Select Committee on Health Sixth Report


3  The Summary Care Record

Introduction

43. In this chapter we examine the development of the national Summary Care Record (SCR) under the following headings:

Description

GENERAL

44. The SCR is intended to provide a summary of key health information, which can potentially be accessed by clinicians anywhere in the country. An SCR will eventually be created for every NHS patient in England, provided they do not choose to opt out of having a record. Unlike the Detailed Care Record (DCR), every patient's SCR can be made accessible in all parts of the NHS to users with the appropriate level of access. Information held in the SCR will be extracted from existing GP records, and later from other sources, and uploaded to and stored on the National Data Spine.

45. The SCR is one of the main Spine applications being developed by BT and works alongside another Spine application, the Personal Demographics Service (PDS). PDS data will be used to determine all of the patients for whom an SCR is to be created and to ensure that duplicate records are not created. Use of the SCR requires NHS organisations to be connected to the Spine via the N3 network.[50]

46. Patients will be able to access their own SCR data on the internet using a website called HealthSpace. HealthSpace will allow patients to view but not alter information, to add their own notes and comments to the SCR record, and to access more detailed background information, for example on diagnoses and treatments.[51]

CONTENT OF THE SUMMARY CARE RECORD

Officials' views

47. Determining exactly what information would be held on the new NCRS systems was one of the main aims of the Committee's inquiry. However, the information and explanations which we received from Connecting for Health about the content of the SCR changed markedly during the course of our inquiry. Initially, in its memorandum submitted in March 2007, the Department told us that:

At first, the Summary Care Record will contain only basic information such as known allergies, known adverse reactions to medications and other substances (e.g., peanuts), acute prescriptions in the past 6 months and repeat prescriptions that are not more than six months beyond their review date…In due course more information will be added about current health conditions and treatment.[52]

48. However, when questioned in detail on 26 April about the content of the SCR, Connecting for Health officials described the content as "customisable at a local level", implying that different information will be placed on the SCR in different parts of the country.[53] Dr Gillian Braunold, National Clinical Lead for GPs at Connecting for Health, stated at the same evidence session that some information from hospital records will be placed on the SCR.[54]

49. Officials provided more detailed and somewhat different information at the evidence session on 14 June. Dr Simon Eccles, National Clinical Lead for Hospital Doctors at Connecting for Health, described three distinct sets of information that could be placed on the SCR:

  • Information on allergies, adverse drug reactions and recent prescriptions, described as "life-saving" information, derived from the patient's GP record. This information will be placed on the SCR when it is created;
  • More detailed information about basic medical history, key operations and procedures, physiological and lifestyle details, which can subsequently be added to the SCR, again derived from the GP record; and
  • Basic details of hospital visits including discharge summaries, outpatient clinic letters and A&E summaries, which can be placed on the SCR from 2008.[55]

Other views

50. Witnesses expressed concerns about the Department's changing descriptions of the content of the SCR. In addition, some argued that the inclusion of more and more data would erode the value of the record as a brief but clinically useful summary.[56] Other witnesses thought that patient consent systems would be undermined by the expansion in the content of the SCR, something we consider in more detail below. Dr Paul Cundy, Chair of the General Practitioners' Committee Joint IT Committee, stated that,

We are aware that there are already, even before the evaluation of the pilots is completed, suggestions that the Summary Care Record should also collect data from Choose and Book (i.e. referrals data) and also possibly the electronic prescriptions service. So it is already looking like far more than just a summary record.[57]

51. Other witnesses were scathing, particularly about the perceived inconsistency of the information received from Connecting for Health. Joyce Robins of Patient Concern commented that, "the grave impression is that they are making it up on the hoof".[58]

USES OF THE SUMMARY CARE RECORD

Officials' views

52. The way in which the SCR will be used depends upon what information is included. It is not surprising, therefore, given the uncertainty about the content of the record, that a number of different uses for the SCR were described to the Committee. Dr Gillian Braunold told the Committee that:

The Summary Care Record is intended to be a first cut of information to help clinicians who have no access to any other records in the first instance who are unfamiliar with the patient, to help them to get started so they are not working in an absence of information.[59]

53. Officials suggested that the SCR would be of particular value in providing care to the following patient groups:

  • patients travelling regularly around England;
  • unconscious patients receiving emergency care;
  • unscheduled care for frail, elderly patients in the community; and
  • patients being treated out of hours.[60]

54. Subsequently, Dr Braunold also described plans to use the SCR to provide continuous care for patients with long-term conditions as well as supporting unscheduled care. She commented that:

…one of our early adopter PCTs…is planning to use the Summary Care Record to help the people who are looking after patients with diabetes in the community, as well as in hospital and general practice; and they want to ensure that the content of the Summary Care Record will help to manage that care, and will have in it the recent results and the recent visits to the various members of the team.[61]

55. Dr Braunold went on to argue that the SCR could be used to fulfil some of the functions of the DCR while the latter is being developed:

My personal belief is that the amount of information in the Summary Care Record will start growing bigger and then go smaller again as the Detailed Care Records become the actual way that in the locality people start to share information…[62]

Other views

56. However, other witnesses expressed serious concerns about widening the uses of the SCR in this way, arguing that such practices would undermine both consent systems and security procedures. Dr Martyn Thomas, Professor of Software Engineering at Oxford University, stated:

The notion that you could introduce a Summary Care Record and then use it as the Local Care Record, because it had the flexibility to enable local care groups to upload whatever information they wanted to and could agree to actually share amongst themselves, looks to me like a specification creep that is highly likely to undermine the security policies that are being put in place…[63]

HealthSpace

57. Officials were at least somewhat clearer about the intended use of the HealthSpace website. Patients will be able to use the site to gain access to their SCR and to look at more detailed, generic information about their conditions and treatments, as well as general health information. Patients will also be able to add their own notes and comments to their HealthSpace record.[64]

THE BENEFITS FROM A SUMMARY RECORD

Critical views

58. The evident confusion over the content and likely uses of the SCR led some witnesses to question the value of having separate national SCR and local DCR record systems. One witness described the separate record systems as "an ill-defined fudge".[65] Frank Burns, author of the 1998 Information for Health strategy, argued that the introduction of the SCR before local DCR systems have been implemented represented "an enormous distortion of priorities".[66] He argued that:

…it [the SCR] is of less value clinically and less value to patients than the deployment of clinically rich functional technology supporting doctors and nurses on a day-to-day basis.[67]

59. Dr Paul Cundy thought that the development of two separate records systems represented a departure from NPfIT's original plans which envisaged a single, integrated record, available nationally:

…your Committee is recognising the volte-face of the programme, because certainly it was true in 2003, when it was first announced as a national programme, it was going to be a single record accessible to anyone anywhere…We now have a very different description…[68]

Officials' views

60. Officials disagreed, however, arguing that the goals of the NCRS have been consistent since the inception of NPfIT. Richard Granger told the Committee that the development of a separate SCR and DCR:

…is not a change of direction; that is the details of plans which were documented in Spring 2002…That document set out very clearly that there needed to be more widely accessible summary information and detailed local information…[69]

61. More importantly, officials stressed the clinical value of the SCR dataset, particularly "life-saving" information about allergies, adverse drug reactions and prescription information.[70] Harry Cayton, National Director for Patients and the Public at the Department of Health, stated:

…there seems to be quite a clear consensus, certainly around clinical people, that this small data set…is a significantly useful data set in clinical terms.[71]

62. Richard Granger also pointed out the value of the SCR in supporting local unscheduled care:

The summary care record is going to be the first port of call for the 115.5 hours a week when the GP practice is shut, so I think it is quite a useful instrument to have regardless of whether you stay in one place or move around...[72]

63. Lord Hunt, then the Minister responsible for the NPfIT programme, stressed the unique value of giving patients access to their SCR record through HealthSpace. He commented:

…the great advantage of HealthSpace is…there will be a whole host of information about health, and my own view is that it has huge potential in helping people take control of their own health.[73]

64. However, Dr Paul Thornton, a GP, highlighted the need to protect vulnerable patients from being coerced into giving others access to their SCR through HealthSpace. He warned that:

Vulnerable patients will find it difficult to resist pressures from "friends", abusive spouses, and parents to access and divulge the contents of their SCR.[74]

Progress and implementation

The early adopter programme

65. The first pilots of the SCR were originally planned for December 2004. However, delivery of the system was postponed following delays to the delivery of the National Data Spine.[75] Consultation about what should be included in the SCR and how the system should be implemented also took longer than originally planned.[76] A Ministerial Task Force was established in July 2006 "to resolve the ethical and practical differences" between different stakeholders including Connecting for Health, NHS bodies, professional organisations and patient groups.[77] The Task Force reported in December 2006 and pilots of the SCR began in Spring 2007, around two years behind schedule.[78] Richard Granger acknowledged that the delivery of the SCR has been delayed by two years because of "a mixture of software complexity and an extended consultation period".[79]

66. The report of the Ministerial Task Force recommended that Connecting for Health should "make haste slowly" with the implementation of the SCR, piloting all of the different functions, including patient access through HealthSpace, in its early adopter sites, and evaluating pilots carefully. The Task Force also recommended more training for staff in the use of the SCR applications and a concerted attempt to improve public understanding of the SCR and its benefits.[80] Following the Task Force report, the SCR system was launched in March 2007 at two PCTs in the Bolton area. The first patient information was uploaded in May 2007 and will be available to out-of-hours service providers from August 2007.[81] Connecting for Health announced in April 2007 that the SCR early adopter programme would be independently evaluated by University College London.[82]

Wider implementation of the SCR

67. It is not clear exactly how long it will take to implement the SCR across England. Connecting for Health has stated that the full roll-out will take "several years" and separately that it will last "up to 2010".[83] The evaluation of the early adopter programme will run until April 2008 and its final report will be published in summer 2008.[84] The Department told us that "the subsequent national roll-out is expected to commence in financial year 2008/9".[85]

68. Despite the delays to the initial implementation of the SCR, officials assured the Committee that the amended timetable will prove reliable. Richard Granger commented that:

BT have delivered every one of their central software drops on time for the past 18 months. There was lots of delay before that, but this has become quite a reliable delivery environment now.[86]

69. Officials also predicted that there will be genuine enthusiasm amongst clinicians and patients for the SCR system to be rolled out. Dr Braunold stated:

I have no doubt that the value of a coded record on the summary…will have GPs and patients crying out for the Summary Care Record faster than we can deliver it.[87]

70. Some planned features of the SCR programme are not available at present but will be added later in the early adopter phase. For example, we were told that electronic "sealed envelopes" to allow patients to restrict access to particularly sensitive information are due to be available from April 2008.[88] In addition, patients will be able to access their personal information on the HealthSpace website at some point during the early adopter phase.[89]

Consent systems

71. One of the key areas examined during the Committee's inquiry was the degree to which patients will be able to control what information is contained in their SCR and who is able to access it. This has proved a complex and controversial subject with considerable media and public debate surrounding the first trials of the SCR. Witnesses stressed that consent systems are important and require careful planning and communication if trust in records systems is to be maintained.[90]

INITIAL PLANS: AN OPT-OUT CONSENT SYSTEM

72. In its initial submission to the Committee, in March 2007, the Department of Health stated that patients who did not wish to have an SCR created would be able to opt out of the scheme:

Individuals who have concerns can choose not to have a Summary Care Record created for them. They will be advised to inform their GP of their views and to request that a note be made of their concerns and the choice they have made. The GP practice may ask the patient to sign a form indicating that they understand and accept that it may not be possible for the NHS to provide them with the same care as others...[91]

73. Harry Cayton stated that the opt-out consent approach was in keeping with the recommendations of the Ministerial Task Force on the SCR, of which he was the chair. He described it as "the most practical, ethical and appropriate way forward" and commented that members of the Task Force had agreed unanimously on the opt-out model.[92] Richard Granger argued with conviction that the opt-out approach would strike an appropriate balance between protecting patient privacy and taking advantage of the practical benefits offered by electronic records systems:

…some people would like all information to be available everywhere; and then at the other end of the spectrum there are the privacy fascists who would like to dictate that nobody has any information available anywhere. We have been trying to forge a path between those extremities.[93]

Legal objections

74. Some witnesses, however, argued that the opt-out approach could be subject to legal challenges. Press for Change, the UK's largest representative organisation for transsexual people, predicted that:

The uploading of data without [explicit] patient consent would leave General Practitioners open to prosecution.[94]

75. Douwe Korff, Professor of International Law at London Metropolitan University, told the Committee that the opt-out system would not be compliant with European law, regardless of whether it met the requirements of the UK Data Protection Act.[95] He concluded that:

If one uploads the summary care record or the more elaborate care records without making that distinction one is extremely likely to break European law… I would be happy to take a case to the European Court of Human Rights in Strasbourg which has also become increasingly aware of and strict in the support of data protection principles.[96]

76. However, the legality of the opt-out approach proposed by the Department was supported by evidence from the Information Commissioner's Office, the organisation which regulates data privacy.[97] Jonathan Bamford, the Assistant Information Commissioner, told the Committee that:

If patients are informed that they can exercise a proper choice over what happens to their information on the basis of transparency, and they have the opportunity and time to make that choice, it is consistent with the requirements of the Data Protection Act to provide it on an opt-out basis.[98]

Mr Bamford also argued that the opt-out consent approach was consistent with European legal requirements.[99]

Ethical objections: should an opt-in system be used?

77. Other witnesses argued that the opt-out consent model was unethical and would be likely to reduce patient choice and empowerment. Joyce Robins of Patient Concern stated that:

We were active in the Department of Health's consent initiative four years ago. Since then we and many other groups have worked very hard to try to give patients the confidence to play an active part in their own healthcare. The care records scheme with its assumed consent policy drives a tank through the whole thing. We are back to the old paternalistic idea "We'll do what's good for you; don't you bother your confused little heads."[100]

78. Andrew Hawker, an NHS patient, commented that even if the number of patients choosing to opt out of the SCR programme proved very low, their wishes should be respected. He regarded Connecting for Health documents describing the risks to patients of not having an SCR as "ominous" and "over the top".[101] Mr Hawker concluded that:

…we have to come back to whether or not an individual patient has the right to say, "I do not want information handled in a particular way", and I was very disturbed to hear the sort of argument that says 98% of people are going to come round, therefore these other troublesome people should be swept aside.[102]

79. Ethical objections to the opt-out consent model were expressed by clinical as well as patient groups. Amongst those advocating an opt-in or explicit consent approach were the British Medical Association (BMA), the Royal College of Psychiatrists and a number of individual GPs.[103] The BMA stated that:

…it is for patients to decide, in discussion with a healthcare professional where appropriate, the extent to which their clinical information is placed on electronic systems…The BMA's policy is for explicit consent to be obtained before any healthcare information is uploaded onto the system.[104]

80. Dr Paul Cundy argued that an opt-in or explicit consent approach would be a more effective way to build patient trust in the new system. He suggested that consent could be gained by GPs during routine consultations:

When the patient next comes to see their GP you can discuss whether you want something going on [to the SCR], you can do it slowly over time, and in taking that approach, which is a default opt-in approach, you slowly build the system and that allows time for trust in the system to be developed.[105]

81. However, officials expressed clear objections on 26 April to the use of an opt-in consent system. Harry Cayton argued that an informed consent system would be impractical, estimating that "100 years of GP time" would be required to offer informed consent to every patient in the country.[106] He also thought that an opt-in system would tend to disadvantage vulnerable groups:

…if you have an informed consent to be part of the system, then large sections of society, particularly some of the most vulnerable people in society, do not take part. They do not take part because they do not know how to give informed consent, they do not take part because they do not understand what is being asked or offered and they do not take part because of physical immobility…[107]

SUBSEQUENT PLANS: A HYBRID CONSENT SYSTEM

82. In spite of these comments, the Department of Health subsequently outlined more detailed consent proposals for the Summary Care Record, which included the addition of a significant opt-in element. A supplementary memorandum, received on 12 June 2007, explained that:

…the assumption of implicit consent (i.e. the opt-out approach) relates only to the initial setting-up of the Summary Care Record and the inclusion of medication, allergies and adverse reactions. The next stage of adding the patient's significant medical history will occur only after a discussion between the patient and their GP and therefore requires explicit consent (i.e. opting-in) unless there is a lawful basis for recording information without consent, e.g. when a patient lacks capacity.[108]

83. At the subsequent evidence session on 14 June, Dr Simon Eccles confirmed to the Committee that information will be placed on the SCR in at least three separate phases with different consent models. Dr Eccles explained that:

  • The creation of the SCR and the addition of information about allergies, adverse drug reactions and prescriptions will take place by implied consent, i.e. unless the patient chooses to opt out;
  • More detailed information such as significant medical history, key operations and lifestyle information can subsequently be added but only with explicit consent from the patient. Patients can view this information before it is added to the SCR; and
  • Hospital information such as discharge summaries, clinical letters and A&E summaries can also be added with explicit consent from the patient.[109]

84. The Department's 12 June memorandum also provided more details about patients' options for regulating access to the SCR. Three distinct consent positions were described:

  • The 'red' position: the patient chooses not to have an SCR created;
  • The 'amber' position: the patient chooses to have an SCR created but not accessible to clinicians other than their GP; the patient can subsequently choose to grant access to specific clinicians;
  • The 'green' position: the patient chooses to have an SCR created and made accessible to any clinician caring for the patient or with another legitimate interest in viewing the information.[110]

85. It is difficult to assess views amongst clinical and patient groups about the hybrid consent system eventually set out by the Department because the details of the system were only made clear to the Committee at the end of its inquiry. It is clear from the evidence received that most stakeholders believed that the opt-out consent model would apply to all information placed on the SCR. Patients in particular expressed concern about the lack of clarity about both content and consent.[111] Andrew Hawker, an NHS patient, offered an eloquent perspective on the situation:

I feel like a passenger boarding a plane. On board are technicians arguing about how the plane's controls should be wired together, and who should do it. The plane has not had many test flights, and some of those have crashed. Meanwhile, flight attendants are handing out brochures saying how safe it all is.[112]

86. Yet it is clear that the proposed hybrid consent system will help to address a number of the questions raised by witnesses by giving patients more control over their information and ensuring that more detailed information is only added to the SCR with explicit consent. Concerns that particularly sensitive information, for instance about sexual health, might be added to the SCR against a patient's wishes are to some degree addressed by using an explicit consent model for information about medical history. There are some clear exceptions to this rule, particularly prescription information, which will be added to the SCR with implicit rather than explicit consent. As FIPR pointed out, prescription information will often be sufficient to allow an educated guess of possible diagnoses to be made, a difficulty which is not addressed by the hybrid consent model.[113]

87. Similarly, concerns about large numbers of clinicians having potential access to the SCR are in part addressed by the 'amber' consent position which will allow patients to have an SCR created but not shared without their permission. Given the advantages of the hybrid consent system, it is perplexing that the Department has not done more to make the full details available to patients, clinicians and other stakeholders.

88. Moreover, the new consent system exposes contradictions in the Department's position. Officials have at times contradicted themselves and each other. The use of an 'opt-in' system for the majority of SCR information, for example, ignores the arguments made by Harry Cayton on 26 April that such an approach will disadvantage vulnerable groups.[114] Mr Cayton also argued at the same session that this approach was unsuitable as it would use up very large amounts of GP time.[115] Yet Dr Simon Eccles subsequently argued on 14 June that the impact on GP time is likely to be minimal.[116]

PATIENT OWNERSHIP

89. During its visit to France, the Committee learnt that French patients will legally own their Dossier Médicale Personnel (DMP), the equivalent of the SCR. This means that patients can use sophisticated controls to regulate access to the DMP and clinicians cannot access the record unless the patient is present and agrees. French officials argued that this approach had helped both to make the DMP more popular with patients and to safeguard information privacy. The importance of patients having greater ownership of their SCR was stressed during our inquiry by the NHS Alliance and the Royal College of GPs.[117]

SEALED ENVELOPES

Description and progress

90. Another planned feature of the consent system is the introduction of "sealed envelopes", which will allow patients to restrict access to specific pieces of information which they consider particularly sensitive. Such systems are planned for both the SCR and for local DCRs. The Department explained that two different types of "sealed envelopes" will be available to patients:

91. "Sealed envelopes" are not yet a functioning part of the SCR system and are not available to patients in the first early adopter sites. However, officials told the Committee that this functionality would be available by April or May 2008.[118] This date was confirmed by BT, the suppliers of the SCR system.[119] However, it was not clear when DCR "sealed envelopes" would be available.[120]

92. The Committee heard during its visit to Paris that controls similar to "sealed envelopes" (and known as "masquage" systems) will be available to protect information in the Dossier Médicale Personnel. French officials told us that "masquage" systems have already been completed.

Questions and concerns

93. Unsurprisingly, witnesses expressed concern that the software to create "sealed envelopes" has not been completed before the start of the SCR early adopter phase. Dr Peter Gooderham, a GP, complained that:

…"sealed envelopes" have been advanced as an important method of protecting patient confidentiality. However, the technology was not in existence at the time the Department of Health described them… This appears highly unsatisfactory.[121]

Professor Douwe Korff commented that:

I would not buy a car if the engineer told me he was still working on the brakes but by the time I was a few miles away he would probably have sorted it out.[122]

94. Questions were also raised about how effective "sealed envelopes" would be at protecting confidentiality. The Assistant Information Commissioner told the Committee that his organisation was concerned about whether sealed information could be accessed in an emergency and whether patients would be able to see audit trails showing who had accessed this information.[123]

95. However, officials defended the efficacy of the planned systems. Dr Gillian Braunold told the Committee that "sealed envelope" systems had been demonstrated to a conference of sexual health clinicians, a group which she described as "the most challenging…of all that exist" and "the most sceptical" about plans for protecting sensitive information. Dr Braunold explained that exactly half of this group expressed positive support for the NCRS in light of planned consent arrangements.[124]

96. Other witnesses expressed concern that information in "sealed envelopes" would be made available for research and other purposes via the Secondary Uses Service. Professor Douwe Korff argued that particularly sensitive information should not be accessible in this way, even following anonymisation or pseudonymisation, as this would breach European law.[125] The Department of Health subsequently clarified that while "sealed" information will be available to the Secondary Uses Service, "sealed and locked" information will not.[126] We consider these issues further in Chapter 5.

Security systems

97. Witnesses also expressed concerns about whether SCR data, and other information held on the National Data Spine, could be held securely. These concerns fell into two broad categories which we consider below:

TECHNICAL SECURITY

98. The SCR is one element of the National Data Spine supplied by BT. Access to the SCR is via the New National Network for the NHS (N3), also supplied by BT.[127] The Committee does not have sufficient technical knowledge to make specific judgements on the external security of these systems and the likelihood of illegal infiltration, nor did we seek detailed, technical evidence about security systems. However, the Committee did seek the general views of officials, suppliers and academic experts about the likely effectiveness of security systems.

Planned security measures

99. Officials acknowledged that no system of information storage can be considered entirely secure and stated that "different vulnerabilities" affect paper and electronic storage systems.[128] Richard Granger pointed out that security risks are being mitigated by the use of experienced suppliers who also work for the security services, by introducing functionality incrementally with thorough evaluation, and by ensuring compliance with HL7 international infrastructure standards.[129] Mr Granger also argued that the significant benefits of sharing information electronically outweigh the small but unavoidable risk of a security breach.[130] In a subsequent submission, the Department described the system's technical security apparatus in more detail:

The new systems will be protected by state of the art security measures capable of providing far greater protection than has ever been the case previously. The NHS patient database (the Spine) will reside within a fully private network known as N3. The Spine system and database can be accessed only from within this private network. Should an attacker somehow gain access to the NHS private network they would then have to break through three separate layers of tiered architecture—each tier being protected by twin firewalls (of different manufacture) to access the database. The firewalls are supported by intrusion detection systems and other multiple security measures, which monitor network traffic routinely and raise an alert on the detection of suspicious activity.[131]

100. BT, the supplier of the national systems, offered strong assurances about technical security levels, arguing that unlawful access to the National Data Spine would be "near impossible" without the assistance of a registered user, i.e. without a breach of operational security.[132] Patrick O'Connell, Managing Director of BT Health, told the Committee that BT has an ongoing programme of internal testing to ensure that systems cannot be infiltrated.[133] BT also stressed the inevitability of a trade-off between the level of system security and the practicalities of making systems user-friendly, particularly to busy clinicians:

…the specification of the system we are delivering achieves an important balance between value for money, operational effectiveness and ease of use, likely threat of infiltration and potential for damage through infiltration. Spine has not yet been penetrated.[134]

Challenges and criticisms

101. Some witnesses, however, raised doubts about planned technical security systems. Brian Randell, Professor of Computing Science at Newcastle University, told the Committee that suppliers had not provided information about likely security levels to Connecting for Health:

When I and colleagues met Mr Granger a year ago we were absolutely shocked to find that Connecting for Health did not have any documents stating things like the reliability and security guarantees. They said that they did not have them because they were regarded as confidential to the suppliers. I still find that absolutely gob-smacking.[135]

102. In its 16 July memorandum, however, the Department stated that:

Professor Randell was not told that NHS Connecting for Health did not have reliability and security documentation. He was told that this existed but that, for reasons of confidential and commercially sensitive content, they could not be disclosed to third parties…[136]

103. More worryingly, doubts were raised about the overall architecture of the electronic records systems and the decision to create a National Spine for storing and transferring information. Witnesses argued that the creation of a nationally accessible system, rather than a series of smaller, local systems, would increase the risk of security breaches. The UK Computing Research Council stated that:

…a single system accessible by all NHS employees from all trusts maximises rather than minimises the risk of a security breach. It increases the number of patients affected by the worst case breach…In short, it provides both a bigger target and a larger number of points of attack than a series of smaller systems.[137]

104. The British Computer Society took this point further, arguing that higher levels of security would be achieved by storing information in a "distributed database" rather than on centralised storage systems. Such a system would allow clinicians to search a range of local databases for information about a particular patient which could be drawn together into a "virtual" record when required, rather than being permanently stored in one place.[138] But officials were dismissive of this idea. Richard Granger pointed out that:

We did not want to, frankly, experiment with the very, very large distributed network. None of the leading suppliers of solutions in this space who are willing to bid and take financial and completion risk around the delivery came up with that architecture…[139]

OPERATIONAL SECURITY

105. Many witnesses stated that ensuring the operational security of the new electronic patient record systems is likely to represent a still stiffer challenge than maintaining technical security. This argument was applied particularly to the SCR system, which can in theory give access to clinical information about any NHS patient from any point in the country. The Medical Protection Society commented that security problems are most likely to be caused by "the human factor which is not subject to system controls".[140] BT pointed out that the "nature of the environment" in the NHS would make ensuring operational security difficult, for example because NHS buildings are freely accessible to the public and IT security is unlikely to be closely monitored in busy hospital departments.[141] The challenge was summarised by Symantec:

…technology alone cannot be relied upon when developing and implementing electronic patient records. Education and training of NHS staff, at all levels, on the importance of data management will also be required.[142]

Planned security measures

106. Evidence from officials and suppliers described a range of measures which will be used to maximise the operational security of the SCR system. Many of these measures will also be used to protect local DCR systems and some are discussed further in Chapter 4. The measures set out include:

  • Access to the SCR system requires users to insert a valid smartcard as well as entering a user name and password;
  • Receipt of a smartcard follows a registration process which requires users to present identification and to be sponsored by a senior member of their organisation (this process ensures that security complies with level 3 of the e-Government Interoperability Framework);[143]
  • Users accessing the SCR system will only be able to view information relevant to their job role, so an administrator will not typically be able to view clinical information. This safeguard is known as role-based access control;
  • Users can only access information about a patient after specifying a legitimate relationship with the patient, for example a clinician providing treatment or a receptionist recording the patient's arrival in clinic;
  • A full audit trail will be maintained by the SCR system, indicating who has accessed patient information and for what purpose. This information can be viewed by GPs and Caldicott Guardians and will be available to patients on request;[144] and
  • Attempts are being made to improve the enforcement of operational security systems by increasing the penalty for attempting to access information unlawfully. Support for stronger penalties has been expressed by the Information Commissioner's Office, the Department of Health and the General Medical Council.[145]

107. BT also described some technical features of the SCR system which aim to improve operational security, including automatic logouts if systems are left unused and programmes for detecting unusual or malicious accessing of SCR data.[146]
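The layered checks listed in paragraph 106 (authentication, role-based access control, legitimate relationship, audit trail) and the detection of unusual access mentioned in paragraph 107 can be sketched as follows. This is an added example, not code from the report, Connecting for Health or BT: the role names, record sections, identifiers and review threshold are hypothetical, and smartcard authentication is reduced to a boolean.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical role-to-section mapping; the report names no concrete roles.
ROLE_SECTIONS = {
    "clinician": {"demographics", "clinical"},
    "receptionist": {"demographics"},
    "administrator": {"demographics"},
}

@dataclass(frozen=True)
class AuditRecord:
    user: str
    role: str
    patient: str
    section: str
    purpose: str
    allowed: bool
    reason: str

class SummaryRecordGate:
    """Applies the layered checks in order and audits every decision."""

    def __init__(self, relationships):
        self.relationships = set(relationships)  # (user, patient) pairs
        self.audit = []

    def request(self, user, role, authenticated, patient, section, purpose):
        if not authenticated:  # stands in for smartcard plus password
            allowed, reason = False, "not authenticated"
        elif section not in ROLE_SECTIONS.get(role, set()):
            allowed, reason = False, "role not permitted for section"
        elif (user, patient) not in self.relationships:
            allowed, reason = False, "no legitimate relationship"
        else:
            allowed, reason = True, "ok"
        # Denials are audited too, so refused attempts remain visible.
        self.audit.append(AuditRecord(user, role, patient, section, purpose, allowed, reason))
        return allowed

def review_queue(audit, max_patients=2):
    """Cut the trail down to entries a reviewer should read: every denial,
    plus all entries for users who opened more than max_patients records."""
    opened = defaultdict(set)
    for rec in audit:
        if rec.allowed:
            opened[rec.user].add(rec.patient)
    broad = {user for user, patients in opened.items() if len(patients) > max_patients}
    return [rec for rec in audit if not rec.allowed or rec.user in broad]

def demo():
    """Constructed sample: identifiers and relationships are invented."""
    gate = SummaryRecordGate({("dr_a", "P1"), ("recep_b", "P1"),
                              ("dr_c", "P1"), ("dr_c", "P2"), ("dr_c", "P3")})
    results = [
        gate.request("dr_a", "clinician", True, "P1", "clinical", "treatment"),
        gate.request("recep_b", "receptionist", True, "P1", "demographics", "arrival"),
        gate.request("recep_b", "receptionist", True, "P1", "clinical", "arrival"),
        gate.request("dr_a", "clinician", True, "P2", "clinical", "treatment"),
        gate.request("dr_a", "clinician", False, "P1", "clinical", "treatment"),
    ]
    results += [gate.request("dr_c", "clinician", True, p, "clinical", "treatment")
                for p in ("P1", "P2", "P3")]
    return gate, results

if __name__ == "__main__":
    gate, results = demo()
    for rec in review_queue(gate.audit):
        print(rec.user, rec.patient, rec.section, rec.reason)
```

The order of the checks matters for the audit trail: each refusal records the first control that failed, which is what a reviewer needs when deciding whether an entry reflects a mis-assigned role or an attempt to view a record without a relationship.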

Challenges and criticisms

108. A number of doubts were raised about plans for maintaining the operational security of the SCR system. Professor Brian Randell was sceptical about how effective role-based limitations on access would prove:

If one has role-based access control with a very large number of complicated roles in a situation where there is a lot of changing roles it will be extremely difficult to deal with all the individual decisions that are being made as to who should have what role and what privileges…I am deeply suspicious of the practical efficacy of such a system.[147]

109. A number of witnesses raised concerns about the use of smartcards to access electronic records systems, and particularly about whether access would be fast enough.[148] However, such concerns did not relate specifically to the SCR system and so we consider them further in Chapter 4.

110. Regarding audit trails, Professor Brian Randell argued that monitoring access to the SCR was a good idea in principle but that the sheer volume of records created would make effective oversight difficult:

If…one has a system where it turns out that there are huge numbers of audit records being generated to the point where nobody is looking at them, that is a…system that is not being properly designed.[149]

111. Dr Martyn Thomas argued that security systems did not appear to have been designed with users in mind, meaning that people would inevitably "work around" security procedures. He stated that:

…in deciding what the specification for the technology should be, you actually need to start by looking at the specification for the overall social system and deriving the specification for the technology out of the way that people are genuinely going to behave when faced with the technology… The moment it appears to them that the systems are getting in the way of them doing their job, which they see as treating patients and running the hospital effectively, they start working around the systems.[150]

112. But suppliers disagreed, arguing that every effort had been made to ensure that security systems did not interfere unnecessarily with existing working practices. Guy Hains of CSC stated that suppliers were "super-sensitive" to the need to design systems which were both secure and practical to use.[151]

Conclusions and recommendations

113. The Committee is pleased that trials of the national Summary Care Record (SCR) are now going ahead following delays to the project. The SCR has the potential to make the health service more patient-centred and to improve the safety and efficiency of care, especially in emergency situations when care is delivered by staff unfamiliar with the patient involved. The Committee supports the aim of introducing a nationally available summary record as soon as possible and deplores the delays and continuing indecision about its content.

114. The SCR has less comprehensive clinical value than shared Detailed Care Record (DCR) systems and is a comparatively straightforward application which extracts information from existing GP systems, whereas DCR systems must be built up from a range of complex and interdependent component applications. Given that there is expected to be clinical value from the SCR, its roll-out should not be held back by delays to DCR systems. We examine DCR systems in more detail in Chapter 4.

115. The Committee was dismayed, however, by the lack of clarity about what information will be included in the SCR and what the record will be used for. Officials gave different answers to these questions on different occasions. The Committee was told at various times that the SCR will be used for the delivery of unscheduled care, for the care of patients with long-term conditions, and to exchange information between primary and secondary care. It is little wonder that patient groups expressed confusion about the purpose and content of the SCR.

116. The Committee is aware of the Department's most recent plans but is concerned that the complexity of the SCR appears to be increasing. This will make the SCR more difficult to use, particularly in emergency situations. The Department must be clear about the purpose of the SCR, and it must ensure that the record is easy to use. To this end, we recommend that the SCR include a single standardised front screen to display key health information which is vital for emergency care.

117. The Committee has also received inconsistent information about the patient consent arrangements for the SCR. Initially, we were told that information will be added to the SCR with "implied consent", provided patients do not opt out. This approach was strongly criticised by clinical and patient groups. However, it subsequently became clear that while the creation of the SCR, and the addition of "life-saving" details such as prescription information, will require "implied consent", the addition of detailed clinical information will only take place with "explicit consent" from the patient. This hybrid consent system represents a much more satisfactory model but one which has not been well communicated to patients or clinicians.

118. The inclusion of prescription information on the SCR with only "implied consent" remains problematic, however. On the one hand, prescription information can often make a patient's diagnosis obvious. On the other hand, excluding some prescription information from the SCR would be clinically dangerous. If the Department of Health does use the "implicit consent" model for prescription information, it should make clear to patients the implications both for data privacy and clinical safety.

119. The Committee considers that much of the controversy over privacy and consent arrangements for the SCR would have been avoided if Connecting for Health had communicated its plans more clearly to patients. We recommend that Connecting for Health:

120. The arrangements for the SCR will be strengthened when "sealed envelopes" are made available to protect sensitive information and when patients can access their record via the HealthSpace website. It is unfortunate that these elements of the SCR are not yet in place, but the Committee understands and supports the decision to press ahead in any case with trials of the SCR. Connecting for Health must ensure that both "sealed envelopes" and HealthSpace are introduced as soon as possible, particularly so that their effectiveness can be assessed during the independent evaluation of the early adopter programme.

121. "Sealed envelopes" are a vital mechanism if sensitive information is to be held on the SCR. We recommend that:

  • The right to break the seal protecting information in "sealed envelopes" should only be held by patients themselves, except where there is a legal requirement to override this measure; and
  • Information in "sealed envelopes" should not be made available to the Secondary Uses Service under any circumstances; this will allow patients to prevent data being used for research purposes without their consent.

122. HealthSpace is an excellent addition to the SCR programme and has huge potential to improve the safety and efficiency of care by allowing patients to check the accuracy of their SCR and to access detailed information about their own health. In order to take fuller advantage of HealthSpace, we recommend that Connecting for Health:

  • Trial the use of HealthSpace for patients, particularly those with long-term conditions, to record their own measurements of key health information;
  • Ensure that HealthSpace allows patients to view audit trails, showing who has accessed their SCR record and under what circumstances, and offers mechanisms for investigating inappropriate access;
  • Promote the use of HealthSpace, monitor levels of uptake, and ensure that there is equitable access across the country and that coercive access is prevented; and
  • Commission an independent evaluation of HealthSpace once the system is widely available.

123. We note that in France patients will own their national summary record. This approach gives patients more control over who can access their record and more opportunity to influence and take control of their own care. We therefore recommend that Connecting for Health consider a similar model for the SCR in England.

124. The Committee does not have the knowledge or expertise to make specific judgements about the likely effectiveness of planned technical security systems at protecting the SCR from external attack. We received strong assurances from officials and suppliers about the quality of security systems, and we accept the inevitability of a trade-off between levels of security and the need to ensure that systems are user-friendly. We also acknowledge that no information storage system can be considered 100% secure.

125. However, serious concerns were expressed regarding the lack of information both about how security systems will work and about the outcomes of security testing. We agree with these concerns and recommend that Connecting for Health ensure that BT's planned security systems for its national applications are subject to independent evaluation and that the outcomes of this are made public.

126. Maintaining the operational security of the new SCR system is a substantial challenge. We acknowledge that Connecting for Health and its suppliers have made significant efforts to minimise the risk of operational security breaches. Individual smartcards, rigorous user authentication, role-based access controls, legitimate relationships and audit trails will all help to increase operational security, both individually and in combination. However, many of these measures are new and untested on the scale that they will be used in the NHS. As a result, their impact and vulnerabilities are difficult to predict. We therefore recommend that Connecting for Health:

  • Ensure that the evaluation of the early adopter sites examines both the individual and the collective impact of the new operational security measures for the SCR, commissioning a separate evaluation if necessary; and
  • Undertake a programme of operational security training for all staff with access to the SCR, emphasising the importance of not divulging information to those who request it under false pretexts.

127. Operational security also depends on effective enforcement. The Department of Health and the Information Commissioner's Office have called for custodial sentences for people who unlawfully access personal information. The Committee welcomes this, and recommends that a substantial audit resource be provided to detect and prosecute those who access the system unlawfully.


50   Officials told the Committee that there are now more than 19,000 N3 connections in hospitals, GP surgeries and other facilities across the health service: see Q2.

51   Q 568

52   Ev 5

53   Q 6

54   Q 25

55   Q 559

56   See, for example, Q 85

57   Q 80

58   Q 246

59   Q 6

60   Q 4 and Q 7

61   Q 6

62   Ibid

63   Q 85

64   Q 568

65   Ev 132

66   Ev 142

67   Q 503

68   Q 80

69   Q 3

70   Q 566

71   Q 7

72   Q 577

73   Q 568

74   Ev 188

75   National Audit Office, Department of Health: The National Programme for IT in the NHS, HC 1173, p.4

76   Q 3

77   Report of the Ministerial Taskforce on the NHS Summary Care Record, December 2006, p.4

78   Ev 9

79   Q 3

80   Report of the Ministerial Taskforce on the NHS Summary Care Record, December 2006, pp.9-11

81   Ev 147 (HC 422-III), section 11.25

82   Q 31

83   See, for example, www.nhscarerecords.nhs.uk/patients/when-is-this-happening

84   Q 61

85   Ev 147 (HC 422-III), section 11.25

86   Q 69

87   Q 56

88   Q 66

89   Q 23

90   See, for example, Ev 75

91   Ev 5

92   See Q 59. Membership of the Ministerial Task Force included the BMA, the Royal College of Nursing and the Royal College of GPs.

93   Q 27

94   Ev 87

95   See Q 166. The European legislation referred to by both Professor Korff and Mr Bamford is Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

96   Q 166 and Q 175

97   Ev 71

98   Q 162

99   Q 169

100   Q 177

101   Q 115

102   Q 116

103   See Ev 41, Ev 103, Ev 137, Ev 149 and Ev 186, respectively

104   Ev 42

105   Q 118

106   Ibid

107   Q 59

108   Ev 120 (HC 422-III)

109   Q 559

110   Ev 120 (HC 422-III)

111   See, for example, Q 196

112   Ev 159

113   Ev 63

114   Q 59

115   Ibid

116   Q 571

117   See Ev 79 and Ev 94 respectively

118   Q 68

119   Q 486

120   See Qq 301-305

121   Ev 153

122   Q 218

123   Q 221

124   See Q 67. Dr Braunold described a survey in which members of the Sexual Health Conference were asked whether they would support their local service making use of NCRS systems, on the basis of consent systems which included the "sealed envelope". On a scale from 1 (not at all) to 5 (very much), exactly 50% responded with either 4 or 5.

125   Q 218

126   Ev 120 (HC 422-III)

127   The combined value of the contracts for the National Spine and the N3 network is £1.15 billion.

128   Q 28

129   See Q 31 and Q 34

130   Q 29

131   Ev 120-121 (HC 422-III)

132   Ev 49

133   Q 498

134   Ev 49

135   See Q 316

136   Ev 147 (HC 422-III), section 6.32

137   Ev 125

138   Ev 38

139   Q 32

140   Ev 78

141   Ev 49

142   Ev 118

143   See Q 28. More details about the e-GIF standards can be found at www.govtalk.gov.uk/schemasstandards/egif.asp

144   More detail about operational security controls can be found at Ev 7 and Ev 121 (HC 422-III). Caldicott Guardians are responsible for internal protocols governing the protection and use of patient-identifiable information by the staff of each NHS, ensuring compliance with national guidance, policy and law.

145   See Ev 6. See also Joint guidance on use of IT equipment and access to patient data from The Department of Health, the General Medical Council and the Office of the Information Commissioner, 25 April 2007, which concludes that "…the law is to be changed to provide the possibility of a custodial sentence for those found guilty [of obtaining information unlawfully]."

146   Ev 50

147   Q 286

148   See, for example, Q 141

149   Q 300

150   Q 151

151   Q 292


 

© Parliamentary copyright 2007
Prepared 13 September 2007