Have you had one of these leaflets come through your door?
You should have; in fact you probably have had one but may
just not have noticed[1].
A recent poll for the BBC suggests that only 29% of adults recall receiving it.
In early January one came through my letterbox. It was inserted carefully
inside a leaflet for the Co-op supermarket, together with an invitation from
Talk Talk to sign up to their broadband package, and with some other assorted
pieces of paper that were of even less interest. If you are anything like me that sort of
collection of junk mail normally gets no more than a cursory glance before
being consigned to the recycling bin. So much for the fact that NHS England's statement
that its deal with the Royal Mail specified that the leaflets would not be wrapped
up in other mail! If the NHS were going to go to the expense of using the Royal
Mail, they might at least have put their leaflet in an envelope addressed to
their patients; we might have noticed it then. It was only the letters NHS in the top right
hand corner of the leaflet that made me give the thing a second look.
The proposals contained in the leaflet are that the NHS will
share data that they hold on you and me with "those who plan health and
social care services, as well as with approved researchers and organisations
outside the NHS, if this will benefit patient care." Now on the face of it
that is not too controversial. The idea behind the scheme is that the data will
be shared in order to find more effective ways of preventing and treating
illnesses, that the NHS will be able to manage their resources better and that
people at risk of a condition can be identified and offered treatment. All very
laudable and at first sight nothing to be too alarmed about. After all it makes
perfect sense for the NHS to use data it collects to manage patient care and
provide a better service...except. Except that not only is the intention that
this data be used within the NHS, but that it will be shared with "approved researchers and
organisations" outside the NHS, although quite who these organisations are
is anyone's guess. That is a little disquietening because although the NHS says
that data will be anonymous they also say that postcodes, National Insurance
numbers and dates of birth will be used, although that will be redacted before
data is released to outside organisations. The question that should concern us
is who are these other organisations and what would they do with the data?
It is difficult to have a great deal of confidence in
exactly how confidential the NHS will keep our data when you consider how many
data breaches the NHS has been responsible for. The Daily Mail recently reported more than two million breaches since
the start of 2011, an extraordinary figure that fortunately looks to have been
grossly overstated as figures published by health website pulsetoday.co.uk
suggest that breaches during this period number less than ten thousand,
although that is quite enough thank you. Breaches include paper records being
left in shops and car parks or thrown in litter bins in public places, of
confidential patient data being sent to the wrong addresses and of computers
being sold without confidential data being removed.
The media has been full of stories on the Care.data subject. |
For instance, NHS Surrey failed to completely wipe and
destroy 1,570 hard drives containing highly sensitive data on over 3,000
patient records before disposing of the computers containing those hard drives.
This came to light when a member of the public, who bought a computer online
(it is believed it was sold on eBay), found those records on the hard drive.
The NHS trust were fined £200,000 in July 2013 for that offense, which given
the parlous state of NHS finances, is a criminal waste of money for failing to
comply with basic data protection principles. Brighton and Sussex University
Hospitals NHS Trust were fined £325,000 in 2012 for similar breaches.
Apart from the alarm that the data sharing proposals have
raised with the general public, GPs have also raised concerns and some have
already opted their patients out of the scheme. Oh yes, the NHS mention in
passing that you have the option to opt out of the scheme, but to do so you
need to inform your GP (cue a large spike in appointments for GPs as patients
ask that they be exempted). In practice you do not need to see your GP, you
just need to speak to your GP practice, i.e. the receptionist (that helpful,
cheerful breed whose raison d'ĂȘtre appears to be to protect doctors from ever
coming into contact with patients).There is no form to fill in, nothing to
sign...which begs the question, how confident will you be that your wishes have
been complied with and how can you ever prove that you made the request if it
turns out that your data is used against your wishes? Why could the NHS website
not provide an option for patients to opt out online? If nothing else, why
could there not be a paper form that would become part of your record at your
doctor's surgery?
The NHS and other government departments do not have a great
track record with IT projects; not to put too fine a point on it they are
rubbish at them. Government departments have thrown good money after bad trying
to develop ill advised systems that have been scrapped or not been fit for
purpose. In some ways this current project, known as Care.data, is as likely to
founder as any other, like the NHS patient record project which was dropped
last year but only after £10bn had been spent on it. Other debacles include the
project that was meant to save the Department for Transport about £57m but
which actually cost £81m, the Ministry
of Defence project that even in 2010 was £180m over budget and eighteen months
behind schedule, not to mention the £5bn spent on the ludicrous National
Identity Card Scheme that was scrapped for a multitude of reasons. And they are
just the tip of a very big iceberg.
My reservations about the Care.data scheme are many fold.
Firstly the cost and the time involved that could probably be better spent by
the NHS on actually treating patients. I also fear that the perceived benefits
will be far less than has been stated.
Secondly, given their track record, I have absolutely no
confidence that the NHS will protect patient data. It is a near certainty that
there will be data breaches; patient data will not be anonymised properly. Data
containing full patient details will be lost or simply sold to organisations
who will use it for commercial purposes. Imagine the potential for insurance
companies to use this sort of data to either target potential customers for
health insurance, or conversely reject applications from certain people.
Thirdly, there is the fact that this is an opt out rather
than opt in scheme. The very fact that a BBC poll showed that only 29% of
adults could recall receiving the leaflet means that potentially a great number
of people who might have opted out of the scheme would have been blissfully
unaware of it. With a project of this magnitude and sensitivity the NHS should
have been asking patients to opt in and even once the NHS get their act
together and re-launch the scheme it is probable that a great number of people
will remain unaware of it and be opted in by default, whether they like it or
not.
The whole thing smacks of the NHS were trying to foist this
upon us without our noticing and that they are now somewhat embarrassed to have
been found out; the fact that the project is now in temporary abeyance suggests
that they realise that they have got this badly wrong. I was going to pop round
to my GP's surgery and opt out, but on balance I'm not sure if there is any
point; either they will still use my data anyway, regardless of my wishes, or just as likely the whole thing will be
consigned to the same bin as the Identity Card scheme.
[1] If
you have no recollection of receiving this leaflet and want to read it in full,
you can find it here:
http://www.nhs.uk/NHSEngland/thenhs/records/healthrecords/Documents/NHS_Door_drop_26-11-13.pdf