medConfidential press releases

[PRESS RELEASE] Partridge Review: Patients need proof to restore confidence

For immediate release – Thursday 19 June 2014

In case you missed it, medConfidential’s initial response to the Partridge review is here: https://medconfidential.org/2014/press-release-patching-hscics-holes-medconfidential-initial-response-to-the-partridge-review/

Detailed analysis of the Partridge Review, published earlier this week [1], reveals a more disturbing picture than has yet been reported. While Sir Nick Partridge’s recommendations are to be welcomed and have been accepted, they have yet to be implemented and – more importantly – evidence must be provided that they are working. Such evidence will be essential to public confidence in the handling of NHS patient data.

The fact is that during a period when ministers and officials have been pushing for a massively increased amount of identifiable patient data to be extracted from the GP records of every man, woman and child in England to the Information Centre under the care.data scheme, serious issues at the Centre itself were either unknown or unresolved.

The largest single data breach in NHS history?

One of the more extraordinary revelations is that in at least two instances – as the list of releases cannot be guaranteed complete – the Information Centre cannot say where it sent patient data. Given that the instance involving the release of HES data was in 2010/11, the year after administration of HES releases was taken in-house, the suggestion that this may have been “an internal Northgate request for data” [6] seems inconsistent with the information provided.

Similarly, no evidence is provided to substantiate the assertion that “no identifiable or potentially identifiable data went missing” [7]. Indeed, the PwC report confirms only that the release in question “was not flagged as containing sensitive or identifiable data”; HES data is commonly provided as pseudonymised patient-level information, i.e. in re-identifiable form [8]. As no information has been provided as to the size of each HES release – which could be a partial extract or a year’s-worth of hospital episodes (tens of millions of dated events) – it is impossible to quantify the number of patients’ records involved.

That “no individual ever complained that their confidentiality had been breached as a result of data being shared or lost by the NHS IC” is beside the point. Up until now no-one knew their data had been lost and it is unlikely that most patients could determine the effects of inappropriate sharing or abuse. In fact there are cases, such as that of Helen Wilkinson [9], which show just how difficult it can be to remove stigmatising errors once propagated by central systems.

It is incorrect to state that no complaints have been made to the Information Commissioner’s Office. medConfidential and others made a complaint regarding the inappropriate and possibly unlawful uploading of 10 years’-worth of HES by PA Consulting (entry 1292 in the spreadsheet of 3,059 releases) to Google’s BigQuery servers [10], and a number of other ‘high profile cases’ are currently under investigation.

Insurers / re-insurers and commercial exploitation

The Secretary of State has repeatedly stated that use of NHS patient data “for commercial insurance or other purely commercial purposes” will be prohibited [11]. While it is to be welcomed that the HSCIC’s Chief Executive has written to three of the re-insurers who hold HES data asking them to delete it, we do not know whether those companies have even replied, much less complied with the request.

Assuming that deletion was part of the contract with the five other insurance companies listed [12], and every other release, it is concerning that the Review does not point to a single instance of an audited deletion of data. Specific mention is made of the suspension of research use, but no such action appears to have been taken in the case of commercial users (or re-users) of NHS patient data, which one can only assume still hold and process data [13].

Systemic failure

It has been claimed that failures were “not systemic”, but the evidence suggests otherwise. The clearest example of this is that when one study within the sample tested – 60 out of 591 MRIS releases – proved not to have the required ONS Legal Gateway approval, investigation of the remaining 90% revealed a further eight instances [2]. Sometimes the Information Centre followed policy and procedure, sometimes it didn’t; that is a systemic failing.

PwC confirms it used a “haphazard sampling” methodology [3] and clearly states there are too many “unknowns” to give “formal assurance or opinion” [4]. Because of failures in record keeping, and in some instances destruction of records, it cannot guarantee the “completeness of the data release list” nor whether the data released “has been used for the intended/stated purpose” [5].

We note that other instances of failure identified within chosen samples did not lead to similar investigations as with MRIS releases, or follow-up action. While we accept that time and resources were limited for this Review, it would be unsafe to conclude anything other than in quite a number of cases – certainly more than are listed in the PwC report, possibly ten times more, given the 10% sample – we simply don’t know what has happened to our data.

Phil Booth, coordinator of medConfidential [14], said:

“We welcome Sir Nick Partridge’s recommendations, but patients need to see the evidence that they’ve been acted on. Public confidence depends on actions, not just words.

“If patients are to trust that procedures and audit are working they must be provided proof of who has their own data, what they are using it for and when it has been deleted. If the systems being constructed for a 21st century NHS cannot provide these answers, they are not fit for purpose.

“Research has been a convenient fig leaf for NHS England when proposing the care.data scheme, but a picture is emerging of commercial companies who get preferential treatment at the head of the queue, while academics patiently languish on waiting lists.”

Notes for editors

1) Partridge Review documents: http://www.hscic.gov.uk/datareview

2) pp36-39, HSCIC Data Release Review PwC Final Report: http://www.hscic.gov.uk/media/14246/HSCIC-Data-Release-Review-PwC-Final-Report/pdf/HSCIC_Data_Release_Review_PwC_Final_Report.pdf

3) p81, HSCIC Data Release Review PwC Final Report: “Haphazard selection, in which the auditor selects the sample without following a structured technique… Haphazard selection is not appropriate when using statistical sampling.” This is not to suggest that such an approach was inappropriate in the time given for the review, more to indicate that conclusions cannot reliably be drawn since it is not a statistically based sampling methodology. Amongst auditors this form of testing is considered of minimal value since there is no assurance findings are representative.

4) p4, HSCIC Data Release Review PwC Final Report: “Given the number of ‘unknowns’ associated with this review due to the time period in question and the availability of historical records/evidence, no formal assurance or opinion have been provided over the findings that may be used by the HSCIC to publish their overall conclusions.”

5) pp4-5, HSCIC Data Release Review PwC Final Report.

6) p7, HSCIC Data Release Review PwC Final Report: “This left 2 data releases where it was not possible to identify the organisation that received the data based on the information retained by the NHS IC. One release related to HES data post April 2009. Further discussion with Northgate has indicated that this could relate to an internal Northgate request for data; however this could not be confirmed.”

7) Paragraph 15, Sir Nick Partridge’s summary of the Review: http://www.hscic.gov.uk/media/14244/Sir-Nick-Partridges-summary-of-the-review/pdf/Sir_Nick_Partridge%27s_summary_of_the_review.pdf

8) For an illustration of the information contained in HES and what can be done with it, see: https://medconfidential.org/2014/commercial-re-use-licences-for-hes-disappearing-webpages/

9) Helen Wilkinson was stigmatised as an alcoholic due to a coding error: http://www.theguardian.com/society/2006/nov/02/health.epublic And as debated in Parliament: http://www.theyworkforyou.com/debates/?id=2005-06-16b.495.0&s=helen+wilkinson#g495.2

10) medConfidential, FIPR & Big Brother Watch complaint re. upload of HES to Google servers: http://medconfidential.org/wp-content/uploads/2014/03/2014-03-13-ICO-PA-FIPR-complaint.pdf

11) As widely reported in February, e.g. the Guardian on 28/2/14: http://www.theguardian.com/society/2014/feb/28/nhs-data-will-not-be-sold-insurance-companies-jeremy-hunt

12) List of insurers and re-insurers who may still be holding HES and SUS data:

  • 143 Actuarial Profession Critical Illness Working Party – HES, 2011/12;
  • 602 FirstAssist – HES, 2012/13;
  • 603 Foresters Friendly Society – HES, 2007/8;
  • 1293 Pacific Life – HES, 2012/13;
  • 1339-42 RGA UK Services Limited – HES, 2009-2013 (Reinsurance Group of America);
  • 1381 Scottish Re – HES, 2008/9 (re-insurer, headquartered in the Cayman Islands);
  • 1517 Scor Global Life UK – HES, 2012/13 (re-insurer);
  • 2676 Milliman – SUS, 2012/13

13) Many of the websites of the commercial companies listed indicate that they are still offering services based on NHS data, e.g. Beacon Consulting, CHKS, Harvey Walsh, NHiS, etc.

14) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

– ends –

[PRESS RELEASE] Patching HSCIC’s holes: medConfidential initial response to the Partridge Review

For immediate release – Tuesday 17 June 2014

The Partridge review of data releases by the NHS Information Centre, published today, indicates systemic failures in the handling of patient information over a period of 8 years. In the 10% sample chosen for closer examination, multiple breaches of proper procedure were discovered, including:

  • improper record-keeping
  • “lack of evidence to support” processes and controls
  • lack of clarity over contractual agreements; confusion over data sharing vs. re-use
  • lack of systematically-applied audit; no audited deletion of data

In at least two instances, HSCIC admits it doesn’t even know who patient data was sent to, or how many years of patient treatment data they sent.

Phil Booth, coordinator of medConfidential [1], said:

“The Information Centre would clearly like to draw a line and move on, and Sir Nick’s recommendations are to be welcomed in that regard, but what about consequences?

“Breaches of several thousand patient records have resulted in massive fines and prosecutions [2]; the serious failings discovered within just the sample chosen will involve millions of people’s medical records. And what about the 9 out of 10 releases that weren’t examined?

Regarding gaps in the information:

“It’s bad enough that patient data was being sold to so many private companies and passed to Government departments. Not being able to say who got their hands on patient data in every instance is astounding. Tim Kelsey’s assertion [3] that there have been ‘no breaches in 25 years’ has been blown out of the water.

As to future action:

“Patients have every right to be appalled at this litany of failures. What this demonstrates is that without end-to-end audit and timely feedback, so patients can know who has their data and what they are doing with it, the system will not be fully trusted.

“HSCIC’s new management says it will set the highest bar for transparency and good practice, but who will oversee them? Good intentions are fine, but an independent watchdog with teeth – such as the government just rejected [4] – would provide public confidence.

“If the government and NHS England want to continue to reassure the public that companies won’t be exploiting their data for profit, then HSCIC must find and close down every last commercial re-use licence.

Notes for editors

1) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

2) List of monetary penalty notices and prosecutions issued by the Information Commissioner’s Office: http://ico.org.uk/enforcement/fines and http://ico.org.uk/enforcement/prosecutions Just yesterday, details emerged of breaches involving 10,000 patients’ records: http://www.bbc.co.uk/news/uk-england-27864798 – by comparison, Hospital Episode Statistics (HES) in any one year amounts to around 100 million patient episodes.

3) On BBC Radio 4’s Today programme, 4/2/14: https://www.lightbluetouchpaper.org/2014/02/04/untrue-claims-by-nhs-it-chief/ which we followed up with a FOI request, which revealed breaches in each year from 2009-2012: https://www.whatdotheyknow.com/request/independent_audits_of_hessus_and#incoming-502600

4) An amendment that would have reinstated independent, overarching information governance for the entire health and care system on a statutory basis – abolished under the Health and Social Care Act – was rejected in the final stages of the Care Bill this May. See medConfidential’s briefing for more detail, including the fact that the ‘McDonald’s clause’ (“the promotion of health”) will still permit commercial exploitation: https://medconfidential.org/wp-content/uploads/2014/05/medConfidential-briefing-for-Care-Bill-ping-pong_07May.pdf

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

– ends –

[PRESS RELEASE] Care Bill: Government rejects statutory ‘Caldicott Guardian for England’

For immediate release – Thursday 8 May 2014

Government rejects statutory ‘Caldicott Guardian for England’

Last night in the House of Lords, Government peers voted to reject an amendment to the Care Bill that would have put independent oversight over the handling of patient information across the entire NHS and care system onto a statutory basis.

Despite assurances that the Government was “sympathetic to the desire to put the Oversight Panel on a statutory basis”, Lord Owen’s amendment [1] was voted down 259 to 165. An amendment by Lord Turnberg that would have limited secondary use of patient data to the provision of care and “biomedical and health research” was similarly defeated.

The Government’s own ‘McDonald’s clause’ – “for the promotion of health” – will continue to permit access by pharmaceutical marketers, information intermediaries such as Harvey Walsh – which boasts of holding over a billion NHS patient hospital records [2] – and other commercial re-use licensees, as probed by the Health Select Committee in April. [3]

Phil Booth, coordinator of medConfidential [4], said:

“Rather than legislating to restore public confidence, the government has opened a loophole a mile wide through which to keep selling NHS patient data.

“It doesn’t matter how ‘sympathetic’ ministers are to public concerns. The fact is the government has ducked the only sort of independent scrutiny that might help convince both patients and professionals to trust or have confidence in what it and its arms-length bodies want to do with the medical records of every man, woman and child in the country.

“Rather than putting in place a statutory Caldicott Guardian for England, with the independence and authority to command real respect and trust, the government are all hiding behind trees. Again.” [5]

Notes for editors

1) Briefing on the care.data amendments: http://medconfidential.org/2014/lords-care-bill/ including links to Lord Owen’s and Lord Turnberg’s amendments.

2) ‘NHS sells a billion patient records’, Sunday Times, 16/3/14: http://www.thesundaytimes.co.uk/sto/news/uk_news/Health/article1388324.ece and the sort of thing pharmaceutical marketers are doing with it, reported in the Guardian, 17/3/14: http://www.theguardian.com/technology/2014/mar/17/online-tool-identify-public-figures-medical-care. Neither Harvey Walsh nor OmegaSolver will be prevented from buying NHS patient data under the Government’s ‘McDonald’s clause’.

3) Oral evidence to Health Select Committee in Handling of NHS patient data inquiry, 8/4/14: http://data.parliament.uk/writtenevidence/WrittenEvidence.svc/EvidenceHtml/8416

Q272 Barbara Keeley MP: For all those 249 organisations with a commercial reuse licence, can we know who all the end users of our data are?

Kingsley Manning, Chair HSCIC: No, because they are using it and putting it into additional services.

While commercial re-use licences remain in operation, even HSCIC admits it can’t know who has access to what patient data, or what it is being used for.

4) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

5) Quote from “Tim Kelsey discovers that care.data is in trouble” YouTube video, 25/2/14: http://www.youtube.com/watch?v=SgrZ9ZlTTIc

For further information or for immediate or future interview, please contact Sam Smith of medConfidential on 07890 210 746 or sam@medconfidential.org

– ends –

[PRESS RELEASE] Care Bill care.data amendment: no public confidence without Caldicott

For immediate release – Tuesday 6 May 2014

Care Bill care.data amendment: no public confidence without Caldicott

An amendment to the Care Bill [1] tabled today by Lord David Owen for ping-pong tomorrow, would, if adopted, put on a statutory footing an independent oversight body led by Dame Fiona Caldicott, the single person with the moral authority required to restore public trust and confidence in the handling of NHS patient information.

NHS England’s flagship new programme, care.data, was put on hold after a series of revelations about mishandling and sale of patient data to insurers and for commercial re-use, back in February. Since then, wider problems have been revealed, including lack of consultation and coordination between the new arms-length bodies, NHS England and HSCIC, and the Department of Health on the use of NHS patients’ medical information for purposes other than their direct care.

The new amendment would put the Independent Information Governance Oversight Panel (IIGOP) that the Secretary of State asked Dame Fiona Caldicott to establish [2] onto a statutory footing, establishing a single independent body with information governance oversight of the entire health and social care system.

Phil Booth, coordinator of medConfidential [3], said:

“The government has not only failed to act on many of the recommendations in Dame Fiona’s review, it is pushing ahead with initiatives like care.data that contradict some of the core principles she laid out.

“Not only this, but in its single-minded pursuit of an unprecedented data grab from patients’ GP records, NHS England has repeatedly ignored or avoided the very Panel set up to provide advice and challenge on these issues.

“Right now, Dame Fiona is the only person with the moral authority to restore public confidence in the handling of NHS patient information. If it truly wants to regain the trust of both patients and professionals, the government will accept this amendment.”

Notes for editors

1) A copy of the amendment is available here: https://medconfidential.org/wp-content/uploads/2014/05/Oversight-Panel-amendment.pdf and associated briefings are available online at: http://medconfidential.org/2014/lords-care-bill/

Some background to the amendment:

  • Attendees included Lord David Owen, Professor Sir Simon Wessely and other prominent doctors including Dr Joanne Bailey (BMA General Practitioners Committee), plus representatives of statistical bodies, health professionals, NHS campaigners, concerned patients and a representative of NHS England.
  • The amendment has wide-ranging support, including the Wellcome Trust, the Association of Medical Research Charities, the Faculty of Public Health and others, and has evolved out of a weeks-long process that demonstrated readiness to engage across the political spectrum.

2) The IIGOP was established at the request of the Secretary of State to oversee the implementation of the recommendations from Dame Fiona’s review, ‘Information: to share or not to share’ (https://www.gov.uk/government/publications/the-information-governance-review, commonly known as Caldicott2) and to “advise, challenge and report on the state of information governance across the health and care system in England”: https://www.gov.uk/government/groups/independent-information-governance-oversight-panel

3) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

– ends –

Addendum to Press Release: HSCIC register “inadequate and patronising”

For context, see our press release, HSCIC’s lack of transparency is not so “innocent” after all, and HSCIC’s follow-up ‘clarification’, Publication of HSCIC register of approved data releases: clarification on points of public interest.

Despite both the Under-Secretary of State for Health, Dr Daniel Poulter, telling Parliament that “a report detailing all data released by the HSCIC from April 2013” would be published and the Chair of HSCIC, Kingsley Manning, saying at the HC2014 conference on 20th March that “we will be publishing the details of all the data releases we have made since we were formed”, HSCIC is trying to limit the scope of its register to just those releases “under agreement” initiated or renewed during the last year.

This is patently ridiculous, as there are organisations and companies to which data has been released during the past year that (a) were not and never will be “under agreement”, e.g. the police, (b) had received data and are still able to use it under an active licence during the past year, e.g. PA Consulting, and (c) continue to receive monthly updates, e.g. of HES data, under licences that may not have been issued or renewed since April 2013 but that are still active.

Without the publication of all active licences and agreements – which should include any ‘Memoranda of Understanding’ – the public simply won’t know who is receiving their information under circumstances (b) or (c). And any reasonable human being would consider (a) to be a release of data, whether it is “under agreement” or not.

Further analysis of the register suggests a number of ‘approved’ releases recorded in other registers seem to be missing as well.

With reference to HSCIC’s ‘clarification’:

Does HSCIC deny that PA Consulting has an active contract for the use of HES until 2015?

No – in fact it confirms it. Again. We accept that the use of data already released under continuing licence may not be ‘a new release’, but for a register that is supposed to be the model for a new era of transparency it is a pretty poor showing to exclude any organisation or company that HSCIC well knows is holding and can process patient data under an active contract.

We understand that Sir Nick Partridge’s report is to be a retrospective audit. The HSCIC register doesn’t show active contracts / agreements or any start or end dates, so how is the public supposed to know who has their information at any point in time?

Does HSCIC deny that it has provided data to the police in the last year?

No – it confirms that it has done so. That it has previously admitted this “in a Freedom of Information request and in statements to the media” makes it no less a release of data than any other during this period. Will HSCIC exclude other releases of data from the register if someone has asked about them in a Freedom of Information request? We sincerely hope not.

That HSCIC seems to be trying to wriggle out of publishing releases made under other laws, such as the Data Protection Act, or indeed any release not made “under agreement” is extremely worrying indeed. And the vagueness of the legal basis given – often nothing more than “Health and Social Care Act 2012”, with no section or clause – suggests an attitude that really hasn’t shifted all that much from the ‘bad old days’… before April 1st 2013.

If they really want to earn the trust of patients, professionals and the public at large, we suggest that HSCIC officials stop making up lame excuses that only add to the suspicion they have something to hide, and publish every release of data – with full details – so that people can know exactly who has their medical data at any point, why and what for.

And rather than quarterly, the register should be updated monthly – as any number of other government bodies who do a far better job of being transparent seem to manage.

If this register represents HSCIC’s answer to revelations of its past misbehaviour, then it is inadequate and dangerously patronising – especially given the trust that it and NHS England are haemorrhaging right now over the care.data scheme.

[PRESS RELEASE] HSCIC’s lack of transparency is not so “innocent” after all

For immediate release – Wednesday 3 April 2014

The Health and Social Care Information Centre’s register of data releases, published at noon today, is incomplete and fails to reveal some of the most potentially embarrassing and damaging releases of patient data.

The register does list dozens of commercial companies that have received patient information in various forms over the past year, but fails to list companies known to be holding significant amounts of patient data under ongoing commercial licences.

For example, PA Consulting was awarded a licence for HES data in 2011 which was extended in 2012 to last until November 2015 [1]. The Information Commissioner’s Office is currently investigating a complaint by medConfidential, the Foundation for Information Policy Research (FIPR) and Big Brother Watch on PA Consulting’s uploading of this data to Google’s BigQuery cloud servers [2] so it is inconceivable that HSCIC is not aware the licence remains active.

Another significant omission is the lack of any Police Forces in the register. A Freedom of Information request revealed that Police Forces routinely request data about patients from HSCIC, and that data has been released in dozens of instances within the last year [3].

Phil Booth, coordinator of medConfidential, [4] said:

“Despite saying it has turned a new leaf, HSCIC is deliberately concealing releases of data that might cause itself, or ministers or other officials, embarrassment or political damage. The Information Centre’s lack of transparency is clearly not as “innocent” as its Chair has claimed. [5]

“HSCIC continues in its ridiculous assertion that pseudonymised data is not sensitive or identifiable when tools its customers have built show you can track individuals visit by visit through hospital – and with information published in press reports, social media posts or the date your child was born make it possible to pick out a named individual and read off their entire record. [6]

“Billions of patient records continue to be sold for commercial use without patients’ knowledge or consent, using as justification the very law that ministers have said provides additional safeguards. How long does HSCIC think it can get away with ignoring Jeremy Hunt’s promise to stamp out the commercial exploitation of NHS patients’ information?”

Notes for editors

1) See http://www.hscic.gov.uk/article/3948/Statement-Use-of-data-by-PA-consulting

2) See http://medconfidential.org/wp-content/uploads/2014/03/2014-03-13-ICO-PA-FIPR-complaint.pdf for medConfidential, FIPR and Big Brother Watch’s complaint to the ICO and http://www.theregister.co.uk/2014/03/04/tripleheaded_nhs_privacy_scare_after_hospital_data_reach_marketers_google/ for a description of what happened.

3) The FOI response states: “The Health & Social Care Information Centre (HSCIC) was formed on the 1 April 2013. Since the HSCIC was formed there have been 472 requests received from British Police Forces for information.” A spreadsheet detailing just 180 of these requests shows that 51 releases were made during the period covered by today’s register, all but 3 of which were made under Section 29(3) of the Data Protection Act – not under warrant or Court Order.

4) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

care.data opt out forms and letters available here: www.medconfidential.org/how-to-opt-out/

5) “Quite rightly however, the public are suspicious that these arrangements are in some way unfairly tipped in favour of the profit makers. This suspicion has been fuelled by our innocent lack of transparency.” Full text of Kingsley Manning’s speech at HC2014 conference – file was (re)moved by HSCIC following this press release. This link is to a copy downloaded by medConfidential on 24/3/14.

6) See http://medconfidential.org/2014/commercial-re-use-licences-for-hes-disappearing-webpages/ for a screen grab and explanation of a tool developed by OmegaSolver – one of the companies listed in the register of releases – for use by pharmaceutical marketers.

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

– ends –

[PRESS RELEASE] Patient groups slam head of MRC for “offensive” slur against patients

For immediate release – Friday 21 March 2014

Patient advocacy groups today called on the head of the Medical Research Council, Professor Sir John Savill, to publicly apologise for characterising people who have legitimate concerns about NHS England’s controversial care.data scheme as “consent fetishists”.[1]

Research is just one of several proposed ‘uses’ of patient data – which will by default be extracted in identifiable form from the GP records of every man, woman and child in England this autumn – but patients will be given no option to decide how their information will be used, e.g. you wouldn’t be able to choose for your medical data to be used in research, but not be sold to third parties. The only choice patients will be given to protect their and their family’s medical confidentiality is to opt out.

The care.data scheme conflates research with other ‘secondary uses’ such as commissioning, audit or sale to third parties outside the NHS. Despite research being one of the most common benefits claimed for the scheme, research was not a top priority when NHS England first applied to extract data from GP records and in fact care.data has not yet received approval for research use of patients’ medical information.[2]

Phil Booth, coordinator of medConfidential,[3] said:

“Sir John Savill owes an apology to every patient in the country. His arrogant and offensive remark pooh-poohs the legitimate and serious concerns many people have about this toxic scheme.

“care.data is not just about research. In cheerleading for a scheme the breadth of which he seems not to grasp, and with echoes of the GM debacle,[4] Sir John is putting the MRC’s own particular interests over the right of every NHS patient to expect that their doctor will keep their most intimate and sensitive secrets.”

Roger Goss, co-director of Patient Concern, [5] said:

“We support good medical research involving use of identifiable medical records but only with patients’ properly informed explicit consent. This is common sense – not fetishism. Plenty of people have overwhelmingly good reasons for prioritising their privacy.”

Notes for editors

1) See, e.g. http://www.thetimes.co.uk/tto/health/news/article4040095.ece and http://www.hsj.co.uk/news/mrc-head-brands-caredata-naysayers-consent-fetishists/5069163.article#.Uywru4Xvvcg

2) See pp5-8 of GPES Independent Advisory Group minutes for 12/9/13: http://www.hscic.gov.uk/media/12911/GPES-IAG-Minutes-for-12-September-2013/pdf/GPES_IAG_Minutes_12.09.13.pdf – these relate to the ‘care.data Addendum’, in which NHS England proposed that requests for patient data by all organisations, not just researchers, be considered: http://www.hscic.gov.uk/article/3525/Caredata

3) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

care.data opt out forms and letters available here: www.medconfidential.org/how-to-opt-out/

4) See last paragraph of Nuffield Council on Bioethics blog, 21/3/14: http://blog.nuffieldbioethics.org/?p=1059

5) Patient Concern has campaigned for patient choice and patient empowerment since 1999.

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org or Roger Goss, co-director of Patient Concern, on 01903 785 776 or 07946 644 110.

– ends –

PRESS RELEASE: Information Commissioner inactive on medical privacy

For immediate release – Monday 3 March 2014

Today, in the same building as the NHS Expo in Manchester, the Information Commissioner, Christopher Graham, is expected to continue to ignore the many breaches of Data Protection law emerging from the NHS Health and Social Care Information Centre (HSCIC). With NHS England claiming that the Data Protection Act will fully protect patients, the DPA’s public guardian is ignoring the tannoy calling him to emergencies.

Full hospital histories – with only some of the most identifying pieces of information swapped with nicknames or pseudonyms – have been sold to and shared with insurers [1] and pharmaceutical company marketers [2] for purposes including social media marketing [3]. There is a clear intention to begin sharing this and other patient data with countries outside the EEA, such as the US [4].

The HSCIC uses the fig leaf of the Information Commissioner’s ‘Anonymisation Code of Practice’ [5] as the only protection for a mandatory, full population dataset [6]; an error the ICO says could cause a “very high” degree of “embarrassment or anxiety”.

medConfidential [7] today called on the Information Commissioner to clarify that his ‘Anonymisation Code of Practice’ cannot apply to patient-level medical records of an entire population.

Phil Booth, coordinator of medConfidential, said:

“47 million people don’t have a clue that their hospital history has been used to target ads on Twitter and Facebook. We have an Information Commissioner struggling with Microsoft Encarta in a Wikipedia world.

“With population scale health data, techniques suggested in the ICO’s Code of Practice would include changing the type of disease that you were diagnosed with, which would obviously make the data meaningless.

“The ICO closed a public consultation on updating the Code in light of how it was being used since it was published last year. We call on the Information Commissioner to reopen the consultation, to give the public a chance to comment now people are beginning to get the picture of how their data has been used.”

Notes for editors

1) See, e.g. ‘Hospital records of all NHS patients sold to insurers’, Telegraph, 23/2/14: http://www.telegraph.co.uk/health/healthnews/10656893/Hospital-records-of-all-NHS-patients-sold-to-insurers.html

2) See http://www.beaconconsulting.co.uk/ which says:

“Because we hold a large set of historic HES data, Beacon is able to:

– Rapidly check patient numbers so clients can assess project feasibility;
– Start data extraction and analysis as soon as a project’s scope is agreed

We have worked with marketers, market researchers, business intelligence professionals, new product planners and market access teams at many leading pharmaceutical companies across a broad range of therapy areas.”

3) See http://www.beacon-dodsworth.co.uk/site/data/hospital-episode-statistics for a description of how HES data may be used by pharmaceutical companies “to improve [their] social marketing / media awareness campaigns”

4) See Professor Ross Anderson’s letter to the Health Select Committee, following up on misleading statements by NHS England and HSCIC to the Committee in last week’s evidence session: http://www.cl.cam.ac.uk/~rja14/Papers/dorrell-caredata.pdf

5) The ICO’s Anonymisation Code of Practice states: “although there may be no obvious motivation for trying to identify the individual that a particular patient ‘episode’ relates to, the degree of embarrassment or anxiety that re-identification could cause could be very high. Therefore, the anonymisation techniques used to protect data should reflect this.” – http://ico.org.uk/for_organisations/data_protection/topic_guides/anonymisation

6) Hospital Episode Statistics (HES) http://www.hscic.gov.uk/hes are derived from a mandatory monthly collection of identifiable patient-level data from all NHS hospitals, by something called the Secondary Uses Service (SUS) http://www.hscic.gov.uk/sus

7) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals. Opt out forms and letters available here: www.medconfidential.org/how-to-opt-out/

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

Fleur Fisher, former Head of Ethics for the BMA and member of medConfidential’s Board of Trustees, will be at the ICO conference and available for comment in Manchester today.

– ends –

PRESS RELEASE: What will the raft of new care.data legislation actually achieve?

For immediate release – Saturday 1st March 2014

Responding to the announcement that the Secretary of State for Health is to legislate on the care.data scheme [1] in an attempt to appease some of the concerns that have been raised about it, Phil Booth, coordinator of medConfidential [2], said:

“medConfidential is glad to see the Secretary of State is taking the care.data debacle seriously. We’ll be watching closely to see if the small print of these legislative measures matches up to the headlines. At this point patient trust really won’t bear any more spin.”

On the statement that NHS data will only be released to organisations which have abided by data protection rules, Phil Booth said:

“A ‘one strike and you’re out’ approach to the abuse and misuse of patient data, if rigorously enforced, could be a game-changer. The fines that the courts and the Information Commissioner can hand out are peanuts in comparison to the turnover of some of the companies that will still be getting access to patient data.”

On the statement that respecting patient opt-outs will be made a statutory requirement, Phil Booth said:

“Jeremy Hunt is absolutely right to put patient opt-outs on a statutory footing, especially after some of the shenanigans that NHS England has tried to pull [3]. But every patient needs to be written to in person about their right to opt out – and be given the form and other easy ways of exercising it, this time.”

On other measures, Phil Booth said:

“We are less convinced by claims that legislation will prevent patient-level data being released when there is “not a clear health or care benefit for people”. The whole care.data scheme is engineered to pass around data for ‘secondary purposes’, not for direct care. We don’t believe it is helpful for the government to continue to conflate the future benefits of research use with things like the administrative and monitoring purposes of commissioning.”

“Putting the Confidentiality Advisory Group on a statutory footing may be a step in the right direction, but only if its remit is expanded to cover every release of patient-level data. Otherwise, the Information Centre that we now know has been selling patient data for years could still be open for business without effective, independent oversight and transparency [4].”

“Legislating for protections that are already in place, such as requiring “ethical reasons” from researchers who are already bound by strong professional ethical codes, or binding the scheme to ‘anonymisation’ practices that aren’t even as tough as the highest standards used elsewhere in government feels a bit like window dressing. More meaningful would be a move to put the powers that have permitted NHS England to cause this mess back under full, democratic scrutiny.”

Notes for editors

1) See, e.g. http://www.telegraph.co.uk/health/10669295/NHS-legally-barred-from-selling-patient-data-for-commercial-use.html

2) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals. Opt out forms and letters available here: www.medconfidential.org/how-to-opt-out/

3) See http://medconfidential.org/2014/opt-out-fixed-for-now/ for an explanation of how the opt-out – which could potentially have been meaningless – had to be fixed over the last fortnight.

4) The Confidentiality Advisory Group (CAG) deals with requests for the use of patient-identifiable data without consent, using what is known as Regulation 5 or Section 251 support. The decision to release sensitive patient-level ‘pseudonymised’ data has been the job of the 4 person, non-independent Data Access Advisory Group (DAAG) at HSCIC. Patient-level data that HSCIC classes as ‘non-sensitive’ – a term many patients may dispute – has in the past been released without submission to any sort of oversight body, and such releases have not been published or reported. This would include the data sold to actuarial companies, as reported in http://www.telegraph.co.uk/health/healthnews/10656893/Hospital-records-of-all-NHS-patients-sold-to-insurers.html

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

– ends –

PRESS RELEASE: medConfidential responds to announcement of a 6 month delay to care.data uploads

For immediate release – Tuesday, 18 February 2014

In response to the announcement by Tim Kelsey that NHS England will be postponing the uploading of confidential patient data under the care.data scheme for 6 months [1], Phil Booth, coordinator of medConfidential [2] said:

“Finally, officials at NHS England have seen reason. To upload millions of patients’ confidential data without providing full and proper information or seeking consent would have been the largest breach of confidence in NHS history.

“It still could be, if NHS England does not now write to each patient in England individually by name, explaining the risks it has acknowledged as well as the claimed benefits. And this time they’d better not forget to include an opt out form.

“This delay will mean nothing if the care.data programme is not overhauled to provide patients with a clear and constantly updated picture of exactly who will have access to their data, why and what for. The entire scheme could do with a radical dose of transparency.”

– ends –

Notes for editors

1) See, e.g. http://www.bbc.co.uk/news/health-26239532

2) medConfidential campaigns for confidentiality and consent in health and social care. Our goal is to see that every flow of data into, within and out of the NHS is consensual, safe and transparent. Founded in January 2013 in response to the imminent and serious threat posed by radical changes in the way patient health information is to be collected and passed on, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals. Opt out forms and letters available here: www.medconfidential.org/how-to-opt-out/

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org