Despite the name, this consultation has nothing to do with care.data, but has to do with commissioning, care and data, which was allegedly the point of care.data. Yet another example of, when a major problem is confused and fundamentally flawed, those flaws get copied into random other places because of the confusion that assumes that the people running care.data were competent.

Oops.

The DH consultation itself was relatively confusing, and our response was constituted in 5 parts, 2 of which had been published before. We’ve also recently created two supplementary submissions, in response to specific discussions with DH on topics where it wasn’t entirely clear that what academia and we ourselves meant by a term, is what DH considered it to mean. Longitudinal studies form an important part of research, but you can’t just leave some data lying around a safe setting and plead that it’s a longitudinal study.

Special pleading for your medical records

The Nuffield Trust’s submission says: “We strongly support the recognition that appropriately pseudonymised data used for research, service evaluation and other approved purposes are not ‘personal data’ within the meaning of the Data Protection Act.”

It is “recognitions” like that, that led to the debacle of HES being used for purposes that the public disagreed with. We’re not sure that grabbing data at any point and pretending that individual level data is not identifiable is likely to increase public confidence.

Other organisations who don’t gain direct benefit from special pleading, such as the Royal Statistical Society and British Computer Society have made somewhat more balanced submissions.

The BCS submission makes an interesting point, that should any non-public entities to have the ability to become an ASH, or any form of safe setting, BCS would expect them to explicitly agree to the same level of audit that the public sector has: no notice inspections.

Our submission documents, in order for sequential reading:

• Overview
• A substantive proposal for safe settings
• Implementing a safe setting (HRRDL) – ASH version
• Getting to safe settings from the status quo
• Response to the consultation
• Supplementary 1 – Longitudinal Studies
• Supplementary 2 – The Farr Institutes

In recent weeks, we have been asking why NHS England has refused to say whether they have written to all CCGs regarding becoming a care.data pathfinder. We still have no answer.

medConfidential has now written to all CCGs (and their corresponding Healthwatch organisations), raising “a number of issues” beyond just care.data, “which may significantly affect patients and healthcare providers within your Clinical Commissioning Group in coming months. Issues raised include:

• care.data pathfinders
• Storage of patient objections
• Respecting patient dissent
• Coerced ‘consent’

A copy of the letter is available here (footnote listing known research databases now updated, with links).

We look forward to working with CCGs as they consider the questions raised and implications for their CCG and GPs.

Question: Did NHS England contact CCGs inviting them to become care.data pathfinders?

It seems all of the NHS England press office are relaxing under a tree, as they wont answer that question. In two other care.data articles also published yesterday, Pulse reports the ICO’s view that responsiblities are “good customer service” and that doctors are getting closer to opting their patients out.

A quote from a GP in that last article says, “opt outs in her surgery currently stood at 20%”, which is a significant amount of the population in that area, when at best only 50% will likely have heard of it. Tim Kelsey may argue “there is no percentage at which this becomes useful or not”, yet the statisticians may begin to have views as more figures are revealed. We’ve previously posted some thoughts on how NHS England can choose to empower GPs and also allow consensual research. Maybe NHS England can read that on their holidays, while figuring out how to be very clear and transparent with everyone on what they’re doing. Secrecy and confusion benefits no one.

The current level of confusion is highlighted by one GP who says patients initially think it a “good idea if the emergency doctors knew about their medical conditions.”. That of course, is unrelated to of care.data, which has no direct care applications at all, but a feature of an entirely different scheme, with a different set of problems and consent questions, the Summary Care Record (as it was known before being rebranded due to it being “toxic”). We can see why even GPs get confused though.

As NHS England recommunicates with GPs, hopefully they wont continue to cross-sell the benefits of other programmes as benefits of care.data. NHS England have no excuse for confusion remaining, as they near the end of the 6 month pause that was supposedly to solve all the problems

Consultations

As everyone’s on holiday, there are a number of open consultations at the moment that may be of interest:

1. Department of Health on Accredited Safe Havens. We’ve posted our outline replacement proposal here before, and will post a fuller submission when it’s completed. Deadline, this Friday
2. HSCIC Confidentiality Code of Practice. The long awaited HSCIC Confidentiality Code of Practice is out for consultation. Deadline: Next week
3. And a new one, which isn’t so much of a formal consultation as asking a bunch of people who have shown some interest, is on the new HSCIC contracts and agreements for data sharing, including rules for sub-licensing. We’ll have quite a lot of questions about these. If you yourself have any comments on either the drafts or documents, the HSCIC would like to receive your comments by August 29th, marked FAO Simon Gray via <enquiries@hscic.gov.uk>.

Job hunting?

The Department of Health is recruiting 3 lay members, at a day a month, for the “National Information Board”, which was set up in January to try and fix the trainwreck that DH saw coming. This is an important panel with oversight of both DH and NHS England’s overlapping remits and strategies.

[this para added later]: The academicly funded “Administrative Data Research network” is looking for a member of the public willing to give over a day a month, for free, reviewing their applications. The commitment includes relevant reading time, plus a video conference a month, with 4 in person meetings a year. Details now appear here (their website was broken, so here’s the word document they mailed to their existing lists).

NHS England is also trying to hire someone to be Senior Responsible Owner for Care.data, having failed to find an internal candidate — we can’t imagine why. If you’re interested, we put together a list of questions that you may wish to ask at inteview. Apparently the risk that they may have to answer them in a binding way has caused some furrowed brows, as an interview board misleading candidates is considered bad form.

I can’t imagine why.

NHS England are hiring for a new Senior Responsible Owner for Care.Data, having  internally failed to find someone willing to be responsible for fixing the mess.

The Senior Responsible Owner is the individual who must sign off on major decisions, and is responsible for project delivery. Heretofore, Tim Kelsey has been in the role, and we can see why he would like to pass responsibility onto others. Whether he’ll remain pulling the strings behind the scenes, is a different matter. It wouldn’t be the first time that Tim has looked for a human shield for his programme, having tried to persuade Geraint Lewis and more junior staff as a press buffer.

Hopefully a new external owner will accept the state of the mess they inherit, and as that new entrant, they may wish to ask some questions at interview:

1. If individually addressed letters to each patient are sent, will this be financially and politically supported by NHS England?
2. Are forward looking statements re free text true? How will the public position change over the course of my responsibility?
3. Are forward looking statements re DNA true? How will the public position change over the course of my responsibility?
4. What will happen to CPRD, and other research supporting datasets?
5. What is the state of the implementation of the more sensitive parts of the IGAR review?
6. What was the process that led to the BMA rejecting these proposals so emphatically? What concessions have NHS England offered to meet those concerns? Why do NHS England believe they failed?
7. care.data has had many benefits claimed for research, ie beyond the commissioning for which it is currently permitted. What is the current roadmap for consent for those? If they are so vital, why were they dropped in the first instance?

We would hope that any successful applicant understands why people would choose to opt out, and would not demonise them for that choice, nor consider them a “consent fetishist”. We do not believe that the personal choice of any candidate to opt-in or opt-out is relevant to their suitability for the role, but they must be able to demonstrate a human understanding of the range of reasons that an individual may make a different choice to theirs. We hope the interview panel will ensure this is the case.

We look forward to working with the successful applicant for the role when they take office. If you’re interested in applying, details are here, and feel free to ask the the above questions. If you get the job, we’ll be asking you for the answers.

Yesterday, medConfidential and others attended the HSCIC’s “Driving Positive Change” event, to briefly look back at the Partridge Review, and forward to future work of the HSCIC. The two major topics were communications of various types, and the proposed HSCIC “safe setting” where bona fide research could be conducted on data (currently subject to opt-out). Both of these things are welcome areas, and we seek to be closely involved in what happens next with the first public steps in the next week or so.

The Department for Health is running a consultation on “Accredited Safe Havens” for commissioning purposes, or, as they call it slightly less clearly, “Protecting personal health and care data”. The consultation gives NHS England companionship in terms of public engagement quality, and has led to a great number of puzzled looks by area experts. I’m currently attending a variety of meetings with a variety of organisations, and not only is no one really sure what the answers could be, few people agree on what the questions are intending to ask. This seems less than ideal.

Yet, as we are now in week 5 of a 7 week consultation, and no one really has a solid articulation of what the Department of Health are trying to do, I’ve put together this draft of a substantive paper on a way forward: “HRRDL’s for commissioning”. It’s based on previous work which has been adopted by HSCIC but after DH began their consultation drafting, which was as care.data was imploding around NHS England. If you think that the consultation as drafted takes no account of HSCIC’s progress since February, that’s because it mostly doesn’t. Comments by email are very welcome.

What is a safe setting? A safe setting is a physical venue where (usually remote) data can be accessed under tightly controlled and audited conditions. Restrictions are placed on who and what enters the room, what they do when in there, and what they can take out. This allows for research to be conducted on individual level records which have minimal protections (which, for health data, has other problems). They were previously discussed for legitimate research, along existing models. This paper takes the proposal further. We fully expect, and have no reason to disbelieve, that the optout codes for care data (and beyond) would be fully honoured. We intend that this proposal is fully compatible with the consent mechanisms that are in place, and that should be in place, and does not deny screening to those who have opted out of secondary uses. A safe setting can also restrict which individuals can see which data, which has implications for a granular approach to parity-of-esteem questions.

I don’t think that this is currently a final proposal so can evolve, (it’s dated so you can tell, and we’ll put a note here: when we do), and some may need more explanation, but if you’re interested in how we think commissioning data for invoice reconciliation and risk stratification (neither of which are direct care, so all come under the opt out process) could work in a way that is safe, consensual and transparent, I’d like to hear your comments below or to sam@medConfidential.org

Please note that making comments to us is not the same as responding to DH itself, which you can do online. 

The Health and Social Care Information Centre has produced its latest data release register, following the Partridge Review. Two lines and one whole section jump out.

Experian, which most people know as a credit reference agency, sell a product called Mosaic; a database which subdivides your and every other neighbourhood in the country into a variety of categories, which are then used for all sorts of purposes – from selling you burgers to insuring your house or car.

We don’t yet know when, but sometime this year HSCIC approved the sale of 3 datasets of hospital episodes (inpatient, outpatient and A&E) to Experian, to help it produce Mosaic “postal sector level” profiles. In the data released, individuals’ diagnoses are linked, via pseudonyms, across events and the various data sets used.

The stated purpose of Mosaic is commercial. Mosaic is used by marketing firms to target people such as “Vulnerable young parents needing substantial state support” (category O69) and  “Childless new owner occupiers in cramped new homes” (H35). Experian, as elsewhere, may offer a figleaf of fragments for researchers to give a fake appearance of legitimacy but we’re not fooled. Whatever the spin, this is commercial exploitation of NHS patients’ data.

We shall have to wait and see how HSCIC will interpret the new rules in the Care Act, which this particular release may predate. Will such uses by Experian and commercial marketers be classified as “promotion of health”? Public trust hangs in the balance.

Despite ongoing concern about selling data to insurers, we see that “General Reinsurance” also appears in the list – requesting a customised extract of inpatient data for the whole country in aggregated form. If properly aggregated as statistics, such as the ones HSCIC routinely produces and releases as open data, then we would expect to see this published as open data as well, but we’ve not found it yet.

If these are genuine statistics, then publishing them shouldn’t be a problem. Selling custom extracts, however, puts HSCIC in the position of providing data for private commercial advantage rather than for the benefit of all. Given the huge sensitivities around use by insurers, we have suggested this is not such a good idea.

(For the 6 studies mentioned which involve DNA and/or genomic data, we’re working with our friends at GeneWatch UK to examine what is already public knowledge, and where further information must be requested.)

Though still lacking in detail – no mention of dates, nor links to official approvals or audited deletions – at least this release of the register shows that HSCIC is trying to be more transparent in its actions. C+ for effort, but let’s see fewer omissions next time.

‘National Back Office’

After repeated denials about police access, one of the big surprises in the Partridge Review was the discovery of a whole department dealing with ‘trace requests’ from law enforcement agencies and the courts. Such requests, if approved, attempt to track down individuals using the national electronic database of NHS patient demographic details.

The latest register shows there was a large spike in requests from the Home Office in 2013. It’s not clear if the UK Border Agency’s absorption into the Home Office explains some or all of this increase, nor if other subsidiary agencies of the Home Office make requests. Police requests are recorded separately – and are broken down in a bit more detail in the press release – but we do wonder which other agencies are using section 29(3) of the Data Protection Act.

Given the number of bodies and agencies working out of Smedley Hydro, these relationships cannot afford to be murky – absolute clarity is required.

Crashing consultations in the ‘IG universe’?

Also in the last week we’ve seen a new consultation from the Department for Health on, amongst other things, “Accredited Safe Havens” (ASHs) for commissioning.

Individual-level patient data is already being passed around for purposes such as invoice reconciliation, using what was supposed to be ‘emergency’ Section 251 support. This consultation is about doing it slightly less badly. Though clearly desperate to avoid the contamination of any association with the toxic care.data scheme, DH appears to be saying that patient-level data gathered under care.data could be passed around Accredited Safe Havens.

Uh oh.

One thing that had begun to generate confidence was HSCIC’s statement that, under care.data, the only place to which any data extracted from GP systems would go was into a safe setting – what medConfidential calls a Health Research Remote Data Laboratory. (We think ‘HRRDL’ sounds better than ‘fume cupboard’.) This was good news, and a necessary step for public confidence in any extraction of their identifiable data.

But despite HSCIC having said this in public statements and directly to Parliament’s Health Select Committee, the Department of Health clearly hasn’t thought through the implications for this consultation, which is on the flows of data for commissioning – the sole use of care.data for which NHS England has at this point received approval.

This isn’t necessarily a complete contradiction, as patient data will be collected from providers other than GPs and be passed around in other ways – but one might hope that DH would have thought through the implication of its own arms length body’s commitments, rather than taking NHS England’s steamroller approach to governance and schedules.

Another notable feature of the DH consultation is the way it contradicts assumptions made in an NHS England consultation on “Priority Issues in Information Governance“, which opened in February 2014 and should have closed at the end of April. As with much of NHS England’s Information Governance, its ‘Priority Issues’ consultation is an ill-considered mess: surely NHS England has shifted its world view since early February? Given all that has come to light, why has the consultation not been withdrawn or re-issued?

So, other than statements by HSCIC, we’re seeing scant evidence that lessons have been learnt.
HSCIC proposes to limit the number of copies of the nation’s medical records that it hands out for various purposes. This is both welcome and achievable, but it requires both DH and NHS England to accept that business as usual is no longer an option.

medConfidential is deeply concerned at the growing use of enforced Subject Access Requests by insurance companies to acquire cut-price back-door copies of an applicant’s entire medical record, while at the same time we are seeing pharmaceutical companies deny researchers access to individual-level detail on clinical trial results for which volunteers’ explicit consent should have been freely granted.

It seems that in both cases companies are taking a position based on corporate self-interest rather than the patient’s or public interest. They are ‘gaming’ consent. Information cannot be both ‘nothing to worry about’ when companies want it to make decisions about you, yet ‘too sensitive to reveal’ when it exposes them and their decisions to scrutiny; mandatory on the one hand, prohibited on the other.

Only last week, the European Medical Agency modified its plans to allow researchers to print and copy clinical trial reports – information necessary for safe, independent evaluations of whether drugs work the way the companies selling them say they do. Meanwhile insurers continue to push patients into handing over their entire medical history via Subject Access Requests. Of course a SAR also gives the insurer far more information than they would receive from a properly paid-for GP report, which they will then keep for later use.

Forms we’ve seen include wording like, “You do not need to give your permission, but if you do not, we will not be able to proceed with your application”and“This will give us permission to obtain a full copy of your health records from your doctor so we can assess your application or any future claims” (our emphasis). The language is often understated and companies adopt different ‘nudge’ approaches, e.g. providing applicants with a SAR-only consent form but making them specifically request a GP report form.

We’re hoping you can help build an evidence base, providing a wider range of examples to demonstrate the systematic nature of these problems.

We don’t want your personal information! But if you have a copy of a clinical trial medical record release consent form (from 2010 onwards) or if you have been given a Subject Access Request consent form so an insurer can get records from your GP (again, from any time after 2010) please could you scan or e-mail a digital copy to forms@medconfidential.org?

If all you have is a filled-in copy of your form, please remove or black out all of your personal details before you send anything. If you’re not sure how to do this, or if you have any other questions, please email forms@medconfidential.org – our apologies if it takes us a few days to get back to you, we are busy fighting on a number of fronts at present.

What we are after is the wording of the forms themselves, such as the lines we quoted above. It is these we intend to share with other organisations; language about data re-use will likely be of interest to colleagues on the allTrials.net team and we’re sure the Information Commissioner will pay close attention to the varied forms of coercion used around Subject Access Requests.

If you don’t have a form, you can still help by tweeting or passing on a link to this article. The more examples we can gather, the stronger the case.