quality of its public engagement the consultation keeps NHS England company, and it has drawn a great number of puzzled looks from subject-matter experts. I’m currently attending a variety of meetings with a variety of organisations, and not only is no one really sure what the answers could be, few people agree on what the questions are even asking. This seems less than ideal.

Yet, as we are now in week 5 of a 7 week consultation, and no one really has a solid articulation of what the Department of Health are trying to do, I’ve put together this draft of a substantive paper on a way forward: “HRRDLs for commissioning”. It’s based on previous work which has since been adopted by HSCIC, but only after DH began drafting their consultation, which happened as care.data was imploding around NHS England. If you think that the consultation as drafted takes no account of HSCIC’s progress since February, that’s because it mostly doesn’t. Comments by email are very welcome.

What is a safe setting? A safe setting is a physical venue where (usually remote) data can be accessed under tightly controlled and audited conditions. Restrictions are placed on who and what enters the room, what they do while in there, and what they can take out. This allows research to be conducted on individual-level records that carry minimal protections (which, for health data, has other problems). Safe settings were previously discussed for legitimate research, along existing models; this paper takes the proposal further. We fully expect, and have no reason to disbelieve, that the opt-out codes for care.data (and beyond) would be fully honoured. We intend this proposal to be fully compatible with the consent mechanisms that are in place, and that should be in place, and not to deny screening to those who have opted out of secondary uses. A safe setting can also restrict which individuals can see which data, which has implications for a granular approach to parity-of-esteem questions.

I don’t think this is a final proposal, so it can evolve (it’s dated so you can tell, and we’ll put a note here when we do), and some parts may need more explanation. But if you’re interested in how we think commissioning data for invoice reconciliation and risk stratification (neither of which is direct care, so both come under the opt-out process) could work in a way that is safe, consensual and transparent, I’d like to hear your comments below or at sam@medConfidential.org.

Please note that making comments to us is not the same as responding to DH itself, which you can do online.

HSCIC fills in some gaps, while DH and NHS England seem to have forgotten something

The Health and Social Care Information Centre has produced its latest data release register, following the Partridge Review. Two lines and one whole section jump out.

Experian, which most people know as a credit reference agency, sells a product called Mosaic: a database which subdivides your and every other neighbourhood in the country into a variety of categories, which are then used for all sorts of purposes – from selling you burgers to insuring your house or car.

We don’t yet know when, but sometime this year HSCIC approved the sale of 3 datasets of hospital episodes (inpatient, outpatient and A&E) to Experian, to help it produce Mosaic “postal sector level” profiles. In the data released, individuals’ diagnoses are linked, via pseudonyms, across events and the various data sets used.

The stated purpose of Mosaic is commercial. Mosaic is used by marketing firms to target people such as “Vulnerable young parents needing substantial state support” (category O69) and “Childless new owner occupiers in cramped new homes” (H35). Experian, as elsewhere, may offer a fig leaf of fragments for researchers to give a fake appearance of legitimacy, but we’re not fooled. Whatever the spin, this is commercial exploitation of NHS patients’ data.

We shall have to wait and see how HSCIC will interpret the new rules in the Care Act, which this particular release may predate. Will such uses by Experian and commercial marketers be classified as “promotion of health”? Public trust hangs in the balance.

Despite ongoing concern about selling data to insurers, we see that “General Reinsurance” also appears in the list – requesting a customised extract of inpatient data for the whole country in aggregated form. If properly aggregated as statistics, such as the ones HSCIC routinely produces and releases as open data, then we would expect to see this published as open data as well, but we’ve not found it yet.

If these are genuine statistics, then publishing them shouldn’t be a problem. Selling custom extracts, however, puts HSCIC in the position of providing data for private commercial advantage rather than for the benefit of all. Given the huge sensitivities around use by insurers, we have suggested this is not such a good idea.

(For the 6 studies mentioned which involve DNA and/or genomic data, we’re working with our friends at GeneWatch UK to examine what is already public knowledge, and where further information must be requested.)

Though still lacking in detail – no mention of dates, nor links to official approvals or audited deletions – at least this release of the register shows that HSCIC is trying to be more transparent in its actions. C+ for effort, but let’s see fewer omissions next time.

‘National Back Office’

After repeated denials about police access, one of the big surprises in the Partridge Review was the discovery of a whole department dealing with ‘trace requests’ from law enforcement agencies and the courts. Such requests, if approved, attempt to track down individuals using the national electronic database of NHS patient demographic details.

The latest register shows there was a large spike in requests from the Home Office in 2013. It’s not clear if the UK Border Agency’s absorption into the Home Office explains some or all of this increase, nor if other subsidiary agencies of the Home Office make requests. Police requests are recorded separately – and are broken down in a bit more detail in the press release – but we do wonder which other agencies are using section 29(3) of the Data Protection Act.

Given the number of bodies and agencies working out of Smedley Hydro, these relationships cannot afford to be murky – absolute clarity is required.

Crashing consultations in the ‘IG universe’?

NHS England's "IG universe"

Also in the last week we’ve seen a new consultation from the Department for Health on, amongst other things, “Accredited Safe Havens” (ASHs) for commissioning.

Individual-level patient data is already being passed around for purposes such as invoice reconciliation, using what was supposed to be ‘emergency’ Section 251 support. This consultation is about doing it slightly less badly. Though clearly desperate to avoid the contamination of any association with the toxic care.data scheme, DH appears to be saying that patient-level data gathered under care.data could be passed around Accredited Safe Havens.

Uh oh.

One thing that had begun to generate confidence was HSCIC’s statement that, under care.data, the only place to which any data extracted from GP systems would go was into a safe setting – what medConfidential calls a Health Research Remote Data Laboratory. (We think ‘HRRDL’ sounds better than ‘fume cupboard’.) This was good news, and a necessary step for public confidence in any extraction of their identifiable data.

But despite HSCIC having said this in public statements and directly to Parliament’s Health Select Committee, the Department of Health clearly hasn’t thought through the implications for this consultation, which is on the flows of data for commissioning – the sole use of care.data for which NHS England has at this point received approval.

This isn’t necessarily a complete contradiction, as patient data will be collected from providers other than GPs and be passed around in other ways – but one might hope that DH would have thought through the implication of its own arms length body’s commitments, rather than taking NHS England’s steamroller approach to governance and schedules.

Another notable feature of the DH consultation is the way it contradicts assumptions made in an NHS England consultation on “Priority Issues in Information Governance”, which opened in February 2014 and should have closed at the end of April. As with much of NHS England’s Information Governance, its ‘Priority Issues’ consultation is an ill-considered mess: surely NHS England has shifted its world view since early February? Given all that has come to light, why has the consultation not been withdrawn or re-issued?

So, other than statements by HSCIC, we’re seeing scant evidence that lessons have been learnt.

HSCIC proposes to limit the number of copies of the nation’s medical records that it hands out for various purposes. This is both welcome and achievable, but it requires both DH and NHS England to accept that business as usual is no longer an option.

[PRESS RELEASE] BMA votes for care.data scheme to be opt-in

For immediate release – Wednesday 25th June

The BMA’s Annual Representatives Meeting voted this morning for the controversial care.data scheme to be “an opt-in system rather than an opt-out one”.

All five parts of motion 356 [1] were carried:

* 356. Motion by the Agenda Committee (motion to be proposed by the Suffolk Division)

That this Meeting agrees that the care.data system should not continue in its present form as:

i. it lacks confidentiality and there is a possibility for individual patient data to be identified
ii. it carries the risk of GPs losing the trust of their patients who may feel constrained in confiding in them
iii. the future potential users of the data are not well defined
iv. it should be an opt-in system rather than an opt-out one
v. the data should only be used for its stated purpose for improving patient care and not sold for profit.

This follows polling from Ipsos MORI, commissioned by the Joseph Rowntree Reform Trust Ltd [2], that shows half of the population (51%) say they have never heard of the care.data scheme. The survey also shows that while 27% of the public would support an opt out approach to sharing of their medical records, 40% think it should be opt in (although 10% say that it would be fine to use their data without their knowledge or consent).

Phil Booth, coordinator of medConfidential [3], said:

“The democratic body of the medical profession has voted for the care.data scheme to be opt-in. Will NHS England push on regardless, ignoring the views of the people who know best just how vital confidentiality is for patient care?

“What’s needed now is a full inquiry into how NHS England mishandled patient consent into this mess – decisions taken by officials, repeated failures to properly inform the public and professionals and what looks like a collapse in governance under the quango that’s now running the NHS.”

– ends –

Notes for editors

1) Motions on BMA ARM website: http://bma.org.uk/working-for-change/arm-2014-info/agenda/health-information-management-and-it

2) Topline results now published online; care.data-related questions are Q4 – Q7: http://www.ipsos-mori.com/researchpublications/researcharchive/3407/Privacy-and-personal-data.aspx

3) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

– ends –

[PRESS RELEASE] medConfidential welcomes NHS England medical director’s call for care.data to be partially opt-in

For immediate release – Tuesday 24th June

Before the critical care.data vote at the British Medical Association’s Annual Representatives’ Meeting tomorrow [1], patient privacy campaigners today welcomed statements by Dr Mike Bewick, deputy medical director at NHS England, who told GPs at a medical conference that parts of the Government’s controversial care.data scheme should be ‘opt-in’ only [2].

Latest polling figures commissioned by the Joseph Rowntree Reform Trust Ltd from Ipsos MORI [3] show half of the population (51%) say they have never heard of the care.data scheme. And generally amongst the public, while 27% would support an opt out approach to sharing of their medical records, 40% think it should be opt in (although 10% say that it would be fine to use their data without their knowledge or consent).

medConfidential’s proposed hybrid opt-in/opt-out approach – ‘Local Choice’ [4] – would offer GPs and patients straightforward choices that reflect clear public and professional concern while acknowledging the benefits that may be gained from legitimate research use.

Phil Booth, coordinator of medConfidential [5], said:

“The Information Centre has acknowledged how wrong it was and is moving to restore public confidence. We hope Dr Bewick’s statements indicate a similar shift in thinking by the bosses of NHS England.

“While we all may benefit from genuine medical research, commercial exploitation was never part of the NHS social contract. With such low levels of public awareness and high levels of opposition amongst doctors, we think it is time patients were offered choices that reflect their real concerns.”

Notes for editors

1) Composite motion to be voted on at the BMA’s Annual Representatives’ Meeting: http://bma.org.uk/working-for-change/arm-2014-info/agenda/health-information-management-and-it

356. Motion by the Agenda Committee (to be proposed by the Suffolk Division)

That this Meeting agrees that the care.data system should not continue in its present form as:

  1. it lacks confidentiality and there is a possibility for individual patient data to be identified
  2. it carries the risk of GPs losing the trust of their patients who may feel constrained in confiding in them
  3. the future potential users of the data are not well defined
  4. it should be an opt-in system rather than an opt-out one
  5. the data should only be used for its stated purpose for improving patient care and not sold for profit.

2) Reported in Pulse, 20/6/14: http://www.pulsetoday.co.uk/your-practice/practice-topics/it/parts-of-caredata-should-be-opt-in-only-says-nhs-england-director/20007039.article#.U6RsOrHryK4

3) From the Joseph Rowntree Reform Trust Ltd’s ‘Privacy and Personal Data’ poll, conducted face-to-face with British adults aged 15+ by Ipsos MORI from 25/4/14 to 1/5/14. Data are weighted and the base size is 1958. Full data will be published at www.ipsos-mori/caredata on 25/6/14:

Q1  How well, if at all, would you say you know the care.data proposal?

  • Know very well: 3%
  • Know fairly well: 9%
  • Know a little: 19%
  • Heard of but not sure what it is: 13%
  • Never heard of: 51%
  • Don’t know: 4%
  • Know at least a little (net): 31%
  • At least heard of (net): 44%

Q2  Thinking about the care.data proposal, which of the following best represents your view on how, if at all, your GP should be able to share information from your medical records with the care.data programme?

  • My GP should be allowed to share my data automatically without needing my knowledge and consent: 10%
  • My GP should be allowed to share my data automatically as long as I know about it and do not object or opt out: 27%
  • My GP should only be allowed to share my data if I know about it and have given my explicit consent and opt in: 40%
  • My GP should not be allowed to share my data under any circumstances: 13%
  • I would need more information to make a decision: 7%
  • Don’t know: 4%

4) ‘Local Choice’ devolves the opt-in/opt-out decision to GPs at practice level, with patients written to with the choice of opting out of ethically-approved research or opting in for all secondary uses. All existing consent choices must be respected.

medConfidential note for BMA ARM, 25 June:

https://medconfidential.org/wp-content/uploads/2014/06/2014-06-11-Achieving-local-choice-and-consensual-research-use.pd

medConfidential note for LMC Conference, 23 May:

https://medconfidential.org/wp-content/uploads/2014/05/2014-05-15-Note-for-LMC-conference.pdf

5) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

– ends –

‘Gaming’ consent, and how YOU can help

medConfidential is deeply concerned at the growing use of enforced Subject Access Requests by insurance companies to acquire cut-price back-door copies of an applicant’s entire medical record, while at the same time we are seeing pharmaceutical companies deny researchers access to individual-level detail on clinical trial results for which volunteers’ explicit consent should have been freely granted.

It seems that in both cases companies are taking a position based on corporate self-interest rather than the patient’s or public interest. They are ‘gaming’ consent. Information cannot be both ‘nothing to worry about’ when companies want it to make decisions about you, yet ‘too sensitive to reveal’ when it exposes them and their decisions to scrutiny; mandatory on the one hand, prohibited on the other.

Only last week, the European Medical Agency modified its plans to allow researchers to print and copy clinical trial reports – information necessary for safe, independent evaluations of whether drugs work the way the companies selling them say they do. Meanwhile insurers continue to push patients into handing over their entire medical history via Subject Access Requests. Of course a SAR also gives the insurer far more information than they would receive from a properly paid-for GP report, which they will then keep for later use.

Forms we’ve seen include wording like, “You do not need to give your permission, but if you do not, we will not be able to proceed with your application” and “This will give us permission to obtain a full copy of your health records from your doctor so we can assess your application or any future claims” (our emphasis). The language is often understated and companies adopt different ‘nudge’ approaches, e.g. providing applicants with a SAR-only consent form but making them specifically request a GP report form.

We’re hoping you can help build an evidence base, providing a wider range of examples to demonstrate the systematic nature of these problems.

We don’t want your personal information! But if you have a copy of a clinical trial medical record release consent form (from 2010 onwards) or if you have been given a Subject Access Request consent form so an insurer can get records from your GP (again, from any time after 2010) please could you scan or e-mail a digital copy to forms@medconfidential.org?

If all you have is a filled-in copy of your form, please remove or black out all of your personal details before you send anything. If you’re not sure how to do this, or if you have any other questions, please email forms@medconfidential.org; our apologies if it takes us a few days to get back to you, as we are busy fighting on a number of fronts at present.

What we are after is the wording of the forms themselves, such as the lines we quoted above. It is these we intend to share with other organisations; language about data re-use will likely be of interest to colleagues on the allTrials.net team and we’re sure the Information Commissioner will pay close attention to the varied forms of coercion used around Subject Access Requests.

If you don’t have a form, you can still help by tweeting or passing on a link to this article. The more examples we can gather, the stronger the case.

[PRESS RELEASE] Partridge Review: Patients need proof to restore confidence

For immediate release – Thursday 19 June 2014

In case you missed it, medConfidential’s initial response to the Partridge review is here: https://medconfidential.org/2014/press-release-patching-hscics-holes-medconfidential-initial-response-to-the-partridge-review/

Detailed analysis of the Partridge Review, published earlier this week [1], reveals a more disturbing picture than has yet been reported. While Sir Nick Partridge’s recommendations are to be welcomed and have been accepted, they have yet to be implemented and – more importantly – evidence must be provided that they are working. Such evidence will be essential to public confidence in the handling of NHS patient data.

The fact is that during a period when ministers and officials have been pushing for a massively increased amount of identifiable patient data to be extracted from the GP records of every man, woman and child in England to the Information Centre under the care.data scheme, serious issues at the Centre itself were either unknown or unresolved.

The largest single data breach in NHS history?

One of the more extraordinary revelations is that in at least two instances – as the list of releases cannot be guaranteed complete – the Information Centre cannot say where it sent patient data. Given that the instance involving the release of HES data was in 2010/11, the year after administration of HES releases was taken in-house, the suggestion that this may have been “an internal Northgate request for data” [6] seems inconsistent with the information provided.

Similarly, no evidence is provided to substantiate the assertion that “no identifiable or potentially identifiable data went missing” [7]. Indeed, the PwC report confirms only that the release in question “was not flagged as containing sensitive or identifiable data”; HES data is commonly provided as pseudonymised patient-level information, i.e. in re-identifiable form [8]. As no information has been provided as to the size of each HES release – which could be a partial extract or a year’s-worth of hospital episodes (tens of millions of dated events) – it is impossible to quantify the number of patients’ records involved.

That “no individual ever complained that their confidentiality had been breached as a result of data being shared or lost by the NHS IC” is beside the point. Up until now no-one knew their data had been lost and it is unlikely that most patients could determine the effects of inappropriate sharing or abuse. In fact there are cases, such as that of Helen Wilkinson [9], which show just how difficult it can be to remove stigmatising errors once propagated by central systems.

It is incorrect to state that no complaints have been made to the Information Commissioner’s Office. medConfidential and others made a complaint regarding the inappropriate and possibly unlawful uploading of 10 years’-worth of HES by PA Consulting (entry 1292 in the spreadsheet of 3,059 releases) to Google’s BigQuery servers [10], and a number of other ‘high profile cases’ are currently under investigation.

Insurers / re-insurers and commercial exploitation

The Secretary of State has repeatedly stated that use of NHS patient data “for commercial insurance or other purely commercial purposes” will be prohibited [11]. While it is to be welcomed that the HSCIC’s Chief Executive has written to three of the re-insurers who hold HES data asking them to delete it, we do not know whether those companies have even replied, much less complied with the request.

Assuming that deletion was part of the contract with the five other insurance companies listed [12], and every other release, it is concerning that the Review does not point to a single instance of an audited deletion of data. Specific mention is made of the suspension of research use, but no such action appears to have been taken in the case of commercial users (or re-users) of NHS patient data, which one can only assume still hold and process data [13].

Systemic failure

It has been claimed that failures were “not systemic”, but the evidence suggests otherwise. The clearest example of this is that when one study within the sample tested – 60 out of 591 MRIS releases – proved not to have the required ONS Legal Gateway approval, investigation of the remaining 90% revealed a further eight instances [2]. Sometimes the Information Centre followed policy and procedure, sometimes it didn’t; that is a systemic failing.

PwC confirms it used a “haphazard sampling” methodology [3] and clearly states there are too many “unknowns” to give “formal assurance or opinion” [4]. Because of failures in record keeping, and in some instances destruction of records, it cannot guarantee the “completeness of the data release list” nor whether the data released “has been used for the intended/stated purpose” [5].

We note that other instances of failure identified within chosen samples did not lead to similar investigations as with MRIS releases, or follow-up action. While we accept that time and resources were limited for this Review, it would be unsafe to conclude anything other than in quite a number of cases – certainly more than are listed in the PwC report, possibly ten times more, given the 10% sample – we simply don’t know what has happened to our data.

Phil Booth, coordinator of medConfidential [14], said:

“We welcome Sir Nick Partridge’s recommendations, but patients need to see the evidence that they’ve been acted on. Public confidence depends on actions, not just words.

“If patients are to trust that procedures and audit are working they must be provided proof of who has their own data, what they are using it for and when it has been deleted. If the systems being constructed for a 21st century NHS cannot provide these answers, they are not fit for purpose.

“Research has been a convenient fig leaf for NHS England when proposing the care.data scheme, but a picture is emerging of commercial companies who get preferential treatment at the head of the queue, while academics patiently languish on waiting lists.”

Notes for editors

1) Partridge Review documents: http://www.hscic.gov.uk/datareview

2) pp36-39, HSCIC Data Release Review PwC Final Report: http://www.hscic.gov.uk/media/14246/HSCIC-Data-Release-Review-PwC-Final-Report/pdf/HSCIC_Data_Release_Review_PwC_Final_Report.pdf

3) p81, HSCIC Data Release Review PwC Final Report: “Haphazard selection, in which the auditor selects the sample without following a structured technique… Haphazard selection is not appropriate when using statistical sampling.” This is not to suggest that such an approach was inappropriate in the time given for the review, more to indicate that conclusions cannot reliably be drawn since it is not a statistically based sampling methodology. Amongst auditors this form of testing is considered of minimal value since there is no assurance findings are representative.

4) p4, HSCIC Data Release Review PwC Final Report: “Given the number of ‘unknowns’ associated with this review due to the time period in question and the availability of historical records/evidence, no formal assurance or opinion have been provided over the findings that may be used by the HSCIC to publish their overall conclusions.”

5) pp4-5, HSCIC Data Release Review PwC Final Report.

6) p7, HSCIC Data Release Review PwC Final Report: “This left 2 data releases where it was not possible to identify the organisation that received the data based on the information retained by the NHS IC. One release related to HES data post April 2009. Further discussion with Northgate has indicated that this could relate to an internal Northgate request for data; however this could not be confirmed.”

7) Paragraph 15, Sir Nick Partridge’s summary of the Review: http://www.hscic.gov.uk/media/14244/Sir-Nick-Partridges-summary-of-the-review/pdf/Sir_Nick_Partridge%27s_summary_of_the_review.pdf

8) For an illustration of the information contained in HES and what can be done with it, see: https://medconfidential.org/2014/commercial-re-use-licences-for-hes-disappearing-webpages/

9) Helen Wilkinson was stigmatised as an alcoholic due to a coding error: http://www.theguardian.com/society/2006/nov/02/health.epublic And as debated in Parliament: http://www.theyworkforyou.com/debates/?id=2005-06-16b.495.0&s=helen+wilkinson#g495.2

10) medConfidential, FIPR & Big Brother Watch complaint re. upload of HES to Google servers: http://medconfidential.org/wp-content/uploads/2014/03/2014-03-13-ICO-PA-FIPR-complaint.pdf

11) As widely reported in February, e.g. the Guardian on 28/2/14: http://www.theguardian.com/society/2014/feb/28/nhs-data-will-not-be-sold-insurance-companies-jeremy-hunt

12) List of insurers and re-insurers who may still be holding HES and SUS data:

  • 143 Actuarial Profession Critical Illness Working Party – HES, 2011/12;
  • 602 FirstAssist – HES, 2012/13;
  • 603 Foresters Friendly Society – HES, 2007/8;
  • 1293 Pacific Life – HES, 2012/13;
  • 1339-42 RGA UK Services Limited – HES, 2009-2013 (Reinsurance Group of America);
  • 1381 Scottish Re – HES, 2008/9 (re-insurer, headquartered in the Cayman Islands);
  • 1517 Scor Global Life UK – HES, 2012/13 (re-insurer);
  • 2676 Milliman – SUS, 2012/13

13) Many of the websites of the commercial companies listed indicate that they are still offering services based on NHS data, e.g. Beacon Consulting, CHKS, Harvey Walsh, NHiS, etc.

14) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

– ends –

[PRESS RELEASE] Patching HSCIC’s holes: medConfidential initial response to the Partridge Review

For immediate release – Tuesday 17 June 2014

The Partridge review of data releases by the NHS Information Centre, published today, indicates systemic failures in the handling of patient information over a period of 8 years. In the 10% sample chosen for closer examination, multiple breaches of proper procedure were discovered, including:

  • improper record-keeping
  • “lack of evidence to support” processes and controls
  • lack of clarity over contractual agreements; confusion over data sharing vs. re-use
  • lack of systematically-applied audit; no audited deletion of data

In at least two instances, HSCIC admits it doesn’t even know who patient data was sent to, or how many years of patient treatment data they sent.

Phil Booth, coordinator of medConfidential [1], said:

“The Information Centre would clearly like to draw a line and move on, and Sir Nick’s recommendations are to be welcomed in that regard, but what about consequences?

“Breaches of several thousand patient records have resulted in massive fines and prosecutions [2]; the serious failings discovered within just the sample chosen will involve millions of people’s medical records. And what about the 9 out of 10 releases that weren’t examined?

Regarding gaps in the information:

“It’s bad enough that patient data was being sold to so many private companies and passed to Government departments. Not being able to say who got their hands on patient data in every instance is astounding. Tim Kelsey’s assertion [3] that there have been ‘no breaches in 25 years’ has been blown out of the water.

As to future action:

“Patients have every right to be appalled at this litany of failures. What this demonstrates is that without end-to-end audit and timely feedback, so patients can know who has their data and what they are doing with it, the system will not be fully trusted.

“HSCIC’s new management says it will set the highest bar for transparency and good practice, but who will oversee them? Good intentions are fine, but an independent watchdog with teeth – such as the government just rejected [4] – would provide public confidence.

“If the government and NHS England want to continue to reassure the public that companies won’t be exploiting their data for profit, then HSCIC must find and close down every last commercial re-use licence.”

Notes for editors

1) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

2) List of monetary penalty notices and prosecutions issued by the Information Commissioner’s Office: http://ico.org.uk/enforcement/fines and http://ico.org.uk/enforcement/prosecutions. Just yesterday, details emerged of breaches involving 10,000 patients’ records: http://www.bbc.co.uk/news/uk-england-27864798 – by comparison, Hospital Episode Statistics (HES) in any one year amounts to around 100 million patient episodes.

3) On BBC Radio 4’s Today programme, 4/2/14: https://www.lightbluetouchpaper.org/2014/02/04/untrue-claims-by-nhs-it-chief/ which we followed up with an FOI request, which revealed breaches in each year from 2009-2012: https://www.whatdotheyknow.com/request/independent_audits_of_hessus_and#incoming-502600

4) An amendment that would have reinstated independent, overarching information governance for the entire health and care system on a statutory basis – abolished under the Health and Social Care Act – was rejected in the final stages of the Care Bill this May. See medConfidential’s briefing for more detail, including the fact that the ‘McDonald’s clause’ (“the promotion of health”) will still permit commercial exploitation: https://medconfidential.org/wp-content/uploads/2014/05/medConfidential-briefing-for-Care-Bill-ping-pong_07May.pdf

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

– ends –

Is Jeremy Hunt serious about shutting down insurers’ access to your medical records?

The Secretary of State for Health has repeatedly promised that the government will legislate to prohibit people’s medical records being used for the purpose of “commercial insurance”. This may have been prompted by the sale of HES data to insurers, but it is not the only way that insurers get their hands on your medical records.

Press reports have revealed a massive increase in an insidious practice in the insurance and mortgage industries: pressuring applicants for insurance or loans to consent to a Subject Access Request (SAR) of their whole GP record – minus a few redactions, such as HIV status or sexually transmitted infections.

The practice of ‘enforced Subject Access Requests’ happens in other sectors as well, such as background checks by employers, where a prospective employee or volunteer is required to give consent for a SAR of their local police force as a proxy for a Disclosure and Barring Service check – what was formerly known as a CRB check.

The increase in enforced Subject Access Requests appears to be financially motivated. SAR charges are capped at £10 if the information requested is held on computer or £50 if some or all of it is held on paper, whereas an official DBS check costs £26 or £44 – depending on how wide a search has to be made – and a General Practitioners Report (GPR) may cost around £100, as opposed to the maximum of £50 for a Subject Access Request for your complete medical record.

Yet again, insurers are getting your medical information on the cheap.

Setting aside the issue of duress, demanding a copy of someone’s entire medical record rather than a report declaring just those details that may be relevant is self-evidently excessive and therefore in breach of the Third Principle of the Data Protection Act. One might also question what is done with the information gathered unlawfully from people’s medical records after the application process – especially given insurers’ notoriety for finding reasons not to pay out on claims.

And if patients are not fully aware of what they are consenting to, or are not giving their consent freely – which is arguably difficult to do if their application may otherwise be delayed or turned down – then fair processing is brought into question, and the First Data Protection Principle may have been breached as well.

With thanks to Tony Collins at Campaign4Change and a GP who would rather remain anonymous, via Pulse, we provide a template letter for GPs (not patients) to send to commercial third parties who have got their patients to consent to a Subject Access Request of their medical record:

Letter declining an enforced Subject Access Request – editable MS Word (.doc) format

Letter declining an enforced Subject Access Request – editable Rich Text Format (.rtf)

To comply with such requests is not safe; it’s not safe for patients, nor is it safe for a GP practice to hand over excessive amounts of sensitive personal information to commercial third parties. Legal liability in case of breach would rest with the data controller.

There is a lawful mechanism – the General Practitioners Report – so GPs should make sure that insurers, mortgage providers and all other such companies use it. And patients should insist upon it as well; don’t be fooled or pressured into signing away access to your whole medical record.

But should this just be down to individual patients and GPs to deal with?

Amendments to the Care Act, which received Royal Assent last month, left a mile-wide loophole – the McDonald’s amendment, “for the promotion of health” – for commercial access to NHS patients’ information collected under care.data and other programmes, and industry practices such as enforced Subject Access Requests continue to put many thousands of patients’ medical confidentiality at risk.

If Jeremy Hunt is serious about shutting down commercial access to and exploitation of NHS patients’ medical records, when will he take action that genuinely protects patient data rather than allowing it to be sold to the lowest bidder?

GPs vote overwhelmingly for care.data opt-in

At the BMA’s Local Medical Committee’s conference in York today, 23 May, each part of the following (composite) motion was carried overwhelmingly:

That conference believes the introduction of care.data has been nothing short of a disaster and:

(i) approves the decision of NHS England to put its roll out on hold until the autumn

(ii) believes that GPs have been placed in a difficult position in respect of the demands of the Health and Social Care Act and the Data Protection Act

(iii) asserts that data should be pseudonymised or anonymised before it leaves the practice

(iv) asserts that extraction should only take place with the explicit and informed consent of patients opting-in

(v) insists that it should only be used for its stated purpose of improving health care delivery, and not sold for profit.

So much for Tim Kelsey’s bald assertion that “Changes to the NHS data-sharing scheme now make it fit for purpose” in GP magazine, Pulse, yesterday. Given the opportunity to democratically express their opinion, the vast majority of GP representatives at LMC conference simply weren’t buying it.

Crucially, the LMC vote puts consent front and centre. In a move which again starts to look like serious political miscalculation, the Secretary of State’s promise to put patient opt-out onto a statutory footing is to be executed in tertiary legislation*. So GPs – who are after all the ‘gatekeepers’ to the patient data held on their IT systems, the ones who’ll be held liable in the unresolved conflict between the Health and Social Care Act and their duty of confidence, professional ethics and duties as data controllers, and the ones who best understand the risks if trust between them and their patients is broken – have put opt-in on the table.

In reality, the amendments to the Care Bill – now the Care Act 2014 – fail to address very real concerns that NHS patients’ medical information will continue to be sold and exploited. By rejecting definitions that would have limited data use to (improving) the delivery of care and legitimate research and by instead adding a “promotion of health” loophole that would allow fast food chains or tobacco manufacturers to make a justifiable case for access, the Government has seriously underestimated the strength of public and professional opinion.

What’s more, those driving forward the care.data scheme have clearly failed to make the case for masses of identifiable patient data to be extracted from GP records. And they continue to make sweeping, emotive appeals based on speculative research outcomes without addressing far more controversial uses such as commissioning, for which the Caldicott2 report said consent could not be presumed.

As chuffed as Mr Kelsey clearly is, now he believes he’s cracked it, getting Dame Fiona Caldicott’s panel to “advise” or “evaluate” care.data is not the sort of robust oversight required to inspire public confidence. The problem is already much bigger than one programme in any case. Overarching, independent information governance oversight for the entire health and care system, fully independent, properly resourced and with real teeth – statutory and enforced – might convince the public that the government and its arms-length bodies can be trusted. There’s only so much moral authority you can ‘borrow’.

It remains to be seen if the BMA’s General Practitioners Committee and Annual Representatives Meeting will follow the lead of the LMC:

“extraction should only take place with the explicit and informed consent of patients opting-in”

If Mr Kelsey and Mr Hunt believed their fiddlings round the edges had put care.data back on the rails, this afternoon’s vote shows them the scale of the task – and the battle – that is to come.

*The intended statutory basis for patient opt out would be in Directions to HSCIC under the Health and Social Care Act – the very same sort of legal instrument that, as currently issued, would have authorised the extraction of the clinical data of patients who had opted out.

Opt-out or opt-in?

In our earliest communications in March and April of 2013, when even the most basic details about care.data were unclear, medConfidential urged the Secretary of State, Jeremy Hunt, “to mandate informed consent (i.e. opt in) for any sharing of identifiable data not for a person’s direct medical care” [1] but, if he would not, to ensure there was at the very least a properly-managed opt-out process.

The Secretary of State effectively took opt-in off the table when he announced the ‘no-quibble’ patient opt-out at the launch of the Caldicott2 report. And no-one is in any doubt as to how badly NHS England has mismanaged the public communication of care.data and the opt-out process – both last summer and during the early months of 2014.

We have made it clear that, were opt-in to be put on the table at any point, medConfidential would reconsider its position – but that while the scope and definition of the system is so uncertain, both now and for the future, we would need to be reassured that processes were in place to ensure that any consent so given could be considered properly informed, and that consent would be ‘refreshed’ on a regular basis.

medConfidential has worked consistently since the Secretary of State’s decision to ensure that the opt-out works as any normal person would understand, i.e. that if a patient opts out, their data does not flow. This was not the way that HSCIC was directed by NHS England to establish the system, despite Jeremy Hunt’s clear assurance to the public.

Though our proposed amendments to the Care Bill were rejected, in debate Earl Howe confirmed that new Directions will be issued to HSCIC – i.e. the opt out will finally be properly fixed. But despite saying it was “sympathetic to the desire to see the oversight panel placed on a statutory footing” and undertaking to “explore with Dame Fiona Caldicott and all interested parties how best to achieve [a robust and coherent system of oversight, scrutiny and advice], which may include using existing legal powers to establish an independent committee able to advise on data-sharing matters”, the government is still ducking what we believe are critical measures if public trust is to be regained.

We await the detail of these new Directions and the result of these ‘explorations’, but meanwhile medConfidential’s basic position remains unchanged: patients must be given the means to definitively exclude themselves and their dependents from secondary use and sale of their medical information, and this should be a statutory right – not just at the gift of the Secretary of State.

Opt-in is now being proposed in motions to be debated at the BMA’s Local Medical Committees (LMCs) conference this month and the BMA Annual Representative Meeting in June. To help inform debate, medConfidential has written a note laying out medConfidential’s consideration of some of the principles around consent processes. We will of course comment in detail on any specific opt-in proposals that are made.
[1] Extract from letter to Secretary of State, 5th April 2013:

“We strongly urge you to mandate informed consent (i.e. opt in) for any sharing of identifiable data not for a person’s direct medical care. Asking permission to share someone’s private information is the foundation of medical confidentiality…

…If you will not or cannot mandate an opt in approach, the clear precedent and only remaining way to ensure that consent and patient choice is respected is to provide a simple and straightforward opt out – not an “objection” process – and to inform people properly.”