Can anyone patch up care.data, or is it too late?

Every government reassurance about care.data just brings more questions. The bottom line - in whose interests is the government acting when handling England's medical records - just won't go away.

Care.data has had a bad seven days. Last Tuesday it received a serious mauling by the Commons Health Committee. On Friday, Health Secretary Jeremy Hunt came sailing to the rescue with an announcement of new laws that will bar the NHS from selling personal medical records for insurance and commercial purposes - though care.data boss Tim Kelsey had told us it was already “a criminal offense”.  

Will this be enough to save the once proud flagship of this Government’s shiny new NHS? Or is it too late for patch and mend?

Today, another blow - Tory MP Sarah Wollaston questions how the entire hospital patients database had been uploaded to Google Servers, allowing PA Consulting to create “interactive maps” of the data. Phil Booth of medConfidential, which campaigns on medical privacy, said every day another instance of "whole population level data being sold emerges which had been previously denied".

Perhaps the real issue is that once the public woke up to what care.data was all about, it was always going to be a difficult sell. Care.data’s survival has not been helped by a perfect storm of political ineptitude and managerial arrogance.

Before 2013 an established framework existed for processing patient data. Section 251 of the NHS Act 2006 set out precisely what data might be processed, and carried significant sanctions and fines for breaching patient confidentiality. Data protection law imposed its own significant criminal sanctions where section 251 had been breached. And Human Rights legislation, imposing serious privacy obligations on public bodies, created a triple lock on patient confidentiality.

This basic structure was complicated by the Health and Social Care Act, which took full effect in April 2013. Whereas previous legislation enabled primary care trusts to use data for planning purposes, key data handling responsibilities were not passed on to the new commissioning groups. They still have planning to do, but - according to eHealth Insider - no legal cover for the data processing they need to carry out to achieve it.

Instead, Section 254 of the Act established that the NHS’s new data centre, the Health and Social Care Information Centre, may collect patient data and pass it on to others where the Secretary of State “otherwise considers it to be in the interests of the health service in England or of the recipients or providers of adult social care in England”.

So almost all data handling must now pass through HSCIC which, before the ink was dry on the new structure, was talking up care.data – a major new initiative that took data sharing to lengths unimagined in previous legislation.

On Tuesday in the House of Commons, Health Minister Dan Poulter assured us that the latest legislation put in place unprecedented safeguards around patient data.

This is true only in the sense that a law enabling a new 200mph car on UK roads and limiting it to 70mph provides unprecedented safeguards. There would be no need of such safeguards if government and NHS had stuck with the status quo.

The HSCA 2012 is one of those monstrous modern pieces of legislation that reads more like a computer spec than law. It sets out what various government bodies MAY do. It has clauses about quality indicators and information standards and registers and, bizarrely, issues such as who may be allowed to propose a quality indicator.

What it does not have is any re-statement of legal penalties for those who mis-use the data.

This might be less of an issue if there had not been a simultaneous loss of trust over both our privacy rights, and waves of NHS ‘reform’ and management double-speak.

Addressing the committee, Tim Kelsey, NHS England IT Director, blamed a “confused media environment”. He argued that all that was needed to put matters right was better, more intense communication. He had, he assured us, been a firm believer for years in the principle that “patients own their own data” – though that sits uneasily against his own assertion, four short years ago, that “no one who uses a public service should be allowed to opt out of sharing their records”.

Care.data boss Kelsey - who founded private health data company Dr Foster a few years back - has delivered a series of defences which haven’t quite convinced.

He claimed that the care.data information leaflet was delivered to every household when, demonstrably, it hadn’t. On Radio 4, on 19 February, Kelsey was emphatic in re-assuring listeners that data sharing with insurers was ‘criminal’ – even though a week previously the HSCIC team had quietly downgraded its website notice on the status of such activity from ‘illegal’ (which is not necessarily criminal) to merely ‘prohibited’.

All this became less than academic with the latest wave of revelations that earlier sets of patient records HAD been released to insurers, albeit under the auspices of the previous legal regime.

The inept communication makes it so much easier to dismiss as bluster the assertion, also by Kelsey, that if care.data suffers 90% opt out it would be “all over for the NHS”.

This tendency to play word games may win debating points, but it is losing the bigger game of public confidence. The trust gap matters.

For government has implemented a radical change in the laws governing patient data. It needs unprecedented safeguards, because it is taking an unprecedented step. Putting additional legal safeguards in place will help: but if the public – and patients – continue to distrust those administering the new system, it will make no difference. Is care.data doomed to sink ignominiously beneath the waves of public distrust?

It’s perhaps unfair to pick solely on Kelsey - the government also seems to suffer from an impulse towards word games.

Daniel Poulter MP claimed on Tuesday that data sharing would only be allowed where that is in the interests of both “recipients AND providers” - in other words, both patients and health organisations, public and private.

But Poulter was wrong. As he previously read correctly from the Act, the test is what benefits “recipients OR providers”.

It’s a small difference but one which, critics fear, could allow a world of data exploitation.

Besides, as the Department of Health team gloss over, “benefit”, in the current law, is whatever the Health Secretary defines it to be.

Safeguards? Or just more words that mean whatever NHS senior bosses want them to mean? We shall see.

About the author

Jane Fae is a journalist and campaigner on IT, the law and sexuality. She writes extensively on individual privacy in the face of creeping state intrusion, for the Register (the leading IT industry website), the Guardian and the Independent.