Category Archives: What’s the story?

A digital strategy for the NHS: remember Martha’s Talisman

“Apply the following test. Recall the face of the poorest and the weakest, the most digitally-disengaged patient whom you may have seen, and ask yourself if the step you contemplate is going to be of any use to them? Will they gain anything by it? Will it restore them to a control over their own life and destiny? Will they have the information to make an informed decision?

– with apologies to Gandhi and Martha Lane-Fox

Any strategy for a Digital NHS must account for the furthest first. And, while addressing their needs, must also recognise the circumstances and humanity of all those whom the data is about, via user research. Wanting to help people is not the same as actually helping them – as previous recent NHS strategies have demonstrated.

An effective strategy must be short enough that people can both remember what it is, and hold it in their mind while thinking about the challenge in front of them. A 200-page PDF is not only indigestible, it is undeliverable; our attempt above is at a strategy people could remember.

What follows are guidelines on how not to misapply it.


The handling of medical records must be underpinned by accountability – whether “handling” means digital services used by clinicians, by patients, or for secondary uses. If built on a basis of pervasive transparency on all data flows, flawed decisions can be identified and corrected, and progress made within an environment characterised by evidence rather than promises.

Some strands of the Five Year Forward View are mired in secrecy and political choices, which – while any one decision may work out well (or otherwise) for patients – is an unsustainable basis for long-term effective and efficient delivery of public health and care services at nation-scale.

High quality digital services are built with humility, by learning from the real world, with meaningful involvement in the process by patients and clinicians – and others who also contribute, e.g. researchers, administrators, and commercial providers.

There may well be an extremely narrow case for sharing a patient’s entire clinical treatment history with the NHS.UK website backend in order to personalise the front page of that website on an initial visit, but the harm of doing so without fully-informed choice and consent is far greater than the harm of not having that feature at all. And with every such decision arises the opportunity cost of those things (whether treatment or prevention) that will not subsequently be possible, due to the impact of such flawed priorities, and/or patient fears.

Only the NHS

Only the NHS connects people through their lives from cradle to grave – and can therefore tell people how they contributed to research, even long after the event.

Unlike, for example, shonky ‘public-private’ initiatives, hiding behind the NHS ‘brand name’, set up to profit from a ‘Bonfire of the Faxes’, the NHS proper doesn’t bodge it and scarper, leaving others to clean up its messes. It is the NHS that cleans up the messes created by others; thousands upon thousands of true public servants caring for people under their shared and lived understanding of the Hippocratic Oath: Do No Harm.

In the digital world, there is a Talisman that can direct every significant choice. It will not stop post-rationalisation or self-justification of pre-conceived ideas – that outcome is outwith any strategy, lying as it does in the hearts and minds of the strategists themselves. But if the Talisman helps, and is respected and used as a touchstone across the entire system, then it should stop incorrect ideas before they can go wrong at scale, and also encourage good work to flourish.

For if nothing else, this must be a fundamental goal of any (digital) strategy: to support and encourage positive innovation in care and prevention, while not killing people through ignorance, oversight or ideology.

NHS #1: What’s happening in England? The new legislation

You’ve probably gathered that a lot of reorganisation is going on within the NHS. The most obvious changes and difficulties have been well-reported, but others are passing pretty much unremarked. In particular changes to the way that patient information in England is collected, passed around and processed fundamentally alter the concept of doctor-patient confidentiality. That isn’t hyperbole.

It’s been quite difficult to write the blogs that follow because it’s so interwoven. Please read all of the blog posts in sequence and bear with us if the story loops back on itself or if we haven’t explained something clearly enough.

For the time being we have switched comments off. When we’ve finished our outline of the current state of play, we will put them back on so that you can leave your views, ask questions and tell us if you think we’ve got something wrong – for which we apologise in advance. The situation is changing all the time and all we can do is set out our current understanding of it. Once we have set out the basic framework, we will discuss some of the elements in greater detail and with a wider range of links.

And now to get down to business. The first step is to look at the legislative framework that allows your medical records to be used in surprising new ways.

The Health and Social Care Act 2012, which came into force on April 1st 2013, made some fundamental changes to the structure of the NHS. The ones that are of particular interest here are:

1)    The creation of the ‘NHS Commissioning Board’

2)    The creation of ‘Clinical Commissioning Groups’

3)    New powers that change the ‘Regulation of health care and associated professions’ into the ‘Regulation of health professions, social workers, other care workers etc’ – in other words, the creation of a new over-arching Health and Social Care Service

4)    And finally, the whole of Part 9 of the Act.  This creates another new body: ‘The Health and Social Care Information Centre’. It also sets out various powers and duties relating to the establishment of information systems (e.g. databases) and the central collection and dissemination of health and social care information about every individual in England.

Tomorrow we’ll explain how this new structure actually works.

NHS #2 The new structure

At the top of the new pyramid sits the National Health Service Commissioning Board (NHSCB). This is an arms-length body of the Department of Health responsible for spending the £95.6 billion budget of the NHS. Actually, it has now changed its name to ‘NHS England’ – the reasons for this change are set out in this letter from NHSCB to the Secretary of State – so if you see any reference to NHSCB or NHS England, it should be taken as meaning the same thing.

Primary Care Trusts have been abolished and their staff have been moved across to local authorities and 19 regional Commissioning Support Units (CSUs). Or made redundant. In theory, decisions about the provision of services in your area will now be made by Clinical Commissioning Groups (CCGs). These are local groups made up of representatives of every GP practice in the area, a nurse, a hospital doctor and other healthcare practitioners. In practice, many decisions will still be made centrally by NHS England or one of its 27 Local Area Teams (LATs).

The NHS Information Centre – up until now principally a statistical data warehouse – has been renamed the Health and Social Care Information Centre (HSCIC) that is now to act as a ‘hub’ for data flows inside and out of the NHS.

As the legislation shows, the HSCIC:

  • can be directed by NHS England (or the Secretary of State) ‘…to establish and operate a system for the collection or analysis of information of a description specified in the direction.’  (s254)
  • can require health and social care bodies, and any of their sub-contractors, to provide it ‘with any information which the Centre considers it necessary or expedient for the Centre to have…’ (s259)
  • can request information from anyone else
  • must publish statistical information that does not identify individuals and
  • ‘may disseminate (other than by way of publication), to any such persons and in such form and manner and at such times, as it considers appropriate’ any other information – including identifiable patient information – that it receives (s261)

The National Information Governance Board (NIGB) – the independent statutory body responsible for data handling procedures and practices across the NHS – has been abolished, leaving responsibility for how your confidential information is treated spread across a number of different groups: the Confidentiality Advisory Group (CAG), the Data Access Advisory Group (DAAG) and other Independent Advisory Groups, such as GPES IAG*. You will need more information about how the new structure works in order to understand their functions, so we will deal with them later.

For further reading about the changes, you may find this BMA explanation helpful.
An overview of the current trusts and authorities in the English NHS can be found here.

*@Bigjoe498 adds: The Confidentiality Advisory Group and the Health Research Authority are the only ones that can advise the Secretary of State to grant s251 approval for the release of identifiable data. The Data Access Advisory Group only deals with sensitive data items, which for HES (Hospital Episode Statistics) includes things like consultant code, referrer and census area. DAAG also look at consent forms to make sure they are explicit enough to release identifiable data for those who have consented using each form. The GPES Independent Advisory Group only advises the HSCIC about whether they should allow an extraction of GP data using GPES. The IAG has no standing in law to decide whether or not identifiable data can be shared outside the HSCIC.

NHS #3: General Practice Extraction Service – GPES

The next thing you need to know about at this stage is something called the General Practice Extraction Service or GPES. This is a tool for extracting patient data directly from the records held on GP surgery systems and transferring it to central HSCIC systems.

Sending data from a GP practice to an Information Centre is not new. Information about specific groups of patients – e.g. those with mental health problems – has been submitted in anonymised form for some time. The difference now is that, for the first time, information that identifies you will routinely be extracted from your GP-held records – even if that information was gathered elsewhere.

Details of diagnoses and treatments will be collected together with each patient’s NHS number, date of birth, postcode, gender, ethnicity and other information. It may be processed in regional Data Management Integration Centres (DMICs) or be sent directly to the HSCIC, still in identifiable form, to be processed, stored and disseminated to others.

The data will be made available to researchers in universities and hospitals, but also to private companies – in fact, to anyone who can make a case for access to the data. Although the precise arrangements for charging are not yet entirely clear, the existence of a pricing structure indicates that there will be a charge for this data.

NHS England repeatedly insists that the information will be ‘anonymised’ before release. In reality, the standard they are using requires that they ‘…ensure that, as far as it is reasonably practicable to do so, information published does not identify individuals.’ In other words, they will do their best to ensure that information cannot be re-identified as being about a specific patient, but there can be no guarantee.

It’s also clear that there are times when identifiable data (aka ‘Patient Confidential Data’ or PCD) will be made available – we will come back to that later. The next step here is to discuss what ‘anonymisation’ means and why it is such a misleading term.

NHS #4 ‘Anonymisation’

If you’ve ever played ‘twenty questions’, you will already know how easy it can be to identify an individual from a relatively small amount of information. Each question narrows down the field, and the more unusual the person’s attributes, the easier it becomes to guess who it is.The same principle applies to data. If we say that someone is male, that tells us only that he belongs to a group that represents one half of the population. By adding that he is aged 42 we reduce the size of that group, but we’re still not going to guess his identity.

Such general information isn’t likely to be of much use to researchers either. They are approaching their research from a different angle: they are likely to be investigating the unusual and are therefore looking for certain characteristics in their study subjects. The rarer those characteristics or the more of them in combination, the easier it becomes to identify individuals within the study. Consider, for example, a study examining the prevalence of skin disorders caused by exposure to the sun in red-headed males aged 40-45 who live in Devon and Cornwall.

The more data that can be linked together about an individual, the easier it becomes to find out who they are. Journalists and private investigators already know this – and so do large companies. There is a huge industry around data-matching aimed at identifying those who can be targeted with specific advertising and products.

Removing or obscuring pieces of information that most obviously identify a person doesn’t make data about them ‘anonymous’. And in any case, despite claims it will only ever share ‘anonymised’ data, NHS England has already applied for and been granted permission to pass around patient data in identifiable form. (We’ll explain more about that later)

So does it matter if you can be identified? Your answer might well depend on whether you suffer from a condition, or live in circumstances, that you would prefer to keep as a secret between you and your doctor. It might also depend on whether you are actually asked if you will participate in a research study. Probably most red-headed 42-year-olds would be happy to contribute to research that could conceivably help them, although even then they might want to draw some lines about what exactly is released.

The point is, people generally regard their medical records as private and want to keep control of access to them. They can talk to their doctors about highly sensitive and embarrassing things like sexual health problems, worries about their erratic moods or their alcohol intake precisely because they believe they are talking in confidence. If they are to continue talking to their doctors, they need to know that they will be asked for permission before that confidence is breached.

NHS #5: Consent

The burning question, then, is: ‘will your permission be asked before your medical information is uploaded?’ To which the answer is a straightforward ‘no’. The default position is that the uploads will go ahead unless you do something to stop them.

The original plan was that nobody would have any say about the use of their data. After concerns were expressed by doctors, NHS England agreed that there could be a ‘right to object’. Following our meeting with the health minister Jeremy Hunt, he announced that there would be a right to ‘opt out’ and that the 750,000 patients who had already opted out of the Summary Care Record would automatically have their existing opt-out respected.

On 29th May, NHS England published its guidance to GPs  which makes it clear that existing opt-outs will not be respected. Those who opted out of the previous, more limited upload of their Summary Care Record will now need to opt out all over again.

NHS England is currently in discussions with the Information Commissioner. The Information Commissioner’s Office is obviously concerned that patients should be made aware of the data-upload plans, informed of their ability to opt-out and given sufficient time to exercise it. It should be noted, though, that the ICO’s powers are limited by the way in which the legislation has been framed.

NHS England has prepared posters and leaflets for GPs to display in their surgeries. You may feel that these are short on detail. More informative is the patient leaflet prepared by EMIS one of the main suppliers of GP surgery systems.

Pilots of the system are imminent. They will be taking place in 82 GP surgeries dotted around England. Meanwhile, all GP practices in the north of England have been told to be ready for the full roll-out within the next 8 weeks.

NHS #6: ‘’ is the name of NHS England’s programme to extract information from GP surgery systems and from health and social care providers, and to link it all together. It is a massive undertaking. At the moment we are concentrating on the first stage of this programme – collecting patient data from GPs – but ultimately all health and social care will be drawn into the system. Hospitals have been told to be ready by 2014; social care will join in by 2015. We’ll talk about that later on.

The first request has now been agreed. This is a set of coded instructions that tells each GP system what information should be uploaded. The full specification for the first upload of can be seen in Appendix A (p.22) of this document.

Here’s how it works:

  • NHS England applies to the HSCIC to have the information ( extracted from GP systems.
  • HSCIC puts the application through the ‘customer’ procedure that we will outline in blog #8. It then actions the request and instructs GPES  to go ahead and take the information from each surgery system
  • The collected data is passed on to a regional Data Management and Integration Centre (DMIC) which sends it to a number of places – like a giant traffic-direction system.

For now, we’re going to focus on just one of these traffic flows: the data that goes back to the HSCIC.

The information is stored on the HSCIC system, still in identifiable form – ie with NHS number, date of birth and the other identifying details attached to the diagnoses and treatments. It is used to create regular reports but ‘customers’ can also request linked data. In the words of the HSCIC  this ‘often contains patient level information‘ and ‘When stringent Information Governance controls allow‘ they can ‘provide extracts of linked data sets in an identifiable form’.

Tomorrow we will look at those ‘stringent’ controls in more detail.


NHS #7: ‘Stringent Information Governance Controls’ and Section 251

We have already touched on the issue of ‘anonymisation’, but that isn’t the only problem. Confidential information that identifies an individual can be processed – gathered, stored and passed on – without any consent at all if there is a lawful provision for doing so.

Section 251 of the NHS Act 2006 is just such a provision. It: ‘…was established to enable the common law duty of confidentiality to be overridden to enable disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practicable, having regard to the cost and technology available.’  (Health Research Authority)

To put it simply, if an organisation has been granted a s251 exemption by the Secretary of State, they don’t need to worry about getting patient consent to use identifiable information.

The GPES FAQs say that: ‘Normally, data extracted will be anonymised, however where data that could identify patient is requested, it will only be released where a legal basis for disclosure exists (e.g. explicit patient consent)’ …but another example that hasn’t been given in the FAQs would be where an organisation has that vital s251 exemption.

Although NHS England is the ‘boss’ of HSCIC, insofar as it can direct it to do pretty much what it wants, it is also a ‘customer’ of HSCIC. Because of this, NHS England needs a legal basis for processing and passing on information gathered via the extraction without seeking patients’ consent.  In May, NHS England’s application for s251 exemption (or ‘support’) was approved, initially for six months: ‘The approval has been given subject to conditions until October 2013 at which point NHS England can provide a report for consideration to CAG to identify the requirements for continuing and or amended support.

This means that identifiable data gathered under NHS England’s ‘’ request – the extraction of identifiable patient information from all GP surgery records – can be passed on to a range of bodies without patients’ knowledge or consent.

Tomorrow we’ll look at the process of becoming a customer of HSCIC.

NHS #8: How do you get to be a ‘customer’?

The first step is to complete an application form here BUT, as the HSCIC information tells you‘If you wish to apply for personal confidential data you will need one of the following:

  • The consent of the individuals to whom the data relates. In this case you will need to provide evidence of the consent of the individuals concerned, i.e. the consent form and consent information literature. These will be reviewed by the HSCIC to ensure they are appropriate and, where necessary, approval will be sought from the Data Access Advisory Group (DAAG).
  • Approval under section 251 of the NHS Act 2006  In this case you will need to provide evidence of approval under section 251, i.e. a letter from the Health Research Authority Confidentiality Advisory Group (HRA CAG).Or,
  • The appropriate statutory regulation covering your organisation for the work required. In this case you will need to provide evidence of the statutory regulation concerned. This will be reviewed by the HSCIC to ensure it is appropriate.

…and now it becomes rather Byzantine. We’re reasonably certain this is how it works, but if you think we’re wrong, please explain it to us and we’ll correct it. We are quoting throughout from the descriptions of each group’s function that appear on their official web pages.

If you apply for a ‘bespoke’ set of data, i.e. information that isn’t contained in the regular statistical bulletins, HSCIC forwards your application to its ‘Independent Advisory Group’ (IAG)

‘Acting as an advisory group to the GPES Business Unit, the IAG will consider requests for information from customers that could be collected and provided by GPES and recommend an appropriate course of action to the Information Centre.’

If you are applying for patient confidential data and you have each patient’s consent, or if there are reasons to believe that individual patients can be identified from the apparently ‘anonymised’ information you are requesting, your application will be passed to the Data Access Advisory Group (DAAG) – also hosted within the HSCIC.

‘The Data Access Advisory Group (DAAG) is an independent group hosted by the Health and Social Care Information Centre that considers applications for sensitive data.
This ensures that the use of patient data for research purposes and for improving patient care is done in a controlled environment where the risk of disclosure is minimised.’

If you are relying on s251 ‘support’, i.e. you have an exemption from seeking patients’ consent (see yesterday’s blog #7), or if DAAG believes the information you are seeking might identify individual patients, your application will go to the Confidentiality Advisory Group (CAG) of the Health Research Authority.

‘CAG has been established to provide independent expert advice to the Health Research Authority (for research applications) and the Secretary of State for Health (for non-research applications) on whether applications to access patient information without consent should or should not be approved’

NHS #9: Who gets to see your information?

What this all amounts to is a number of ways in which massively increased amounts of information from your medical record can be accessed by a range of organisations, including private companies.

One stated intention of GPES is to “drive economic growth through the effective use of linked data” [PDF, p6] with which researchers, public bodies and commercial organisations could match records at patient level, based on information they already hold. And NHS England’s chief data officer has revealed plans to reduce the cost of access to the ‘pipeline’ of pseudonymised patient data to just £1!

This on top of the register of customers already approved by the DAAG, including companies like Dr Foster and BUPA, who may pay a fee for direct access to “sensitive or identifiable” patient data.

Under the new arrangements a whole host of new commissioning-related organisations will be also able to access what is now being called personal confidential data (PCD).

While information from your medical record may initially go to HSCIC or one of the regional Data Management Integration Centres, it doesn’t stop there. As we mentioned before, NHS England has been given a Section 251 exemption to pass identifiable – not just anonymised – data on to its Area Teams, to Clinical Commissioning Groups and Commissioning Support Units. This, despite the conclusion of the Caldicott2 report that anonymised data should generally be sufficient for commissioning.

‘Commissioning’ itself covers a wide range of purposes – e.g. monitoring, surveillance and service planning, targeting treatment, even invoice reconciliation – not only expanding the number of people with access at local, regional and national level but creating a market for analysis and consultancy companies to sell services to the commissioners and their support organisations.

This commodification of your medical records means the default is to make them accessible to more and more people less and less directly related to your medical care, constrained not by the professional duty of confidentiality that most patients presume but by data protection compliance or contract terms and conditions.

And, of course, the merging of health and social care means ever more sharing between healthcare providers, social services and education. Following the abolition of the PCTs, local authority Public Health Teams have now taken on regulated public health functions such as the weighing and measuring of schoolchildren and providing some sexual health services, and may use data to target and drive additional discretionary services such as tobacco cessation, obesity initiatives, etc.

While it makes sense to integrate care delivery around those with particular needs, the direction of travel is towards a culture of universal health surveillance and ‘integrated’ records – whether you choose them or not.