I have been a General Practitioner since 1989 and have been lead IT partner in taking two practices through to "paperless practice". I have a particular interest in patient confidentiality and privacy arising from a two year post in 1995-6 based in the Public Health Department of Coventry Health Authority with the remit to develop HIV care and prevention within General Practice and Primary Care. I was recruited to the Public Health working party of the Caldicott Committee, a DoH review of patient information use in the UK.

  A paper I prepared for the RCGP and BMA, when supported in part by the office of the Data Protection Registrar, was influential in amending joint guidance between the British Medical Association and the Association of British Insurers with regard to the content of reports provided by General Practitioners to insurance companies.

  I was subsequently nominated by the RCGP to participate in the Eurosocap[112] project, an EU sponsored multination, multidisciplinary working group charged to produce European Standards on Confidentiality and Privacy in Healthcare. The objective was to confront and address the challenges and tensions created within the healthcare sector between theinformation or knowledge-based society and the fundamental legal and ethical requirements of privacy and confidentiality of healthcare information.

  1.  I wish to provide the committee with:

—  an explanation for the established cultural vulnerability of existing UK medical records.

—  further information arising from a previous paper[113].

—  comments in respect of a recent "view" from the Office of the Information Commissioner. [114]This provides a pre[acute]cis of a new detailed paper that I have made available on the internet reviewing the extensive privacy and confidentiality issues that persist despite the opt out from the summary care record announced by Lord Warner.

  2.  In making these criticisms I wish to stress that I am not at all Luddite in these matters having taken two surgeries through the process of becoming "paperless". It is impossible to argue with the acknowledged need for better information handling in the National Health Service and clearly this must require the use of modern technologies. The secondary care sector needs at least bringing up to the standard of computerisation which General Practitioners had already achieved prior to the turmoil imposed by Connecting for Health.

  3.  There is a direct conflict between the sharing of information, even among health care professionals, and the protection of patient privacy. Patients divulge information to individuals, perhaps to teams, rarely to institutions and certainly not to the entirety of the National Health Service. The risk to privacy increases in proportion to the number of users of a database.

  4.  In a recent review of the CfH proposals, the British Computer Society[115] recommendation is to put the Personal Spine Information Service "on the back burner". In essence they recommend the development of secure local databases with good quality secure communication between them. They suggest systems which provide better privacy and confidentiality as well as providing better implementation, usability and care. The BCS recommendations are likely to provide better quality data for research and managerial purposes and merit wider critical discussion and debate.

THE ESTABLISHED CULTURAL VULNERABILITY OF UK MEDICAL RECORDS

  5.  Since 1917, the UK health service has had the nearest paper equivalent to a single record and this has already increased the vulnerability of patient information. We have a unique system whereby almost everyone at any one time is registered with a single identified General Practitioner who provides near monopoly access to all health care—NHS & private. The records created by the GP combine with copies of correspondence with specialists and other health workers to create an accruing record which passes to involved GP's throughout the life of the patient. In other countries, patients self refer to primary care and specialist doctors who may not necessarily communicate.

  6.  UK records provide a tremendously powerful foundation for efficient patient care and provide a resource for research. But the ease with which such complete records can be located makes them vulnerable to enquiry.

  7.  It has become routine in our society for secondary users, such as insurers, prospective employers, the courts and government departments e.g. the DWP and the DVLA to obtain information from those records. While such access is generally based upon consent, custom and practice is so established that the patient commonly does not have a valid choice over whether or not to give consent. Individuals who dissent are denied the advantages that might otherwise accrue from their relationship with the third party. Patients are treated detrimentally if they have communicated freely with their General Practitioner. Under UK systems, the consent of patients who have no detrimental information in their records effectively trumps the dissent of the stigmatized minority.

  8.  By definition, it is difficult for doctors to know what we are not being told, and particularly to research this. Indeed, given that so many patients do trust us and divulge so much sensitive information, it is easy even for doctors to perceive that there is no problem here.

  9.  There is good evidence that embarrassment and concern about confidentiality is already a negative contributory factor in the up take of services for young people and in delayed presentation in mental health and in cancer, with a direct effect on clinical outcomes and morbidity. Epileptic drivers commonly do not inform their GP's about the fits which they experience.

  10.  The problem became clearly manifest with the HIV pandemic. Patients with stigmatising risk behaviours, or confirmed infection, were able to self refer to departments of Genito-urinary medicine who respected the patients wishes that their information should not be shared, even with other involved clinicians such as the General Practitioner. The DoH accepted that the practice of insurance companies seeking reports from GP's inhibited HIV prevention, testing and treatment.

  11.  In other European countries, third parties have no option but to rely on information provided directly by the patient on their own behalf. They are dependent on the patient identifying the doctors that have been consulted and the conditions treated. As a consequence, there is no tradition of such information release by doctors to third parties and such enquiries that do occur are culturally recognized as intrusive. Protection is maintained less by confidentiality laws: the patient can still consent to, or request, the provision of information. Rather protection is achieved through privacy laws: society recognizes the need for medical information to be fully protected and the third party is not allowed to ask.

  12.  It is this historical emphasis on privacy rather than confidentiality that has given rise to a different perception, implementation and enforcement of the EU data protection directive, even though the legal texts are largely shared.

  13.  In the context of all the major public health dangers—alcohol, drug use, sexually transmitted infection & HIV, teenage pregnancy, psychiatric illness etc, the protection of a patient's privacy is essential. It is against that background that one should judge the proposals for a national database of the entirety of medical records. Computerisation should have provided a substantial opportunity to improve the privacy of medical records. We need bringing up to the European standard.

"ARE THE NHS DATABASE PROPOSALS LAWFUL?": FURTHER INFORMATION

  14.  I enclose a copy of my earlier report2 and some associated correspondence with Mr James Johnson, Chairman of Council at the BMA.

  15.  In short this confirms that Lord Warner sought a further counsel's opinion in respect of the arguments I had provided. So far as I am aware, that opinion has not been published.

  16.  The select committee may wish to obtain the Counsel's opinion in full, and provide an opportunity for that advice to be subject to informed scrutiny, from the perspective of patients who would choose to restrict the recording and dissemination of their information to the fullest extent.

  17.  Lord Warner has provided the BMA with two brief extracts from the Counsels advice.

Summary care record

  18.  "Officials have received reassurance from counsel that the planned process for uploading data to the summary care record is lawful". However, by that time it had been conceded that patients would be given an opt out from the Summary Care record which had not previously been intended. It remains my belief that the legal obligations that required that "op out" provision apply to the remaining components of the Connecting for Health proposals.

Patient Demographics Service

  19.  The department has provided a justification for a register of patient demographic details which has existed for many years. This may be lawful and such a database has been in existence for many years. The change is that this information has now been made much more widely accessible. Is such widespread accessibility lawful?

  20.  (In addition, The PDS is not just demographic information. For security purposes the PDS contains an audit trail identifying every one who accesses each patient's demographic detail. The unintended corollary of this is that the audit trail provides a list of all the clinicians consulted by the patient. This is of itself highly sensitive information. There is no clarity about who will be able to access that audit trail.)

THE INFORMATION COMMISSIONERS VIEW OF NHS ELECTRONIC CARE RECORDS

  21.  The Information Commissioner has recently published a response to enquiries from the public in respect of NHS care records. While it is guarded in tone, he is reported as being "content with their general approach."

  22.  However, the description of the approach adopted by Connecting for Health, as described by the IC's office, is contradicted by a review of the detailed technical papers that have been published by Connecting for Health.

SUMMARY CARE RECORDS

  23.  The information commissioner is at least clear that patients should not be obliged to have a summary care record.

  24.  "Patients will be informed of the intention to create such a summary care record and advised of their options to limit the future scope of the information on the Summary care record or the option not to have one at all." And further if information is uploaded on to the NHS Summary record, a patient will subsequently be able "to remove some or all of the information initially uploaded."

  25.  The limited information in a summary care record will be sufficient to cause a substantial risk of sensitive diagnoses being widely deduced.

  26.  However, the pilot summary care records commence today in Bolton. Connecting for Health will take information outwith the control of the GP, who is the registered data controller, and place it on a Department of Health controlled internet site. Ostensibly to allow patients to control their own records, this transfer of the data is taking place before patients have been advised of the proposal and before they have been given the opportunity to decline.

  27.  Vulnerable patients will find it difficult to resist pressures from "friends", abusive spouses, and parents to access and divulge the contents of their summary record.

  28.  While patients will be given a period to consider their options, unless the patient responds records that have already been placed on the internet site will be revealed on the national NHS Summary Care Records database.

  29.  In the recently published "view", the Information Commissioner gives the impression that he accepts that "the initial upload will take place without explicit consent", and acknowledges that "explicit consent is only one of the conditions required for processing sensitive personnel data in schedule three of the data protection act". However, he then observes somewhat obliquely that "Connecting for Health are confident they are able to meet the requirements of one of the other conditions." Does this imply that while CfH are confident, the Information Commissioner is uncertain? Have Connecting for Health stipulated the DPA condition(s) which they believe renders their processing lawful in the absence of consent?

  30.  It is difficult to reconcile the Commissioner's contentment with Connecting for Health's "general approach" with very recent confirmation from his office that guidance issued by his predecessor, Mrs Elizabeth France, remains in force and has not been rescinded.

  31.  In 2001, Mrs France insisted "It is clear, however, that for consent of any sort to be given, there must be some active communication between the parties. It would not be sufficient, for instance, to write to patients to advise them of a new use of their data and to assume that all who had not objected had consented to that new use." [116]

  32.  Having acknowledged that legal and ethical obligations require that patients are allowed to opt out of having a summary care record, it behoves the Information Commissioner's Office to confirm that a patient should similarly not be obliged to have their sensitive medical information transferred on to other components of the Connecting for Health systems. In the conclusion of the report, the Commissioner places great emphasis on patients being provided with choice. There must remain the choice for records to remain solely in the care of the registered data holder that has provided care. If needed the option for paper records must be allowed to persist, but stand alone computerised records would be preferable.

SECONDARY USES DATABASE

  33.  Particularly, the IC understands from Connecting for Health that "no records are currently being up loaded to the new England wide database". This fundamental observation is incorrect.

  34.  Substantial sensitive patient data is already being collected and stored in identifiable and accessible form by Connecting for Health on to the "Secondary Users Service". The secondary uses services is intended to provide information for NHS management, research, clinical audit and management.

  35.  This national database is not anonimised. It is designed so that the data can be processed and then the patient re-identified. These patient records are being collected by a diversion of established, hidden, managerial data flows and by lifting data from the new messaging systems, "Electronic Transfer of Prescriptions" (ETP) , and "Choose and Book" (C&B). The Secondary Users Service database will harvest data from Summary and Detailed Care Records as they are developed, without patient consent and without the involvement of the professional who records the information. Even if the promised safeguard of metaphorical sealed envelope software can be made to work, patient wishes asserted using sealed envelopes will be ignored by the Secondary Uses Service data collection.

  36.  It is here that the most fundamental misrepresentation of CfH's intentions has crept in to the report from the Information Commissioner's office. His office acknowledges there are circumstances by which information that has been uploaded to the NHS care records service can be released beyond the NHS without explicit consent. The release may be "allowed" or "required"—the distinction is important. It is however claimed that such requests for information will be dealt with in the same way as requests are handled today. This is not correct. There is no provision in the CfH proposals to prevent such information being released by anyone who has access to the system.

  37.  Currently, requests for information are made to a professional who has direct knowledge of the patient, has existing lawful access to the information and who is qualified to determine if the information requested meets the DPA requirements, particularly for fair processing, necessity, relevance and non excess. They also have the authority to with hold information pending court order while defending the patient's right to privacy.

  38.  Against that background, it is reasonable for any patient to dissent for their information to be recorded on the Connecting for Health databases.

DETAILED CARE RECORDS

  39.  The proposed access to "Detailed care records" (DCRs) seems to have been misconstrued by the Information Commissioners office. DCR's will be accessible more widely than simply "your GP surgery along with the other care providers you may be referred to, such as your local hospital." The national database is devided into geographical areas called clusters and then further subdivided into groups of service providers which share IT infrastructure known as "instances". Information recorded in any one "instance" will be accessible to staff working in any other organisation using that "instance". If the proposed safeguard of "sealed envelopes" is ever established it is intended that staff in the same instance will be able to over ride the patient sealed envelope provisions. Each "instance" will include a large number of service providers over a large geographical area.

  40.  Paradoxically, however, General Practice Detailed Care Records and the Detailed Care Records created in nearby hospitals are likely to be quite separate for many patients. GP services and hospital services are likely to be set up as part of separate "Instances". Certainly DCR's will not be shared where patient care crosses the boundary between "clusters". In such circumstances the system can never provide the level of detailed data sharing which would be necessary for shared care. Additional systems that provide for the proactive messaging of detailed information between involved clinicians, and only involved clinicians, will be needed—the IT model which should have been adopted from the outset.

  41.  All the above observations are clarified in more detail with supporting references in the enclosed report. The NHS Database: Lord Warner's opt out decoy. A review of persisting privacy and confidentiality issues[117].

SUGGESTED QUESTIONS FOR THE INFORMATION COMMISSIONER

  Given that the records of a consultation can be made on paper or on a GP controlled computer system then,

  A.  If patients instruct a GP, or any other independent registered data holder in the NHS, not to transfer information on to a DoH/CfH controlled database, is there any obligation on the data controller to over ride the patients mandate in every case?

  B.  What circumstances would require a registered data holder within the NHS to override the wishes of a patient by placing their information onto any Connecting for Health/Department of Health controlled database?

  I hope this is of assistance to the committee. Please do not hesitate to contact me if clarification of any points is required. I would be please to meet with members of the committee or the supporting secretariat if that would be of assistance.

Dr Paul Thornton

16 March 2007

http://www.ardenhoe.demon.co.uk/privacy/NHS%20database%20proposals%unlawful.pdf

http://www.ico.gov.uk/upload/documents/library/data_protection/introductory/information_commissioners_view_of_nhs_electronic_care_reco%E2%80%A6.pdf

http://www.bcs.org/server.php?show=ConWebDoc.8951

http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/health_data_ -_use_and_disclosure.pdf

113   Why might National NHS Database proposals be unlawful? Back

114   The Information Commissioner's view of NHS Electronic Care Records Back

115   The Way Forward for NHS Health Informatics; Where should NHS Connecting for Health (NHS CFH) go from here? Back

116   "USE AND DISCLOSURE OF HEALTH DATA:Guidance on the Application of the Data Protection Act 1998" Information Commissioner May 2002 Back

117   http://www.ardenhoe.demon.co.uk/privacy/decoy.pdf Back