In December 2013, NHS England directed the Health and Social Care Information Centre to establish a system for uploading and linking GP patient coded data with identifiers, using its new powers in Part 9 of the Health and Social Care Act 2012. In February, after an effective campaign by the British Medical Association, the Royal College of General Practitioners and medConfidential, a six-month delay was announced.
In March the government sought to amend the Care Bill in the House of Commons in a bid to allay concerns about patient confidentiality. Its amendments, however, were criticised as inadequate, and the Bill is due to come before the House of Lords on 07 May. The fiasco and the rushed legislative response are symptoms of the government’s privatisation agenda trumping patient confidentiality and the need to collect and use data for public health research, planning and audit.
We set out below three proposed amendments to the Care Bill which we consider are needed to help restore public trust in the handling of patient information.
Proposed amendment 1: retaining control and management of confidential information
This amendment would ensure as a general rule that disclosure to and use of confidential information by commercial organisations involved in health and social care is not permitted. Three clear and mainly consent-based exceptions to this general rule are proposed; and, in addition, it would not apply to future “section 251 approvals” or to drug trials.
Proposed amendment 2: putting the Independent Information Governance Oversight Panel on a statutory footing
This amendment would place on a statutory footing the current non-statutory Independent Information Governance Oversight Panel chaired by Dame Fiona Caldicott and set up by the Secretary of State with the main function of advising on information governance across the health and social care system.
Proposed amendment 3: independent oversight over certain directions and the accreditation scheme
This amendment would revoke the directions made by NHS England in December 2013 in order to implement the Care.data programme, and ensure independent oversight of the Secretary of State’s and NHS England’s directions to the Health and Social Care Information Centre, and of the awaited Secretary of State’s regulations to establish an accreditation scheme for private sector information providers.
We set out and explain further each of the proposed amendments below.
Proposed amendment (1)
Retaining control and management of confidential information
Insert the following new section into Part 9 of the Health and Social Care Act 2012-
Control and management of confidential information
(1) Subject to subsections (3), (4) and (5), nothing in this Part shall permit or require the collection, analysis, publication, dissemination or other processing of confidential information by or to any person which is a relevant commercial organisation.
(2) Subject to subsections (3), (4) and (5), any confidential information held at the date this subsection comes into force by any person which is a relevant commercial organisation shall not be processed and shall be held subject to directions from the Secretary of State.
(3) Subsections (1) and (2) shall not apply if and to the extent that the confidential information has been disclosed to the relevant commercial organisation:
(a) by the individual to whom the information relates, or
(b) in the lawful exercise of a statutory power and not in breach of any professional regulation,
and, in either case, one of the three conditions set out in subsection (4) applies.
(4) The conditions referred to in subsection (3) are:
(a) the purpose of the processing has been previously disclosed to the individual to whom the information relates and his prior express consent has been obtained, or
(b) the individual to whom the information relates is dead or is a minor, the purpose of the processing has been previously disclosed to his next of kin or his parent or guardian, as the case may be, and their prior express consent has been obtained, or
(c) previous disclosure and prior express consent was reasonably and manifestly impracticable and the organisation holding the information acted reasonably in all the circumstances.
(5) This section does not apply to aggregated information provided to a person which has been designated an accredited information service provider under section 267.
(6) In this section:
“confidential information” means information which—
(a) identifies any individual to whom the information relates who is not an individual who provides health care or adult social care, or
(b) enables the identity of such an individual to be ascertained.
“processing” in relation to information has the same meaning as in the Data Protection Act 1998; and “processed” shall be construed accordingly;
“professional regulation” means any regulation, rule, standard, advice, guidance or recommendation applicable to the person disclosing the information and adopted by a regulatory body listed in section 25(3) of the National Health Service Reform and Health Care Professions Act 2002;
“relevant commercial organisation” means:
(a) a body which is incorporated under the law of any part of the United Kingdom and which carries on a business (whether there or elsewhere) relating to health and social care,
(b) any other body corporate (wherever incorporated) which carries on a business, or part of a business, in any part of the United Kingdom, relating to health or social care,
(c) a partnership which is formed under the law of any part of the United Kingdom and which carries on a business (whether there or elsewhere) relating to health or social care, or
(d) any other partnership (wherever formed) which carries on a business, or part of a business, in any part of the United Kingdom, relating to health or social care.
The purpose of this amendment is to ensure as a general rule that disclosure to and use of confidential information by commercial organisations (as defined by the Bribery Act 2010, section 7) involved in health and social care is not permitted.
The general rule is in two parts. The first part is set out in subsection (1) and applies to the future. It would apply to confidential information which might in the future be processed under the new provisions in Part 9 of the Health and Social Care Act 2012. It would not apply to processing under future approvals under The Health Service (Control of Patient Information) Regulations 2002 (commonly referred to as “section 251 approvals”). This reflects the higher level of trust in the longer-established s.251 approval process.
The second part is set out in subsection (2) and applies to the past. Because of the present lack of transparency as regards which private companies already hold confidential patient information, for what purposes (including internal corporate group use), under which legal powers and subject to what legal restrictions, this subsection would apply to confidential information held by companies at the time the subsection came into effect. Before the subsection came into effect, the intention is that the Secretary of State would investigate, publish and consult on these aspects, and thereafter give directions to the commercial organizations concerned as to how they should deal with the confidential information.
Three categories of exception to the general rule are proposed. First, it would not apply where the organisation (such as a GP practice operating in partnership or as a limited company or a private health company offering publically-funded GP or other services) had obtained the information from the individual himself or herself, the purpose of the processing was previously disclosed to the individual, and his or her prior express consent was obtained.
Second, it would not apply where the information was disclosed to the relevant commercial organisation in the lawful exercise of a statutory power and not in breach of any professional rule or standard (for example, established by the General Medical Council or similar professional regulator), the processing purpose had been previously disclosed to the individual and he or she had given express consent.
Third, it would not apply to aggregated information provided to private sector information service providers accredited under regulations which the Secretary of State may make under section 267 of the Health and Social Care Act 2012, on the assumption that such regulations would be adopted after approval by The Independent Oversight Panel or under the super-affirmative resolution procedure (see Proposed Amendments (2) and (3)).
If individuals have died or are children, their next of kin’s or parental consent should have been obtained. Consent and previous disclosure would not be needed where this would have been reasonably and manifestly impracticable, provided the person holding the information has acted reasonably in all the circumstances (which could involve, for example, having advertised the intended use and made attempts to identify and locate the individuals concerned).
This amendment is not intended to apply to the pre-marketing trials of new drugs, which require participants’ consent, or to post-marketing surveillance and pharmacovigilance obligations of drug companies under drug regulation law.
Proposed amendment (2)
Putting the Independent Information Governance Oversight Panel on a statutory footing
Insert the following new section into the Care Bill –
The Oversight Panel
(1) There is to be a panel known as the Independent Information Governance Oversight Panel (referred to in this section as “the Oversight Panel”).
(2) The main duty of the Oversight Panel shall be to provide independent advice on all matters relating to the governance of information in relation to health and adult social care services.
(3) In exercising its main duty, the Oversight Panel shall:
(a) provide advice and make recommendations and proposals on such governance to the Secretary of State, and report annually; and
(b) provide advice on such governance to any other person or body in relation to health and adult social care services.
(4) Any person or body who is advised by the Oversight Panel pursuant to this section shall have regard to that advice.
(5) The Secretary of State may by regulations make provision about the Oversight Panel relating, in particular, to appointment of the chair and other members, terms of appointment, establishment and membership of committees or sub-committees, its proceedings and payment of remuneration, allowances and expenses.
This amendment would place on a statutory footing the current non-statutory Independent Information Governance Oversight Panel chaired by Dame Fiona Caldicott and set up by the Secretary of State, as well as its present non-statutory terms of reference. It would also require persons and bodies across the health and social care system to have regard to its advice.
Reinstating independent statutory oversight of information governance is a prerequisite for public trust, after abolition in the 2012 Act of the National Information Governance Board. The Panel’s currently non-statutory annual reports and functions to advise and challenge would become legal duties to which regard must be had.
Proposed amendment (3)
Independent oversight over certain directions and the accreditation scheme
Insert the following new section into Part 9 of the Health and Social Care Act 2012-
Revocation and independent oversight
(1) The Health and Social Care Information Centre (Establishment of Information Systems for NHS Services: Collection and Analysis of Primary Care Data) Directions 2013 are revoked.
(2) Directions of the Secretary of State and of NHS England under section 254(1), and regulations under section 267 shall not be made without the approval of The Independent Information Government Oversight Panel.
Subsection (1) of this amendment would revoke the directions made by NHS England in December 2013 in order to implement the Care.data programme.
Subsection (2) would ensure in the future independent oversight of the Secretary of State’s and NHS England’s directions to the Health and Social Care Information Centre under section 254 (1) of the 2012 Act, and of the regulations that the Secretary of State is empowered to make under s.267 to establish an accreditation scheme for private sector information providers, by requiring the previous approval of the Oversight Panel.
If the Oversight Panel was not to be put on a statutory footing (along the lines set out in Proposed Amendment (2)), we would propose that subsection (2) should read:
“(2) Directions of the Secretary of State and of NHS England under section 254(1), and regulations under section 267 shall not take effect unless an order has been made by the Secretary of State in accordance with the super-affirmative resolution procedure under section 18 of the Legislative and Regulatory Reform Act 2006; and the provisions of Part 1 of that Act shall apply to such an order as if it was to be made and was made under that Part.”
08 April 2014
On 08 April 2014, the House of Commons Health Select Committee is hearing evidence on the handling of NHS data from Kingsley Manning, Chair of the Health and Social Care Information Centre, and Max Jones, its Director of Information and Data Services.
In February, NHS England announced a six month delay in implementation of its programme for uploading and linking coded patient information with identifiers from general practice IT systems. Since then, the government proposed in the House of Commons a number of amendments to the Care Bill, but these were criticised as falling short of being sufficient to restore public trust. We understand the matter will come before the House of Lords on 07 May 2014.
Following the announcement, a conference was organised on 05 April 2014 at Queen Mary University of London by Prof Richard Horton, editor of The Lancet and Prof Allyson Pollock of Queen Mary University of London, and chaired by Prof Horton. They wished to hear a spectrum of views on a complex issue and to consider ways forward. It was attended by about 50 participants, including doctors, patients, medical professionals and researchers, academics, statisticians, IT experts, and campaigners.
Afterwards, a letter was written to Sir Andrew Dilnot, chair of the Board of the UK Statistics Authority, asking him to consider making a statement of the Board’s position in relation to the care.data programme and the Centre.
Conference outcome statement – 08 April 2014
Clear and widespread calls were made for extending the “pause” in implementing the programme, in light of the complexity and sensitivity of the issues involved and the damaging implications of getting the legal framework wrong.
Concern was expressed that NHS England’s attempted roll-out of the programme had so far been inept and had not encouraged trust, and that insufficient time was being given for considering the many, differing, and sometimes conflicting needs and interests that a health information system must properly address. It was felt that the government’s rushed and cosmetic amendments to the Care Bill would close down rather than open up that consideration.
Concern was also expressed about the longer term operational difficulties in accessing data experienced by public health staff who have moved to Public Health England and local authorities under the Health and Social Care Act 2012. The more recent moratorium by the Health and Social Care Information Centre (HSCIC) on giving access to data is causing problems for researchers who have gained the necessary permissions but are unable to proceed in their work.
Prof Allyson Pollock, professor of public health research and policy:
Patients entrust their personal medical information to the medical profession and do not expect it to be sold on to commercial companies for exploitation and profit. Data are essential for planning and medical research and for monitoring patients’ access to care. The government has jeopardised the trust and it can only be restored by restoring public accountability and putting robust systems in place to prevent HSCIC from selling on data.
Prof Alison Macfarlane, professor of perinatal health at City University:
The hasty and incompetent way in which NHS plans to implement care.data, without first gaining public confidence and ensuring adequate safeguard means that the opportunity to derive important information for public health practice and research is being lost. It has prompted an opt out campaign which could undermine the quality and completeness of other data already being used by public health practitioners and researchers. The recent embargo on releasing data to researchers who have obtained all the necessary permissions to use the data in secure environments means that national research funds are being wasted.
Phil Booth, coordinator of patient privacy group medConfidential:
The clear sense emerging was that patients, medics, researchers and professional bodies will simply not accept knee-jerk legislation from the government or NHS England pushing ahead on a completely arbitrary schedule. This is far too important to get wrong and the cost of rushing would be to permanently damage trust.
Peter Roderick, barrister and senior research fellow at Queen Mary University of London:
National, EU and international laws, as well as professional rules, protect patient confidentiality. Using patients’ information beyond their direct care are exceptions to those laws, but there are good reasons for them, such as public health research. Part 9 of the Health and Social Care Act 2012 allows the Information Centre to obtain information about patients and to pass it on outside the NHS, but the full implications of doing so are only now becoming clear.
For more information contact
Prof Allyson Pollock
020 7882 5637 / 07976 978304
The Health and Social Care Information Centre was set up in 2005 as a Special Health Authority. It was abolished by the Health and Social Care Act 2012, and re-established as a body corporate and Executive Non Departmental Public Body with effect from April 2013.
In December 2013, using its new powers under Part 9 of the 2012 Act, NHS England directed the Centre under The Health and Social Care Information Centre (Establishment of Information Systems for NHS Services: Collection and Analysis of Primary Care Data) Directions 2013 to collect and analyse information about patients from GPs as part of the care.data programme.
The NHS England leaflet ‘Better information means better care’, sent to every household in England, has triggered a campaign to encourage people to opt out of the new care.data system by telling their GP that they do not want their health records uploaded to it.
Opting out will undermine both the new system and our existing national statistics, while playing into the hands of the private sector, as it means data will be inadequate to assess the impact of government policies to privatise the NHS.
The aim of care.data is to link together coded records from general practice with data from other national data systems, starting with linkage to the Hospital Episode Statistics. The plans are to provide ‘linked data, that will eventually cover all care settings, both in and outside of hospital.’ This is explained by the Health and Social Care Information Centre and NHS England. England is well behind Scotland and Wales both in data linkage and in engaging with the public about it.
Care.data should not be confused with Summary Care Records , the purpose of which is to share clinical information between individual patients and the professionals who provide care to them. There are no plans to upload these records into care.data.
Although England has had NHS hospital data analysed at a national level for a long time, this has not been the case with data from general practice, where most care takes place. Because of this, the GP Extraction Service was set up in 2011 with a budget of £40m to extract data from general practice systems and analyse them at a national level for England. If this and the further data linkage works, it would provide valuable population-based statistical information for commissioners and public health officials, and for researchers allowing us to, for example, monitor inequalities in access and unmet need and changes in rates of heart disease and cancer.
The care.data system will cost over £50m and its web site gives no indications of any routine analyses to be done in-house. Meanwhile cuts of £9m to the Office for National Statistics include cuts of £1m in its statistical outputs, which will lead to the loss of a range of highly regarded health statistics. The future of the decennial census, which dates back to 1801 in England and Wales and is essential for public health as it provides data on the whole population, is also uncertain.
There are justifiable concerns that the government is preparing the way for the commercial exploitation and use of our NHS data and that the private sector will have priority in accessing the data for analysis. The person in charge of care.data, in his role as National Director for Patients and Information at NHS England, is former Sunday Times journalist, Tim Kelsey, founder of Dr Foster, which was the subject of a critical parliamentary Public Accounts Committee enquiry. Dr Foster analyses NHS patient data and then sells back the analyses to the NHS organisations that collect the data. Roger Taylor, co-founder of Dr Foster, has been appointed to a senior role in the Care Quality Commission, and Kingsley Manning has been appointed Chair of the Health and Social Care Information Centre. He was founder and managing director of health and information consultancy firm Newchurch, which provided advice on PFI and sell off of NHS assets, and former head of health at Tribal (now part of Capita). These corporate appointments are akin to putting bankers in charge of NHS hospitals.
To make matters worse, clinical commissioning groups do not analyse data in-house to inform their decisions. Since the Health and Social Care Act came into force, vital information functions have been outsourced to commissioning support units, organisations that have no basis in law and that are temporarily hosted by NHS England. Plans to float these organisations on the stock market have been suspended in favour of turning them into social enterprises, staff mutuals, customer controlled social enterprises, or joint ventures. Clinical commissioning groups should demand that these information functions and the associated NHS funds and staff be returned to them before any privatisation takes place.
Campaigners are concerned that pharmaceutical industry and health insurance companies will be simply ‘given’ the data, although Section 251 of the NHS Act 2006 requires them to state what uses will be made of data and how they will be stored securely. They will also have to answer similar questions from the Health and Social Care Information Centre’s Data Access Advisory Group. While applicants do not get ownership of the data they are able to use them and this raises serious questions about the purposes to which the data will be used and the extent to which analyses may be sold on. There is still no clarity or transparency about the ownership and control of the data, how the data will be accessed and used by the private sector, or how statistics about NHS funded private care will be made available to all.
We need reassurance from government that the data will be used to produce and publish national statistics in line with the National Statistics Code of Practice. The Code, overseen by the UK Statistics Authority, is designed to be observed by all the public bodies that produce official statistics. It is considered to be central to maintaining a unified statistical service that meets the needs of government and society and is both trustworthy and trusted.
As the government is privatising health care, it is crucial to have complete and high quality data to monitor the impact of these policies. The private sector has a poor track record for data collection. The atrocious quality of private sector data returns made it impossible to monitor contract compliance for independent sector treatment centres, the government’s £4bn programme for elective surgery, where NHS funds were diverted to for-profit providers. General practices owned by private companies such as Virgin and Serco will be protected from scrutiny if their patients opt out, as there will be no data about them – as is already the case in nursing and residential care homes.
Instead a public campaign is needed to promote public data and oppose privatisation of both our healthcare services and data functions. Patients and the public need to make clear to NHS England that their consent for medical records to be uploaded to care.data is conditional on it not being used for commercial purposes or handed over to third parties such as drug companies and health insurance and health care corporations. Such a campaign must make links between opposing the privatisation of the data collection and analysis systems and opposing the privatisation of our health services, and must ensure that NHS England and Care Commissioning Groups oppose both.
Prof Alison Macfarlane
Professor of Perinatal Health
City University London
44 (0)20 7040 5832
Prof Allyson Pollock
Professor of Public Health Research and Policy
Queen Mary University of London
44 (0)20 7882 5637