One of the most ambitious privacy-busting information grabs of the new century looks set to resume shortly. Following a minor reverse last year, the way is once more being prepared for “care.data” - a huge upload of GP/patient data to a central database, open in time to the private sector, planned to commence this summer.
Has NHS England now done enough to make patients sufficiently aware of the implications of this system?
Former shadow home secretary, David Davies, MP is not convinced.
Asked whether he thought enough was being done to make patients aware, his answer was direct and to the point: “No”.
Davies remains concerned about subsequent control of the data collected, and is looking for greater clarity in respect of access and the protection of privacy. The reality, though, is that the public may be unable to do anything about this until after the event – by which time it will be too late.
Meanwhile, the evidence suggests that the Health and Social Care Information Centre (HSCIC), the part of NHS England responsible for progressing the care.data project is merely paying lip service to demands for greater patient inclusion.
They got off on the wrong foot with the British Medical Association in January 2013, landing the project from on high. Nor did they help their case in the summer when they told GPs that they had just 8 weeks to make patients aware of the scheme. The proposed plan consisted mostly of putting up posters in GP surgeries and communicating through “routine communications” like newsletters (which not all GPs have).
As ‘data controllers’ legally liable for what happens to their patient data, doctors found themselves caught between a rock and a hard place: forced to choose which law they would prefer to break: the Health & Social Care Act, or the Data Protection Act.
In desperation, one
Oxford GP has opted all of his patients out of care.data, despite being
told it is against the law to do so.
GP’s were relieved, initially, when the Information Commissioner - responsible for overseeing the Data Protection Act - voiced concerns that efforts to inform patients had so far been wholly inadequate. The Commissioner made clear that as far as practically possible, all patients should be aware of the care.data upload, commenting:
“The Data Protection Act requires organisations to process people's information fairly. For the purposes of care.data this means making sure patients are informed about the new changes, how their information will be used and how they can object if they so wish.
“This will involve undertaking activities at a national, regional and local level to ensure that, as far as practicable, all patients are informed about these changes and how they can object.”
The Health & Social Care Information Centre responded with an announcement, in November, that NHS England would now be distributing leaflets, by doordrop, to all 22 million households likely to be affected: that exercise began in early January, apparently with distribution commencing in the south of the country and gradually wending its way north.
Door drops are blunt tools for increasing awareness. As a response to such a major potential intrusion into patient confidentiality, it was described by civil rights organisation, Big Brother Watch as “lacklustre”. They added: “this scheme to inform the public was arguably illegal under data protection law and goes against the Government’s commitment to give patients control over their medical records”.
They may be on to something. “Awareness” is, as far as marketing professionals are concerned, a measurable quantity. In market research, a commonly used measure of awareness is “prompted recall”, which is broadly defined in the textbooks as “a subject's ability to recall information about a given topic, when prompted to do so”.
So do NHS England have a target in mind? No. A spokesperson for NHS England explained: “We have worked closely with the Information Commissioner’s Office and they are content with our awareness raising plans. NHS England is surveying a sample of households to evaluate the effectiveness of the leaflet, which includes asking whether they recall receiving the leaflet and how much of it they read.
“This will ensure that lessons are learnt to incorporate in future national mailings. The household leaflet, however, is only part of a comprehensive range of awareness raising activities, which also includes: leaflets and posters in every GP practice in England; articles in newspapers; information on the NHS Choices website; and via social media; as well as information cascaded via 350,000 patient groups and charities.”
In other words, awareness is being defined by NHS England in terms of process, rather than result: so long as they go through the correct motions, they have done their job. Whether patient awareness is much increased as a result of all that activity is neither here nor there.
Former home secretary Davies doesn’t agree, and supported setting a quantitative target for measuring awareness. He told us, “Yes, but I would put it at higher than 50% - say 75%”.
Where does the Information Commissioner stand? It’s hard to know. Apart from knowing who to blame in the eventuality that patients should complain, the ICO role in this has been mostly hands off.
They will not commit to any quantitative awareness level. The law, as far as they are concerned, does not work that way. After the event – after data has been uploaded – if an individual feels they were not made sufficiently aware of the use to which their data might be put, it is open to them to complain or to take legal action against the data controller.
Does this matter? For some patients, perhaps not: but for many it most certainly will. Early implementations of care.data are fairly conservative in terms of what data can be shared with whom. However, change is already planned: requests to access the database will in time not distinguish between "a government department, university researcher, pharmaceutical company or insurance company". That is even without any widening of the project scope that the Secretary of State may impose without further parliamentary scrutiny.
Then there is the risk that certain patients could be identified. Even the scheme's advocates admit there is a "small risk" patients could be "re-identified" by commercial operators like insurers or private health companies, who could match their own medical or lifestyle data against the "pseudonymised" records.
Or patients could be identified by accident. The history of government and data protection over the last couple of decades has been an unhappy one.
GP’s, too, must now evaluate the risks. One GP who appears to be unimpressed by the arguments for care.data – and the information campaign now under way – is Dr Neil Bhatia, of the Oaklands Practice in Yateley. As his increasingly influential website points out, the campaign under way right now is not about “sharing your medical information with doctors, nurses and other health professionals outside of your GP surgery”. It is about care.data, even though, according to Dr Bhatia, this is never mentioned in the leaflet.
Bhatia is unhappy, not just with the project, but also at statements by the Information Commissioner that should patients complain in future they weren't made sufficiently aware of the care.data project and their rights to opt-out, the person legally responsible for that failure is their GP. It's as well, perhaps, that Dr Bhatia’s site is now providing simple information to patients and GPs on how to opt-out.
Like this piece? Please donate to OurNHS here to help keep us producing the NHS stories that matter. Thank you.