On 21 July, the Department of Health took the extraordinary step of posting on its website three letters that were addressed to Computer Weekly and were critical of our coverage of a health IT conference at the NEC in Birmingham.
The department published the letters twice: on the websites of its Information Policy Unit and its Information Authority.
Such a decision by a government department, to publish a series of independent letters to a magazine, before that magazine has had an opportunity publish them, is unprecedented.
The conference in Birmingham had been organised by the British Computer Society’s Health Informatics Committee and Assist, the Association for ICT Professionals in health and social care. Its main purpose was to gather the opinions of delegates on a £2.3bn national programme for IT in the health service, particularly on the issue of electronic medical records, the official term for which is Integrated Care Records Service (ICRS).
Richard Granger, director-general of NHS IT, had asked the BCS and Assist for their views on aspects of an all-important sequence of documents called the Output Based Specification [OBS]. Comprising about 600 pages, the OBS provided a specification for companies that were bidding for contracts under the NHS’ national programme for IT.
The three leading specialists in their field who have sent strongly-worded letters by e-mail to complain about Computer Weekly’s coverage of the conference were David Young, clinical adviser to the Information Policy Unit at the Department of Health, Glyn Hayes, a family GP and chairman, Health Informatics Committee of the British Computer Society, and Marlene Winfield, head of patient and citizen relations at the NHS Information Authority, part of the Department of Health.
Before publishing the letters, which attack Computer Weekly’s ethics and professionalism and one of which says we committed a breach of trust, the department gave us no opportunity to respond. We have published this week a detailed explanation for our coverage of the conference in which we set out the rationale behind Computer Weekly’s NHS campaign. We also publish the three critical letters from Young, Hayes and Winfield, together with other letters from delegates at the conference who support our coverage.
In addition, we give a point by point response to the critical letter from Marlene Winfield.
“As one of the people responsible for patient confidentiality policy in the NHS, I want to correct errors and misunderstandings in Tony Collins’ article (Doctors express alarm at plans to store patient data without consent, Computer Weekly 15 July).”
There is not a single error or misunderstanding in the article mentioned.
“He spoke of ‘secret plans’ to put health data into a ‘data spine’ system. They are only secret insofar as they have been discussed at major conferences (NHS Confederation, Carers UK annual general meeting).”
It is agreed that plans to put health data into a data spine system is not secret. However the letter takes only part of a sentence and criticises it out of context. The story actually said that there were “secret plans to put sensitive health data about up to 50 million people into a national ‘data spine’ system, whether or not patients give their consent.” In support of this sentence the Department of Health’s Output Based Specification, which was secret at the time of the BCS/Assist conference (1 July 2003), discloses that:
- The plan is for the data spine to hold summary records on about 50 million people by 2010 and that
- Patient data will be held on the spine whether or not patients give their consent. “A patient will not be entitled to refuse that their personal data is made available to the spine,” says the OBS.
That the OBS was a secret series of documents until the department decided to publish them on its website on 17 July 2003 was evident from:
- The Department’s refusal to let us see or have a copy of the OBS, at the same time insisting that its contents were not secret.
- The markings on every page of the various documents that form the OBS, which are “Restricted - Commercial” or “Commercial in Confidence”.
- The password-protected access to the OBS.
- The covering letter sent by the department to its selected recipients of the OBS which made threats about the consequences should they not maintain the document’s confidentiality.
- Criticisms of the Department of Health at the BCS/Assist conference for marking the OBS confidential and limiting its circulation. At the conference several delegates said during a debate on the national programme for IT that the department’s restrictions on the circulation of the OBS were impeding public debate of the programme. For example the following comments were made at the conference:
- “The restrictions (on the circulation of the OBS) are making it difficult to get constructive debate and conversations going.”
- “Our CIO [chief information officer] has been told not to share the OBS. I explained that I had already shared it within my trust to various people on a confidential basis. I was told: ‘Do not share it’. I have sat on it for nearly two months because I was told to, and then I have come to this conference and everybody has been allowed to have a copy.”
- “It has been made clear at the top that the OBS should not be shared. I sent an e-mail around to people saying, ‘Has anyone got a copy?’ and one fell onto my computer.”
In quoting selectively from a sentence to criticise a point we did not make, the department may make itself open to the charge that it has committed the errors of judgment and presentation of which it accuses Computer Weekly.
“Moreover, the ‘data spine’ contents were decided in a series of discussions with clinicians and representatives of patient and citizen groups. They have also just been the subject of research with patients and the public conducted for us by the Consumers’ Association. Not a definition of secrecy I would recognise!”
Our article did not discuss the circumstances under which the department determined the contents of the “data spine”. The issues raised in the story concerned the secret plans in the OBS to put sensitive data on about 50 million people into a national "data spine" system, whether or not patients gave their consent.
The story focused on the lack of public debate and did not question whom the department consulted, or whom it decided not to consult, in determining the contents of the data spine. The article’s purpose was to facilitate debate and inform our readers.
The department’s inference that it has consulted widely over the contents of the data spine has no relevance to the confidentiality of the OBS. A government department can consult widely on a particular topic and still classify its findings as confidential. We note that the department did not inform our readers, and doctors generally, of the contents of the OBS until 17 July 2003, the OBS having been made available, under password protection, to a selected audience since early June.
We also note that the BCS and Assist were given copies of the OBS only so that they could provide feedback to Richard Granger. Copies of the OBS were not distributed generally or even to all of those at the BCS/Assist conference.
“Your author neglected to mention that at the British Computer Society meeting that prompted the article, it was announced that the supposedly secret Output Based Specification, which ran to many hundreds of pages, would soon be made public in a summary version. Many who attended the meeting were given access to the complete version beforehand and parts of it appeared in a PowerPoint presentation at the meeting.”
A response to this is covered in full above. Every page of the OBS is marked Restricted – Commercial or Commercial in Confidence. Until 17 July 2003 when the documents were published on the Department of Health’s website, the OBS comprised a series of documents that could not be opened without a password supplied by the department.
That it was made available to some people for the department’s purposes does not make the OBS an open document. Indeed the department had refused to supply a copy to us, and had not, until 17 July 2003, made it available generally to the 20,000 or so IT specialists whose work could be affected by its contents.
Winfield writes, “Many who attended the meeting were given access”, which suggests that some were not.
Any announcement that the department intended to make public a summary of the OBS would have rendered the original series of documents less of a secret, but a secret nonetheless. A summary could have comprised as little or as much as the department had wished, and possibly in its own words. This would not have made the OBS an open document. Indeed, although published on the department’s website, the OBS is described on the website as a “closed” document.
If the department has nothing to hide, and clearly this is implied in Winfield’s letter, one wonders why it took the department several weeks to decide to publish the OBS.
The Department of Health has told us in the past that it did not wish to make the OBS public because of its length. As it was in the form of Word documents, we did not see that the size of the Word files could be a consideration in whether they were made public or not. Indeed size has not now proved an obstacle.
“The impression is given that a national database of patient identifiable information will be available without patients’ consent. That is not the case.”
It is regrettable that Winfield makes an incorrect assertion about the impression given in the story and then seeks to refute that impression by summarising the facts as we put them in the story. At no point did we say that identifiable patient data would be available without the consent of patients. The OBS said, “A patient will not be entitled to refuse that their personal data is made available to the spine.”
On the basis on this sentence in the OBS, we published in our article the fact that patient data would be put onto a national data spine whether or not patients consented. This is a correct assertion. Indeed we also made it clear in the story that the data would be in “pseudonymised” form if patients refused their consent. Again, this was based on a statement from the OBS. The OBS also said that the process of pseudonymisation could be reversed, which we also made clear in the story.
On these points the OBS was specific: “It must be possible to reverse the pseudonymisation process under strict access and privilege control arrangements, eg in circumstances where patient identification may be necessary to support their care... Data about all patient events may be routinely communicated to the spine without the consent of the patient. It is only the release of the personal data held within the spine for the purpose of clinical care that requires the patient's one-off agreement…
The OBS went on to say, “If a patient has refused or not given consent, then their records will not be made available through the spine in an identifiable form for individual clinical care, other than in exceptional circumstances (to be defined by NHS policy)… In exceptional circumstances, a clinician can decide to access the patient's personal data that are available through the spine without the patient's consent.”
“Identifiable ‘spine’ records will not ‘go live’ until each patient consents individually.”
We feel this assertion in her letter is misleading because it does not explain the various caveats in the OBS, for example the fact that the pseudonymisation process may be reversible in special circumstances, and that “in exceptional circumstances, a clinician can decide to access the patient's personal data that are available through the spine without the patient's consent.”
Nor does the assertion respond to the many concerns of delegates at the BCS/Assist conference that encrypted but potentially identifiable data from a patient’s data will be uploaded to the spine, whether or not the patient consents, although decryption will take place only if the patient consents, except in special cases when the pseudonymisation process can be reversed without the consent of patients.
“We do, however, admit to ensuring that clinicians explain to patients the consequences of having and not having an identifiable ‘spine’ record. We are guilty as charged of wanting patients to have informed consent.”
The statement above is disingenuous in view of the various special circumstances, as referred to in the OBS (not all of which have been explained) which allow identifiable record to be made available without the consent of patients.
“A patient will not be entitled to refuse that their personal data is made available to the spine” was considered at the BCS/Assist conference to be one of the most controversial messages of the OBS - a message that, it was felt, has not been the subject of any general public debate.
Computer Weekly does not necessarily oppose any of the principles behind the provenance issues in the OBS. We felt the need to air the issues in public because the OBS had not at the time been released publicly.
We note that the complainant admits to “ensuring that clinicians explain to patients the consequences of having and not having an identifiable ‘spine’ record” but we note that Winfield does not respond to the concerns of clinicians about their needing extra time to explain to patients the consequences of having and not having an identifiable spine record. This time penalty for clinicians and whether it will be sufficently offset by savings in other areas is a controversial issue, and is one reason we raised such concerns in our front page coverage of the BCS/Assist conference.
“The records of patients who do not consent to their ‘spine’ record going live will be used for authorised planning and management of health services and for research that has ethical approval.”
This statement was not disputed by us, nor was it disputed directly by anything said in our coverage of the BCS/Assist conference. However Winfield’s letter does not take into account the concerns expressed at the conference including the following comments of delegates:
- “What sort of access controls will there be on the police and security services? So much legislation has gone through in recent years which gives massive access with relatively little control – I think that is an objection to having data on a national database.
- “Government feels that we need to make it easier for agencies to access information. That is one of the really worrying things. There are perhaps not large numbers of people who come here with multiple problems from other jurisdictions who could easily be identified from a national database. That information given for your health care could be accessed by the security services for very different purposes means tightening up privacy legislation not loosening it.
- “They [patients] trust us now because we cannot share information very easily. We are talking about a where at the press of a button you’ll be able to share vast amounts of info with vast numbers of people. The risks are magnified.”
- “Let's not underestimate the problem. ID theft could be possible. We all have a major concern about pulling records together.”
- “Authorised access to personal data [that has been accessed with the consent of patients] does not necessarily leave a footprint.”
A letter to Computer Weekly this week from Dr Paul Steventon, one of the delegates at the conference, also referred to this topic.
Steventon says in his letter, "The complete records and encrypted identities of all NHS patients will be uploaded into the ICRS [Integrated Care Records Service, the official term for electronic medical records] spine without consent. The private keys meant to secure the encrypted patient identities are also held by government. These keys will be used to reverse the de-identification of patients without their knowledge or consent in ‘special circumstances’. The definition of these special circumstances remains unclear.
He continues, "The location and tracking of individuals of interest to police and security services, such as asylum seekers, illegal immigrants, terrorists, drug smugglers, and paedophiles will certainly be possible using the ICRS. The list of ‘interesting people’ in Britain is arbitrary, set by government, and liable to change without either notice or parliamentary debate."
The opinion as stated by Winfield lends no support to her contention, as set out at the beginning of her letter, that she wished to correct errors and misunderstandings in Collins’ article. Our articles made it clear that patient data would be held in a pseudonymised version unless consent was given.
“No one will be able to see the full record except in rare circumstances such as a medical emergency, and even then under extremely strict conditions which would generate live alerts.”
This is not disputed, nor was the point misstated or misunderstood in our articles. The “rare circumstances”, one example of which was given by the complainant, caused some concern at the BCS/Assist conference because it was felt that not all of the rare circumstances had been spelt out in the OBS.
“This kind of access is fully in accord with the Data Protection Act and is provided in the interest of patient care. The data will be held under very strong security appropriate to the risks involved, as it always the case in a good security design. We must also admit to being honest with patients and the public about hackers. If the Pentagon is not safe from hackers, then we cannot give absolute guarantees either. We can, though, use state of the art protection and explain what measures we are taking to protect people’s information.”
The comments are noted. However more than one delegate expressed concerns at the BCS and Assist conference that the security services would have access to the records. There were no denials on this point from the representatives of the Department of Health present at the conference. Indeed we put this to the Department of Health and received no denial.
In addition, there were concerns expressed at the conference about hacking. We reflected those concerns in our article. Indeed as the complainant explains in her letter, no networked systems are absolutely safe from hackers.
“Our research with the public consistently suggests that while they have some concerns about security, their highest priority is good health information being available to them and those treating them.”
This is not disputed. Indeed we strongly support the statement. However it lends no support to the claim at the beginning of Winfield’s letter, that she wished to correct errors and misunderstandings in Collins’ article.
Contrary to the impression given, the police will have no more access to patient records than now and probably less.
It is regrettable that Winfield makes a subjective assertion on the impression given in the story and then seeks to refute that impression by speculation: “The police will have no more access to patient records than now and probably less.”
At the conference, concerns were expressed about the birth of a national database of medical records, as opposed to the information being held locally at present. GPs at the meeting did not raise the issue of the police obtaining medical records at present from individual GPs or practices. The issue they raised was that of a national database which, some felt, was far more vulnerable to the abuse of governmental power.
The point was made that an authorised agent of government could, sitting at a secure, networked computer in their office, access a national database of medical records. This cannot happen at present.
One delegate at the conference, from the Department of Health, told a workshop: “In the future there is going to be more and more potentially damaging statements in their records such as a prediction of what their whole health is going to be life in future based on their genetic fingerprints. Whereas care used to be simple and ineffective, and now it is complex and highly dangerous. It is the same with the information so we have to take the necessary safeguards.”
Another delegate said: “What sort of access controls will there be on the police and security services? So much legislation has gone through in recent years which gives massive access with relatively little control – I think that is an objection to having data on a national database.”
Winfield’s comment that the “police will have no more access to patient records than now and probably less” could, in the light of concerns expressed at the meeting and the existence of a national database which has hitherto not existed, be regarded as lacking context.
“A Confidentiality Code of Practice will be published in the autumn giving NHS staff clear instructions about when they must and must not give information to the police. And as was made very clear at the meeting, clerical staff will find it much more difficult to sell information to private detectives when electronic records greatly restrict their access to clinical details in patient records. Another thing the author neglected to include.
The point made by the complainant, that health records on new national systems will be more secure than present files, provides a basis for future debate.
“You also report elsewhere that some clinicians are concerned that the measures to protect patient confidentiality might be too rigorous. It seems we cannot win!”
As explained in response to the letter from Glyn Hayes, of the British Computer Society, who made a similar point in criticising Computer Weekly’s coverage, we agreed that we reported, in separate articles, concerns among clinicians that a national database would be too secure, or not secure enough.
The two concerns are not mutually exclusive. The perennial security problem with all computer systems is that there is a trade-off between security and flexibility. You cannot have the highest levels of security and at the same time the highest levels of flexibility. A system with no security may be easy to use because it has no access controls. Conversely a system with too much security may not be easy to use – and may not be used at all – because there are too many access controls.
That there needs to be an informed debate in order to strike the balance between encouraging the use of the systems and the need for security is one reason for our coverage. A national database may require more security than a local system because the risks of a breach are greater. A local system will hold a much smaller number of records and there will be considerably restricted access. A national database will hold millions of records and must necessarily be available to a wide number of clinicians. If it proves impossible to balance security and flexibility there should be open debate on whether a national database is too ambitious a project to undertake.
“The confidentiality policy that underpins the technical specification for the integrated care record was largely devised by patients (including those with particularly sensitive health problems) and then widely and publicly consulted on with all interested parties, who gave the proposals an 86% approval rating.”
These figures seem somewhat selective. A survey by Medix of 1,000 GPs and other clinicians, as reported recently in Computer Weekly, indicated that a third of doctors were unaware of the national programme for IT. If so many doctors were unaware of even the generality of the programme, how could it be that the general public in England have been widely consulted on the minutiae of issues surrounding patient consent?
At the conference it was said almost universally that there had been too little consultation with IT specialists, clinicians and indeed those who were directly affected by the OBS.
“A press release issued after the meeting by the British Computer Society said: ‘The mood of the meeting was one of considerable enthusiasm for the overall plan and optimism that the vision it describes could, if appropriately developed, fundamentally improve patient care in the NHS.’ Somehow, that was left out of the article reporting on the meeting.
This is incorrect. The allegation ignores the fact that Computer Weekly published a summary of the British Computer Society’s press release in which we quoted a spokesman for the BCS as saying that the national programme for IT would “if appropriately developed, fundamentally improve patient care in the NHS". Indeed, under the headline “Ground rules for NHS IT success” we cited the details in the press release.
“I for one am at a loss to understand why Computer Weekly allows itself to print scare stories which may sell a few more copies but at the cost of frightening patients needlessly and some might say cruelly.”
This statement is incorrect. Computer Weekly sought to bring into the public forum information that IT professionals in general had been denied because the OBS comprised a series of secret documents.
It is denied that anything we have said has frightened patients and indeed this allegation is not supported in the e-mail. If the proposals as they exist would not frighten patients if they knew the full facts, we believe that the Department of Health should be more open in the publication of all the documents that have been given to suppliers, and all the relevant internal research material. Were all this information put into the public domain, we assume it would show that the public has everything to gain and nothing to lose by the implementation of the national programme for IT.
In summary, there is not a single error or misunderstanding in the articles mentioned.