| Previous Section | Index | Home Page |
21 Feb 2008 : Column 142WH—continued
“is an incident where a PCT-employed manager persuaded a district nurse to disclose her username and password. He used these to access patient identifiable information held by a GP practice, whose clinical system was hosted by the PCT, without the knowledge of the data controller (the GP Practice) or the consent of the patients involved. Other PCT employees were also similarly accessing patient data. Members of the local General Practitioners Committee contacted the PCT but to date, no action has been taken against the manager or the nurse involved.”
I should like to know from my hon. Friend the Minister what action is being taken about people in the NHS accessing information that they should not be accessing.
We often hear about celebrities’ records getting out into the open, and one can say the same about politicians and their families. Suddenly something comes out into the public domain, normally via the media, but what action is taken? How many prosecutions are made, and how many employers take action against people who access patient records, either electronically or by looking at Lloyd George paper records in a GP’s surgery? Such things are going wider than they should.
It is important in assuring patients about the scheme that they know whether the second case that I have cited is true—hon. Members know as much as me about it. If it is true, action should be taken against the manager, who seems to have used his position to access patient data that he should not have accessed.
That said, when we looked around at the new system’s audit trail—perhaps there is a better phrase—and asked questions about it, I was satisfied that it would flag up anybody who should not have looked at a patient’s record. It is difficult to stop someone doing that; the real issue is to find out who has accessed the record and why, and the new system allows such tracing.
We are not going to stop unauthorised accessing of records, but, sadly, we do not stop it now. If someone phones someone else in the health care system and says that they are from a primary care trust or a hospital, information may be given over the phone that should not be given. The problem is with the people who run the system, not the system itself. It would be interesting to hear from the Minister, if not now then at a later stage, what action is taken when people who should not look at patients’ records do so.
Dr. John Pugh (Southport) (LD): Did the Select Committee look into the procedures that are followed when cards are lost and reissued? I understand that they are slack.
Mr. Barron: I may be corrected on this by other hon. Members, but I do not believe that we looked at that in detail. There are issues around lost cards. I went to a doctor’s surgery in my constituency, and they were concerned about confidentiality. I had actually gone to look at choose and book, of which I am a big fan, as are my constituents. It was a five-handed practice, and they were complaining that there were 11 pass cards in the system. I said, “There are only five doctors here. Who has the other six?” The answer was, “The people who do the letters.”
That is how such systems work. We and patients have to accept—we are all patients at one time or another—that people other than the doctor are likely to access some of their records for purposes of looking after their interests and care. That is why I asked what action is taken if there is unauthorised access to information. The Government will have to consider that matter carefully, if that type of system and its benefits are to be accepted.
Jeremy Wright: On flagging up access to a patient’s record, the right hon. Gentleman will know Dr. Paul Thornton, a general practitioner who gave written evidence to the Select Committee—he is, in fact, one of my constituents. I have contacted him about this subject. He has told me that he has been able to change on the system a flag that indicates to those who look at the system that the patient does not want certain information disclosed. He was able to change that flag without notification. The right hon. Gentleman accepts that one of the crucial safeguards is that the patient in question should be notified if a record is looked at, which is even more important if a record is changed. Does he share my concern that that must be put right, if the system is not working?
Mr. Barron: The hon. Gentleman has put the matter clearly on the record. I hope that we will get a note from the Minister, when it has been investigated.
Before I move on to the third part of the report, let me deal further with the BMA and Richard Vautrey, with whom I had a meeting to discuss the issues. I shall pick up on some of the comments in a brief that he provided for today’s debate. I have no doubt that the BMA will think, “He would, wouldn’t he?” In the third paragraph, the brief states:
“In November 2007, 3000 patient details were lost when a GP’s laptop was stolen in Newport”.
That happens all the time. It happens in the Ministry of Defence and other places as well. With the people who use the system as opposed to the system itself being weak, it is difficult to know what to do. The brief states that
“in December, it was reported that a PCT had lost 160,000 patient details”.
I checked that up on the website. It was the City and Hackney PCT—a children’s trust—that lost an encrypted disc. The situation was not dissimilar, I suspect, to the discs that were lost—[Interruption.] I was not too sure about that. The major thing is that the disc was encrypted, although I do not know whether it was found.
The Minister of State, Department of Health (Mr. Ben Bradshaw): Yes, the disc was found. Of course, that was not reported.
Mr. Barron: Right. I thought that the Minister was going to say that it had been lost again.
The brief then states that the details of 25 million parents and children have been lost, which I accept. The issue involves management of systems and human interaction with them. Sadly, we can introduce all the legislation and regulations that we want, but we will always find problems within the system. My issue with
some BMA members is that that is not a reason not to go ahead with using information technology to bring health care into the 21st century.
We have online banking, and some 25 per cent. of adults now bank online—I do not, but 14 million people do. It seems that nobody really worries about that. We have credit card fraud. It normally occurs when a bill is paid in a restaurant and the customer is not standing nearby. Somebody photocopies or scans the card details and then sends them on. We have to worry about that.
In a sense, I worry about the BMA, or should I say its leadership. The brief states:
“Concern about the risks of patient data prompted doctors to call for ‘the BMA to advise all its members not to cooperate with the proposed centralised storage of all medical records as this serious endangers patient confidentiality’.”
I am not a clinician, but one could well argue that not having a central database could be a matter of life or death. If I am on holiday in Torquay and keel over in the road because of a long-term condition, it may not immediately be obvious what the problem is. In some parts of the world, they have systems where medical people can immediately find out what is wrong with someone.
The detailed care record is dealt with in recommendation 229. I shall not read it all out, but we started by saying that
“there is a perplexing lack of clarity about exactly what NPfIT will not deliver. It is not clear what information will be recorded and shared on DCR systems, nor the range of organisations that will be able to share information.”
We are years down the road of developing this system, but I have to say that there is a real question mark about the development of patient records in the United Kingdom since the venture began. I am pleased that the Government have accepted the recommendation. Their response states:
“There have been changes to NHS organisational boundaries and a review of the information-sharing arrangements is already under way with strategic health authorities (SHAs) and suppliers.”
I am pleased about that. Actually, I am sponsoring a Room in the House in a few weeks’ time for my own SHA, which will bring its IT people to show Yorkshire and Humberside Members of all political parties exactly what they are now doing. I know that we have had some restructuring of SHAs, but that should have been done years ago, and the public should have been seeing things like that years ago. I am pleased that that will happen.
I must revert to what The Independent called our “expensive” trip. We saw a detailed care record in situ in a hospital. Health professionals go to a single screen to start with. They can examine blood tests going back over weeks, if not months, and consider the issues, even if the patient is under anaesthetic in a theatre situation. We did not go that far, but we saw that they can access information, and we saw the amount of information that is held in a detailed care record. The improvement in patient safety is a really good thing.
The Committee and I were surprised that the detail of what will be on the care record has still not been agreed overall. However, we saw the interface at Homerton hospital, although Homerton was pre-this system. Two London hospitals are now up and running with the working detailed care record system.
Who will hold the detailed care records? Obviously, they will be held in general practitioner surgeries and possibly at the local hospital, too. However, if, for example, someone has an unusual condition and comes to London now and again to see a specialist, would the information be shared with that specialist? Such questions still abound. I do not have a problem, but we ought to know by now the exact make-up and shape of the detailed care records.
Mr. Richard Bacon (South Norfolk) (Con): I have been listening carefully to the right hon. Gentleman’s speech. The recommendation that he has just mentioned states that there is a perplexing lack of clarity about what exactly the national programme for IT will now deliver. It states that
“it is surprising that the architects of the DCR were not able to provide a clearer vision of what is planned.”
Most people would agree that it is nothing short of extraordinary that that should be so, six years after the Downing street meeting. In a sense, however, it is not the slightest bit surprising, because during 2002-03 the contracts were let at enormous speed before the Government had decided what they wanted to buy and before the suppliers knew what they were expected to supply. All the problems stem from that, so it is not surprising at all.
Mr. Barron: That matter can be complex. Presumably, the detailed care record kept by a clinician working in a GP’s practice would be a bit different from a GP’s care record in a local hospital, because not everybody goes into hospital. However, if someone were to enter hospital, additions would be made to that record.
The Committee has commented, although not in great detail, on the length of time that the programme has taken. The report states more than once that there is a lack of clinical lead in some of the relevant areas. The scheme has been left to techies on many occasions—don’t get me wrong; I am not against techies—which is why, in part, it has lost the support of some in the profession and some professional organisations, too. That should have been foreseen, and those responsible should have ensured that there were clinical leads.
The places that are up to speed, such as Homerton and others, are in that position because clinicians have taken responsibility from day one and said, “This is what we want to do. This is how it can help us, as professionals, and how it can help our patients.” Talking to people who have been involved like that has a different effect from reading press releases from the professional organisations and associations that represent those people.
David Taylor: Is it not the case with a mega-billion pound project such as Connecting for Health, the costs of which are £12.5 billion at the moment and still heading north at a fair old rate, that what is needed for a satisfactory, secure and effective system is intelligent clients in the NHS who are alert and familiar with major system IT concepts? The continuous outsourcing in various organisations within the NHS over a long period has meant that those building the systems have not dealt with such people, which accounts for some of the flaws.
Mr. Barron: We have not examined the technicalities. Outsourcing can be a great strength in the public sector. I will not go into great detail, but the Committee has examined one or two areas in which there could have been better management inside the NHS—let me say no more than that. In my view, leaving things in-house will not necessarily get things done. A few years ago, we investigated work force planning, which has not been subject to a debate yet. We found a lack of strategy and a lack of involvement by professionals in work force planning. When people arrive outside organisations, they move inside—it is not outsourcing as such; it is about bringing people in.
This is information technology, and the systems are not being built with equipment that was invented five years ago. As the system has been built up, new things have come on to the agenda, such as digital imaging. We now have a database of digital images, which is extraordinary, because it was not planned in the early days. That is an extraordinary advantage for both patients and clinicians.
We talked to clinicians in Homerton hospital who could look at an X-ray—not an X-ray as we know it, but a digital image—and discuss it with other clinicians in different places inside the hospital. So three or four clinicians in different places were looking at an image that they had accessed on their system and were discussing it without having to meet. We were told that normally it would take about an hour for everybody to clear the decks so they could meet in the same room, but somebody would still be wandering around the hospital looking for the X-ray. Some good developments that were not initially planned have taken place, and they are really helping our constituents and other people.
Mr. Bacon: I visited the Norfolk and Norwich university hospital in 2001 when it was scarcely open and saw its digital imaging equipment. They had not even pulled the polythene off the equipment, but they were proud of what it would enable them to do, just as the right hon. Gentleman has described. Will he acknowledge that that technology predates the national programme for IT in the health service, that it has nothing to do with that programme and that the picture archiving communications system was not added to NPfIT until September 2004?
Mr. Barron:
Yes, it was added. Any IT system anywhere, whether in the public or private sector, does not just start and evolve on one day when it is decided that this is how it will be; it evolves over many years. Beyond PACS, other things have been added. Choose and book was not massively thought of at the time, but the hon. Gentleman should talk to people who can now visit their GP and come out knowing which hospital they are going to, at what time and on what day, and which clinicians they will be seeing. Just a couple of years ago, they would have been waiting for a fortnight for a letter that would probably have given them a hospital clinician that they did not know about and a time it was impossible for them to make due to work or family commitments. Such things have moved on in leaps and bounds. We have to recognise that millions of people in this country are benefiting from some aspects of what is happening now that were not necessarily laid down and thought about when the
programme was set up. At that time, I assume that people were talking about the data spine and different types of patient records, for example.
There has been a call for a review of NPfIT, to which the hon. Member for South Norfolk was probably party, although I do not want to put words into his mouth. The report states:
“Whilst we understand the reasons for this, we do not agree that a comprehensive review is the best way forward. First, many of the questions raised by the supporters of a review would be addressed if Connecting for Health provided the additional information and independent evaluation which we recommend in this report. Secondly, the programme has already been scrutinised by the National Audit Office, the Public Accounts Committee and ourselves. We therefore recommend that...The implementation of DCR systems be addressed in the short term by increasing both the local ownership and the professional leadership of the programme; and...The ongoing review by Lord Darzi on the future of the NHS include in its remit the long-term prospects for using electronic systems to improve the quality of care, particularly for the growing number of patients with long-term conditions.”
The Government say not only that they accept the recommendation, but that they are
“pleased that the Committee recognises that a comprehensive review of the Programme at this stage is not necessary”.
One of the biggest critics of this programme, in its totality, was one of the Committee’s special advisers, Professor Ross Anderson, who had been campaigning against it for years, yet he advised the Committee in relation to its particular inquiry.
I shall move quickly to the secondary uses service. My hon. Friend the Minister knows what I said about sealed envelopes earlier, and I still believe that that is the case. The report states:
“The Department has acknowledged the need to take advantage of the research opportunities offered by”
“and has established a partnership with the UK Clinical Research Collaboration to achieve this. We welcome this, but researchers nevertheless told us that much more could be done to maximise these opportunities.”
We made several recommendations in relation to that. One was that we should
“Mandate the use of the unique patient identifier, the NHS number, in all health service interactions in England”.
The Government are committed to dealing with the issue and have accepted some of our recommendations, particularly on the NHS number. They have also accepted our recommendations on developing appropriate linkages between databases, and they have established the research capability programme to investigate the effectiveness of the process, the role of safe havens and third-party brokers, and appropriate governance arrangements, which is all to the general good.
In paragraph 284, we made the following recommendation:
“There is an urgent need to address these problems, especially as the amount and type of data potentially available through the SUS will proliferate rapidly in future. We recommend that the Department of Health conduct a review of both national and local procedures for controlling access to electronic health data for ‘secondary’ uses.”
We then listed the areas that the review should examine—again, the Government accepted that.
| Next Section | Index | Home Page |