Select Committee on Health Written Evidence

Evidence submitted by Andrew Hawker (EPR 15)


  The Care Record Guarantee (May 2006) lists worthy aspirations, but too many of them are qualified by terms such as normally and if possible. It assumes that NPfIT is being implemented perfectly and seamlessly, which is not the case. The Guarantee is not underpinned by credible procedures for control or redress.

  The plans for the electronic patient record reveal some contradictions in government policy. On the one hand, there is a strong emphasis on patient choice. Yet the demeanour of the DoH towards patients who would prefer not to be included in the CRS is one of suppressed hostility.

  The DoH is also expanding the use of outside contractors in many aspects of health care. But its policies on information governance do not reflect this.

  The DoH has recently adopted a very centralised, top-down approach to system implementation. This makes good sense for the procurement of core systems, in terms of economies and standards. But it does not follow that there has to be anything more than a unique patient identifier at the heart of the system. Nor does the centre need to operate (as opposed to monitor) more than a few minimal but strict controls once the system is in operation.

  At the very least, any implementation of the CRS should be deferred until the IT framework of which it is a part has been installed completely, and has been thoroughly tested for privacy protection (eg by tiger teams).

  In the numerous guidance documents issued by the DoH, more attention should be given to questions of the copying and retention of data within linked electronic systems. The documents themselves should comprise fewer generalisations, and more concrete examples.


  1.  This submission is made as an NHS patient. I have no connection with any medical or commercial body involved in the NHS.

  2.  I feel like a passenger boarding a plane. On board are technicians arguing about how the plane's controls should be wired together, and who should do it. The plane has not had many test flights, and some of those have crashed. Meanwhile, flight attendants are handing out brochures saying how safe it all is.

  3.  I have read through the Care Record Guarantee, and I have compared it with some other guarantees which cover appliances in our house. If these were written in the style of the CRG, they would assure me that the appliances were made with great care and that everyone had the best possible intentions. Actually, real guarantees are mainly concerned with spelling out exactly what remedies are available to me. They specify how I should make a claim, and any particular circumstances which might invalidate my claim.

  4.  From the CRG I learn that some key decisions may be made on my behalf without consulting me (p 5) and that there will be a complaints procedure via the PALS (p 6). My impression is that the PALS typically lacks the kind of IT expertise needed to investigate situations covered by the CRG. Caldicott Guardians were and are an excellent idea, but these people too need time, technical skills, and support from computer forensic services when and wherever they need them. They are only mentioned once in the entire document (p 5).

  5.  So, the reader is left with no clear idea about how compliance with the principles in the CRG is to be enforced. This becomes even more worrying when one considers the contracting out of medical treatment. How, exactly, will the compliance of outside contractors be checked? Will they be permitted to transfer patient records onto their own systems? If so, how long will they be permitted to retain them?

  6.  If, in the light of my concerns about the CRS, I wish to withdraw consent for the inclusion of my record, the DoH assumes that it must be because I am concerned and distressed (DoH standard letter). This is a strange choice of language. It seems intended to imply that I am a bit over-emotional. The DoH is apparently unable to accept that patients may simply lack faith in the assurances it is giving.

  7.  Other parts of the CRG imply considerable complication and bureaucracy. I can request a list of everyone who has accessed my records (p 7) and eventually check my own records on-line (p 9). I currently use on-line banking, and access my accounts once or twice a week. The banks I deal with have elaborate access controls, based on reference number, a check number, and key names and dates which can be requested at random. Such ID checks are expensive to set up and maintain, but make sense for a bank since it is much cheaper than having me take up the time of staff in the local branch. In the case of the NHS, most patients will only want to pursue self-checking very infrequently, if at all. The proposed Home Office ID card will, as with many other on-line situations, be of no practical use. This whole area needs to be re-thought.

  8.  A much simpler approach is of course to make sure that each patient has a unique ID, but otherwise to keep patient data in as local and circumscribed a way as possible. The supposed benefits of the CRS owe more to clichés in the minds of politicians than to medical priorities. During my own encounters with the NHS I have often been asked to repeat details of my history, and occasionally to have tests re-done. Doctors are sometimes sceptical about what is already on the record, and this seems to me a good thing. The scenario of the unconscious patient in casualty with a severe allergy can be targeted by other technologies, at a much lower cost than a universal CRS.

  9.  If the DoH remains persuaded that the CRS is needed, then it should be phasing it in only when it can prove (rather than merely claim) that it is operating "in line with internationally approved information security standards" (CRG p 1). This proof should be provided by inviting sceptical parties (ie not the normal run of government consultants) to test the system. For example, experts in this field can be found at Cambridge University. Similar independent validation should be carried out of the resources and facilities available to the internal audit teams charged with overseeing privacy protection.

  10.  At the same time, the DoH should declare a moratorium on issuing prescriptive guides about good information governance. It is unrealistic to expect medical staff to wade through these, let alone digest them (the good practice guidelines for GPs, for example, run to more than 70 pages). Instead, the DoH should be constantly inviting clinicians and others to submit examples of individual situations they believe to be problematic. These should be analysed and fed back into the design and monitoring of systems. And in the longer term, any advice could be much more interesting and effective if more of it were example-based.

  11.  In the process of getting the new IT infrastructure up and running, the DoH is overlooking the quite stupendous scale of the data now being collected together, and the many different ways in which it is being stored. For example, it is unavoidably duplicated each time a back-up copy is taken or an email is sent and received. Hitherto, NHS policies on document retention have focussed on minimum times for retention. This has been because, in most instances, only one copy of the record has existed. In the new electronic era, these policies need to be revised to identify one root (authoritative) version of each element of a record, which would be subject to a minimum retention time. All other versions or copies would be subject to maximum retention times. In some cases, eg for outside contractors carrying out single operations or procedures, these retention times should be extremely short.

Andrew Hawker

12 March 2007


© Parliamentary copyright 2007
Prepared 25 April 2007