I've moved!

I've moved! So my blog is now at jenpersson.com. Pop by. I'd be delighted to see you.

Growing up I considered becoming a creative designer or a forensic scientist. Aged six I wrote a chalk letter to the Queen which I posted secretly, stampless, asking her for world peace. In between then and now I didn’t do much about it. Now I better appreciate that if we want to see change, we need to make it happen. As a member of  English PEN I’ve been interested on and off in the areas of privacy and freedom of speech for some time. Daughter of a GP, the most recent transformation programme in the NHS and its approach to patient data and confidentiality, has led me to pay attention in the care.data arena. I attempt to capture my thoughts about that.

It may also be about other writing related things.  Sometimes art, clouds or bees.   Or anything else I feel worth adding to my scrapbook. Come on over to Twitter and join me in conversation.

Mostly constructive. Sometimes cross. Occasionally on target.

“Thank you for your consideration.”

care.data - Riding the Change Curve

I've been inspired by many people this week.

Shakespeare who is long dead. Another, less famous, we celebrated at her funeral after only a few weeks of living with diagnosed endocrine cancer. She would have turned 76 this week.

The change curve

Anyone familiar with the theory of grief, or more happily (as I am from my previous professional life) the similar theory for managing change, knows the stages along the curve we need to go through, to reach a new status quo after a process of adjustment.

After the initial shock and denial, there may be anger, frustration and fear before any acceptance or new optimism is possible.

Individuals follow the curve at their own pace. Some may not go through each stage. Others may simply be too upset, disagree early, give up with or repel the change, and never reach a comfortable position or commitment to a new status quo.

Whether it is grief or a business change, the natural initial response is emotional, and starts with loss. Loss of a person, of position, of something we cannot control. It can take a great deal of support, time and good communication to go through the journey.

(And yes, there's a comms lesson for care.data in here.)

Before we begin on a change we need to understand the point from where we are starting. And crucially, to understand that Change is about people, not technology or business process.

The change curve starts with shock

From many people's perspective, the concept of care.data, has been a shock. For those working on the project, or at NHS England, that is probably hard to understand. 'Why on earth all the fuss?', they may ask. It's easier to understand, if you realise the majority of the public had no idea our health data was used for anything other than our direct and indirect care. Much less may have been winging its way on the cloud across the Atlantic. It feels like data theft.

It's easy for those in a technology project to see coded health records simply as data. But don't forget to us, this is our irrevocable health and social imprint. Signposts to who we are, have been and perhaps, will be. It's personal and private. And as yet, we may have only shared those facts with our GP. Only our GP and not yet our partners, or parents. And then we find out global Health Intelligence companies might have our sexuality or pregnancy history, or complete picture of prescribed medicines, drawing on information from 100,000 suppliers, and on insights from billions of annual healthcare transactions. HSCIC is giving it away almost for free. To them it may be only data. To us it's intimate. But for the three of us in this marriage, it's information which has been used and shared with these third parties, and as far as we can see, only one of us really benefits from the deal. Identifiable or not, is only part of the story. It's our biography we didn't give you permission to read or tell.

The initial shock, fears, anxiety and general disgust that our personal details are sold (sorry) given away on a cost recovery basis charging to cover processing and delivering the service, should therefore be more understandable if you realise it was a complete surprise.

(The surprise may or may not be quite as great as the exploding whale posted via Wired at the end of this post. Go on, you know you want to.)

Change is the only constant. How can we progress?

The Change Curve based on the Kübler-Ross Grief model

So, what happens now? How can the public move forward, to get to a position of trust and acceptance, that this is what is already happening with our hospital data (HES), and planned to happen with the majority of our GP stored data in future (whether we like the idea or not)?

In order to move us along the curve, NHS England have a large task ahead. In fact, a series of tasks ahead, which are not going to happen overnight. How are change and communications working together?

As there's no detailed 'care.data progress' public communications easy to see on the top level of NHS websites I can only see other info as it comes out through online search alerts. And since it's my, my children's and all of us as citizens, whose data that is being discussed here, I think we should be interested and want to find out and question the ongoing status. The GP FAQs have gone or are hard to find, and the patient FAQs are still inaccurate IMO. This page should be top level leading, not six unsearchable clicks down. 

From the latest update in the care.data advisory group meeting notes, with much more concrete progress to see, it is good to see that communications features often, and note 'a comprehensive engagement plan is already underway.'

That plan will be interesting to see mapped out as time goes on, but I do wonder whether it is the right time to be looking at engagement, when so much for the care.data programme remains to be clarified or is undecided?

Questions remain how less raw data can be given away, further legislation, the 'one strike and out'  how to deal with data breaches, views on enabling small and medium enterprises (SMEs) data access, GP staff opt out understanding, public op out understanding, clarifying the narrative of risks and safeguards. Some steps to be reviewed not until 'over the summer'. And that's only a summary of a summary, I am sure only a glimpse of the foam on the top of the wave of what is being done under the surface.

An engagement plan can't have gaps. Communications is not one-way, that's PR. So we can only hope there is a real engagement underway of listening which will result in action, but not in 'transmit mode'. Engagement needs to be concrete to work from day one. We don't need a sticky plaster and pat on the head, we need fixes and facts to back them up.

Communications and Change

Why can comms not start now and be added to as we go along, you may ask? Whilst it can, and indeed most communications plans need some flexibility, a good Communications Plan needs to ride leashed tightly to the Change Management Plan.  And given that different individuals are each somewhere different on the change curve, at any given point in time, you need to be able to address questions that any of them may have, simultaneously, regardless of whether they have just heard the news, or are almost finished their change journey. For GPs, their staff, other medical professionals, citizens and patients.

Riding the wave of the change curve, some are nearly back on the beach, when others haven't yet entered the water. Some have got out and will not be persuaded back. Others may.

Therefore until many of the open issues are resolved, until governance and legislation is clear, unless it is focused on listening and resulting action, most communications can only be wasted PR rhetoric. Perhaps there are great plans. But Houston, we don't have a communications problem. Honestly. As far as I can see.

There is no communications issue, there are issues which need communication.

Why? Because folks who opted out already will not be sold on the benefits. They will only be convinced by a clear picture of known and well governed, legislated, mitigated risks AND benefits. Then they can weigh up a decision. (Assuming indeed, the Secretary of State is a man of his word and maintains the patients' right to object, which is not a legislative right.)

"The law is a statutory enactment which requires the disclosure of the data, which means the data becomes exempt from the main parts of the DPA." (ICO)

For the population not reached yet, however, there is a requirement to at least give fair processing, even if you can debate the fineries, all common sense says make the same mistake twice, and you're sunk.

The trickiest part in the communications, is to address different segments of the population who are at different points in the curve, at the same time. Some of whom are hard to reach.

I am sure there are many people working behind the scenes to bring about this managed change. Let's not forget, this programme was intended first to launch a year ago. Professionals are working on this, it's not new. But Dear God, please don't launch more communications along the same lines as before. September saw GP materials go out with no training and no measure of how well practices had understood the materials. A misleading poster and misdelivered leaflet for patients created more confusion. Which all went out before proper governance, legislation and technical solutions were in place to make it all work well. The advisory group minutes and Mr.Kelsey's letter indicate there is much work to be done in these areas still. Yet engagement activities are planned May-July.

To look at basics, I think these need resolved before you can talk about risk mediation:

1. Purposes and who accesses data:  the care.data addendum which sought wider purposes and third party access by think-tanks and information intermediaries is still to resurface, after being returned by the GPES IAG in February for amendment. Which means final data users remain somewhat undefined. And we're still pending the complete audit of past and current data recipients through the audit overseen by Sir Nick Partridge.

2. Amber is not Green - data protection: Why is potentially identifiable data and what really quite clearly, will be identifiable when so many companies sole purpose is to take a wide range of data sources and mash them together,  given no data protection in law and no clear choice over its use in HES release? It may for release from HSCIC be treated more carefully than green data only in so far as it is not publicly published on a website,and goes to committee review, but it may be provided to a wide range of commercial companies who then create information from it which they release. The raw data's nature can be sensitive to us and it's certainly personal, so that we would expect it to be kept confidential, and yet it is  shared and may be combined with recipient's other data sets are at individual patient level?  It feels like a great big whale in the room - it's not green, we can't protect it, but if we close our eyes it might go away. It's not conducive to trust, when it feels like a con. Just call me Ishmael.

3. Individual expectations - individual data control: Point 2 leads to a huge potential iceberg ahead which still needs resolved. Which of the UK and EU protection laws and their, the ICO and the HSCIC definition of anonymous and pseudonymous data apply and are not only legal, but feel just and fair to us as citizens. What rights does the individual have? How will GPs resolve their conflict of protecting patient confidentiality and complying with the new law requiring them to release it? Some GPs don't think it's a good idea. There will be some citizens who want no data stored centrally at all and even want their HES back out. What will they say to someone who point blank does not want any of their medical record outside their practitioners' control?

So, are we about to see a repeat of the same communications catastrophe - launching engagement, before we know what exactly what it is we're talking about? Surely not. But looking at the calendar...

As an outsider, I just wonder how can effective engagement begin, when questions may be asked which cannot be answered?

Workshops to separate truth from myth, risk going down as well as Ahab in Melville's story, if you have people who are upset, and you have nothing to offer them but unsupported 'reassurance'. I'd like to see a webpage or presentation of those myths, because I don't feel I've seen many myself. If anything, issues have been debunked by careful wording rather than straight talking.

Change and Trust

Change can't be done to us without huge resistance. Change has to happen with us, if we are to trust and adopt it. If collectively we get stuck in anger and fear, we'll not get to acceptance. And it actually has the potential, suggested Ben Goldacre, if not already done, to leave a negative wake on wider research & society.

There has to be trust in the change, that it is for widely acknowledged 'right' reasons.

There has to be trust that the terms of the change are defined and stable. Words such as currently, and initially, have little place in the definition of future agreements. 

There has to be trust that what we will lose, is in proportion and outweighed by what we'll gain from the new.

When we read global stories of how healthcare data is misused, and we can't see who has access to our own data on any real-time rolling basis, it leaves open the fear that data can be given inappropriately, without check and balance, for months. The recently released register is one good thing to come from the debacle so far, and the further audits are ongoing, expected towards mid-May, but any future register is only going to be publicly accurate 4 times a year. It's better than nothing, but surely not hard to update in real time.

Until the history is entirely transparent, it is a challenge to see how concerns about past use and lack of past governance, and the lack of trust those errors created will be possible to fix. The sensitivity of our raw data is likely only to increase as scope is broadened in future, and the scale of the requests is expected to increase as the era of Health Intelligence takes off and becomes ever more profitable for those third parties. 

Trust will need to increase if anything proportionately, as this scale and sensitivity increases. So any communications of future releases and their governance needs to be sustained. It's not an afterthought of 'what we've done'. It's the key to being allowed to carry on doing it.

Change Managers need to understand an individual's own story, values and what makes them tick, to have an expectation of what the change impact (possibly negative) will be for individuals or groups and what's in it for them (the positive) and any wider impacts, for example considering the Public Interest. And all leaders, need to have available from the start, the information which will answer the questions for people in each of these groups, at every stage of the curve.

Decisions in the public interest, may be subjective. Jeremy Hunt has said that we,

'will “get through” the heated public debate this scheme has caused regarding patient privacy and the potential for the data to be re-identified."

I'd like to hope we get more than 'through it.' To say that, underestimates the task ahead.

It's not a tunnel or a final destination, but a process. And the longer the data is shared over our lifetimes, the more likely it will be re-identified with all the other passive and other Big Data which is shared in our future. So there's no patch, pop up and coast to the beach. I can only think this is a one time chance, and the leadership comments seem to understimate it.

It must be done correctly now, to set up a framework which will be robust enough for the future size and complexity of the future Big Data vision.

Legislation to build a solid Future foundation

There are still many unknowns it reads from the meetings, from opt out, to wide ranging governance issues, to securing watertight legislation.  The scale and sensitivity of the data and how it has been handled in the past, shows how the current model is not fit for purpose.
 
This week there is still crucial legislation being considered which will help to fundamentally cement or fail public trust.

Trust not only in how our data will be governed, but in common sense in our governing bodies. The legislation addresses:

• Retaining control and management of confidential information
• Putting the independent Information Governance Oversight panel on a statutory footing
• Independent oversight over certain directions  and the accreditation scheme

etaining control and management of confidential information - See more at: http://www.allysonpollock.com/?p=1820#sthash.No8G7kcT.dpuf

retaining control and management of confidential information - See more at: http://www.allysonpollock.com/?p=1820#sthash.No8G7kcT.dpuf

I'm no legal beagle, but it appears to make excellent sense and the detailed wording (via Prof. Alison Pollock's page)  is very straightforward.

I hope it is clear that patient choice and public interest complement one another in these proposals. Just as Dr. Mark Taylor, Chair of CAG, outlined in an excellent essay,

"the current law of data protection, with its opposed concepts of ‘privacy’ and ‘public interest’, does not do enough to recognise the dependencies or promote the synergies between these concepts."

If the Lords support Life Sciences' interests, as many in the chamber do, they will need to support the proposals in order to ensure the public remain opted in to care.data.

Without these governance amendments, many more will opt out I am certain from talking to people on the street, and the value of the population-wide database will be undermined. So, the theory on paper next week, will have a crucial role in the practical outcome of the care.data implementation and its lifetime value.

No one said, change is easy.

Importantly, in any theory one does well to remember the practical reality. Each response is unique to an individual. No one model will fit all. Each person commences the journey of a changing situation, from a different starting point. We each begin the process from a different level of baseline knowledge. We each have our own ways of dealing with loss, and experience different levels of anger or fear. There are early and late adopters.

Some things are difficult, but have to be gone through. For me, Tuesday was a day of looking back at wonderful memories. Someone whom the wider-world did not know, but who inspired her corner of it in a very positive way. She made all the decisions about the funeral herself, because the outcome was unavoidable and she had some time to plan.

One of the other people who has inspired, and given me joy, this week, has been Stephen Sutton and his fundraiser page raising money, hand over fist, and reading the positive comments he has received and seeing him discharged (yet again) for another unknown time period.  I can't imagine how he goes through a process of acceptance of his changing circumstances, but he seems to have a wonderful outlook on life.

We also sometimes need to accept what cannot be changed. When the time comes, I support the idea that we can live with a disease and dignity, not just the label that we are 'dying'.

My final inspiration of the week, Kate Granger articulated this, so much better than I could, last week:

"I cannot imagine a human society free from cancer, no matter how much money we invest. As a cancer patient who will die in the relatively near future, I believe rather that instead of reaching for the traditional battle language, [life] is about living as well as possible, coping, acceptance, gentle positivity, setting short-term, achievable goals, and drawing on support from those closest to you."

What a truly dignified approach. Possibly the biggest change we can ever expect to prepare for. Yet inevitable.

On living with cancer specifically, from another POV, I've just read Chris's insightful post and his feelings on the challenges as an individual and the wider impacts on society of 'survivorship'. These three really know what it is to live with change.

Whilst well, we are often busy doing, we can forget to just be, and appreciate what we have, without trying to change anything.

I've always liked the prayer; "God grant me the serenity  to accept the things I cannot change;  courage to change the things I can; and wisdom to know the difference."

care.data too, requires courage from all the parties involved, because everyone is going through a certain process of change and compromise. Even those who planned the now delayed launch, need to recognise a need for change and why we've got to put a solid, not rushed foundation in now, and be in it for the long haul to get it right.

With lasting legislative powers, we public can better entrust our faith and data to the system, not just today, but into the future. With a proper independent Governance and oversight process we can hand you our trust for safekeeping with our records in good faith. We can only trust these proposed changes make not just waves, but make real progress.

If nothing really substantial changes in the pause, and we don't see increased measures to create trust, all that will happen is a build up of frustration and pressure of all the people who can't move forward from the initial anger and confusion. They will opt out. And there's a risk public opinion will burst under pressure. No one will want to support health record sharing and there will be an explosion of opt outs. Like a dead, washed up whale. (Which you really don't want to happen. Really. It's not pretty viewing, don't say I didn't warn you. But it's kind of fascinating too and all the number crunching too.)
 
Plus ça change, plus c'est la même chose. Two months into the pause, are we seeing changes taking effect, or more of the same talk?   

I look forward to better information on how and where our data has gone in the past. I think only after that will it be possible to get the history aired and resolved for improved future procedures once we have the complete audit picture, including that under Sir Nicholas Partridge, due towards the end of this month. The further governance and independent oversight issues will be best resolved in legislation, which would help them be free of political change and create a framework worthy of the big data vision for the future.

I pray the Change Management is as carefully thought out as communications and engagement is based on substantive steps before it.

I realise much of this post addresses how I feel, and the feelings I have picked up from others discussing it on the street and school playground. Emotions have a role to play in this discussion, but better facts will go a long way to making objective informed decisions. And crucially, our decision making must be allowed to be objective and free from emotional coercion.

I'm cautiously optimistic and look forward to seeing public materials to get the GP profession and public on board and riding the care.data change curve each at their own pace. There is clearly a tonne of work to be done. It's not going to be glassy, by any stretch of the imagination, but perhaps we need a few rough times to remind us what matters most to us, and why.

It makes us engage. The question is, in the coming weeks and months, is NHS England prepared for genuine change and engagement with the public, not just PR?

An ode to care (dot) data

To be or not to be, that is the question.
O, what men dare do!
Two gentleman of Verona
Measure for measure
and in a Midsummer’s Night’s Dream
And like the baseless fabric of this vision
imagined there would be much ado about nothing.
Mum's the word!
But this denoted a foregone conclusion.
Open-eyed conspiracy!
Wherefore are these things hid?

Oft expectation fails, and most oft there
Where most it promises.
The plan would be a winter’s tale.
But as you like it
or as not
Damn’d be him that first cries, ‘hold enough’!
These tedious old fools!
The tempest doth make delay.

Will the work done be love’s labour lost?
Will the storm nay be calmed?
Sigh no more, ladies, sigh no more,
Men were deceivers ever.

Would they want that chinks be earned
Gold? Yellow, glittering, precious gold?
No, Gods, I am no idle votarist!
All gold and silver rather turn to dirt!
As 'tis no better reckon'd, but of those
who have want.
"Shylock, we would have moneys," you say so
the pound of flesh which I demand of him
is dearly bought. ‘Tis mine.

What might be toward, that this sweaty haste
Doth make the night joint-laborer with the day:
Who is't that can inform me?
Friends, Romans, countrymen, lend me your ears!
Who bare my letter, then, to Romeo?
The letter was not nice but full of charge,
Of dear import, and the neglecting it
May do much danger!

Ignorance is the curse of God;
knowledge is the wing wherewith we fly to heaven.
No legacy is so rich as honesty.

For all this same, I’ll hide me hereabout.
His looks I fear, and his intents I doubt.
And exempt from public haunt,
finds tongues in trees.
You are thought here to the most senseless and fit man for the job.
Alas poor Yorrick
a fellow of infinite jest, of most excellent fancy.
Conscience doth make cowards of us all.

And enterprises of great pitch and moment
With this regard their currents turn awry,
And lose the name of action.
What’s more to do,
Which would be planted newly with the time,
How poor are they that have not patience!
Yet, do thy worst, old Time: despite thy wrong.

Don't trust the person who has broken faith once?
The quality of mercy is not strain'd
I have spoke thus much
To mitigate the justice of thy plea
If we should fail -
We fail!
But screw your courage to the sticking-place,
And we'll not fail.
All’s well if all ends well.
Love all, trust a few, do wrong to none.

Now this overdone or come tardy off,
though it make the unskillful laugh,
cannot but make the judicious grieve,
the censure of the which one must in your allowance
o'erweigh a whole theatre of others.

What’s done can’t be undone.
Forget, forgive, conclude, and be agreed: Our doctors say this is no time to bleed.

*****
Words taken in tribute,  from the works of Shakespeare (26 April 1564 - 23 April 1616). 
All his words, not necessarily in the right order.
Celebrated on the date of his 450th birthday, on 23rd April Metro considered, what if Shakespeare had Twitter?

Care.data - Getting the ducks in a row

Good Friday has different meanings and traditions across the cultures. For some the most sombre day of their church calendar. For others, another Bank Holiday and start of the long weekend in spring. For Mr.Cameron this year, getting stung by a jelly fish abroad.

For me, visiting family in a small nordic village, it's the day of the annual duck race fundraiser.

2,000 numbered plastic ducks are thrown into fast moving water high upstream, and the public waits and watches anxiously as the toys approach the central village bridge and race beyond. The first to hit the finish line net at the weir after an arduous course, is the winner.

There are lots of obstacles along the route and some ducks get stuck. Children are allowed to pick up those off-track in side eddies and hurl them back into the main channel. As a parent, you inevitably lose your child at some point in the crowd, fret they may have joined the ducks for a swim, and the whole race always takes longer than we expect.

So, it feels, as a citizen and patient, is the current progress of care.data.

There was a misjudged start. There's lots of obstacles still to overcome. It looks like the finish line is getting clearer. And some believe it might take longer than first thought.

Whilst on holiday I've taken time to read over the recent letter, to colleagues, from Tim Kelsey & NHS England. It's addressed to colleagues, which I'm not, so perhaps it feels a little like looking over someone's shoulder on the train, but hey, It's the only update we've got.

Looks like some positive acknowledgements and steps are in progress:

• We will work with stakeholders to produce support materials, such as an optional template letter for patients and ways of making opting-out more straightforward
• We need to do more to ensure that patients and the public have a clear understanding of the care.data programme
• This work is continuing and we will update you on these changes separately 
  
• We want to hear your views and suggestions so we can take action to improve and build confidence in the care.data programme. We will also be engaging with patient groups, GPs and other stakeholders through local and regional engagement events

Notably, it's the first time NHS England has said opt out. In the past it has only ever been an objection. As a linguist, language is important to me. And the two are not synonymous no matter how often I may be told by NHS England that they are to be used interchangeably.

It's the first time there really feels like more give, and less we'll take without asking you first.

And it's the first mention towards offering local and regional engagement.

There are some new hints which need explanation, such as a change towards who may use the data - described always as for secondary uses, clinicians and patients using it is new:

"Care.data is an initiative to ensure more joined-up data is made available to clinicians, commissioners, researchers, charities and patients."

And there are some ideas which are making progress, but seem a little stuck.

"In addition, steps have already been taken in making changes to the law"...

Whilst changes have been put into the Care Bill, other rather sensible ones, such as legal penalties for data misuse were rejected. And the purposes are still so loose as to be possible to give data for a wide range of 'health purposed' clients. That was the day in which it appeared fewer than 50 MPs were in the chamber to hear the Care Bill debate in which nearly 500 came in to vote. (How they can reasonably and effectively vote on something in which they did not hear the debate, I don't understand.) These are legal changes I believe which need hurled back to Parliament to get them on track again.

Experts much wiser than me, have made a proposal of comprehensive amendments, and seem, from my lay understanding, both really positive and practical.

The "optional template letter for patients" may be something GP practices could consider using to contact individuals where they know that leaflets were not delivered. Even Dame Fiona Caldicott did not receive hers. (BBC PM listen from 33:30)

If centrally, it is known where they did not reach patients, it would be helpful for GP practices to then be able to evaluate if there is an additional need to contact their patients. For example, in my area, no one I have spoken to received a leaflet.

Perhaps that might seem trivial now, and in the past, but for trusting the scheme I believe it is really important to know why that was. Because since no opt out was originally planned I want to know that the intention was truly to tell us all. Did they print enough? Distribute enough? Follow up at all? I've asked to find out.  After all, it was our state money that paid for it. A previous Freedom of Information request, on the status of its distribution with Royal Mail, from Phil Booth of MedConfidential appears to contradict ministerial mutterings that said an exception was invoked. I know that for myself, I had not opted out of junk mail, yet I still didn't get one. I knew to look out for it and inspected my pizza flyers and dog walking leaflets in every post in January. No leaflet and all of my friends were the same.

If the experts such as Dame Fiona, the GPES advisory group which in September had:

"major concerns about the process for making most patients aware of the contents of the leaflets before data extraction for care.data commenced" 

and ICO felt the leaflet went out with the wrong content and was rushed then I want to know why, so that the same people are not making the same decisions, and will cost us time and trust again. Why it went ahead against every expert's better advice is important to understand. "Regrettable that you are not now able to take any of our comments into account" was ICOs comment and the sentiment seems echoed by Dame Fiona on today's radio broadcast.

Even a lay person like me, could see it was a disaster about to happen.

My suggestion, was that role-based patient communication would be much more understandable. Take some stereotypical sample citizens, map their 'day-in-the-life' using HSCIC data systems, show how these interactions send data to HSCIC and map them to show what data is extracted and where it goes, is stored and may be viewed and distributed by whom. There are an awful lot of individual scenarios so no model may match any real patient experience, but looking at it backwards, take all the HSCIC systems and extract a situation which would send the data up. A&E, School nurse, Electronic Prescription Service, Choose&Book, GP screening. Mental health call centre. It would be possible.

People should know what data, is extracted when, why and who will use it. Visuals are better than words. The leaflet failed in the case of care.data, but would an individual letter have achieved more, in just a few sentences?

More has been achieved to raise our awareness of the Health and Social Care Information Centre and Government uses of our health data, through all the hoo-ha in the press, and the re-tweet by David Nicholson of the care.data downfall parody, than by the original leaflet. Perhaps the leaflet's measure of success was not intended to be a 100% reach at all. I hope we'll understand more soon.

(** for updated thought 19th April see note below.) Should we presume an 'optional template' means that no paid letter will be provided from NHS England to all? GP practices may decide to use the 'optional' template to send out letters now. Professor Mathers had called for one. But I wonder if GPs themselves will be expected to bear the cost, of an imposed central initiative for which there is no choice to participate and yet the GPs are legally liable Data Controllers for complaints? If no funding is offered, and GP practices decide not to send letters out, it would seem a risk trade off. The risk of a patient complaining or indeed legal action, if they did not know their data was going to be extracted and and potential risk for harm ensued. Yet fair processing should be a Data Protection Act requirement. But is it for care.data?

This week also saw the list of number of patients published by GP practice. Helpfully with postcode. So if my practice were to want to post a letter to every patient in my area, at 53p second class, it would cost around four thousand pounds. I don't know if they get any bulk discounts and one per household might reduce numbers. But that's a lot of money - but perhaps (**) it may be covered centrally after all, though the letter does not indicate that? (I now also know how few over 90 yr old men are registered, if interested).

It seems like there is much positive going on in the undercurrents of the care.data developments, which the general public cannot see, such as the care.data advisory group work-in-progress.

There would seem much which needs work in a very short space of time for relaunch in autumn. But if Dame Fiona Caldicott, Chair of the panel set up to advise NHS and Ministers on the use and governance of patient information, said she thinks we need longer, then I am sure she is right. To take as long as is needed to get it right would seem sensible. To rush and fail a second time, would be irretrievable. Surely, her advice would not be ignored again?

The HSCIC this week also released the Framework Agreement between the Department of Health and HSCIC. 

It will be interesting to see if this affects and changes the HSCIC roadmap. In my opinion, it should. The care.data addendum to widen commercial uses was pushed back but is still to resurface. There is still no clarity around commercial re-use licenses. These commercial drivers should come out if Mr.Hunt's rock solid assurance is to be believed which, "puts beyond any doubt that the HSCIC cannot release identifiable, or potentially identifiable, patient data for commercial insurance or other purely commercial purposes."

At the moment I would hope the HSCIC roadmap would change in its commercial focus:

"especially in relation to the potential sale of data". 

"Help stimulate the market through dynamic relationships with commercial organisations, especially those who expect to use its data and outputs to design new information-based services."

It remains to see if it does.

That framework is a good read with a hot coffee (and a short snaps if you are where I am). What's missing for me, is any reassurance at all that the HSCIC will remain public. There is a large chapter on what process would need to be followed if it were to change structure or be merged. And therefore does not rule out a private owner of the single central repository for our health, social care, research and recipient of integrated ONS data in future.

"Any change to its core functions or duties, including mergers, significant restructuring or abolition would therefore require further primary legislation. If this were to happen, the Department would then be responsible for putting in place arrangements to ensure a smooth and orderly transition, with the protection of patients being paramount."

It would appear to me, that a future intent to privatise the ownership of care.data and more could remain open. Certain aspects of the day-to-day functions were potentially to be outsourced in a past ISCG roadmap. I would hope the core will remain firmly State owned.

Bizarrely, duck races are not treated equally across the globe. Wisconsin recently repealed their ban. It seems almost as bizarre, as the idea of selling our taxpayer financial and VAT data. Or our school pupils personal details. I wish I could say, one of these stories were not true.

What the duck is going on with Government's attitude to our personal data?  The Cabinet Office seems to be failing to give out legally required Freedom of Information responses, and yet happily selling the knowledge of our health, wealth and our children?

"These regulations also allow the department to disclose individual pupil information, subject to the Data Protection Act 1998, to named bodies and persons who, for the purpose of promoting the education or well-being of children in England are conducting research or analysis; producing statistics; or providing information, advice or guidance. The department may decide to share pupil and children’s information with third parties on a case by case basis where it is satisfied that to do so would be in accordance with the law and the Data Protection Act, and where it considers that such disclosure would promote the education or well-being of children."

So if McDonalds wants to run a healthy eating campaign, would they qualify?

Open Data does not equate (must read) with being open with all of our data. Tables and summaries at aggregated level of statistics are nothing to do with individual level data. Before any Government body considers if they should enable private and other organisations to use data more freely and effectively, and their stance on charging and profit from use of data, they should think twice.

Remember the daft Deregulation Bill 162? It revokes the need to sell pre-packed knitting yarn by net weight and other nonsense. Perhaps it is the 'Exercise of regulatory functions' which is the root cause of much of these  issues on the monetisation of our data:

Clause 63 provides a power for a Minister of the Crown to issue guidance on: how regulatory functions can be exercised so as to promote economic growth;

Sections 60-67 of the Deregulation Act currently passing through Parliament allow the removal of any regulation that conflicts with the interests of a profit-maker. If your body manages data, there's really only going to be one way to meet the obligations of Bill 162. Sell it.

Someone needs to tell all the departments, if you have any chance at all of getting care.data through to the finish line, stop giving away or selling any of our personal data which we trusted you with for an entirely different original purpose.

Whilst there are many people working on many manoeuvres to get all the ducks ready to relaunch for care.data, the Government has to pay attention to the whole race. If we lose faith in the Government to make wise decisions on what will be done with all data we share for a given purpose and find later it is given to others without our knowledge, we won't trust it with our health data. If the data warehouse may one day be sold off, then all the gameplanning and rules in between will appear to have been pointless.

This is not a race to the finish with the least bad option. Care.data needs to be exemplary if it is to have any chance of reaching the podium as the world leader in patient data-sharing management. It's got one second chance to get a relaunch.

Without public trust it will flounder. Without GPs to patient communications thoroughly thought out it and funded, it is destined for a rough ride. Without further legislative changes, it's not going far enough to be convincing of real commitment to change.  Without these three, it will not reach the finish line.

The best summary of why we need still much work and how to respect so many of these under good governance, came out this week, from the Chair of CAG. "However, we cannot expect to have all of the answers in six months time. The commitment must be an ongoing one to continue to consult with people, to continue to work to optimally protect both privacy and the public interest in the uses of health data."

So between Dr. Taylor and Dame Caldicott the wise seem to indicate more than 6 months is needed.

There are encouraging signs, but many issues don't seem to be addressed yet at all, from the recent NHS England letter nor Framework Agreement. Above all, in common with the tax data sharing, pseudonymous is not equal to anonymous. It's not only what HSCIC currently determines as identifiable, which we need vital improved governance to protect.

In any upcoming public communications, I pray don't patronise the public saying that 'name and address will not be extracted' as the last FAQs and poster did. Explain instead what the Personal Demographics Service stores already, educate us how the PDS and linkage works and why. Details like this must not get lost in any rushed relaunch.

And other departments' decisions must not put it in jeopardy.

Whilst care.data is getting its ducks in a row, the wider Government approach to data management seems to have gone, I can't help but say, absolutely quackers.

-------

** 19th April Update: Reliable comment says if GPs get patient letters made available they only have to address them to send to their patient list. Will this happen in this case? Good news for informed communications? Let's hope so. 

No Security Blanket - why consent packages fail our children - care.data and more

From Al.com via Scott Stantis 2007

As a mother, I want to know that my children's personal data, when it is collected by any organisation, will be kept safe and used in ways I would expect. I see it as my responsibility safeguarding my children today, to also think of their future. 

But it feels as though the world around us in England has gone mad on giving their personal data away and with it, their future autonomy.

Here's five recent case studies and why they fail our young people.

The Department of Education’s National Pupil Database & Personal Demographics Service

What About Youth is using contact details directly from the Personal Demographic Service (PDS) data stored at HSCIC and the schools' database, the Department of Education’s National Pupil Database, and giving them to IPSOS Mori, the poll research organisation to carry out the What About Youth? study on behalf of the Health and Social Care Information Centre, funded by the Department of Health. To contact our 14-16yr olds directly.

"Your contact details were taken from NHS Registration data, held by the Health and Social Care Information Centre and the Department of Education’s National Pupil Database, which contains details of every pupil in England. The NHS Registration data has been used as it is a reliable source of details such as name, address, date of birth and NHS Number. It does not include any medical data so we don’t know anything about any illnesses or conditions you have had or received treatment for.

We have received approval to use your contact details only for this study. We won't be using them for any other purpose, nor will we share them with anyone else. "

I don't know that any parent would find that an expected use of their personal contact details to be contacted by the third party directly.

How is the questionnaire coded I wonder, whilst "the answers will not have the child's name and address on, so no-one who sees them will know whose they are," the "aim of the study is to make it easier for doctors, nurses and local authorities to help young people." So it would appear Local Authority is going to be coded at least. And your individual postcode. And child's age and gender and ethnicity and more.

If the child (14-16yr olds) agrees to being re-contacted, I would want to know as a parent exactly how, when and for what. But parents are encouraged not to influence the child completing the form, so we may never know. The survey asks about all sorts of insecurities, not all of which I believe every 14 year old will have yet considered. Is it right that the State should intrude with these topics into my child's private time and thoughts? The content deserves scrutiny from parents before the children are involved. At least, not done in school, we get a letter and know about it at home.

But how can the project ethically ask my child to give their consent to share intimate details not only about themselves but about our whole household and potentially agree to future contact, whilst expressly asking me not to be involved in the decision?

I wonder how pupils will feel whose parents suggest they would prefer their child does not complete it?

Surely if the Department of Education’s National Pupil Database is obligatory it should not assume OK to give out personal contact details to anyone? Some families choose to be ex-directory. Does the cross-purposes use of the Personal Demographics Service make that now impossible?

Should our children and parents, who trust that their personal details are used for registering for the basic rights of health and education, not be allowed to trust those contact details are held in confidence, rather than shared with third parties?

What is the government thinking about, as it manages our young people's data privacy?

The National Citizen Service and Health Data stored at the Health and Information Centre

While I was looking more closely at the DAAG (HSCIC) minutes this week as related to care.data, I looked at the approval for consent advice and request for future data linkage with the National Citizen Service (NCS) project, open to all 16 and 17-year-olds in England. The request checked that the consent was appropriate for future sharing of Mental health and Hospital Records with the Cabinet Office.

While I was at it, I took a look a close look at the NCS sign up process. At the bottom of the online register in small print was the required check box to proceed:

I agree to my personal data being stored, shared and used by the NCS Trust and other organisations to inform me of NCS and graduate opportunities and to support the delivery of NCS and its graduate programme. I agree to the NCS Terms & Conditions and Privacy Policy.

Then you need to click down twice, to the T&C and Privacy Policy. 
From the Terms&Conditions we need to take another step:

Information about you : We will never pass any details you provide to us on to anyone other than those specified in our privacy policy. 

You also need to go to the separate Privacy Policy. which turns out stating there is virtually nothing private about managing your personal data after you enquire at all - but is in fact a  'Data Sharing Policy':

 "By submitting the Expression of Interest form you agree to your personal data being stored, shared and used by the NCS Trust (the data controller) and the following organisations: NCS contractors and their sub-contractors, government bodies, strategic partners of NCS, fraud detection organisations, organisations supporting the delivery of NCS or other organisations (including any organisation running or supporting all or part of NCS in the future)."

You must agree or cannot proceed with the application.

Where does the consent to link to a child's medical Mental Health and Hospital records get asked I wonder? Does it get expressly asked later in the project or on paper because it does not get asked online in the Young Person nor the Adult/Guardian's sign up. Is this the consent process the DAAG approved? Is it just meant to be included in the blanket "government bodies"? Perhaps the wording is still to be amended?

Sign the child (and your own 'Guardian' details) up for NCS and there is no choice but to accept that data sharing agreement. You must accept it to sign up for the programme but there is an open ended who, when and for what in the blanket consent ..."supporting all or part of NCS in the future." The NCS sign-up and consent doesn't explicitly mention sharing data with named sub-contractors anywhere either.

The charities involved may do great work. But why Serco? Is this the organisation that we would wish to be managing our young people's personal data? Think I agree with Navca on this one. By signing away rights ..."in the future," we have no idea WHO will own the data  later.

Should our children who need this NCS programme most, not be allowed to particpate unless their personal and potentially medical details go to all these unknown future places?

UCAS and student applications - further education

When I read recently in the Guardian about Ucas selling student records of our under 18s applying to university I was equally surprised.

At a time when teen deaths from alcohol consumption often mixed with energy drinks appear regularly in the news, it is highly irresponsible to me as a parent, to know that a commercial company promoted new energy drinks by sending cans to 17,500 selected students in order to create a "social media buzz". I know from my own experience, university is often the place we are first exposed to a regular bar life. And so does business.

This goes far beyond the scope of what our teens signing up should expect their data to be used for. Who will decide what products and what uses of data will be acceptable in future?

I am fed up of these blanket consent approaches which deny a service unless we also sign away the knowledge of our personal habits and preferences for others to commercially exploit.

This mixing of purposes in which data privacy is to one’s disadvantage, is an abuse of trust. And it is the importance of trust and exploiting mixed purposes, which for me, has been so starkly highlighted in the management of our medical records.

Dental Service - the NHS Business Service Authority


When I signed the form to pay for my recent dental treatment I read the small print. The Dental Admin Assistant shared my surprise to find that the data processing takes place outside the UK, and requires data sharing with processors in 'India or Sri Lanka." WHO WILL USE IT WHERE and FOR WHAT PURPOSES? I am required to sign the form to agree to pay for my treatment. It gives permission to share with Dept of Work and Pensions, HM Revenue and Customs, local authorities and CCGS (then PCTs). But why should the one signature to bind them all, mean sending my personal confidential data abroad, outwith EU data laws even?  

Is there fair processing on this form, does it indicate properly for what purposes the wide ranging bodies will be given access? Surely they don't all need it for "fraud prevention and to ensure correctness" about my dental check up? 

If the government bodies are all working together and can share data at will under these blanket assumptions, without our explicit consent or knowledge, then a great number of people will be rightly concerned. I am concerned by powers this Memorandum gives NHS Protect and the Border Agency from 2011 and I am a legitimate resident. " To provide a centre of excellence for NHS anti-crime work by applying a strategic, coordinated and intelligence led approach."  I only went for a scale-and-polish!

This default to wide sharing seems to be increasingly seen as the norm. Surely it should be assumed that the minimum data should be shared with the minimum necessary recipients? Current policies seem to have confused a drive for Open Data with giving away our privacy.

How could it be done differently? If I sign a form to pay for my dental treatment, surely it should be only that. If you want other permissions, ask in other check boxes. I believe our NHS should be managing our NHS data within our borders, but that is a separate debate.

This blanket consent approach excludes the service unless you are happy to give open ended access to your personal data to Government and its contractors.

Should I not be allowed to have NHS dental treatment, for which I pay on completion, unless my personal details go to all these other places?

Let's consider an alternative. Enable the ability to say yes to paying for my treatment, without sharing fully identifiable data with other government bodies or sending it abroad.

It is one thing to share truly anonymised data. And quite another to extract identifiable personal details for at minimum ten years or longer. Time limit the consent.

If the 14-16yr old on the What About Youth questionnaire agrees to 'future contact' they presumably are agreeing to  having identifiable data and contact data kept with their answers, to enable that future contact.

If children agree to the NCS blanket sign up, they are signed up for an unspecified time. These sign ups remove our children's autonomy later in life, and they can never get it back.

Right now, I wouldn't let my children's personal data anywhere near any of these systems if I wanted to retain any future control of it at all. But do I have a choice? My children are in school, and that will mean in the Department of Education’s National Pupil Database. And they will have NHS records. I see some subject access requests ahead.

Given past historical purposes of the ONSET project at the Home Office, Contact Point and DWP I would want to keep my kids' data free from all of these.

Some may ask, why does it matter?

Because this joining up of services is interweaving systems whose aim is on the one hand compassion and care, with those on the other which are punitive and controlling. Their aims are not aligned. And inevitably it is the systems which shout loudest, under any government of the day, whose opinion tips the balance of purpose and decision making. And recent claims of micro managing in Health show, top down control usually wins.

Because I believe the earlier we label our children the harder it is for them to become anything more.  Inevitably labels shape expectations. Not only for the individual but those who interact with them. It is only the very best educators and social care staff or police or medics who manage to put those aside and see the individual in each episode of contact. The future intent for care.data is integration of data sharing between medical contact, social care and education, under local authorities, health and wellbeing boards and more. How far would the impact of one wrong label spread in a child's lifetime, in different places?

Because our children should enter adulthood with as few restrictions placed upon their development and self-determination as possible. Even, I would argue, those children who need the contact with all those organisations. I could argue, all the more so, precisely because they have those extra needs and contact. They may need excellent care and transition between youth and adult services. They need it facilitated first and foremost by qualified individuals who are trusted to do the job they trained for and have a vocational passion to complete. Yes the staff need data, but proportionate to the individual need, for the time period it is needed. We need to protect the extra vulnerable in many extra ways.

And we also need to protect the fundamentals in the Universal Declaration of human rights for all. Everyone in the community should find the free and full development of his personality is possible. Everyone has the right to work, to free choice of employment. In effect, these basic human rights seek to prevent discrimination and interference.

Our young people don't care about the risks of personal data sharing?

Our young people are more savvy than we give them credit for. In a world of shared selfies and social media, it can be wrongly assumed that they are careless with their own privacy. This  Electronic Patient Records work run by the Academy of Engineering in 2010, with support from the Wellcome Trust, came out with a report and seven key questions p.39 which are very pertinent today. The young people identified themselves the risks of prejudice and discrimination. The concerns they raise are no different from concerned adults. Our young people are switched on to the risks of personal data sharing.

When it comes to our children's data, organisations should be going the extra mile to be transparent. I believe they should carefully consider how the public will perceive anything that looks hidden. Consents should be all up front on the top layer of sign up forms. One consent per sentence. If you want to contact my children, ask me first. And if you offer a public service, would you consider first not piggy-backing a commitment to sharing with other bodies or commercial companies on to the consent package?

Why these blanket consents fail our children

These blanket consents are ubiquitous in modern data sharing, from the obvious supermarket sign ups, to which even David Cameron does not consent, to the totally surprising in education and health. Yet he happily signed us up under a blanket assumed opt in to be 'willing research patients.' This mixing of purposes under one blanket consent, in which looking after your data privacy is to one’s disadvantage, or criticised as selfish, is an abuse of trust. And an abuse of our children's future freedoms. They fail to give proper governance of who will own the data once shared. They fail to give proper information of what it may be used for. And they fail to clearly limit the time period for which the consent is given, and after which data will be destroyed.

Not only trust, but the needs of genuine purposes in the public interest are undermined by mixing all these purposes into one consent. Worse still, assuming yes for all these conflated uses unless you opt out. If there had been singular purpose, care.data would have been easier to understand and less likely to have failed to win our support.

I for one, am fed up with blanket consent. We can do it differently. We can do better for our children.

care.data - Transparency and Remit vs Truth and Responsibility

A year ago Big Brother Watch wrote that an opt out right had been won from the original plan to extract all our GP records without any choice. Caught trying to avoid the DPA and Fair processing, ICO recommended the need for a public awareness campaign.

At that time, I was a merry mother unaware of the machinations of our civil society. Then the powers-at-be closed my local mini blood mobile (I had just started as a donor) and decided to sell off our plasma supply, which was considered a rather poor idea so I read all the Annual Reports and asked questions about it. And I started to pay rather more close attention to what was going on in health. Now I listen to Radio 4 not 2, I buy papers (actual, printed versions) and would you believe, watch Parliamentary TV. And if you want more scandal which actually matters more than your average soap, you should too.

On the 8th April the Health Select Committee (at least part of it) interviewed Sir Kingsley Manning and Max Jones from the Health and Social Care Information Centre. The hope for us, as citizens and patients whose data this current debate is about, is that we will gain insight and understanding into how our medical records have been used in the past and are being so now. This will enable us to trust in the intent of how HSCIC will handle our patient data in the future, whether under the care.data or any other label.

If HSCIC and Government wants to achieve this, they seem to be going a backwards way about it.

Stop talking transparency and remit, and start talking truth and responsibility.

The question was asked how decisions are made within HSCIC by their Data Access Advisory Group about our patient data management. Specifically, it discussed the subject of an application from last summer by the Cabinet Office OC/HES/030 - Project National Citizen Service Data Linkage Project. It was included only 6 months later in the January 2014 minutes.

The very application title, reveals its intent, to link the mental health and hospital records of our young people who take part in the National Citizen Service together with their NCS project gathered data.

Caught with this concrete 'Out of Committee' governance approach, the HSCIC staff were both adamant in response to the MP's question in insisting that no data was shared. 

"Q230 Barbara Keeley: What was requested was linkage of data, wasn’t it? It was linkage to medical data.

Kingsley Manning: No, he was asked by the Cabinet Office to give professional advice on the consent model they were considering. He gave that advice, which was a perfectly sensible thing for him to do. That was the end of the matter."

Well, I'm sorry but I've read the document, And the DAAG minutes say clearly "The intention was to link to HES/MHMDS in the future." I paste it below.

So, that was not the end of the matter, but is in fact the beginning. The intent is for future data sharing. Our young people at the start of their adult lives, by the very fact of taking the initiative and enquiring to take part in the Activities / Community Project-based work of the NCS, will find their intimate health records linked with the project data, with an unspecified end date.This is a real and active request which was approved, not some past mistake to dismiss. It was and still is approved, "for future data sharing."

Whilst I may believe HSCIC that no data was shared last summer,  and I might believe you were trying to be factual in answering the question, I do not believe that even you could think that consent advice was the sole intent of the DAAG approval, had you read the minutes of your own DAAG meeting. And clearly you had or would not have been so adamant in the answers.

The Guardian article Mrs. Keeley MP mentions, also had their own opinion of the relationships between the parties involved.

Bizarrely almost, we are repeatedly told as reassurance that any organisation with access to pseudonymous health data, which tries to re-identify the individuals whose data it was, would be doing so illegally. Yet the Cabinet Office wants to take medical records and match it to known individuals on their youth programme and keep and share those enriched records without it seems, any qualms at all?

Our trust needs to be based on absolute truth, not manufactured transparency. Truth is bigger and complete with background intent. Not just scraping out the minimum facts in carefully worded language to be legally compliant.

To increase our public trust, we have been told we will know who has had our data in the past, when and for what purposes. In Parliament on March 25th Dan Poulter Health Minister said,  "a report detailing all data released by the HSCIC from April 2013, (including the legal basis under which data was released and the purpose to which the data are being put), will be published by HSCIC on April 2."

It didn't happen. HSCIC made available only some. Those made under some sort of data agreement. What of those with direct access to HES at their site, or the police, others have asked?

The Commissioning Board NHS England, tells us repeatedly that they contacted every household in England by leaflet to tell us about care.data and our 'choice' to object.

It didn't happen. Many did not get a leaflet, not just those who opted out of junk mail. Tim Kelsey said he was looking into it. With urgency. Two months later, not a cheep!

So far, we have no report or indication there will be any. Why there were not enough or not delivered leaflets? What they are doing to fix that? It cost the equivalent of at least 50 nurses' annual salary and the best publicly avaialble information we have from the Information Commissioner's Office, is that it should never have gone ahead at all. 

So who is taking responsibility for that? Over £1M of public money junked through some letter boxes for the dog to eat. Which no one could understand because it was deliberately obtuse.

And so we come to our future Data Controllers HSCIC. Who seem to have no control at all.

Based on their own admission they have no idea where our medical records are being used, by whom today, and yet we are expected to trust them to use care.data wisely in future?

Barbara Keeley: So have you got the information because I have asked for it twice, but not been given it? For all those 249 organisations with a commercial reuse licence, can we know who all the end users of our data are?

Kingsley Manning: No, because they are using it and putting it into additional services. So, for example, a company such as McKinsey or KPMG would have used it to support Monitor or the NHS TDA in advising on the transformation of health care services.

The Chair of the Heath and Social Care Information Centre has no idea know who has our medical and personal confidential data or what they are using it for.

You get the feeling now, that they are only looking into all of this because they got caught having had no audits in the past of data recipients. Sir Nick Patridge is now leading a review due in a couple of weeks. I sincerely and respectfully hope that his review is more transparent than the last.

Who has taken responsibility for where we have got to in the last year?

Government? Mr. Poulter, Hunt or Cameron, whose plan is this anyway? There has been nothing but dismissive comment which fails to address serious issues and party political point scoring, or no comment at all but how "fantastic for humanity" it will be. Yet care.data is meant 'only for commissioning.' See why we're confused Mr. Hunt and Poulter when you both claim care.data has entirely different purposes? Where is the truth we can trust?

NHS England? Mr. Kelsey now seems to be hiding behind a tree. Or perhaps playing jazz as he tweeted the night before the Public Health Select Committee the last time. Whilst I appreciate it was at a health conference, Nero and Rome sprang to mind. I've asked nicely and been ignored, what happened and who is fixing it? Will there be some sort of public progress announcement from NHS England, perhaps from Ciarán Devane, who is on NHS England Board and now chairing the Care.data Advisory Committee trying to latch the stable door? There's just been stunning silence since the pause announcement.

HSCIC? Clearly nothing to expect from them. Because Kingsley Manning and Max Jones seemed to believe everything was in their remit, legal, and not their fault if the directions from government and NHS England allowed sharing data with all comers. And their Get-Out-of-Jail-Free-Card, they shared concern with the Department of Health about the publicity campaign. (Admittedly, 3 months after the GPES advisory group and others had done so).

Amazingly, Kingsley Manning seemed to thrust the opt out rate from HES into the arena as some sort of achievement. "in terms of the number of people who have acted to opt out, it is 14 over the past four years."

Which only confirms how few of us knew HSCIC stored it and could link Secondary Uses data with Personal Demographic data on demand. (Compared with how many are opting out now we know, of care.data).

And whilst until this whole debacle I and most of the public did not know our hospital records were shared with any other organisations, beyond the NHS and legitimate public research, we now find the gradually closing net around our health data uses, means understanding it has gone to all sorts of commercial organisations. And clearly HSCIC has been caught doing something which now feels wrong even if legal, the HSCIC defended not the action, but their legitimacy for doing so:

Kingsley Manning: We operate according to the Act as it has been passed. We make decisions on the basis of the current regulations. It is not our job to make a judgment on whether we agree or disagree with the nature of a commercial organisation. That is not a criterion on which we act.

Q270 Barbara Keeley: So you are prepared to release even sensitive data out to organisations that just want to do a price comparison website on different pay procedures between different hospital consultants. That was what you did.

Kingsley Manning: I am terribly sorry, but we are bound by the law and the regulations. Under the current regulations that is perfectly legal and legitimate. Indeed, it is arguable that it is a benefit to the health and social care system as a totality. That is an argument that you, Parliament and the public will have to consider.

As part of the public, I have considered it. Too often in the last 8 months. Even whilst making yellow pea soup today, I was thinking how wrong it is for the government to sell our confidential data without having asked us if they could have it in the first place. To take something without asking, we teach our children, is wrong.

Not one person responsible for their part in the execution of the care.data rollout has yet said they are sorry as an apology. I am terribly sorry here, was interchangeable with 'well, pardon me.' 

But a true apology for such an almighty mess (Ben Goldacre said so on twitter in better words on February 22nd, but I try and keep readable above a PG rating), would at least be an admission that there is room for improvement. Improvement we can hope to build trust upon. Right now, we have vital Public Health research which it appears, is now on hold and costing money, because it is lumped in with all these commercial uses.

People are opting out of clinical research. And withholding information from their GPs.

Between the three of your organisations, Government, NHS England and HSCIC, if you want us to trust your intentions for the handling of our NHS patient data in future, try harder. Try to seem truthful and seem like you care. And mean it.

Because right now, it only looks like you're sorry you got caught. You're playing pass-the-parcel with responsibility. And using our public money to do so.

Kingsley Manning said previously, we should have "intelligent grown up debate" around care.data. Please, lead the way. For right now, it feels like kids squabbling in the back of the car, hoping we'll just muddle though to get to October and they can ask, "are we there yet?"

As anyone with kids will know, that doesn't make for happy parents.

********* For reference, the Health Select Committee extract about the Cabinet Office OC/HES/030 - Project National Citizen Service Data Linkage Project *********

Barbara Keeley: There was a lot of saying, “It’s nothing to do with us, guv; this all happened in the past.” You answered the question in that way when this person was a very senior manager, to the extent that he accompanied the Secretary of State on a trip to the United States to sign a data-sharing memorandum of understanding, and, to me, it is astonishing that you should say that the person who had been the chair of the DAAG did not have that responsibility and that you are still wriggling to try to get out of that now. I am not happy with that answer, Chair; I just do not think that is acceptable. 

Kingsley Manning: I am sorry. We are trying to be as transparent as possible.

Barbara Keeley: I don’t think so. I really don’t think so.

Kingsley Manning: May I just talk you through the history of this so that you can get a sense of it? [see full text for history] At that point, we knew that Dr Davies was redundant. He had been made redundant on the abolition of the information centre, and we put in place a plan to deal with that. He was in post. We were not in a position—

Q222 Barbara Keeley: Sorry—you had a plan to make him redundant last year?

Kingsley Manning: No, no. He was made redundant by virtue of the abolition of the NHS IC. It was not our decision.

Q223 Barbara Keeley: So you kept him on for eight or nine months?

Kingsley Manning: We kept him on because we needed to have cover on clinical governance and on clinical advice.

Q224 Barbara Keeley: In fact, he was a very senior manager, and he did accompany the Secretary of State on the visit when they shared the memorandum of understanding. And—

Kingsley Manning: He did. I was there also.

Q225 Barbara Keeley: Let me say a bit more. This is the person that you were making redundant, but you let him chair the DAAG, and he made a number of controversial decisions, including the decision out of committee to release the sensitive medical records of individual teenagers—

Kingsley Manning: I am sorry; that is not true, I am afraid.

Q226 Barbara Keeley: It was reported to be true—

Kingsley Manning: I think you are referring to the fact that he was asked to give advice by the Cabinet Office. He had actually worked for the Cabinet Office on the matter. He gave advice on the consent model that they were going to use. We never released any data and we have not been asked for any data by the Cabinet Office on this matter.

Q227 Barbara Keeley: This was reported last summer by The Guardian newspaper that the sensitive medical records of teenagers on the National Citizen Service were released. That was apparently “an out-of-committee decision” by the chair. Dr Mark Davies was allowed to make decisions out of committee as the chair, and that decision was apparently taken last summer.

Max Jones: I can clarify that Mark Davies did provide advice, as is one of DAAG’s functions, on the consent model, which was being considered by the Cabinet Office, but we have not received a request for that data, nor have we provided any data. The discussion that Mark had was referenced and recorded in the January—I think it was January; I’ll check in a minute—DAAG minutes.

Q228 Barbara Keeley: At least six months after the discussions took place.

Max Jones: That may be the case.

Q229 Barbara Keeley: So this is the person that you are going to make redundant—

Max Jones: No data was requested nor shared. Advice was requested on the consent model, which was given.

Q230 Barbara Keeley: What was requested was linkage of data, wasn’t it? It was linkage to medical data.

Kingsley Manning: No, he was asked by the Cabinet Office to give professional advice on the consent model they were considering. He gave that advice, which was a perfectly sensible thing for him to do. That was the end of the matter.

 Max Jones: And that was recorded in the minutes of DAAG held—

Q231 Barbara Keeley: Yes, I have a copy of that in front of me. You talked earlier, and it is quite important, about transparency. To have recorded this six months after it happened and to then be trying to change something—I am not aware that The Guardian was challenged on the fact that data had been released. It seems there is a very hurried after-the-event style of things happening here, and that is not good for transparency. This is being talked about quite a bit. People’s confidence in what you do has been really undermined by this and the fact that there could have been any suggestion of linkage to medical records for those people taking part in the National Citizen Service. For heaven’s sake, there are all kinds of undertakings made to them as they sign up to that service, and quite rightly. They even have an opt-in for their personal data, so to even consider that, and not to have documented what was happening until six months after the event, just makes you look shady.

 Kingsley Manning: I agree, but we did not have a data request. I absolutely agree, by the way, with your essential point, which is the sensitivity of linking these data in any way with receipt of data—benefits and all the rest of it.