On 22 November I asked a straightforward question of NHS Connecting for Health which runs part of the NHS’s £12.4bn National Programme for IT [NPfIT].
The question: Could you let me know, by end of today please, if the possibility is being considered of having patient data processed abroad? If so could I have a statement please?
NHS CfH’s answer was straightforward: “No,” said its spokesman.
He passed my question to the Department of Health because it involved policy. The Department’s spokeswoman was unable to reply promptly because she said the answer to my question needed to be cleared by the minister.
Eventually, after phone calls and emails, I received the Department’s “cleared” reply. It said: “NHS organisations are legally responsible for complying with data protection laws”.
That was it: 11 words signed off by a health minister that didn’t answer my question.
The Department of Health has more than 30 press officers. It takes 1,000 calls a week from journalists. If most of the Department’s answers bear little relation to the questions, or are incorrect, or are misleading because they omit relevant facts, one has to ask whether the cost of the press office is worthwhile.
When my article was followed up by national newspapers and other media, including BBC Radio 4’s Today programme [broadcast at approx. 6.55am on 27 November 2007], the Department of Health issued a slightly longer statement – one it hadn’t given to me.
Its statement to the national news media suggested my article had been fabricated.
This is the department’s statement:
“Patient data is not currently sent abroad. There is no review, and there are no considerations relating to the National Programme for IT for patient data to be processed abroad in future. NHS organisations are legally responsible for complying with data protection laws and patient records can never be put at risk in compliance with these laws.”
[It’s usual for government press offices to respond to articles in the media by saying what is not happening, not what is].
But the department’s statement appeared to contradict a document issued by NHS Connecting for Health which said a review was underway into the possibility of patient data being processed overseas.
The document gave advice to NHS organisations on the issuing of smartcards for access to systems that are due to be rolled out under the NPfIT. Smartcards are being issued to hundreds of thousands of NHS employees. Inserted into a reader, and used with a passcode, the smartcards will give the user access to such systems as Choose and Book and, perhaps in future, the Summary Care Record – a summary electronic medical record on potentially every patient in England.
The Connecting for Health document said:
“Organisations should be aware of a current review into the possibility of NHS patient data being processed overseas by approved organisations. While the review is considering the requirements for, and implications of, such possible arrangements, NHS organisations should not register any personnel of a non-NHS organisation (e.g. Independent Sector Healthcare Providers) that transfers patient data overseas.
“Further guidance on the processing/transfer of data overseas will be provided in due course.”
The document was dated August 2007 and has not been updated.
So is there a review or not? Or was there a review that the Department of Health seems to deny any knowledge of?
I emailed a copy of the Department of Health’s denial, and its context, to GP Mary Hawking who regularly asks good questions on the NPfIT and comments knowledgeably on it.
“It sounds as though the DH [Department of Health] has no idea as to what is going on – and, faced with a reasonable enquiry based on a published [within the NHS] unrestricted document, went straight into denial mode rather than looking at whatever was going on.”
She added that officials who had briefed the minister should have been aware of the facts and if the review had never existed they should have explained why the information was in the NHS CfH document in the first place.
If the review had existed, the minister should have been briefed on the reasons for it and the results, said Hawking.
In January the Chief Executive of the NHS, David Nicholson, said that NHS Connecting for Health was too defensive. He referred to its “bunker mentality”. So when it comes to the National Programme for IT, Nicholson, as the leading senior responsible owner of the programme, has the chance to make the Department of Health an exemplar of openness. He has instead joined NHS Connecting for Health in the bunker.
Why do his officials say there “is” no review if they know that one has already taken place? They want to be perceived as candid – but when they say there “is” no review after one has taken place they are making a political game of answering questions from journalists, a game of disparaging articles they don’t welcome without saying anything semantically untruthful.
Our readers in the NHS and beyond are entitled to know why their money has been used to pay for a review of processing patient data abroad. They are entitled to know:
– the outcome or whether the review is continuing
– what is meant by “processing” data overseas? What processing is envisaged?
– what are the benefits and disadvantages of medical records being sent overseas?
– what patient data would be sent overseas?
Too much happens in secret in government. Which is one reason that the CDs at HM Revenue and Customs went missing. There is so little external scrutiny of departments that some officials have adopted a relaxed attitude towards the confidentiality of personal information on citizens. It should not have been possible for one official to download onto CDs copies of the child benefit database.
It’s this lack of external scrutiny that has also enabled the Department to launch unseen, without the knowledge of Parliament or anyone else outside NHS Connecting for Health, a review into the possibility of processing patient data overseas. We just happened to find out about it.
The department’s denial shows that it regards being held accountable for what it does as an object so far in the distance that it cannot be seen with the naked eye.
The denial didn’t stop the national media from following up an important article – this time.