If you live in England, you might recently have received an NHS leaflet — white background with a blue and green design — with your junk mail.
If not, it is on its way.
It is called ‘Better information means better care’. Furthermore, it says no action is required on the part of the recipient.
As this pamphlet deals with personal patient data — yours and mine — two thoughts occurred to me. First, why wasn’t my surgery writing to me personally? Second, what about the opt-out of a few years ago wherein many English NHS users took the opportunity to prevent their records from going on the grand nationwide database, the Summary Care Record?
This leaflet discusses something different. There is a lot to read, so I’ll summarise it and leave you to further peruse the links provided.
The leaflet, which, no doubt, the NHS and Government hope you will ignore and discard with the accompanying flyers, is about care.data, even though there is no mention of it. care.data will eventually be sharing data with third parties — initially anonymous but not in subsequent stages — about our ailments, illnesses and lifestyle habits.
This, as will be shown below, has nothing to do with our treatment by doctors and nurses, whether in surgeries, clinics or hospitals.
And you can opt out by writing, not visiting, your surgery.
This is what the relevant NHS site says (much more at the link, emphases in bold mine below):
The role of the Health and Social Care Information Centre (HSCIC) is to ensure that high quality information is used appropriately to improve patient care.
NHS England has therefore commissioned a programme of work on behalf of the NHS, public health and social care services to address gaps in information. Our aim is to ensure that the best possible evidence is available to improve the quality of care for all.
It is important that the NHS can use this information to get a complete picture of what is happening across health and social care and to plan services according to what works best. The new system will provide joined-up information about the care received from all of the different parts of the health service, including hospitals and GP practices.
Your date of birth, full postcode, NHS Number and gender rather than your name will be used to link your records in a secure system, managed by the HSCIC. Once this information has been linked, a new record will be created. This new record will not contain information that identifies you. The type of information shared, and how it is shared, is controlled by law and strict confidentiality rules.
MedConfidential states that this is not really as harmless as it looks. In fact, a physician from Hampshire — Dr Neil Bhatia — provides more information on what this scheme really entails as well as opt-out forms you can send to your GP.
Under changes to legislation, your GP can now be required to upload personal and identifiable information from the medical record of every patient in England to central servers at the Health and Social Care Information Centre. Once this information leaves your GP practice, your doctor will no longer be in control of what data is passed on or to whom.
This information will include diagnoses, investigations, treatments and referrals as well as other things you may have shared with your doctor including your weight, alcohol consumption, smoking and family history. Each piece of information will be identifiable as it will be uploaded with your NHS number, date of birth, post code, gender and ethnicity.
NHS England – the body now in charge of commissioning primary care services across England – will manage and use the information extracted by the Health and Social Care Information Centre for a range of purposes, none of which are to do with your direct medical care. These ‘secondary uses’ include patient-level tracking and monitoring, audit, business planning and contract management. In September 2013, NHS England applied to pass on your information in a form it admits “could be considered identifiable if published” to a whole range of organisations that include – but are not limited to – research bodies, universities, think tanks, “information intermediaries”, charities and private companies.
Though you may be told that any data passed on will be ‘anonymised’, no guarantees can be given as to future re-identification – indeed information is to be treated so that it can be linked to other data at patient level – and NHS England has already been given legal exemptions to pass identifiable data across a range of regional processing centres, local area teams and commissioning bodies that came into force on April 1st 2013. The Health and Social Care Information Centre already provides access to patient data, some in identifiable form, to a range of ‘customers’ outside the NHS, including private companies.
If you prefer looking at flowcharts, this one — from one of the aforementioned sources — explains more.
Dr Bhatia’s Care-data site explains the scheme in more detail. Excerpts follow, so please take the time to read more privately:
- The information is not going to be available to doctors and nurses, and so will not be used to provide direct medical care
- The HSCIC will keep your uploaded information indefinitely – it will never be deleted, but continuously added to
- Your GP surgery cannot stop this extraction – but you, as an individual, can
- care.data is voluntary – you are under no obligation to allow your records to be processed in this way, and you have the right to opt-out
- You can prevent the extraction of identifiable data from your GP records by asking your GP surgery to put a special code in your GP records
- You can prevent the release of your identifiable data from the HSCIC by asking your GP surgery to put an additional special code in your GP records
- You cannot prevent the HSCIC from releasing information about you in anonymised, aggregated or pseudonymised formats (to ensure that, you must prevent the HSCIC from obtaining your information in the first place, by opting out now)
- If you opt-out of care.data (now), you can opt back in at any time in the future
- care.data is not the same as the Summary Care Record – opting out of one does not mean that you have automatically opted out of the other
This project, called care.data, is administered by the HSCIC using software and services provided by a private sector company (ATOS).
How much is care.data costing the taxpayer ?
Will doctors and nurses treating me have access to this information ?
Medical staff treating you in GP surgeries, hospitals, A&E, pharmacies and GP out-of-hours centres will not use, or be able to use, this database.
care.data is not about information sharing between healthcare professionals.
It is about data extraction, linkage and analysis: in other words, data mining.
Will medical staff with an NHS Smartcard be able to access my uploaded care.data?
NHS Smartcards are used to access software systems that help provide direct clinical care, for example the Summary Care Record, the Personal Demographics Service, Choose & Book and the Electronic Prescription Service.
NHS Smartcards will not permit access in any way to care.data uploaded to the HSCIC.
care.data is not about the provision of direct medical care by clinical staff.
Will my information be anonymised before it is uploaded from my GP surgery?
The information will be extracted from your GP surgery in a form that can clearly identify you as the patient that the data refers to.
In other words, it will not be anonymised, pseudonymised or de-identified before it is uploaded.
If it was anonymised, you wouldn’t be able to opt-out.
If it was anonymised, the leaflet wouldn’t state “If you do not want information that identifies you to be shared outside your GP practice, please ask the practice to make a note of this in your medical record.”
If it was anonymised, the HSCIC wouldn’t be able to link it to further identifiable data about you that it holds extracted from hospitals.
If it was anonymised, you wouldn’t be able to make a Subject Access Request for information that the HSCIC holds about you.
Later on, mental health records will be added, Dr Bhatia says. These are also scheduled to be released to interested parties.
It is appalling to think where personal information might end up and how many individuals will have access to it.
I also find it interesting that the UK’s oft-invoked Data Protection Act does not seem to be of use against this scheme.
One wonders how many people dumped this in their recycling bin without even looking at it?