Liveblog – launch

I’m at the launch in London of the new campaign for medical privacy, Sam Smith and I will be liveblogging the day’s events in comments below. For background, see here, here, here and here. Most of today’s audience are from groups for whom medical privacy is particularly important, such as charities dealing with rape victims, substance abuse, sexual health and child wefare.

10 thoughts on “Liveblog – launch

  1. Phil Booth gave an introduction to what NHS IT systems look like and how their governance has changed since the first of April. The Population demographics service (PDS) is an address book for all of us, of interest to stalkers, private eyes and anyone else who wants to track people; 812,881 NHS staff have smartcards to access it. But how many of them have been lost? In 2009 the NHS decided not to know that! The GP extraction service (GPES) has an extraction demon on each practice PC and a central query engine that fetches data for customers; until April 1st the GP had control over what went up. Now at the Information Centre can require (rather than request) what it liked and the typical GP does not pay attention to what’s going on. The quality and outcomes framework (QOF) which determines part of GPs’ pay used to depend on doctors compiling aggregate data and sending it in; in future GPES will be used to hoover everything up. It’s not been switched on yet; it’s reckoned it will take 6–8 weeks to get it all coded and ready to roll. Yet the NHS has not told the public! The IC has two applications in progress under S251 Health & Social Care Act to pass around identifiable data, and has already published price lists for selling medical data to researchers and others. It’s claimed that outputs will not be identifiable in the first release. Anyway, our medical records are being commoditised; “information is the new oil”.

    In questions, the senior responsible owner of GPES admitted they’d be extracting Read codes but no text at all. The first extractions would probably be for QOF, and the first extract is planned for July. How the confidentiality will be handled will depend on what the Caldicott committee announces on information governance on Friday, and what the Secretary of State says then. Would it be pull or push? Most will be pull, and all other cases will require GP opt-in. The GP can also use the GPES tool to look at their own stuff. Will go by the law in terms of asking patients for consent; where data are collected via S251 processes, they can object. They won’t be asked, but if they find out about it they can stop it. The code set will be published next week. Another person mentioned that CPRD makes 53 million patients’ hospital and prescribing records available to pharma researchers, and that you can opt out if you know about it. Their mission is to collect data “from sperm to worm”. Another from a consumer organisation complained that it can take up to £50 and 40 days to get access to your own record; it’s easier for just about everybody else.

    Terri Dowty raised the issues of patient access to online records. The biggest is coerced access: what chance to victims of domestic violence have of not getting their records taken? And it’s legitimate for young people to to use sexual health or substance misuse services without parental consent, so how do you shield part of the record? What about the transition from a 12-year-old whose parents can access the lot, to a 14-year-old with a record of STI treatment that he/she wants to block? There are similar issues around the transition from independence in old age, when you might not want your kids to be see everything. The slogans about “joined-up care” are strident and all pushing in the wrong direction; the draft Care and Support Bill puts duties to cooperate on local authorities, police, prisons, probation and “such person or persons of such description as regulations may specify”. The Children and Families Bill currently before parliament has clause 25 duty to ensure integration of special education provision with healthcare provision and social care provision. There will be an “Education, Health and Care” (EHC) plan around a child. Records are supposed to follow individuals “with their consent” to any part of the health or care system. For consent to be valid in law, it must be informed, freely given, and by someone with capacity. Yet all of us who’ve worked in children’s services have found that services are denied to kids who fail to cooperate in the CAF process. She also FOIed all council’s information sharing policies; only three passed muster, with many considering a consent refusal to be grounds for suspicion (so they can use the “risk” criterion to share the information anyway and maybe even instigate a S47 “child a risk of harm” investigation). Further tangles arise around young people’s evolving capacity: the Department presumes competence from age 12 (yet the judges in Gillick were against an age cutoff) and they interpret it as meaning that adolescents should consent on their own rather than being encouraged to draw on parents for support if they want to decline. So how will online access evolve for everyone who isn’t a capable middle-aged man?

    In questions, Fleur Fisher recalled from her time as an Air Force doctor that many men would not be happy with their wives knowing what was in their medical records after they came back from trips.

  2. Presentation from Ross Anderson.

    “Our brains are not evolved to conduct principal components analysis.” — “The opt-out is like Facebook: the defaults are wrong, the privacy mechanisms are obscure, and htey get changed whenever a lot of people learn about them”

    Health Privacy is under threat everywhere, with tussles in country after country… @medconfidential

    The medical industry is looking to get exceptions to legal requirement for consent, and use it for various purposes: drug companies, insurers… Iceland tried, but has a very well known family tree, and the Icelandic High Court required opt-in. 11% had previously opted out… Finish nurse who was HIV positive, and hounded out of her job because coworkers could see records…

    An emergency care record system in Scotland let curious people browse celebrities’ records.

    Scope creep.

    After the 2010 election, the childrens’ databases were all stopped. The HSCIC is now trying to revive those plans under their own control.

    Public opinion since the 1960s has a similar pattern – stable for years. > 50% of people oppose. People are willing to have their data used in research when asked, but if they’re not asked, they’re against.

    Catholic Bishops’ Conference (theologically) believe that a woman must have the right to forbid their records from use medical research.

    Cameron’s policy was anoymised data available to researchers, but with opt-out.
    Anonymisation can work for restricted purposes, but generically there become problems.

    One past idea: NHS numbers would be anonymised only if the person was HIV+, which would have leaked whether a DoB/postcode was HIV positive…

    On reasonable assumptions. privacy trackers exist for all sensitive statistics that can generally be produced (semi-)interactively. Outliers fall if someone can do arithmetic (in 1995, there was only one HIV positive patient in Chichester; the one female Prof in the CL).

    The VA published data that they thought was adequately scrubbed; researchers found data for the Governor of Massachusetts.

    Live data attacks – if you can see how systems change, data releases etc,

    This is ongoing, and statistical processes can not protect interactive data of 50m people. That doesn’t seem to stop civil servants trying…

  3. Helen Wallace of has been working on genetic privacy since 2001 and reports plans promoted by Tim Hubbard of the Wellcome and John Bell of Oxford to sequence 10 million of us and attach a variant file of genetic data to our med records (the human genomics strategy group wanted the whole population). The plan is to make it all open except our names and addresses; but your DNA is a biometric that identifies you, up to monozygotc twins. (The police use STRs and med researchers use SNPs, but the latter are getting numerous enough for identification, and some will have whole-genome data.) “There will be no such thing as secrets about paternity any more.” The Human Tissue Act 2004 forbids the processing and storage of DNA without consent, but allows the secretary of state to regulate exemptions for research, which the Academy of Medical Sciences is urging him to do. The proposed weakening of the DP regulation will allow all research and statistical use. The database will allow all to be identified; the Mafia are now taking DNA from insiders in case they ever go on witness protection. The removal of the right to know who’s using our genomic data breaks the Helsinki declaration. Instead of having well-considered screening programs, with downsides assessed, we’ll have everyone screened for everything and the results used for marketing. Tony Blair’s “Science matters” speech, 2002, embraced this. Will babies and children end up being sequenced without consent? It’s being argued that it’s “necessary for public health”. Yet public health genomics was pioneered by the tobacco industry from the 1950s under the misconception that if the 1 in 10 who’d get cancer could be recognised in advance and warned off, the rest could smoke with impunity! The food, chemical and nuclear industries later joined in as a means of shifting risk focus away from their products. The key lobbyists and Mark Walport, John Bell, Richard Sykes and Paul Nurse; unis and companies approved by Biobank spread from the USA to China. Yet only 7% of people opted in to Biobank; what can you reasonably infer about the others?

    Helen Wilkinson has been operating The Big Opt Out since 2006 with Phil Booth after she tried to opt out of the summary care record and found she couldn’t. Despite having worked in the NHS for 20 years she couldn’t find out what was happening to her data. She’s been dealing with real patients since then, with real problems. For example, a woman in the North has a potential cancer and does not dare speak to her GP for confidentiality reasons. TBOO does some campaigning but the patients take up most of the time; it respects confidentiality completely, destroying your phone number once your issue’s been dealt with. Some databases are very hard to opt out of, such as HES; when she got the secretary of state to agree that she would not have an NHS number, she was denied hospital case. However she can give advice on how to get anonymous care by seeking emergency care or using a walk-in centre; the Department confirmed that people could access care using any name.

  4. In the early afternoon there were four separate sessions. In the one I chaired, Essex GP John Cormack described the erosion of confidentiality in general practice since the 1990s when health authority staff started checking up on surgery records to verify item-of-service claims; John got a patient of his who was a barrister to complain and eventually got an admission from the then minister William Waldegrave that patient privacy should be respected. Recent developments in GPES persuaded John that secondary uses should be opt-in not opt-out, so he wrote to 2700 patients in December 2012 saying that consent to sharing would not be assumed; they were invited to reply saying yes or no. 31 agreed to releasing the lot; 51 to a summary only; while 597 explicitly refused consent to sharing.

    In discussion, Dave Roberts (the GPES SRO) asked whether he’d be sending any QOF returns; John said he’d written asking what to do, and has not received a substantial answer, so maybe he’ll remove the GPES gizmo from the server? Dave apologised; that was just imcompetence, plus waiting for Caldicott to announce what rights patients will have. There are other surveys such as the diabetes clinical audit which hoovers up confidential information without patient consent from 6000 participating practices. There are also PCTs extracting confidential data (illegally) at present and that’s wrong. One of the reasons for setting up GPES was to set up a way of extracting data that’s open, transparent and honest. Lots of bad things happen because information governance mechanisms are defective or absent. NHS England (the commissioning body) can now in law demand data; there your argument is with MPs. The function of GPES is to eliminate a lot of very bad practice. He believes there has been movement on the position Caldicott will take following representations by PI, BBW etc since October.

  5. Reports back from other sessions: Sue White’s group on the Single Care Plan challenged the assumption that we needed ever-more sophisticated electronic proxies for conversation, and that the cause of high-profile failures like Baby P was “the system” or “failures to share information”. Not many enchanted with the techno-magic vision of ever bigger databases.

    Ian Brown’s session discussed anonymity versus pseudonymity, the legal framework here and in Europe (DPD, DPR, ECHR).

    Phil Booth’s session focussed on discrimination, and discussed the various groups of people who could suffer as a result of information sharing (black people, mental health cases, smokers). There was also discussion of literacy, from people not understanding what’s happening to not knowing how to talk about it. Also, what does success look like for a campaign like this? If health and care are going to merge, as all parties now say, we’ll have to do it across care services as a whole. Our opponents try to drive wedges; they’ll blame the GP for releasing data even if they forced him to.

  6. In the final session, Shami Chakrabarti offered Liberty’s support and solidarity for the campaign, and for old comrades Phil Booth and Terri Dowty who run it. Britain has a real ambivalence to privacy, perhaps more than to any other fundamental right, and people often let it be trumped by any other public good. How can strange loony privacy geeks get in the way of medical research, they say? We’re up against sloppy thinking and sloganising, as we saw in the debates around the DNA database. We’re also up against the idea that cool technology is irresistible; if we can do it, we must. However we can’t have any other right or freedom without it. How can you have freedom of thought or religion without private space, or the right to a fair trial without the right to have a private conversation with a lawyer? Without it, how can we have intimacy, or dignity, or trust, or a healthcare system in which all can participate? So this is also about the right to healthcare. Is the disrespect for privacy not accompanied with a disrespect for the right to healthcare? Many people value the NHS above other parts of the postwar political settlement, even more than their civil or political rights. Although the local courts have not been vigilant about Article 8 ECHR, it’s very hard to see how Strasbourg law can be squared with the current proposals. To reverse ownership of medical records, then even in domestic law there should be primary legislation and a proper public debate – and even then it wouldn’t be immune in Strasbourg, as we saw with DNA in the end. Anonymity is questionable, and some data are to be passed to NHS and non-NHS bodies in identifiable form. Yet civil rights are under threat; “even today No 10 was briefing against the EHCR on my old friend Abu Qatada who follows me around like a bad old boyfriend”. Human rights must be protected not just by debates and activism but in law. We have a crisis in trust; first the executive with the Iraq war, then MPs who were happy to wag fingers at us while rifling the till, then bankers, then journalists – do we need a crisis of similar magnitude in the NHS? Let’s stop that disaster before it happens. We hope this campaign will be as hard, and as successful, as the one you ran on ID cards.

    Wrapup: 80% of people are probably on our side, so let’s get the word out.A newsletter will launch shortly; we reckon most people can handle an email a fortnight.

Leave a Reply

Your email address will not be published. Required fields are marked *