Examination of Witnesses (Questions 240
TUESDAY 26 JUNE 2007
Q240 Chairman: The phrase "surveillance
society" conjures up a rather Big Brother image, which is
why we put a question mark at the end of the title to our inquiry
because we want to take a balanced view. Could I ask the two professors:
do you regard the sort of work that you are advocating as part
of a surveillance society? Do you feel happy with that tag?
Professor Wessely: It depends
what you mean. At the moment, we are carrying out health surveillance
into the health of the Armed Forces. We are looking at the rates
of post-traumatic stress disorder, the rates of cancer and the
rates of all sorts of other adverse outcomes. That is surveillance
because it is based on medical records, cohort studies and research,
but most people in that context would think that is a good thing.
Certainly the members of the Armed Forces think that is a good
thing and they are appreciative that this has finally been done.
It all depends on the context. Health surveillance is actually
a good phrase and we would agree with looking at the effects of
MMR vaccine or surveying the effects of the Vioxx drug, and we
are not talking about hidden cameras in supermarkets.
Q241 Chairman: Dr Forbes, we are
going to come to your evidence a little later on but do you have
any comments on that opening exchange?
Dr Forbes: I am delighted to hear
this positive use of the term "surveillance" because
I do not believe there is enough awareness of the way that society
is constantly 'surveilled' by a range of systems, mostly governance
systems, to increase our knowledge of ourselves, to provide information
which leads to better knowledge and better insights to wisdom
so that we can make really quite crucial and large social decisions
based on the information that we provide by just living or dying.
This is a good example of how data can be collected, how it is
managed. If you think about the safeguards that attend to medical
records, they are extremely sophisticated. There is a worldwide
practice about how to do this and how to manage anonymity and
privacy, and yet it is used to be extremely constructive and to
provide us with the sort of data that we need and I think that
is missing in other areas of society.
Q242 Ms Buck: Can I pursue the line
about data? Are you confident that the medical research that you
are undertaking requires analysis of databases rather than research
that would be done by using volunteers, for example?
Professor Dezateux: I think that
we need very large-scale evidence for a lot of the questions that
are facing us now. At one level, therefore, just approaching individuals
is simply not feasible. The reason we need large-scale evidence
is that we are dealing often with things that are quite uncommon
but about which it is important that we have reliable answers.
These could range perhaps from the association of birth defects
with certain drugs that are given to women in pregnancy to the
relationship to birth defects with power lines, mobile phones
or any of those sorts of things. Birth defects are a good example
because they are uncommon and you need data from the whole country.
It is clearly also obviously data that you are not going to be
able to go back to necessarily and get. The importance, from an
epidemiological point of view, is that our science is served by
giving answers that are not biased and that are not misleading
in any way, that are precise and timely and where we can also
compare groups of people who are not exposed to the thing we have
been asked to look at. All those things really support the need
to have large-scale evidence. I can give you any number of examples
of issues that in fact parliamentary committees have sat on, such
as assisted reproduction and so on, where we really are tied by
not knowing answers to the sorts of questions to which we should
have answers because we have not been able to get access to large-scale
evidence. The other point to make about this is that the kind
of research that epidemiologists do is concerned to get information
right at the individual level, but we are not concerned to identify
or know who that individual is; we are interested in that individual
because they are part of a group of individuals and we are interested
in things at the group level. From that point of view, large-scale
evidence based on patient data is one of the best ways that you
can look at highly sensitive information because it is possible
to have very good safeguards and security and you do not stand
the risk when writing to somebody of exposing to somebody in their
house that you know something about them inadvertently, as you
might do when you have to approach at an individual level.
Q243 Ms Buck: Professor Wessely,
you said earlier that there was a robust system of governance
for undertaking this kind of research but yet, at the time, problems
arise and research does not necessarily go ahead or there is controversy
over progress because people do not understand that. If it is
as good as you say it is, why is it that people then doubt it?
To what extent is that to do with concern over issues around individual
consent and the anonymisation of data?
Professor Wessely: First, most
research goes ahead with consent, and that is the default position
and you start from that. Obviously, for any interventional research - if
you are going to give people a drug, a new test or some procedure - you
have consent; if you do not, you are committing assault. We put
that to one side. Research based on data usually goes with consent,
where that is practical and possible. That is normally what we
do, so our studies - and I have just mentioned the surveillance
of the Armed Forces - are based on consent, but there are
times when that is not possible. If I gave you a practical example,
then it would make sense to you. We wanted to look at the association
between depleted uranium and cancer, and this may appeal to Patrick.
Therefore, we have 100,000 people who have been potentially exposed
in the Armed Forces to depleted uranium and many of them wanted
to know whether or not this had led to cancer. To do that study,
it is not possible to approach 100,000 soldiers, most of whom
have left the Armed Forces. Nobody knows where they live; they
do not use landlines because they tend to use mobile phones now;
they are almost untraceable and it would cost millions of pounds
and you would miss the very ones that you want to find. First
of all, you need ethics approval. In fact you need two sets of
ethics approval. You cannot do any research without ethics approval.
You need to use a system called the Caldicott Guardian. This is
for the people who hold that data, namely the MoD or the cancer
registries, to permit you to see that data. It is a very complicated
procedure which you have to go through. They hold the data and
they have to decide if this is a reasonable thing to do. You need
permission from something called PIAG, which is a Department of
Health committee, that oversees this system and adds an additional
layer of governance. You have to comply with the law. You have
to show that there is not any other way of doing it. You have
to show that no one is going to be upset or distressed by this.
You have to show that no one is going to get any individual detriment
from the loss of this data. You have to show that you owe a duty
of confidentiality and that there are sanctions in place if you
break that. That has never happened. There have been no instances
of medical researchers leaking confidential data. That is not
to say it will not happen but it has not happened yet. You have
to belong to an organisation that says that if you do that, you
are fired. There is a whole complicated system of checks and balances
in place before finally you are allowed to link members of the
Armed Forces and their rates of cancer. In fact, the answer was
that there is not an association. There is no other way of doing
that kind of research.
Q244 Ms Buck: What I do not understand
then is with so many locks on protection of the data, why it is
that anybody anywhere should ever raise concerns about proceeding
with particular research?
Professor Wessely: There is no
question that many people do not know this system. I think that
is quite clear from the Academy's report. A lot of people, and
within the profession itself, to be frank, are ignorant of this
framework, partly because it is very complicated. I think also
there have been instances of misconduct in research or misconduct
in the health services that tar everyone with the Alder Hey brush,
if you would, which are not relevant at all to what we are talking
about but have created a climate of suspicion. Finally, having
said that, when you look at what the patient charities in heart
disease, Alzheimer's and Parkinson's want, unquestionably they
want this kind of research to go ahead.
Q245 Ms Buck: I am sure we will return
to many of these points, but as my last question: the Academy's
report criticised what it calls the over-rigid application of
the principle of "consent or anonymise". What you have
described to me is a system that has so many locks in it that
it does not seem to justify any deviation from this principle.
Why is it that you would be looking for, and what benefit would
there be from, a reduction in protection through consent or anonymisation?
Professor Wessely: First, "consent
or anonymise" was the principle, for example behind PIAG,
the idea that eventually you would either have consent or anonymisation,
but that is clearly wrong. The whole point is that there are many
times in research where you cannot proceed with that. Our study
of Gulf veterans could not proceed on that basis because if the
data had been anonymised, we would not know who they were and
we would not be able to link them up with their cancer rates.
So it was a flawed principle. Therefore, there are occasions when
you have to be able to proceed without consent and without anonymisation.
I have explained that that is unusual but it does happen. What
the Academy is saying is that, first, people are not necessarily
aware that these examples exist; they are not necessarily aware
of the governance framework; or most of them misinterpret it to
say it is "consent or anonymise", which is absolutely
not the legal framework we have. It is not the framework behind
Connecting for Health. It is not the framework envisaged in the
Data Protection Act or the law of confidentiality.
Professor Dezateux: The first
thing to say is that one person's anonymised data and identifier
is another person's research data, and so it is very difficult
to look at the same piece of information and make a clear decision
one way or another. Given that is the case, we have to use common
sense and we have to ask what are the safeguards when we use this
information to avoid disclosing the identity of a person while
still being able to answer the question that we think is important.
One of the interesting issues is that it all pins on individual
consent. We need to move away from that paradigm a bit and ask
what processes there are for community assent. It is ridiculous
that we cannot answer some of these questions because that is
the side on which we often find ourselves. The other thing that
I hope we will have a chance to discuss is the greater clarity
of the processes because with a lot of the public misunderstandings
and understandings, we could do with a better communication strategy.
That applies to people operating and interpreting these things
at a health service level. The sort of people we need to negotiate
with about access to data are sometimes also confused, and that
is not surprising. At a scientific level, there are many reasons
why we need to know things about people. Again, we are not interested
in who that individual is, where they live, but we need to know
certain things about them in order to practise better science
and to produce a more reliable answer. We need to know that we
are not double-counting. You need a couple of common identifiers
to make sure that you only count an individual once in your data.
We need to be able to follow people up in the very long term.
That is becoming increasingly important. We are interested in
diseases and treatments for things like cancers which might take
a long time to develop, and we need that kind of information to
be able to trace people. If the data are anonymised at the beginning,
we cannot do that; we cannot get back to them. We need to make
sure that the data we produced from our health services is respected
and that it is of high quality, and that when it says this person
has a condition, they really do have that condition. In fact,
we know that sometimes there are mistakes in the basic health
service data. Research can help the health service improve the
quality of its data by being able to what we call pseudonymise,
to have ways of getting back to say, "Was this really what
we thought it was? Do these people have this condition or have
they had this operation?" Then, as I mentioned right at the
beginning, without data that is potentially disclosive, such as
postcodes and so on, we are not going to be able to say whether
cancers are related to power lines or living near nuclear power
stations or any of those kinds of questions that I believe you
would have an interest in getting the answers to as well.
Q246 Gary Streeter: You have talked
about checks and balances but does it not worry you at all that
some of the information that you are overseeing the gathering
of is being used and will increasingly be used to produce some
of the genetic modification type science of the future? Does that
ever cause you sleepless nights?
Professor Dezateux: There are
serious issues that society needs to debate about the use and
application of genetic advances. I do not think that those issues
will be resolved by saying, "We are just not going to use
the data at all". Indeed, I think that where it is helpful
is for us for example to be able to link somebody's biological
data to their health and their future health status, you can begin
to put boundaries round your uncertainty about what the meaning
of this genetic change is - whether it is helpful to know
about it, whether it has any implications at all - and then
inform the health services as to how appropriately we should be
using that test within the health service and, bearing in mind
that there is a very big private market in genetic testing, to
inform the public really about whether it is wise or advisable
to get tests that might identify a prediction for disease or not.
Professor Wessely: If you look
at the UK Biobank, which is an example of research in genetics,
60,000 people were approached and asked to take part and only
50 people objected and of those 50, 30 then consented to take
part in the study. So, within the framework of research, people
are confident in the use of genetic information to study disease
and are willing to participate.
Q247 Martin Salter: Professor Wessely
and Professor Dezateux, obviously you would be disappointed if
we had not put you under intense surveillance before you came
before us. Because we have a phalanx of staff, we have dug up
your interchange with Dr Richard Taylor at the Health Committee
on 7 June, which is very informative. My question relates to that.
Just to paraphrase, Richard was questioning your contention that
perhaps medical researchers should be given more access to patient
records than even the police. We want to give you an opportunity
to expand on that. It appears from the exchange that you were
implying that the public would trust you perhaps more than they
would trust the police. You may be right.
Professor Wessely: I am not implying
that. I think that is a statement of fact, is it not?
Q248 Martin Salter: And your evidence
Professor Wessely: I think I mention
it. We did a study around the polonium incident about who do you
trust to manage this incident, and doctors and scientists rated
much higher than the Home Office and the police force. More seriously,
there is a misapprehension there. If you want to look at personal
data, the Data Protection Act actually says quite specifically
that you cannot do that to make any decision about an individual
without their consent. The police would only want to access data
to make a decision about an individual: is he a crook, or whatever.
That is specifically illegal. You cannot do that and we cannot
do that, but that is not why we want to look at data. We are interested
in not one child with autism or one child who has had a vaccine.
We are interested in all children with autism and all children
who have had the MMR. In that sense, it is not a personal piece
of data about that individual; it is about all the children who
came under that category. That is the framework for which we use
that data, and that is the framework that is already permitted
by the law for the public good. That is the specific framework
that denies the police access to the same data for making individual
decisions. As a normal citizen, I can tell the difference between
wanting to find out if living near a power station causes leukaemia
and wanting to find out if I have been naughty with my taxes or
whatever it is. These are chalk and cheese and I think most people
accept and can understand that.
Professor Dezateux: The answer
is that both the police and biomedical researchers are subject
to constraints, and I do not think we have unconstrained access
to data. Simon has indicated quite how many approvals and permissions
we have to have. The issue of whether we should be constrained
in the same way as the police depends on why you are constraining
the police and why you would constrain medical researchers. I
suppose the thing that unites the police and biomedical researchers
is that we are both interested in the elimination of doubt and
the reduction of uncertainty but for our purposes, we need to
have large-scale unbiased evidence to reduce uncertainty and make
sure we have the right answer. The public's concern about the
police of course is that they will get the wrong answer and somebody
will go down who is innocent. In our instance, getting the wrong
answer has public implications that it is really important to
avoid. We do need that access but I think we should make the point
here that we are not asking for unconstrained access, and we very
much support the checks and balances that are there, but they
need to be looked at in a flexible way. Also, I hope we will be
able to come to discussions about how they can be improved.
Professor Wessely: You have already
foreseen this in the legislation by saying that personal information
cannot be used to that individual's detriment. If I was to do
that - I cannot think how I would or why I would - I would
be breaking the law and committing an offence and I am going to
be in deep trouble. So there already is a framework to prevent
the Orwellian implications, as it were.
Professor Dezateux: May I add
that I think it is important that we are accountable. I consider
myself a public servant in my research, as a lot of epidemiologists
do. We are quite happy to be accountable for the work that we
do and our approaches. Indeed, we are audited and have had our
systems looked at in relation to the Data Protection Act and so
on on quite a regular basis within our university.
Q249 Martin Salter: Thank you for
your very full answers. How confident are you that medical researchers,
having navigated the various checks and balances that you have
in place, then are able to access for perfectly legitimate reasons
personal patient information? How confident are you that that
remains secure and could not be leaked to people who should not
Professor Wessely: There are two
answers. First, when we took evidence for the report, the Information
Commissioner confirmed that they had no reports to them of what
you are describing happening. They had had reports of receptionists
seeing things that they should not and all sorts of things within
medicine of data violations but not involving medical research.
I am not saying that will not ever happen but so far it has not.
The second thing is that if we were to do that, and particularly
in the new electronic health systems, you would leave a massive
electronic fingerprint all over the place. It is quite straightforward.
In my university, and I think in all universities, that is the
end of your job, and it is also the end of your career because
you would be up before the GMC. Even if you were to do that, you
would leave a trace and that is it.
Professor Dezateux: When I started
in research and I went into a primary care record, the Lloyd George
record, I could read everything about that patient just by being
handed the envelope, but now with technological developments,
there is access control and audit trails. I think the chances
of leaving a set of notes out on the table that somebody else
can read are very much less. The computing infrastructure is much
Q250 Mrs Dean: Moving on to the NHS
database, what opportunities will it open up in terms of medical
research and epidemiology and what safeguards are being built
in to protect unauthorised access to patients' records? Are those
Professor Dezateux: From what
we have said before, it is clear that electronic patient records
will provide a huge advance because they will allow us very effective
access to the large-scale data that we need. I will not rehearse
the issues about that. One of the things it allows us to do is
to be inclusive in our research so that we do not leave certain
sections of the population out. It can help us get swift answers.
It helps us look at areas of medicine that we are often criticised
for not spending enough time on in our research: rare disorders,
under-served populations. It helps us look at demographic change
in a dynamic way because we are a very changing population in
the UK. One of the areas that we are interested in is that it
allows us to link inter-generationally, so that a lot of the issues
that we are concerned about are what happens to mothers/parents
and their children and subsequent generations? You can be very
powerful in answering those sorts of questions by using electronic
records that can be linked by a single identifier. They are cost-effective.
I think that we need to understand that after the Cooksey Report,
there is a real recognition that unless we make the most of these
electronic health records, we will not be able to maintain globally
our competitiveness in terms of our science, and that will have
economic implications for society. That is not what I come to
work day to day to do but it is a very important issue, and it
is an important issue for trials and providing an infrastructure
for trials, just as much as it is an important infrastructure
for understanding the safety of medicines. There will be investments
in research that we will be able to attract if we are able to
get this right and use the electronic health records effectively.
The safeguards that are in place that we have described already
are quite sophisticated for the kind of research that we do, and
they would be appropriate for this kind of research with the electronic
health records. There are plenty of examples in Scotland, in parts
of England already, the Nordic countries, Australia, the US and
Canada where there are systems in place that allow the data to
be kept in its own home, as it were, but for the linkage to be
done by somebody who does not need to look at the data, so that
the researcher at the end of the day just gets the information
that they want and need on a need-to-know basis. I think those
kinds of safeguards are very important.
Q251 Mrs Dean: Do you have anything
to add to that?
Professor Wessely: I do not really.
On the technical side, I would rather hand over to our engineer.
Dr Forbes: I am not an engineer
but engineers become very nervous about single source databases,
which have to be used by a large number of people and have to
be designed for ease of input on a regular basis, and so there
is a large number of users. The compromises that need to be made
in engineering terms inevitably compromise the security of any
single database. They are concerned about that and they say it
is better to build in rather than build on. They say, "Let
us think about how this system could fail and will fail either
by misuse or by abuse or accident, all the ranges of human and
technical possibilities". That needs to be thought about
in advance. This has nothing to do with the way the research is
conducted or the way that the protocols for research are developed.
I am very happy with that. I am sure they are going to work very
well. It is just that the matter of a huge amount of data being
input by a wide range of users means that it is a single system;
it has greater vulnerability and that needs to be acknowledged.
It is a dilemma. You want the single database for all the social
benefits that become possible by having the single database but
that has to be weighed against the dangers. It is all about balancing
those things. The engineers would say you should think about this
in advance, design up-front, do lots of upstream thinking about
how any human system is going to fail at some point in some ways,
and work out what you are going to do about it when it does fail.
I do not think you can get any further than that. You cannot produce
a completely fool-proof system, so let us design it to assume
that it will fail in some ways.
Q252 Mrs Dean: When it is up and
running, how can patients be reassured that their own medical
details are kept confidential?
Professor Wessely: First, if you
read, for example, the Care Record Guarantee, which I think is
a very sensible and remarkably plainly written document, it talks
about the various checks and balances on confidentiality. Beyond
that, there is also the moral and ethical framework - and
I am talking specifically about medical research now because that
is what I am interested in and patient care in particular - in
which we work, and I do not think that climate has changed. I
do not think doctors have become any less concerned with confidentiality,
or the GMC has become less concerned with the advent of electronic
patient records. It is presenting new systems but the ethical
framework for the conduct of those systems is just the same. Personally,
if I had gone to my wife's surgery in Kennington a few years ago
to collect her, I could see on the desk the notes of everyone
she had seen that day. They were in a big pile. Now I cannot do
that; I cannot see them. We sometimes have a view of a rosy-tinted
past in which doctors clutched case notes to their bosom and never
let them out of their sight 24 hours a day. That is just not true.
I personally feel more confident in the security of electronic
matters and not least because again it is really important that
if I mis-use them, the constraints on the system and the recriminations
are so vast that that is a greater deterrent. In the past, I could
wander into medical records and, quite frankly, if I wore a white
coat, I could take out medical records; nobody would challenge
me. You are right, there will be mistakes. Of course there will
be errors but there is a system for correcting them and there
is also a system for governance to make sure that if those are
done maliciously, there will be severe penalties.
Q253 Mr Benyon: Before I turn to
Dr Forbes, a doctor in a surgery in my constituency received a
fax the other day from a hospital up north about a patient on
their register who had self-harmed. This was just attached to
his medical notes. The next time he came in, the doctor questioned
him about it, and it was perfectly obvious that they had got the
wrong person; he had the same surname and the same date of birth
but he was a different person. Should we be concerned that information
is floating around the country when mistakes are made of that
nature that can have a huge impact on that person's life and job
prospects if it became public?
Professor Wessely: Of course you
should be concerned about that but that has always been the case.
It has been far worse in the past. Notes could just get lost and
you would never see them for years.
Q254 Mr Benyon: I should clarify
that nobody seemed to know who should correct this information,
whether it was the hospital that had made the original error or
whether it was the GP surgery. There seemed to be no understanding
about who owns that fault.
Professor Wessely: That is a governance
issue. I am not au fait with how that works. I do know
it is much easier to correct that kind of mistake now than it
was in the past. It has always happened. Mistakes will be made
and there will be a lot of John Smiths with a certain date of
birth. Now, whoever it is, either the GP or the hospital, can
alter the record whereas previously the notes will be there in
perpetuity down in the bowels of the hospital and years later
they will turn up and nobody would know they were mistaken, and,
most importantly, the patient would not know that they were mistaken.
I am not going into how this happens but now I know that patients
will be able to check their records and they will be the first
people who will say, "That is not me. You have made a mistake".
Previously they would not know. They would have no idea what was
lying on discharge summaries all round the country in the bottom
Professor Dezateux: The electronic
health record will improve this because if we use a unique identifier,
then one John Smith will not be mixed up with another. That is
important. The second point is that you will not fax it so that
this terribly disclosive information is left for anyone to read;
you will send it by the existing system which works with Connecting
for Health, which is encrypted emails and messaging services.
Thirdly, to find that out, if you can access a single electronic
health record, the information on the spine is visible to the
person who cared for that patient and the GP who is looking after
them, so there is instant communication, and the patient who should
be able to access and look at their own record.
Q255 Mr Benyon: Dr Forbes, you have
set out six clear principles to govern the use of surveillance
data, the fourth of which says, "In general, public agencies
should not be allowed access to private databases". Should
the police and the security services be an exception to this and,
if so, what conditions should be put on those exceptions?
Dr Forbes: I would say there should
be no blanket exceptions. I would say there needs to be justification
for access to a private database by a public agency because when
I give information to a private agency, I am giving it to them;
I am consenting for them to use it for their common purposes.
There may well be cases where there needs to be or there is a
very good case for access to a private database. The case needs
to be made on a case-by-case basis. If, after a time, you think
that there are so many of these cases, we need to have a rule
or a rubric which would allow the police to invoke it, I do not
see any problem with that in terms of a governance procedure.
The NHS is a very good example that says, "This is what we
want to use this data for and we therefore generate a series of
mechanisms to make sure that it is not misused". They do
not say, "Do what you like with the data". I do not
think there is any case anywhere for saying, "There is data.
Do what you like with it" just because you are the police
or the security services.
Q256 Mr Benyon: Your fifth principle
is: "Public record databases should be under the control
of autonomous agencies, not government." What difference
does it make?
Dr Forbes: There is a huge difference.
The difference here is between the state and the government. I
do not mind providing information to the state which uses that
information for purposes which are about the collective good and
the benefits will be indivisible; they may or may not come to me.
Governments have purposes for which I may or may not have consented.
I may have voted for them, I may not. They may be doing something
I like, or they may not. I think it is a good principle to say
that the government has to justify the use of the data of its
citizens. The government does not own me; it does not have any
right over me. It is the other way round in fact. It is there
because the people have put the government there. We consent to
the state and we elect a government, which we can get rid of.
I think that is an important principle. Public trust is very important.
Trust in governments goes up and down, this way and that way,
for good or bad reasons. If it also is going up and down in the
same way on the state, I think that is potentially damaging for
society and for politics in general because ultimately you want
people to honour their commitment to the state and do what they
like with the government.
Q257 Mr Benyon: Would you call the
NHS an autonomous agent?
Dr Forbes: Yes, it is an autonomous
agency. As far as I know, the government cannot say, "Give
me that" and just have it.
Q258 Mr Benyon: Your sixth principle
relates to the penalties for misuse and you say that they should
reflect the damage and distress that the system failure or crime
causes. However, we all know that sentencing usually reflects
not only the consequence of the offence but the culpability of
the offender. Do you accept that?
Dr Forbes: Yes, I think that is
a fair consideration.
Q259 Mr Benyon: Do you think, for
example, that leniency should be shown in the case of a teenager
who is particularly skilled at hacking and finds his way into
personal data for kicks rather than for any malicious intent?
Dr Forbes: I do not know what
leniency would mean. I think that you would treat a teenager as
a teenager, first of all. I do not know about you but I am not
lenient with bad behaviour.