Alongside pizza flyers and estate agent adverts, you may have received a leaflet on Care.data.
This April, GP surgeries were going to upload data from GP records onto a national HSCIC database – unless you opted out. The leaflet had no opt-out form or Freepost return address.
If you don’t opt out, medical data, including prescriptions and your conditions, will leave the surgery and go to HSCIC. HSCIC then centrally pseudo-anonymises it – removing your name. Your birthdate and postcode stay.
HSCIC’s own risk assessment warns patients could be identified if the pseudo-anonymised data was joined up with other easily-available data. And centrally kept data, whether by HSCIC or other organizations, would be attractive to hackers. We already know the NHS has had two million data loss incidents.
Facing concerns from the Royal College of GPs, BMA and Healthwatch, NHS England have delayed the roll-out until autumn.
I don’t dispute this database will be useful for medical research. It’ll help manage NHS resources. But it’s the spirit of assuming consent that’s worrying.
As a doctor, I know how important patient autonomy is.
“No decision about me without me.”
So it was worrying to hear Prof Claire Gerada, NHS Clinical Chair for Primary Care Transformation, tell The Times, “Part of the compact to get a universal, free health service is to allow data to be used to monitor diseases, plan services and look at trends in new and old illnesses. The risk of a breach is minimal.”
We should convince individuals, not resort to paternalism. Surely it’s for patients to decide if the risks are worth it for their own data, not a central organization to assume it. Worryingly, a Nature editorial suggested the initial plan was not “to allow individuals to opt out”.
Often, patients ask me “will this stay between us?” before disclosing something they consider extremely private. What they say can be vital for their treatment.
What matters is they trust me enough to tell me. It could be about mental health, a certain type of cancer or history of abuse – whatever’s sensitive for them. If there’s doubt in their mind on privacy, they’ll stay silent.
So what can we do? At Spring Conference there’ll be a Public Services Consultation.
The consultation paper says Lib Dems generally believe “any information held by a public service about them, such as […] their medical notes, should normally be their own property, not that of the service”. It asks whether it’s better for users to “directly control” their own data and how this can be reconciled with the power of data to improve services.
Central organizations shouldn’t act as though they own our data just because we use public services.
We must keep consent central when changing how we use people’s medical data. A principle of individual opt-in for changes to how GP data is kept or used shows we take people’s views about their information seriously.
Once lost, trust is hard to regain.
So please make your views known at the consultation.
* Dr Mohsin Khan is the Chair of Lib Dem Campaign for Race Equality. He is also a directly elected member of Federal Policy Committee
23 Comments
Mohsin, have you read Ben Goldacre’s article in the Guardian on Saturday (http://www.theguardian.com/society/2014/feb/21/nhs-plan-share-medical-data-save-lives)? Similar data from Acute Trusts (Hospitals) have been in operation for some time with no known leaks.
‘Sharing data saves lives’ sounds awfully like ‘if you have nothing to hide, you have nothing to fear.’
I wonder if anyone read the article in yesterday’s Telegraph to the effect that all NHS hospital patient data over the last decade has been sold to private insurers.
It really is beginning to look like the only way to guarantee patient privacy is a return to paper, and a ditching of IT altogether. Until somebody grasps that simple point we are all doomed to live in The Truman Show.
It strikes me that most legitimate uses for exported data (including the example given by Ben Goldacre) could be done faster, more cheaply and with greater credibility using a set of standard queries on the HSCIC itself. Third parties would then only get access to genuinely anonymous statistical results unless they could prove an extraordinary need to access data in a more direct form in which case they would receive only required fields (which would hardly ever include postcodes)
“We already know the NHS has had two million data loss incidents.”
Reading around the relevant sentence in the Computing article suggests that it’s two million records lost rather than so many individual incidents. It also doesn’t claim any particular level of actual harm.
If the system depends on people opting in then it will have a very small data set which is not much use, and yet the opt-out system does make me a little uncomfortable.
Offering organisations access to the data should be on the basis of strict vetting, registration of each research project (and its results) and recording of each search performed. It should only be via an HSCIC portal; nobody should “get the data” as such. It is obviously possible that pseudonymised data could be used to get information on specific individuals, but that is only a problem if access is given to people who are motivated to do so.
Overall security concerns are the same as for any big data project and require money and careful design.
The fact that ATOS is involved in the existing project is not likely to improve people’s opinion of the proposal.
And the Telegraph article referred to above blows another hole in the already patchy assurances.
http://www.telegraph.co.uk/health/healthnews/10656893/Hospital-records-of-all-NHS-patients-sold-to-insurers.html
Tsar Nicholas, sharing data allows drug companies to develop better, cheaper treatments which benefits them, and it benefits us, and it benefits the NHS by lowering costs.
Paper based patient privacy, unfortunately, means higher research costs, fewer drugs and thus higher costs.
The questions we should be debating relate to informed consent, anonymisation of data and sanctions for breaches of data security.
http://www.computing.co.uk/ctg/news/2327824/when-is-an-opt-out-not-an-opt-out-when-its-a-caredata-opt-out
“all patients’ clinical data will be uploaded as a single record, with only name, date of birth and postcode removed…The non-opt-out is required because care.data will also be used to pay bonuses to GPs for hitting central government healthcare targets.”
In other words, even if you opt out, the data will still be uploaded, and will still not be anonymous. NHS number is a unique identifier, so it’s relatively trivial to connect it up.
I’ve been campaigning on this in my ward; if you want to opt out, lots of good resources including a downloadable letter at http://www.medconfidential.org. Having said that, my colleagues think I’m mad to run with it, but if we’re serious about liberty of information then we should encourage a full choice.
The letters that went out were useless; they were sent before the decision was made on who would be eligible to buy the data, and didn’t include any way of responding other than to see the same info online or to contact your GP.
Delighted it’s been pushed back 6 months but wish our party spoke with a stronger voice on this.
Leon Duveen, thank you for your comment and the Goldacre link (hadn’t had a chance to read his piece before today).
Hospital data already analysed centrally vs GP data (bits of which are analysed centrally now, but not as in-depth as proposed):
1. Some patients make a crucial distinction between how open you are with your family doctor who you see again and again for years vs what you tell a junior hospital doctor you never see again/specialist you see twice a year (I exaggerate). Emotionally the GP relationship tends to be closer and feels more private. Haven’t got any peer-reviewed evidence on this to hand just now but can find some if you wish.
2. More of us have more contact with our GP than we do with hospitals. Everyone has a GP. Not everyone sees a specialist and most don’t see them quite as much as their GP.
This means the database has so much MORE information for each citizen. Keeping that centrally with weak anonymisation (postcode, age range, gender, list of conditions? Link that up with the Electoral Roll and away you go!) is a much more attractive target for hackers etc than what we currently have.
Sure, if there’s a data breach there might be no actual harm done. But going forwards, I’d like a clear message to the public that if there are changes to how such data is kept and used (inevitably, over the next few decades there will be) the wishes of patients as individuals will not be treated as minor inconveniences or something that patients shouldn’t be bothered too much about. Patient consent should be key. It’s the paternalistic attitude – or the attitude that this data is the State’s and can be used by the NHS/State as it sees fit – that I wish to protect against.
There will always be some patients who have good reasons for being wary about how their personal medical information is kept and distributed – it’s maintaining their trust in the system that I’m concerned about. Remember the loss of Child Benefit information in 2007?
tpfkar – Yes, I’ve used that medconfidential letter myself. There could be an established principle that if you are going to have an opt-out change to information kept by your GP, NHS England should have to send an addressed envelope to all patients individually, with a response form enclosed. They did that with the Summary Care Record in the last administration.
I wonder if amending the NHS Constitution might be the way forward? I’d welcome thoughts – it says “You have the right to be informed about how your information is used.” and “You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis.” Have your objections considered – hmm?
Data Protection law in this country is amongst the strongest in the world. As long as they stay within the law then a project like this can only be a good thing in my view.
I wonder how John Snow would have got on in the current climate … he was a doctor working in Victorian London, when regular outbreaks of cholera killed thousands. By collecting data about the locations of cholera deaths, he was able to establish that cholera was carried in the local water supplies. His work contributed to the building of London’s sewers and improvements in water quality. Thousands more might have died if he had not been able to collect the relevant data.
You will notice that Snow did not need to know the victims’ names – he just needed their address and what they died of, and who supplied their water. The data the NHS is asking for will be anonymised, but some information (e.g. postcodes) will be passed on. (The data would, of course, be useless without geographical information.)
What would our Victorian forebears have said – “Leave them alone and let the poor buggers die in peace!”?
I’ve opted out, not because I don’t support the use of the data – the benefits are obvious – and not because I am particularly concerned about the possibility of my data being identifiable. I opted out because no one asked me for my permission, I didn’t get the leaflet and having now acquired a copy from my GP surgery, I can see that it is partial and mendacious.
There are massive potential gains to be made by insurers if they can hack or otherwise get hold of this information. Impaired life annuities, whereby those who aren’t expected to live long can be offered higher annual payments, are big business.
If you are an insurer, you are playing by the rules, and you think your competitor might be stealing a march on you by buying hacked data, what do you do? Try hacking yourself?
Or perhaps you start by appealing to the moral high ground. You have just sold impaired life annuities to a lot of cheats, who have lied to you about their medical records and exaggerated their illnesses. Please Mr Care Data, why shouldn’t I be allowed onto your system so I can catch the cheats out?
Dangerous business, databases. Yes, of course there is an upside. It shouldn’t be pursued without good precautions against the downside.
I find it rather amusing how people have got all uptight about this, but then quite happily use Facebook et al. where the contract is they (Facebook) own the data you load and have the right to do practically whatever they like with that data; but you get to use Facebook for free. I bet if we could come up with a Facebook style proposition: upload your data and get free medical care, people would be queuing up to upload their data!
@David Allen – I think you will find the raw data is of little real use to insurers in individual cases other than to possibly detect fraud. My medical records for example don’t contain any details of possibly inherited conditions that have not been investigated. However, for all recent insurance applications, I’ve had to undergo a medical examination and given my permission for the insurer’s medical expert to access my medical records.
However, in the longer-term and with linked multi-generational datasets it will become possible to identify those families with inherited conditions and hence offer poorer terms to those from families with an inherited condition, but the condition hasn’t become manifest in the individual and may never become manifest.
About the only people I can see who will have an active interest in ‘exposing’ medical records will be the press…
Tim P, the Health and Social Care Act 2012 exempts parts of the uploading process from Data Protection Act safeguards. It removes the legal right to opt-out for GPs or patients (which the Government has separately chosen to offer to patients – but this cannot be regulated by the Information Commissioner as the DPA right to opt-out has been removed by statute).
Roland, thank you for your comment. We’re not forced to use Facebook. We can choose whether to use Facebook or GMail or Twitter.
GPs are a different matter. Unless you’re very rich or very healthy, you can’t go private for every consultation and escape an NHS GP (as the private prescription cost would be huge if you had even just a few conditions needing treatment. Private GPs can’t give out NHS prescriptions.) Even private insurers like BUPA don’t offer insurance to cover regular private GP use.
So almost all of us are locked into using an NHS GP, even if we can use private hospital specialists for our hospital care. That’s even more reason why empowering GP patients is key, making sure their views always matter when we change how GP data is used. A “No decision about me without me being clearly and simply told about it” approach would be better.
It should be strictly illegal for insurance companies to use the information or other information to discriminate against people with pre-existing conditions. This should be enforced by undercover spies checking policies. Such a rule would allow people to share medical information for medical research purposes only without any fear that it may impact them in the pocket.
The Telegraph article linked by Ed Wilson (24th Feb at 11:03am) shows just how much this matters. Because, despite all the assurances, hospital data (as opposed to GP data) has ALREADY been sold to insurers. Some key quotes from the article.
“The medical records of every NHS hospital patient in the country have been sold for insurance purposes, The Telegraph can reveal.
…
Those in charge of the [GP data] programme have repeatedly insisted that it will be illegal for information extracted from GP files to be sold to insurers, who might seek to target customers or put up their prices.
…
[A report by a major insurance society] boasts that “uniquely” they were able to combine those details with information from credit ratings agencies, such as Experian, which record the lifestyle habits of millions of consumers. … resulting in increased premiums for most customers below the age of 50 …”
Clearly concerns are well founded and someone senior in the NHS has some serious explaining to do given that they must have known the risks involved and the sensitivity of the data. Of course bona fide research is something I welcome and have taken part in (once I was satisfied about data anonymity) but that could be done equally well by having specialist NHS interrogate the database at the request of pharmaceutical researchers – for a fee of course.
Some commentators here have not understood what will be going on with your medical records. Although names and house numbers will be deleted your unique NHS number, date of birth, gender and postcode will not be. When this information is eventually sold on to, say, insurance companies, your NHS number will be deleted but not the other information because the data will be useless if it cannot be profiled. Once that information is run through the company’s policy holder, past and present, database matches will be made. How many blokes with the same date of birth as me would be living in the same postcode area and been a policy holder of a particular company?
The NHS should make its case for the Care.data scheme and then invite enthusiastic patients to allow their medical records to be submitted. As with union members’ political contributions to Labour it should be opt in not opt out!
Goldacre’s excellent and informative article
http://www.theguardian.com/society/2014/feb/21/nhs-plan-share-medical-data-save-lives
certainly does not (as might have been inferred from the previous reference on this thread) dismiss the concerns. To quote Goldacre’s own summary:
“Care.data, the grand project to make the medical records of the UK population available for scientific and commercial use, is not inherently evil – far from it – but its execution has been badly bungled. Here’s how the government can regain our trust”
Goldacre then proceeds to describe numerous safeguards he thinks are needed, laments that they are not happening, laments that a brilliant idea is not being properly implemented, and concludes:
“It’s February. If you’re thinking of opting out, please don’t. But mark your diary for May.”
Dave Allen – Impaired life annuities are sold following the potential customer filling in a huge form and giving permission for a GP to release information if necessary. I’ve done it although I don’t actually know whether my life was accepted as ‘impaired’. On inherited conditions – my medical records would not show that I have many long-lived female relatives including a 93 year old mother.
Unfortunately, many people don’t know that impaired life policies exist and don’t explore the option. Lying about a medical condition would invalidate the policy in any case.