I recently recorded a piece for the Pod Delusion on care.data. If you like listening to podcasts, then you can find it here. The Pod Delusion is well worth a listen: apart from my own occasional contributions, it also unfailingly has a great deal of other interesting material.
But for the benefit of anyone who prefers the written to the spoken word, here is the text of what I said.
You may have had a leaflet through your door recently about a new massive government IT project called care.data. If you have, you might not have realised it was about care.data, as the leaflet doesn’t actually tell you that that’s what the plan is called.
You might not even have read the leaflet. It’s just a leaflet shoved through your door, not sent to you in a personally addressed letter or anything like that. You might have thrown it out, unread, along with all the pizza delivery leaflets. But if you haven’t thrown it out yet, I’d encourage you to read it carefully. It’s quite important stuff, though there are a few problems with the leaflet, which I’ll come back to in a bit.
But first, what is care.data? Well, it’s a new database that’s being created by the Health and Social Care Information Centre, a public body that was set up by the Health and Social Care Act 2012, a piece of legislation which I think we covered on the Pod Delusion more than once before when it was going through Parliament. But at the time, I think we were probably focusing a bit too much on opening up the NHS to private sector providers to notice that the Act also contained some pretty important stuff about the way your medical records are shared.
The database will contain medical records from primary care. Your GP will be asked to upload your records to the system. The data uploaded to the central database won’t include your name, but it will include your date of birth, NHS number, sex, and postcode, so you will be personally identifiable from the record.
There are undoubtedly many benefits to be had from this system. It’s really serving two purposes. First, it allows the NHS to get better data on what it’s actually doing, which should help it to plan its services better. It will be possible to link data from the primary care records to secondary care records, which should allow a more complete understanding of patient pathways within the NHS than is currently possible.
Second, the data will be available to researchers. It will no doubt be a fantastic resource for anyone wanting to do research on the care patients receive and their outcomes in primary care.
One other use of the system, which may not be welcomed by everyone, is that the data will also be available to private sector healthcare providers, such Virgin Care or Serco. The data will no doubt be very useful to them when they’re bidding for outsourced NHS services, helping them to run rings around NHS procurement managers. Good news if you’re a shareholder in a private healthcare company, not such good news if you’re a taxpayer or a patient with expensive needs.
So the system has benefits, but of course it also has costs. Great big government database systems don’t come cheap. So do the benefits outweigh the costs? I’d love to be able to tell you the answer to that, but I can’t, for the simple reason that the costs are a closely guarded secret. GP Dr Neil Bhatia, who’s taken a keen interest in care.data, tried to find out via a freedom of information request, but the request was refused. That’s a bit odd, don’t you think? After all, the government are always telling us that if you’ve nothing to hide, you’ve nothing to fear.
Incidentally, Dr Bhatia has produced a very helpful website about care.data, which you can find at care-data.info. It’s worth a read.
Anyway, I said I’d come back to the leaflet. It has a big title on the front page saying “better information means better care”. I think that’s a bit misleading. Care.data is absolutely not used as part of patient care. It is not a system for clinicians to share information about individual patients to make sure they are caring for them correctly. It’s purely about statistical information. Sure, good use of statistics can lead to general improvements in care, but I doubt that that’s how the man on the Clapham Omnibus would interpret the title of the leaflet.
Inside the leaflet is a brief statement saying that your choice about whether to opt out of the system will not affect the care you receive, but I really don’t think that’s sufficiently clear information, and I suspect it will be widely misunderstood.
The tone of the leaflet is overwhelmingly positive. It tells you a lot about the benefits of the system, but says little of the risks. The main risk, of course, is to the privacy and confidentiality of your medical records.
The leaflet tells us that the data will be stored securely. Right. A giant, government run database with confidential personal data. Forgive me if I’m not completely reassured. Remember when the entire child benefit database got downloaded onto a couple of CDs and lost in the post back in 2007?
But even if government IT bods have learned from that mistake and the database really is secure, that doesn’t mean there is no risk to your privacy. The data may be released to third parties in one of three forms: anonymised, potentially identifiable, and identifiable. It’s probably OK to share anonymised data. Anonymising medical records isn’t just a simple as removing your name. If you have a rare disease, then simply knowing your diagnosis and one or two other seemingly innocuous pieces of information may be enough to identify you. But I think that’s been thought of. I haven’t managed to find a detailed definition of anonymised data, but they do mention small numbers of patients with rare characteristics in the brief definition I saw, so probably no-one is going to know it’s you from the anonymised data.
Potentially identifiable data doesn’t include your data of birth or postcode, but as far as I can tell it does include most other things. Potentially identifiable is probably a pretty good description. Mostly, you won’t be personally identified from that dataset, but it can’t be ruled out, particularly if you have a rare disease. Potentially identifiable data will be shared with a wide range of researchers, although they will be required to keep the data confidential.
Finally, the full dataset, including your personal identifiers, may also be shared. This will, apparently, only be done under exceptional circumstances, and requires approval from the Secretary of State. However, the definition of what counts as exceptional circumstances is a bit nebulous. It has to be to improve patient care or be in the public interest, but I imagine you could think up quite a few circumstances where those things might apply. It’s often true that rules set up only for exceptional circumstances tend to become rather non-exceptional. In fact you may remember my talking about the UK Biobank project in Pod Delusion episode 130, where confidential NHS data were shared without consent because it was deemed to be in the public interest.
You can, if you wish, opt out of having your data uploaded to the system. You need to get in touch with your GP’s surgery to do this. If you’re lucky, they may have an opt-out form, but it’s more likely that an enquiry about how to opt out will be met, as mine was at my own GP’s surgery, with a quizzical stare. After a little discussion, they seemed to think that if I put my wishes in writing in a letter then they’d probably figure out a way to act on them. I shall be opting out mainly because I’m really not comfortable with the idea of my identifiable medical records being shared with unknown entities just because someone managed to persuade the Secretary of State that it was in a good cause.
What really bothers me about care.data is that it breaches the fundamental ethical principle of informed consent. Consent will be assumed. You have to actively opt out: if you do nothing, then your records will be included in the system. I’m always a little wary of assumed consent, though I appreciate that you can sometimes make a case for why it’s a good idea, and I don’t see this as a clear case when assumed consent is wholly inappropriate. But that consent does need to be properly informed. Telling patients about the system via a leaflet that may very well not be read, and which appears to be designed more to persuade than inform, does not strike me as a way to ensure that consent is informed consent.
Since I recorded the piece above for the Pod Delusion, I discovered that my suspicions that the "exceptional circumstances" stipulation for sharing confidential data might become anything but exceptional were well founded. It turns out it is surprisingly common for the NHS to share identifiable patient data without consent.
If you would like to opt out of having your own data uploaded to care.data, you can find a handy opt-out template here. I do think it's rather bad form that the NHS have not provided their own.