INVESTIGATION: Are we prepared for a release of information we’ve shared with GPs?

In December 2011, David Cameron announced at the London FT Global Pharma Conference, they were ‘going to change the NHS Constitution, so that the default setting is that a patient’s data is used for research, unless they want to opt out’.

We are already set as default to be willing participants for our hospital records. What’s new is the compulsory upcoming care.data extraction of our health records from GP practices, which was planned to begin shortly, and is now pushed back six months for a second time.

This gives us time to understand what that means for patients. care.data is assuming we have said yes if we do nothing at all, so it is important we know what we are signed up to.

Care.data (said ‘care dot data’) is the umbrella name of an initiative under which a number of activities will operate in different rollouts, planned over several years.

These activities involve our medical records currently held only by our GP, as well as hospital and other healthcare settings with the aim of having a complete picture of the whole care ‘pathway’.

In time, it is planned to include social care settings as well. You may not be aware of this, because the patient flyer ‘Better Information means better care’ appears not to have been delivered to every household in England. Even if you did get one, it may have been in your junk mail and did not mention the ‘care.data’ name. This alone makes it hard to discuss with friends and family when you have to call it, ‘the new GP patient records’ sharing programme’.

The patient leaflet says ‘You have a choice’. Unless we actively inform our GP practice of our choice to withhold the four personal identifiable (red) parts of our record from researchers (NHS number, DOB, ethnicity and gender) then this will be extracted in clear form, alongside diagnoses, prescribing, and lifestyle information, such as smoking and drinking habits. Free text notes are excluded as are some sensitive conditions or events.

This is different from the Summary Care Record which is for clinical care only. There are no approved plans for this care.data collection to be viewed by medics in your hospital care, for example.

Health and social care

The Health and Social Care Information centre, is the central non-governmental body responsible for health care information across the wide range of health providers, public and private, which give care to NHS paid-for patients.

The different sets of data are stored separately, as if in ‘silos’ from the set which contains personal and identifying information, the Personal Demographic Service. The Data Linkage Service at HSCIC enables the data from these different silos to be picked out, linked, and integrated on demand. “In return for a modest fee, organisations will be able to hire processing capacity in a secure environment, to use our data, often alongside data from other sources.”

‘England is rich in health and care data, but has not yet fully exploited these assets to the benefit of both the health and care system and the wider economy.’ HSCIC Roadmap 2013-15

These care.data non-clinical uses are called secondary uses, known as SUS. Their major purpose is to manage the commissioning - simplistically the planning, buying and payment for - medical care. Commissioning groups, known as CCGs, were established through the Health and Social Care Act 2012.

According to Senior Communications Manager, NHS Coastal West Sussex Clinical Commissioning Group, there is a risk in care.data if patients cannot see the benefits.

“If many patients opt out of care.data then it would mean the reports we get back from the national process would only reflect those patients who are included and therefore may not be representative of how our whole population is using health services - which in turn could affect our planning and how we ensure there are the right services in place for our whole population,” a spokesman said.

Payment by Results data comes from sets of data by provider and/or care type e.g. The Diabetes data set, which is an over-arching reference set, the Diabetes Continuing Care Reference data set (DCCR), brings together the combined monitoring data requirements of four national diabetes work streams.

The Secondary Uses Service (SUS) data warehouse is the same source as used for HES data. National data sets define a standard set of information that is generated from care records, from any organisation or system that captures the base data.

This Big Data as it is commonly known, is health intelligence and may be used in Public Health by Local Authorities to identify patterns of disease, in health population planning and for prevention and management schemes. Why does the State not yet have all the data needed already after over ten years of the NPfIT? Despite these big data collection advantages, there are also some important limitations, one of which care.data from GPs hopes to overcome. Hospital (HES) maternity data for example, does not capture risk factors such as body mass index, smoking and alcohol consumption so these factors cannot be taken into account in risk adjustment models. With the addition of GP data, that gap will be filled.

Has it been Communicated?

Phil Booth of MedConfidential campaigning for better data privacy and patient awareness of patient records’ sharing, argues that this rollout now would be ‘deeply irresponsible because it risks seriously undermining trust in what the NHS does with people’s data’.

He added that the care.data leaflets that were sent out to households across the UK followed by the jigsaw people animation, do not clearly tell patients what the programme is, or what patients’ choices are exactly or how to exercise them.

“It‘s clear the public know very little about what is planned for their medical records, and even less about their right to opt out.”

GPs were made responsible for the patient communications last summer, when a bland poster and flyer was sent to them for sharing in surgeries. If you were well, you are almost guaranteed to have missed it. Actually, it was so simplistic, you probably did even if you visited the surgery too.

This recent care.data delay is the second due to concerns over its rollout. The original planned launch was for last Autumn but the Information Commissioner’s Office (ICO) prompted by patient group MedConfidential showed that patients were largely unaware and called for better communication.

After the nationwide leaflet, over which the care.data communications manager agreed with me in October would a be a challenge for ‘those hard to reach groups’, it is infuriating to know it these issues were known last autumn and should have been easily avoided before a launch at taxpayer expense. The Secretary of State too, replied to my and others concerns, with little more than acknowledgement and rebuttal of each point made.

Members of the GPES IAG own project group on September 12th, raised major concerns for patients, the day before the NHS England Board signed off the directions for the care.data extraction.

Many with professional clinical expertise, even the BMA and Professor Sir Brian Jarman OBE, have called for changes and improvements. These include suggestions to:

n Deliver plain facts on why identifiable data is a requirement,

n Explain exactly how the objection codes work and clarity on what is extracted as a minimum data set and planned scope changes, for more data in future.

n Clear governance procedures of what data may be used where, for how long and by whom, before it is extracted. Not only after the event.

What care.data is not

It is important to clarify what care.data is not.

Care.data will not be used for our direct care so we must not confuse this with having access to our own health record online.

Another initiative, driven by George Freeman MP with a new organisation, ‘Patients4Data’ is supported by numerous Life Sciences companies including AstraZeneca to make it legally required to establish the right for an individual person to have an Electronic Patient Record.

But care.data is not approved for patient access. So whilst there may be a future vision to have Electronic Record Access by all and a paperless NHS by 2018, we need to base our current experience on current facts and past experience.

What information is already available?

Since 2010, we may have already given consent for our data to be shared between GP and HSCIC through the Summary Care Record, with health professionals across the NHS, in the hope of discharge summaries and joined up records for clinical use on the ground.

It has yet to be available to use in the majority of West Sussex region’s healthcare providers beyond the GPs whose data it came from.

There are only three hospitals which can uses SCRs and one of those is Lewes prison.

Whilst data is extracted from every NHS providing location to deliver data for top-down payment management and secondary uses, the clinical staff drown in paper on the ground. Why should we believe that even more data to be extracted now, will be used for the stated purposes when four years after SCRs, we are still looking back waiting on the benefit delivery?

How will data be used in future?

Looking forward, how our data may be shared in future?

We don’t really know, nor have any idea of how it may change over time. HSCIC and the Jeremy Hunt signed a Memorandum of Understanding with the US Department of Health and Human Services on January 23rd.

That includes, ‘open data initiatives and data transparency of secondary stores’, yet there is no public documentation on what that means for the sharing of our patient records cross-border, particularly EU-US.

Safety for our data

As a mother, I want to know, that when we donate our data, and that of our children, it will stay safe for the future.

That what we signed up for today, stays what we are signed up to.

I want to have fair processing of who, what and why others have our health records and how that knowledge will be used.

When I hear Tim Kelsey’s enthusiasm talking to Strata, in November, encouraging apps developers to be creative with how we can use health and other data even to look at ‘mashing it up’ with commercial loyalty cards, I love his vision and enthusiasm, I do. But at what potential cost to confidentiality and privacy?

He will undoubtedly make proviso for consent and choice, but fact is there has been no consent and no choice of whether our hospital data is held for the last 25 years.

Why have we not complained sooner, they ask? Because we had no idea it was used for anything other than our direct care.

And I’m not concerned about security breaches. It’s legitimate approved uses which my amber data may be used - that to me is a breach - I did not give consent for its extraction or sharing.

We cannot opt out from that HES data use in potentially re-identifiable, pseudonymised data form.

Show me the holes

To rebuild my trust they need to show me the holes in the system.

And show me what safeguards are in place for future ownership. It is not security breach I fear, but legitimately approved misuse.

The Confidentiality Advisory Group review applications for data use for research purposes, and documents very well in public detail, the requests it receives for what, by whom, approved and rejected.

The HSCIC DAAG approval list shows only a single line of text. For example, a generic ‘Cabinet Office’ application was approved last June but we don’t know what health records were used by whom for what.

We may trust the State implicitly to use personal or sensitive data wisely, but we give away our rights to control our data forever under care.data.

We have no knowledge of which future government or indeed governance procedures will be.

Can you opt out?

So, can we opt out? This is extremely unclear.

One Storrington parent, Kris Nutbeem, says she read about it via a friend on social media. “We’ve opted out. I don’t agree with it at all and I don’t think most people are aware of it.”

National spokesperson Siobahn Roberts said: “The care.data programme are responsible in partnership with HSCIC to ensure that patients are aware so they can object if they don’t want their data to flow in this way. It is only an objection, not an opt out.”

(ref: Paper NHSE130903)

“There is no objection to onward disclosure possible, because onward dissemination must be limited to fully-pseudonymised data, except where the law permits this to Accredited Safe Havens, so there is no need to make provision to take account of individual objections.”

Yet public facing communications, even spokespeople on radio and the Parliamentary Note from Dec 18th, talks of an opt-out. It abounds in the media and there has been no correction. So what does the wording mean?

More information

Where a patient wishes to prevent any flows of personal confidential data, patients can speak to their GP practice to ask for codes to be applied to their records.

The majority use codes 9Nu0 and code 9Nu4, but this has some variation depending on the local system each GP practice uses. Ask at reception, there is no need to speak to GPs directly or use clinical appointment time.

For further information, patients may visit the NHS Choices website at:

n www.nhs.uk/caredata

n Call the care.data helpline: 0300 456 3531 or for more details about how HSCIC looks after confidential information and how it may be used see their the website at:

n www.hscic.gov.uk/patientconf.