For those of us who might not be in the UK, or have too many other things to think about, a brief reminder. Care.Data is the name of the programme in the UK that aims to bring together into a central database the patient data that is currently held separately at each GP surgery across the country.
Conceptually, the idea that it would be valuable to medical research if health data could be accessed more easily for analysis has existed for more than 25 years, with initial efforts such as the collection of NHS hospital stay statistics taking place in 1989. The concerted effort to establish a central database to collect data from all GPs was announced in spring 2013, with the name ‘care.data’. The plan was that this would allow data on patients who had not explicitly opted out of the system to be used in anonymized form by health care researchers, managers and planners, including those outside the NHS such as academic institutions or commercial organizations. In recognition of the fact that people’s health data is a sensitive matter, the government launched a public awareness campaign, primarily based on leaflets that were to be delivered to people’s homes in January 2014. Based on a BBC poll in February 2014, however, “as many as two-thirds of the public had not seen them come through their letterboxes.” The failure of the public information campaign contributed to growing complaints from a wide range of professional organizations and privacy campaigns (British Medical Association, privacy campaign group Big Brother Watch and the Association of Medical Research Charities) that there were insufficient safeguards to secure the data handling and protect people’s privacy. Most important, however, were concerns that it was not clear who would be getting access to the largely anonymized medical records, especially whether private companies such as insurance companies would be able to buy access.
Ultimately, these complaints resulted in the decision by NHS England (who were put in charge of running care.data) in May 2014 to delay the data-sharing project by six months. In October 2014 the Cabinet Office Major Projects Authority concluded that the program had “major issues with project definition, schedule, budget, quality and/or benefits delivery, which at this stage do not appear to be manageable or resolvable”. In June 2015 a regional test was announced that would commence data extraction in Blackburn from September. This was again paused due to confidentiality concerns that remained unresolved.
Earlier this week someone posted to the discussion list of the Open Rights Group that apparently the NHS was circulating a survey (the survey closed on December 2nd and is no longer accessible) to poll people’s concerns about the use of information technology and reassure the public that their personal health and care data is being held and used securely. As stated in the introduction to the survey:
“The health and care system needs to earn the trust of the public and must be able to assure the security of confidential data.
This includes being clear with citizens and professionals about how personal health and care data should be used and the benefits of doing so, how privacy is protected and ways in which people can express a preference in terms of how data about them is used.
To address these concerns the Secretary of State has commissioned an independent review to:
- develop data security standards for health and care organizations
- propose a consent or opt-outs model for data sharing in health and care organizations
To inform this review we would like to invite patients and the public to answer the following questions about data security and data sharing in health and care.”
As pointed out in the Open Rights Group discussion forum, however, the survey itself already showed a number of problems with regard to data handling and biased wording. For starters, the survey was hosted on SurveyMonkey, a service that is frequently used for commercial and academic surveys. Unfortunately, however, SurveyMonkey is a US-based company, which means the data is being collected on servers in the US. With the collapse of the US-EU Safe Harbour agreement this could be problematic if the survey were deemed to contain personal data. In this case no name or location data was asked for, and the demographic data was sufficiently coarse to probably not cause problems. The other questions also did not appear to be sufficiently fine-grained to allow identification of respondents (provided that no IP address information is recorded by SurveyMonkey). As an exercise in increasing public trust in the way their data will be handled, however, this was clearly a mistake.
Most of the questions were formulated similarly to the following:
“13. Are you happy for information about you to be used to help the Government to develop better policies i.e. hospital data about road traffic accidents, for instance, might help the Department of Transport to identify and address particular accident hotspots.
- I’m not sure
- Yes if the information is anonymized (information like name and address removed from the record)
- Yes if I’m asked first”
It should be noted that in the case of medical records, simply removing name and address data is probably highly insufficient to achieve actual anonymization, since people within the catchment area of a GP practice or hospital will mostly have very individual patterns or combinations of medical conditions. An insurance company, for instance, might easily re-identify people based on such patterns.
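A data controller can measure this risk before release by checking k-anonymity: how many records share each combination of the attributes that remain once name and address are gone. The following is an added example, not part of the original post; the records, field names and function names are all constructed for illustration.

```python
from collections import Counter

# Constructed sample: records from one hypothetical practice with name and
# address already removed, i.e. "anonymized" in the survey's sense.
RECORDS = [
    {"age_band": "40-49", "sex": "F", "conditions": {"asthma", "type 2 diabetes"}},
    {"age_band": "40-49", "sex": "F", "conditions": {"asthma"}},
    {"age_band": "40-49", "sex": "F", "conditions": {"asthma"}},
    {"age_band": "40-49", "sex": "M", "conditions": {"hypertension", "gout"}},
    {"age_band": "40-49", "sex": "M", "conditions": {"hypertension"}},
    {"age_band": "60-69", "sex": "F", "conditions": {"hypertension", "osteoarthritis"}},
    {"age_band": "60-69", "sex": "F",
     "conditions": {"hypertension", "osteoarthritis", "glaucoma"}},
    {"age_band": "60-69", "sex": "M", "conditions": {"copd", "hypertension"}},
    {"age_band": "60-69", "sex": "M", "conditions": {"copd"}},
]

def class_sizes(records, quasi_identifiers):
    """Count how many records share each combination of quasi-identifier values."""
    def key(rec):
        # Sets are unhashable, so freeze them to use the combination as a key.
        return tuple(frozenset(rec[q]) if isinstance(rec[q], set) else rec[q]
                     for q in quasi_identifiers)
    return Counter(key(r) for r in records)

def k_anonymity(records, quasi_identifiers):
    """Smallest group size; k = 1 means at least one record is unique."""
    return min(class_sizes(records, quasi_identifiers).values())

def unique_fraction(records, quasi_identifiers):
    """Share of records that are the only one with their combination."""
    sizes = class_sizes(records, quasi_identifiers)
    return sum(1 for n in sizes.values() if n == 1) / len(records)

if __name__ == "__main__":
    coarse = ["age_band", "sex"]
    full = ["age_band", "sex", "conditions"]
    print("k with demographics only:", k_anonymity(RECORDS, coarse))
    print("k with conditions included:", k_anonymity(RECORDS, full))
    print("unique records with conditions: %.0f%%"
          % (100 * unique_fraction(RECORDS, full)))
```

Records that fall in a group smaller than the chosen k are the ones that would need their attributes generalised or suppressed before the data set is shared.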
On the topic of the “measures in place to protect your confidential information and ensure only those authorised to see it can do so”, participants were asked to rate their confidence in the following measures:
- Network security: your information is communicated via a private network which can only be accessed by approved users who use a smartcard to gain access.
- E-mail security: any information that is sent via email is sent using a private mail system that can only be accessed by NHS staff.
- Legislation: there is legislation in place, such as the Data Protection Act, with financial penalties of up to £500,000 for anyone who breaches these rules.
- Rules: NHS organizations need to self-assess against national rules that set out how people should collect, use and access data about you. Social care organizations are independently assessed each year against these rules.
Given how vague each of the descriptions of the data protection measures is, there is no way in which respondents could provide any useful information about people’s actual concerns about the handling of confidential information.
Clearly this survey was an attempt to test ‘the waters’ for formulating the care.data re-launch strategy. The big question is, what is going to happen next?