Evidence submitted by Dr Paul Thornton
I have been a General Practitioner since 1989
and have been lead IT partner in taking two practices through
to "paperless practice". I have a particular interest
in patient confidentiality and privacy arising from a two year
post in 1995-6 based in the Public Health Department of Coventry
Health Authority with the remit to develop HIV care and prevention
within General Practice and Primary Care. I was recruited to the
Public Health working party of the Caldicott Committee, a DoH
review of patient information use in the UK.
A paper I prepared for the RCGP and BMA, when
supported in part by the office of the Data Protection Registrar,
was influential in amending joint guidance between the British
Medical Association and the Association of British Insurers with
regard to the content of reports provided by General Practitioners
to insurance companies.
I was subsequently nominated by the RCGP to
participate in the Eurosocap
project, an EU sponsored multination, multidisciplinary working
group charged to produce European Standards on Confidentiality
and Privacy in Healthcare. The objective was to confront and address
the challenges and tensions created within the healthcare sector
between theinformation or knowledge-based society and the fundamental
legal and ethical requirements of privacy and confidentiality
of healthcare information.
1. I wish to provide the committee with:
an explanation for the established
cultural vulnerability of existing UK medical records.
further information arising from
a previous paper.
comments in respect of a recent "view"
from the Office of the Information Commissioner. This
provides a pre[acute]cis of a new detailed paper that I have made
available on the internet reviewing the extensive privacy and
confidentiality issues that persist despite the opt out from the
summary care record announced by Lord Warner.
2. In making these criticisms I wish to
stress that I am not at all Luddite in these matters having taken
two surgeries through the process of becoming "paperless".
It is impossible to argue with the acknowledged need for better
information handling in the National Health Service and clearly
this must require the use of modern technologies. The secondary
care sector needs at least bringing up to the standard of computerisation
which General Practitioners had already achieved prior to the
turmoil imposed by Connecting for Health.
3. There is a direct conflict between the
sharing of information, even among health care professionals,
and the protection of patient privacy. Patients divulge information
to individuals, perhaps to teams, rarely to institutions and certainly
not to the entirety of the National Health Service. The risk to
privacy increases in proportion to the number of users of a database.
4. In a recent review of the CfH proposals,
the British Computer Society
recommendation is to put the Personal Spine Information Service
"on the back burner". In essence they recommend the
development of secure local databases with good quality secure
communication between them. They suggest systems which provide
better privacy and confidentiality as well as providing better
implementation, usability and care. The BCS recommendations are
likely to provide better quality data for research and managerial
purposes and merit wider critical discussion and debate.
OF UK MEDICAL
5. Since 1917, the UK health service has
had the nearest paper equivalent to a single record and this has
already increased the vulnerability of patient information. We
have a unique system whereby almost everyone at any one time is
registered with a single identified General Practitioner who provides
near monopoly access to all health careNHS & private.
The records created by the GP combine with copies of correspondence
with specialists and other health workers to create an accruing
record which passes to involved GP's throughout the life of the
patient. In other countries, patients self refer to primary care
and specialist doctors who may not necessarily communicate.
6. UK records provide a tremendously powerful
foundation for efficient patient care and provide a resource for
research. But the ease with which such complete records can be
located makes them vulnerable to enquiry.
7. It has become routine in our society
for secondary users, such as insurers, prospective employers,
the courts and government departments e.g. the DWP and the DVLA
to obtain information from those records. While such access is
generally based upon consent, custom and practice is so established
that the patient commonly does not have a valid choice over whether
or not to give consent. Individuals who dissent are denied the
advantages that might otherwise accrue from their relationship
with the third party. Patients are treated detrimentally if they
have communicated freely with their General Practitioner. Under
UK systems, the consent of patients who have no detrimental information
in their records effectively trumps the dissent of the stigmatized
8. By definition, it is difficult for doctors
to know what we are not being told, and particularly to research
this. Indeed, given that so many patients do trust us and divulge
so much sensitive information, it is easy even for doctors to
perceive that there is no problem here.
9. There is good evidence that embarrassment
and concern about confidentiality is already a negative contributory
factor in the up take of services for young people and in delayed
presentation in mental health and in cancer, with a direct effect
on clinical outcomes and morbidity. Epileptic drivers commonly
do not inform their GP's about the fits which they experience.
10. The problem became clearly manifest
with the HIV pandemic. Patients with stigmatising risk behaviours,
or confirmed infection, were able to self refer to departments
of Genito-urinary medicine who respected the patients wishes that
their information should not be shared, even with other involved
clinicians such as the General Practitioner. The DoH accepted
that the practice of insurance companies seeking reports from
GP's inhibited HIV prevention, testing and treatment.
11. In other European countries, third parties
have no option but to rely on information provided directly by
the patient on their own behalf. They are dependent on the patient
identifying the doctors that have been consulted and the conditions
treated. As a consequence, there is no tradition of such information
release by doctors to third parties and such enquiries that do
occur are culturally recognized as intrusive. Protection is maintained
less by confidentiality laws: the patient can still consent
to, or request, the provision of information. Rather protection
is achieved through privacy laws: society recognizes the
need for medical information to be fully protected and the third
party is not allowed to ask.
12. It is this historical emphasis on privacy
rather than confidentiality that has given rise to a different
perception, implementation and enforcement of the EU data protection
directive, even though the legal texts are largely shared.
13. In the context of all the major public
health dangersalcohol, drug use, sexually transmitted infection
& HIV, teenage pregnancy, psychiatric illness etc, the protection
of a patient's privacy is essential. It is against that background
that one should judge the proposals for a national database of
the entirety of medical records. Computerisation should have provided
a substantial opportunity to improve the privacy of medical records.
We need bringing up to the European standard.
NHS DATABASE PROPOSALS
14. I enclose a copy of my earlier report2
and some associated correspondence with Mr James Johnson, Chairman
of Council at the BMA.
15. In short this confirms that Lord Warner
sought a further counsel's opinion in respect of the arguments
I had provided. So far as I am aware, that opinion has not been
16. The select committee may wish to obtain
the Counsel's opinion in full, and provide an opportunity for
that advice to be subject to informed scrutiny, from the perspective
of patients who would choose to restrict the recording and dissemination
of their information to the fullest extent.
17. Lord Warner has provided the BMA with
two brief extracts from the Counsels advice.
Summary care record
18. "Officials have received reassurance
from counsel that the planned process for uploading data to the
summary care record is lawful". However, by that time it
had been conceded that patients would be given an opt out from
the Summary Care record which had not previously been intended.
It remains my belief that the legal obligations that required
that "op out" provision apply to the remaining components
of the Connecting for Health proposals.
Patient Demographics Service
19. The department has provided a justification
for a register of patient demographic details which has existed
for many years. This may be lawful and such a database has been
in existence for many years. The change is that this information
has now been made much more widely accessible. Is such widespread
20. (In addition, The PDS is not just demographic
information. For security purposes the PDS contains an audit trail
identifying every one who accesses each patient's demographic
detail. The unintended corollary of this is that the audit trail
provides a list of all the clinicians consulted by the patient.
This is of itself highly sensitive information. There is no clarity
about who will be able to access that audit trail.)
OF NHS ELECTRONIC
21. The Information Commissioner has recently
published a response to enquiries from the public in respect of
NHS care records. While it is guarded in tone, he is reported
as being "content with their general approach."
22. However, the description of the approach
adopted by Connecting for Health, as described by the IC's office,
is contradicted by a review of the detailed technical papers that
have been published by Connecting for Health.
23. The information commissioner is at least
clear that patients should not be obliged to have a summary care
24. "Patients will be informed of the
intention to create such a summary care record and advised of
their options to limit the future scope of the information on
the Summary care record or the option not to have one at all."
And further if information is uploaded on to the NHS Summary record,
a patient will subsequently be able "to remove some or all
of the information initially uploaded."
25. The limited information in a summary
care record will be sufficient to cause a substantial risk of
sensitive diagnoses being widely deduced.
26. However, the pilot summary care records
commence today in Bolton. Connecting for Health will take information
outwith the control of the GP, who is the registered data controller,
and place it on a Department of Health controlled internet site.
Ostensibly to allow patients to control their own records, this
transfer of the data is taking place before patients have been
advised of the proposal and before they have been given the opportunity
27. Vulnerable patients will find it difficult
to resist pressures from "friends", abusive spouses,
and parents to access and divulge the contents of their summary
28. While patients will be given a period
to consider their options, unless the patient responds records
that have already been placed on the internet site will be revealed
on the national NHS Summary Care Records database.
29. In the recently published "view",
the Information Commissioner gives the impression that he accepts
that "the initial upload will take place without explicit
consent", and acknowledges that "explicit consent is
only one of the conditions required for processing sensitive personnel
data in schedule three of the data protection act". However,
he then observes somewhat obliquely that "Connecting for
Health are confident they are able to meet the requirements of
one of the other conditions." Does this imply that while
CfH are confident, the Information Commissioner is uncertain?
Have Connecting for Health stipulated the DPA condition(s) which
they believe renders their processing lawful in the absence of
30. It is difficult to reconcile the Commissioner's
contentment with Connecting for Health's "general approach"
with very recent confirmation from his office that guidance issued
by his predecessor, Mrs Elizabeth France, remains in force and
has not been rescinded.
31. In 2001, Mrs France insisted "It
is clear, however, that for consent of any sort to be given, there
must be some active communication between the parties. It would
not be sufficient, for instance, to write to patients to advise
them of a new use of their data and to assume that all who had
not objected had consented to that new use." 
32. Having acknowledged that legal and ethical
obligations require that patients are allowed to opt out of having
a summary care record, it behoves the Information Commissioner's
Office to confirm that a patient should similarly not be obliged
to have their sensitive medical information transferred on to
other components of the Connecting for Health systems. In the
conclusion of the report, the Commissioner places great emphasis
on patients being provided with choice. There must remain the
choice for records to remain solely in the care of the registered
data holder that has provided care. If needed the option for paper
records must be allowed to persist, but stand alone computerised
records would be preferable.
33. Particularly, the IC understands from
Connecting for Health that "no records are currently being
up loaded to the new England wide database". This fundamental
observation is incorrect.
34. Substantial sensitive patient data is
already being collected and stored in identifiable and
accessible form by Connecting for Health on to the "Secondary
Users Service". The secondary uses services is intended to
provide information for NHS management, research, clinical audit
35. This national database is not anonimised.
It is designed so that the data can be processed and then the
patient re-identified. These patient records are being collected
by a diversion of established, hidden, managerial data flows and
by lifting data from the new messaging systems, "Electronic
Transfer of Prescriptions" (ETP) , and "Choose and Book"
(C&B). The Secondary Users Service database will harvest data
from Summary and Detailed Care Records as they are developed,
without patient consent and without the involvement of the professional
who records the information. Even if the promised safeguard of
metaphorical sealed envelope software can be made to work, patient
wishes asserted using sealed envelopes will be ignored by the
Secondary Uses Service data collection.
36. It is here that the most fundamental
misrepresentation of CfH's intentions has crept in to the report
from the Information Commissioner's office. His office acknowledges
there are circumstances by which information that has been uploaded
to the NHS care records service can be released beyond the NHS
without explicit consent. The release may be "allowed"
or "required"the distinction is important. It
is however claimed that such requests for information will be
dealt with in the same way as requests are handled today. This
is not correct. There is no provision in the CfH proposals to
prevent such information being released by anyone who has access
to the system.
37. Currently, requests for information
are made to a professional who has direct knowledge of the patient,
has existing lawful access to the information and who is qualified
to determine if the information requested meets the DPA requirements,
particularly for fair processing, necessity, relevance and non
excess. They also have the authority to with hold information
pending court order while defending the patient's right to privacy.
38. Against that background, it is reasonable
for any patient to dissent for their information to be recorded
on the Connecting for Health databases.
39. The proposed access to "Detailed
care records" (DCRs) seems to have been misconstrued by the
Information Commissioners office. DCR's will be accessible
more widely than simply "your GP surgery along with the
other care providers you may be referred to, such as your local
hospital." The national database is devided into geographical
areas called clusters and then further subdivided into groups
of service providers which share IT infrastructure known as "instances".
Information recorded in any one "instance" will be accessible
to staff working in any other organisation using that "instance".
If the proposed safeguard of "sealed envelopes" is ever
established it is intended that staff in the same instance will
be able to over ride the patient sealed envelope provisions. Each
"instance" will include a large number of service providers
over a large geographical area.
40. Paradoxically, however, General Practice
Detailed Care Records and the Detailed Care Records created in
nearby hospitals are likely to be quite separate for many patients.
GP services and hospital services are likely to be set up as part
of separate "Instances". Certainly DCR's will not be
shared where patient care crosses the boundary between "clusters".
In such circumstances the system can never provide the level of
detailed data sharing which would be necessary for shared care.
Additional systems that provide for the proactive messaging of
detailed information between involved clinicians, and only
involved clinicians, will be neededthe IT model which should
have been adopted from the outset.
41. All the above observations are clarified
in more detail with supporting references in the enclosed report.
The NHS Database: Lord Warner's opt out decoy. A review of
persisting privacy and confidentiality issues.
Given that the records of a consultation can
be made on paper or on a GP controlled computer system then,
A. If patients instruct a GP, or any other
independent registered data holder in the NHS, not to transfer
information on to a DoH/CfH controlled database, is there any
obligation on the data controller to over ride the patients mandate
in every case?
B. What circumstances would require a registered
data holder within the NHS to override the wishes of a patient
by placing their information onto any Connecting for Health/Department
of Health controlled database?
I hope this is of assistance to the committee.
Please do not hesitate to contact me if clarification of any points
is required. I would be please to meet with members of the committee
or the supporting secretariat if that would be of assistance.
Dr Paul Thornton
16 March 2007
112 http://www.eurosocap.org/ Back
Why might National NHS Database proposals be unlawful? Back
The Information Commissioner's view of NHS Electronic Care Records Back
The Way Forward for NHS Health Informatics; Where should NHS
Connecting for Health (NHS CFH) go from here? Back
"USE AND DISCLOSURE OF HEALTH DATA:Guidance on the Application
of the Data Protection Act 1998" Information Commissioner
May 2002 Back