Another NHS IT project, another catastrophe – but for once, the project wasn’t riddled with supplier, technology or process issues. The problem, this time, was mainly a lack of focus on patient privacy.
Care.data has been shrouded in controversy since its inception several years ago, with concerns around sharing the sensitive medical data of citizens with commercial companies without gaining the explicit consent of patients.
The project aimed to extract data from GP surgeries to a central database, but after numerous delays, the departure of project leader Tim Kelsey, and continuous opposition from privacy campaigners and doctors, the programme was finally scrapped in July 2016 following recommendations by the national data guardian for health and care, Fiona Caldicott.
Sam Smith, coordinator at privacy campaigner MedConfidential, believes that the NHS thinks of Care.data as no more than a communications failure, and that by scrapping Care.data it is merely getting rid of a “toxic brand”.
He said: “One of the things they’d like to do is pretend that everything under Tim Kelsey’s reign didn’t happen, that the opt-out never existed. And what they want to do is continue to expand these programmes as they wanted to in 2012 without the public knowledge around opt-outs, branding and the politics around all of it.
“[The NHS is thinking] it didn’t work: people didn’t like it when we told them, so how about we don’t tell them?”
Neil Bhatia, a GP at NHS North East Hampshire and Farnham Clinical Commissioning Group (CCG), fears that even if the toxic Care.data brand is dead, sharing medical records on an industrial scale is still very much on the agenda.
Indeed, NHS England has suggested to Computer Weekly that the work carried out during the Care.data programme was invaluable, and will support new programmes that the National Information Board (NIB) will take forward.
But the organisation’s apparent acknowledgement that Care.data was a communications failure doesn’t necessarily mean that it is working on Care.data 2.0 behind closed doors. In fact, there is an open consultation after Caldicott’s recent review on what the NHS should do about data sharing.
No consent, no opt-out
However, MedConfidential’s Smith suggested that the questions being asked by the consultation aren’t focused on the right areas. “Two of the Caldicott review’s other findings are that existing GP opt-outs should go away, and that a new opt-out model should not cover already mandated data collections such as hospital episode statistics data, and both of those are controversial,” he said.
Indeed, Bhatia believes that if Caldicott’s proposals remain as they stand, it will instantly take the programme back to February 2013, when details of Care.data first leaked out and there was no opt-out.
“These proposals would take us back to mass extraction and uploading, without consent or a fair way of processing information, and without an opt-out,” he warned.
This, he believes, will mean the public will again lack trust in the NHS from a data governance perspective, and that will in turn be detrimental to those aspects of data sharing designed for genuine direct care such as medical research.
What about the opt-outs?
The main cause of concern for privacy campaigners over Care.data was the absence of any opt-out.
But the Caldicott report didn’t recommend a new opt-out or consent model; instead, it introduced several alternatives. The first of these is a full opt-out from the NHS Spine; the second has two sections – an ‘NHS data opt-out’ and a ‘non-NHS data opt-out’.
The first section – the NHS opt-out – covers data used by NHS bodies for running the health service, but also by companies that supply those NHS bodies. This, said Smith, raises concerns around commercial use of data. But there is also a second level, in which those companies that supply NHS suppliers also gain access to NHS data.
“This is where you get into the very dodgy commercial use, and you don’t get any transparency in what they’re doing because they’re not actually supplying the NHS, they’re supplying suppliers to the NHS and the only reason they’d [use data] is to maximise sales,” said Smith.
These suppliers of NHS suppliers may argue that patients would get the benefit of their products if they have access to certain data, but Smith isn’t convinced.
“While they may provide services to the NHS and have some NHS customers, most of the time they are supplying other people with custom data. For example, if a company is thinking of entering the health market, [these firms will tell them] where they should target their salesforce. That is not supplying the NHS, that is talking to people who will potentially be supplying the NHS and may [end up] never supplying the NHS,” Smith explained.
Most of the data uses in these instances aren’t public because the companies claim that their lists of customers are commercially sensitive, he added. “They want the data, but they want it to remain a secret.”
What makes this opt-out model even more complicated is that academic research – an area in which many patients are happy to consent to their data being used – is included in the ‘non-NHS’ opt-out.
While it is just one consent model put forward, the fact that it is an option at all should raise concerns.
What should happen next?
Despite Care.data’s pitfalls, data sharing within the NHS is incredibly important in improving the lives of patients, and it is universally accepted that a project needs to be in place to enable this.
Jessica Figueras, chief analyst at Kable, believes the fundamental idea behind Care.data doesn’t need rethinking, but that the package around consent does.
“NHS England will have to be more transparent when it comes to setting up acceptable uses of data. It wasn’t really spelled out with Care.data where such data should be shared with third parties, and this created suspicion,” she said.
Bhatia said that the type 1 opt-out (whereby the only information leaving the patients’ GP practice would be for direct care purposes) or the type 2 opt-out (where no identifiable information held by NHS Digital would be passed to a third party) could still work as long as they were implemented properly.
For that to happen, he thinks NHS England should respect all existing type 1 opt-outs, preventing all but aggregated data being uploaded to the Health and Social Care Information Centre (now NHS Digital) if that’s what a patient wants.
Any record-level data, whether anonymised, pseudonymised or identifiable, should not be extracted. Bhatia also emphasised that type 1 opt-outs should apply to all organisations requesting data extracted from GP records for secondary purposes, and that if an organisation wants to extract data for dual purposes, then a patient should be able to determine which, if any, apply to their personal information.
Meanwhile, he said that type 2 opt-outs should ensure that all but aggregated data is blocked from being released from NHS Digital.
“It is not good enough to say that pseudonymised or ‘effectively anonymised’ data can still be released in the presence of that objection,” he added.
He also believes that type 2 opt-outs should be made directly to NHS Digital electronically rather than through GP surgeries, particularly because GP surgeries are not data controllers for information held by NHS Digital.
Finally, he believes that NHS Digital must develop a granular consent system to allow people to decide whether their data may be used by different types of organisations and for varying purposes. If the second consent model suggested by Caldicott’s report is implemented, then this is unlikely to be the case.
Digital Economy Bill
One factor that may change how Care.data’s successor programme or projects will use data is the Digital Economy Bill.
“For the first time now we’re starting to see a legislative framework for public sector data sharing which never existed before. Until now, public sector data sharing has been tacked onto the end of particular bills for particular purposes,” said Figueras.
She said that the bill will give public sector bodies more legislative backing to share data, and that this could create some uncertainty.
She also believes that NHS Digital could get privacy campaigners involved from the start of a new project.
“What they want from [a Care.data successor] is a project which patient associations can come out and be advocates of, so they should be involving these groups right from the start,” she said.
This would be a canny move, and would lead to clarification of the consent model and perhaps provide a clear strategy for raising patients’ awareness of what data sharing within and outside of the NHS means.
Meanwhile, parliament has said that the 1.5 million people who had already expressed a type 1 objection would have that objection respected.
But Bhatia believes that this will be a “time-limited offer”, and that after a certain date, citizens will no longer be able to opt out.
Either way, he believes that the technological solution “will not happen” to ensure that all opt-outs, whatever they may be, could be applied across the NHS.
“It’s another IT disaster waiting to happen,” he said. “Hospital trusts can’t even get their records migrated to electronic versions, so what hope is there for this?”
A Care.data timeline
- January 2014: NHS England expands patient data collection from hospitals to include general practice, raising data protection questions.
- February 2014: NHS England comes under increasing pressure from medical groups to reconsider roll-out of Care.data scheme.
- February 2014: NHS England admits to MPs that it has failed to explain the benefits of Care.data to patients.
- March 2014: Without Care.data, the health service will not have a future, says Tim Kelsey of NHS England.
- April 2014: Up to 500 general practices expected to trial the collection of patient data as part of the delayed Care.data project.
- May 2014: NHS England abandons plan to roll out controversial Care.data patient record sharing scheme by autumn 2014.
- June 2014: The British Medical Association voices concerns that the Care.data programme should be explicitly opt-in.
- December 2014: An independent NHS watchdog raises 27 questions about the Care.data project, saying they must be answered for it to proceed.
- December 2014: NHS Care.data scheme faces more delays due to concerns over lack of publicity and clarity of the proposed programme.
- June 2015: NHS England Care.data project set to restart, with trials to upload patient records to a central database ready to proceed.
- September 2015: Trials to upload patient data from GPs to central Care.data database put on hold for the fourth time as the government works on opt-out model.
- December 2015: Care.data chief Tim Kelsey leaves NHS England to take up a role with Telstra Health in Australia.
- July 2016: The government decides to shut down its troubled Care.data programme as Fiona Caldicott launches new opt-out model for the sharing of patient data.