On its website,Footnote 5 the NHS states that it has developed the care.data programme as an initiative “to ensure that there is more rounded information available to citizens, patients, clinicians, researchers and the people that plan health and care services”, and “to ensure that the best possible evidence is available to improve the quality of care for all.” Among the benefits of the scheme are mentioned: the possibility for researchers to “identify patterns in disease and the most effective treatments”; the possibility “to find more effective ways of preventing or managing illnesses; advise local decision makers how best to meet the needs of local communities; promote public health by monitoring risks of disease spread; map out pathways of care to streamline inefficiencies and reduce waiting times; determine how to use NHS resources most fairly and efficiently.”
The potential positive impact of the care.data programme has been acknowledged by various organisations. The idea of better use of existing data was already advanced in 2013 in a joint statement of the Royal College of General Practitioners, the British Medical Association, NHS England and the HSCIC: “Greater transparency and better use of data to improve the quality of patient care are ambitions we can all support. Anyone making healthcare decisions needs access to high quality information: doctors need it to inform their clinical decision making; patients need it when deciding which treatment is best for them; and commissioners need it when making decisions about which services are right for their populations.”Footnote 6 In a separate press release in December 2014, the Royal College of General Practioners acknowledged that: “care data is a vitally important project that has the capacity to bring enormous health benefits to patients up and down the country”.Footnote 7
However, the scheme has met with a lot of opposition. In Autumn 2013, NHS England had set up a care.data website where citizens could record their concerns, and an information leaflet on care.data had been sent to all English households in early new year 2014. The leaflets resembled junk mail and were binned unread by many. However, public concern rose, as did concern among GPs. Many patients began to take advantage of the opportunity to opt out that the Secretary of State for Health had offered (even though the HSCA does not itself provide for the opportunity for opting out and there is no certainty that the offer might not quietly be withdrawn one day).
With many GPs showing concern, and with one Oxford-based GP in particular threatening to opt all his patients out of the scheme, the government decided to delay GP data harvesting until Autumn 2014 to allow NHS England the opportunity to persuade GPs, healthcare workers and patients that the care.data scheme was valuable and that sufficient safeguards had been put in place. Again, just in time since in June 2014 the Partridge ReportFootnote 8 on worrying data misuse by the forerunner to the HSCIC was published.Footnote 9
Moreover, it was decided to begin GP data harvesting within a group of ‘pathfinder’ areas in England,Footnote 10 and to initiate a series of public discussion sessions with the Care.data Advisory Group. A recent report suggests that data harvesting might begin as early as June 2015.Footnote 11 An earlier report from the same source indicated that, initially at least, data would go not to the general research database of the HSCIC but to a ‘quarantined’ half-way house.Footnote 12
GP support for the care.data scheme seems to be weak, with a report in August 2014 of a survey of GPs showing one-third likely to opt their patients out if NHS England rejects the call by the British Medical Association (BMA) for the scheme to be based on patients opting in:
Almost a third of GPs say they intend to opt their patients out of the care.data scheme if NHS England doesn’t accept calls for the scheme to be run on an opt-in basis.
Pulse’s survey of more than 400 GPs reveals that 31 % of respondents said they would opt patients out - despite this being unlawful - while only 32 % said they would not be opting patients out. …
Many GPs also said that inadequate safeguards and lack [of] clarity of where data can be shared and what it can be used for were behind their decision to opt patients out. …
… a GP in Crawley said that … : ‘Care.data is a fantastic research tool and used properly could help drive change that will benefit us all. The problem is that the central bureaucracy of the NHS has ignored the rights of individuals.’ …
… a GP in Ecclestone, Lancashire, said: ‘Initially most patients are willing to join the scheme as they feel it is a good idea if the emergency doctors knew about their medical conditions.’ ‘But once [we have] explained that their records could be seen by non-medical people and could be used for pharmaceutical research purposes, they seek to withdraw consent.’Footnote 13
The BMA’s position on care.data, adopted at the Annual Representative Meeting in July 2014, is as follows:
That this Meeting agrees that the care.data system should not continue in its present form as:
it lacks confidentiality and there is a possibility for individual patient data to be identified;
it carries the risk of GPs losing the trust of their patients who may feel constrained in confiding in them;
the future potential users of the data are not well defined;
it should be an opt-in system rather than an opt-out one;
the data should only be used for its stated purpose for improving patient care and not sold for profit.Footnote 14
The amendments to the HSCA passed in the Care Act 2014 go some way towards addressing the concerns regarding confidentiality and inappropriate use of patient health data, not least by specifying in Section 122 that Section 261 HSCA is amended to allow data release only: ‘for the purposes of—the provision of health care or adult social care, or the promotion of health.’ However, the precise boundary imposed by this amendment is unclear. It seems clear that the amendment excludes making the data available to actuaries for the purpose of determining life insurance policy terms. However, it clearly does not prevent the data from being made available to drug researchers and pharmaceutical firms.
It is appropriate therefore to question just what information is to be harvested from patients’ GP records, and indeed whether a patient has any right to block such use. In this regard, the advice to GPs given by NHS England itself is of interest:
Under the Health and Social Care Act 2012, NHS England has the power to direct the HSCIC to collect information from all providers of NHS care, including general practices. … Guidance will support General Practices by explaining how patient information will be collected, anonymised and used by commissioners so they can better understand the true outcome of care provided to patients and continuously improve health services for all.
The General Practice Extraction Service (GPES) will be used to extract GP data each month. The identifiers to be extracted are: NHS number, date of birth, postcode, and gender which will allow patients’ GP data to be linked to their hospital data. No free text will be extracted, only coded information about referrals, NHS prescriptions and other clinical data.Footnote 15
Moreover, the GP readers were directed to a blog, on NHS patient information and the Data Protection Act (DPA), of the Information Commissioner’s Office (ICO), i.e. the official body set up to enforce and oversee data related legislation. The ICO explains that:
GPs holding personal information about patients is nothing new and is covered squarely by the DPA. Generally everyone understands what’s happening: you give personal information to your GP who then records that information as your medical history. This record may include information from other health services and allows your GP to track your health throughout your lifetime.
The changes begin with some of the personal information included in that record going from GPs to the Information Centre. This happens under the direction of NHS England, which is allowed due to a new law, the Health and Social Care Act 2012.
This law gives NHS England the right to direct the Information Centre to collect certain sorts of data from the medical records. The law is a statutory enactment which requires the disclosure of the data, which means the data becomes exempt from the main parts of the DPA [Data Protection Act].
Because the main parts of the DPA are exempt it means that neither GPs (as data controller) or patients (as data subjects) have the right to stop that information being taken into the Information Centre – there is no legal ‘opt out’ under the DPA.
But while the DPA doesn’t give patients a right to object, the Secretary of State for Health has offered patients an option not to have their information used in this way. But as this option isn’t covered by the DPA, we can’t regulate it, and we don’t set the rules on how it works.Footnote 16
As is clear, the option to opt out of care.data is not overseen by the Information Commissioner’s Office, and, as we noted earlier, this option is not guaranteed by law.
Moreover, the legal basis for the care.data scheme ‘trumps’ key provisions of the Data Protection Act.Footnote 17 The 2012 Act (the HSCA) allows all patient data to be used for purposes that extend beyond patient care (e.g. for research) without any consultation, i.e. without the patients’ knowledge. Thus, the law makes it impossible for patients to prevent their data from being used for research. Yet under the Data Protection Act 1998 (S 2(1)(a), Part II, Schedule 1), any health professional gathering personal information directly from a patient has a responsibility to advise the patient of the intended uses of the information, unless this would be impracticable. As Jamie Grace and Mark Taylor have convincingly argued, in this regard the Data Protection Act may be overridden by the HSCA, since the direct recipient of the information from the patient, the patient’s physician, is obliged to forward such information to the HSCIC which itself is not
to inform the patient of the use of such data once ‘anonymised’.Footnote 18 This has far-reaching consequences:
[T]he Information Centre will have the power, under Section 259 [of the HSCA], to require confidential patient information (and other information) from health and social care bodies…Footnote 19 [A] disclosure to the Information Centre, in response to a requirement that it be provided,… will not constitute a breach of the common law duty of confidence and will satisfy the requirement that there is a lawful basis for the processing of sensitive personal data under Schedule 3 of the Data Protection Act 1998.Footnote 20
Consequently, as observed by Grace and Taylor, the right of a patient to object to processing of his personal data on the basis that it would be likely to cause ‘substantial damage or substantial distress to him or to another, and that damage or distress is or would be unwarranted’ (cf. Section 10 of the Data Protection Act 1998) is simply
removed as a result of the HSCA:
[T]he responsibility to consult the patient and provide her with the opportunity to object] is lifted in relation to both the Information Centre and health professionals if disclosure of the information has been required by the Information Centre.Footnote 21
Following long-existing UK government practice in relation to governmental ICT schemes, both the HSCICFootnote 22 and NHS EnglandFootnote 23 have produced ‘Privacy Impact Assessments’ in relation to the potential impacts on patient privacy of the operations of the HSCIC and of the care.data scheme respectively. These are particularly of concern on two points—the extent to which citizens’ registered opt-outs will be honoured and the awareness of NHS England of ethical concerns extending beyond the potential for harm if medical confidentiality is breached. These Privacy Impact Assessments will be returned to below.
As shown in this section, key elements of the discussions regarding the care.data scheme are focused around the following topics: appropriate consent mechanisms for data collection and use; the right to object to processing of personal data; the extent of the data collected; and the uses of the data by the NHS or third parties. Various of those concerns were also raised by citizens, as we will see in the following section.