Blog

Better information means better care

The Care.Data Programme closed in 2016

Since this blog was published, certain details have now been superseded (for example, the safeguards for pseudonymous data have been strengthened).  Please read the more recent care.data blogs for further details.


Dr Geraint Lewis, NHS England’s Chief Data Officer, explains why patients can be confident in agreeing to allow their health records to be shared:

Over the course of the next four weeks, every household in England will receive a leaflet, ‘Better Information Means Better Care’.

The leaflet explains how the NHS is upgrading its data systems and what people should do if they have any questions or concerns.

If you believed everything you read in the newspapers about this upgrade, you would think the NHS was either about to give away everyone’s confidential data free of charge or flog it to the highest bidder. Needless to say, we are doing no such thing: to do so would be unethical, illegal, and unconstitutional. But what actually is the plan?

Upgrading our Existing Data Systems

As the OECD reported recently, the NHS has some of the best health information systems in world.  Dating back to the 1980s, we have been collating information about every hospital admission, nationwide. By pulling this information together and then analysing it in de-identified formats, analysts can compare the safety of different NHS hospitals, monitor trends in different diseases and treatments, and use the data to plan new health services.

At the moment, we are missing this type of information for much of the care provided outside hospital. We do not collect it nationally from all GP practices, for example, nor from ambulance trusts or community health services. As a result, we know worryingly little about how all the different parts of the NHS are working together to provide safe, joined-up care for patients. As the Chief Inspector of Hospitals put it, the NHS is currently “flying blind” in this regard.

So the purpose of the care.data project, which has secured support from the BMA and the RCGP, is to address these shortcomings. Building on the successes of our existing hospital episode statistics (HES) system, we will bring together all of this missing information in order to obtain a more rounded and more complete picture of the care being delivered by the health service.

Protecting Privacy

As we’ve been doing for decades with hospital data, information from GP practices and other care settings will only be extracted as a series of codes, not as words and sentences. These codes will then be linked with a patient’s hospital codes using an automated system before being made available in three different data formats (see below). Each format is protected by a different suite of privacy safeguards as specified by the Information Commissioner’s code of practice on anonymisation. For simplicity, I refer to these formats as green, amber and red data, although their technical names are “anonymous or aggregated data”, “pseudonymised data”, and “personal confidential data”, respectively.

Green, Amber, and Red data

Green data are where we will publish the average values for large groups of patients or completely anonymous figures. For example, we might compare Ashford versus Bury in terms of the average time between presenting to a GP with bowel symptoms and having an operation for colon cancer. Green data are published free of charge for all to see. So before publishing green data, we take extra care not to publish information about rare conditions or any combinations of characteristics that might identify individuals from the data.

Amber data are where we remove each patient’s identifiers (their date of birth, postcode, and so on) and replace them with a meaningless pseudonym that bears no relationship to their “real world” identity. Amber data are essential for tracking how individuals interact with the different parts of the NHS and social care over time. For example, using amber data we can see how the NHS cares for cohorts of patients who are admitted repeatedly to hospital but who seldom visit their GP. In theory, a determined analyst could attempt to re-identify individuals within amber data by linking them to other data sets. For this reason, we never publish amber data. Instead, amber data are only made available under a legal contract to approved analysts for approved purposes. The contract stipulates how the data must be stored and protected, and how the data must be destroyed afterwards. Any attempt to re-identify an individual is strictly prohibited and there is a range of criminal and civil penalties for any infringements.

Over the years, many of the most innovative uses of amber hospital data have come from outside organisations, including universities, think-tanks and data analytics companies. We think it would be irresponsible not to make the maximum use of amber data for the benefit of patients. In future, we want charities and small academic units to be able to use amber data for the benefit of patients. Likewise, we think it would be wrong to exclude private companies simply on ideological grounds; instead, the test should be how the company wants to use the data to improve NHS care. And, as Polly Toynbee put it, if “it aids economic growth too, that’s to the good.”

Finally, in a few exceptional circumstances the HSCIC will make red data available where legally required to do so, for example in a public health emergency such as an epidemic. In the future, red data may also be made available to an organisation that has obtained the patient’s explicit consent or has been granted legal approval by the Secretary of State for Health or the Health Research Authority following independent advice from the Confidentiality Advisory Group (CAG).

CAG considers each application in great detail against the legal framework and recommends whether approval should be provided together with any conditions. Applicants for red data would need to demonstrate (i) that the research was in the public interest and for the benefit of the health service; and (ii) that it is not possible to use information that does not identify patients; and (iii) it is not possible to ask patients for their permission.

Patients have a choice

We want to make the most of the information that the NHS already collects. By drawing it together from all parts of the health service, not just hospitals, we will better be able to understand the causes of ill health, learn how to treat patients more efficiently, and find out what happens to patients after they leave hospital.

However, we are giving people a choice. If a patient is happy for their information to be used for these purposes then they do not need to do anything: there are no forms to complete and there is nothing to sign. But if they have any concerns, they can talk to their GP or contact the dedicated patient information line on 0300 456 3531

Ultimately, this is an opportunity for all of us to help the NHS deliver high quality care for all by making the most of the information collected about us.

Geraint Lewis

Geraint Lewis is the Chief Data Officer at NHS England and an Honorary Clinical Senior Lecturer at University College London. He trained in medicine at the University of Cambridge and holds a Masters degree in Public Health from the London School of Hygiene and Tropical Medicine. Geraint began his career in acute and emergency medicine, working at hospitals in the UK and Australia over an 11-year period.

After completing his higher specialist training in public health medicine, he was appointed Senior Fellow of the Nuffield Trust (an independent health policy think-tank), then as Senior Director for Clinical Outcomes and Analytics at Walgreens in Chicago, before returning to the UK to take up his current post.

A fellow of both the Royal College of Physicians of London and the UK Faculty of Public Health, Geraint is the lead author of the postgraduate textbook Mastering Public Health and has published over 40 peer-reviewed articles in journals in including Health Affairs, JAMA, Milbank Quarterly and the BMJ. Geraint was a 2007 Harkness Fellow in New York, during which time he received the National Directors’ Award at the U.S. Department of Veterans’ Affairs. In 2008 he was the “overall winner” of the Guardian Newspaper’s public service awards. In 2011, he was awarded the Bradshaw Lectureship of the Royal College of Physicians of London. Previous recipients include Sir Liam Donaldson, Dame Sheila Sherlock, and Sir Magdi Yacoub. More recently, he has served as an external adviser to the World Bank, and he leads the Care Model Design work-stream of NHS England’s New Care Models Programme.

35 comments

  1. David Short says:

    This may be good, but I have doubts. There have been many cover ups, data loss, and of course there is the increasing risk of hackers targeting the NHS website. How can anyone be sure that although this could be of benefit, somewhere down the line the information is used, for how shall we put this, nefarious uses. It has happened before so cannot be ruled out. Until people in power can be trusted completely they should not be given complete power or information. I would like to know how strong the software protection is and how to stop this information being used for anything other than what this was designed for. The NSA in the USA for example put themselves above human rights and the law and have investigated thousands if not millions of private emails, what is to stop them or anyone else of demanding data they are not entitled to?

  2. stephen mckinnon says:

    I have been looking for some time now and NOWHERE is a critical piece of information; WHO (or more accurately what kinds of institutions) might be given access to this information.

    Perhaps naïvely I don’t have concerns about the data being anonymous. What I do have HUGE concerns about is the data being shared with the pharmaceutical industry. But not because they may use the data to create new drugs – it is that industry’s record on NOT SHARING the results of their own testing that concerns me.

    Medical research is LITTERED with hundreds of examples of PHARMA creating drugs and conducting trials, but not publishing most of the data for all sorts of reasons. For that reason I will OPT-OUT of providing my data until the following conditions are satisfied by PHARMA
    1. ALL TRIALS must be registered with an appropriate authority before any research is undertaken
    2. THE MAIN OUTCOME OF ALL TRIALS must be make explicit before commencement of the research
    3. THE RESULTS OF THE TRIAL MUST BE PUBLISHED within at most one year of completion of the trial
    4. A NAMED INDIVIDUAL from within PHARMA must be identified as being responsible for ensuring #1-3 above
    5. ALL REPORTS must be publically available, with confidentiality ensured

  3. Jane. says:

    Hi,

    I contacted my GP Surgery, last week, to ask how to Opt Out of the scheme.

    Surprisingly, was told by Reception Staff that “We know nothing about this leaflet. We don’t know anything about it at all.”

    Now, either I’m being lied to, or not all of the GP Surgeries have been informed about the latest Care Data Scheme details.

    Having read all of the comments, here, I am still no wiser about Opting Out procedures; this, in itself, seems detremental to my wish to do so.

    Why is this?

    Why is a straightforward answer on how to Opt Out not available on this Website?

    That we only have one month to sort this out, is not right either.

    If an able-bodied person is not able to discover how to Opt Out, then what chance have the less-able.

    I think it is a digusting state of affairs – one which should be rectified asap.

    Jane.

  4. Jane says:

    It is now February 16th. We have not yet received the care.data leaflet, nor have several neighbours on our street. I am confident that we have not all mistaken it for advertising literature; even if we had, this represents a failure to inform the public effectively. NHS information on websites and in the media has been partial and confusing [ hands up who knows whether the NHS number is considered ‘identifying’ , or will be released in pseudonymised datasets?]

    [it won’t].

    The opt-out system relies on informed consent I am broadly in favour of NHS data sharing, but the way in which this has been done is shamefully inadequate. I face a dilemma- do I opt out, in protest; or allow my data to be used for what I believe to be fundamentally good and useful purposes?

  5. Holly Boyle says:

    How will you track that the contract you release Amber data under has been adhered to?

    If a patient suspects that Amber data about them has been released, cross referenced with other commercial datasets, and that they have been re-identified and their data used for the purposes of selling (or withholding) products or services, to whom can they complain?

    Who will investigate this complaint, and how will the released data be re-captured, deleted from 3rd/4th/5th/xth party owned datasets, and re-secured as private and confidential data?

    Who will be punished and how, for what types of data breach?

  6. Bob Halloway says:

    Having the whole country’s medical data in one location is just handy for the next step…the privatisation of the NHS.

  7. Melow Meldrew says:

    You state if we have concerns we can use the patient Information line ? As deaf we cannot use that line. And,you do not state if we can REFUSE to allow our patient data to be shared with non-health systems. There are concerns we have data sold to private areas to be bombarded with unwanted communications and adverts. In wales e,g. The donor issue ignored deaf people totally and they were not even asked if they wanted to opt out or not, and the Assembly there has agreed to them all opting IN,without consultation.

    • NHS England says:

      Hi, the dedicated patient information line (0300 456 3531) also has a text phone number you can use. This is 0208 742 8620.
      I hope this helps.

      See the NHS Choices website for more about Care.data info in accessible formats.

      Beth, NHS England

  8. I don'tbelieveaword says:

    We the corporate up for sale mugs have to opt out rather than you running a system of opt in. In a democracy those who believe their argument is overwhelmingly for the greater good would have no fears of using the latter rather than the former. Clearly You and Hunt are not convinced of your own argument to carry the day and have therefore chosen the Stalinist position on democracy for the people you are supposed to serve. Shame on you!
    Therefore, I, nor my medical records are for sale to the corporate vultures you encourage to feed off OUR NHS.
    So with no regrets I’m out!

  9. Ian Peters says:

    A few specific questions:-
    1) Green data: What is the minimum group size for aggregated data. For example, stats for a 20k person town is one thing, whereas for a 5 household postal code is something very different
    2) Red data: Will patients be made aware when their data is shared? How can they find out?
    3) Amber data: Can patients audit/view all contracts under which their data may be shared? There’s a big difference between pseudonymising(?) all people born in 1981 under a single identifier, and having a different identifier for every day/month/year. The devil is in the detail as to how the pseudonymising is performed.
    4) Amber data: What civil and criminal protections are you referring to? Is it primarily the Data Protection Act?
    5) Data Protection Act: According to 7(2) the NHS, as a data controller, only needs to provide me information about what information is shared about me, to whom, following a written request. Should I therefore be sending you a DPA request every week? Or are there better mechanisms by which I may find out that information?
    6) Amber Data: Related to (2) and (5), do you have a list of what purposes you have approved, and what you would/wouldn’t approve in the future? Your statement implies that the ‘approved purposes’ would always be in the patients’ best interest – how may I be sure of that?

    Thanks for your time,

    Ian

  10. noname says:

    Please state your technical qualifications that show you know what you are talking about. I am an IT security professional, in the industry for 20 yrs. This system will be abused, and will not deliver the benefits ascribed without compromising the individual. My advice as a technical expert in this field and as someone who has inside knowledge of the technical architecture is to OPT OUT!!

  11. noname says:

    As a software engineer involved in security and designing databases and high value systems for investment banks, i can assure readers that no attempt has been made to allay my concerns over how the data is stored, or how future changes such as privatization of segments of the NHS will be handled. The so called pseudo-anonymization of data is a joke, reverse engineering this data to personally identify people is easy to do, especially if any accidents or previous claims are known. By whom? well how about the insurers for a start. This program is ill thought out and dangerous, i urge anyone reading this to opt out, the so called benefits to medical science are being greatly exaggerated, further said benefits can be achieved without tying your personal data into a bundle (which identifies you regardless if your name is on it or not). Here is an example how:
    Insurance company A knows you had a claim due to bad back caused by a car accident two years ago and you fell down the stairs last year at work and made a claim the dates and claim value enable the company to identify your ‘anonymized’ records. In a couple of years the NHS has decided to privatize to the point that private medical insurance is desirable/necessary (like it is in the USA and many other countries) in that year you decide to start personal medical insurance and bizarrely to your shock and horror, you find that your premium is 300% higher than your neighbor who has a similar medical history, wow, i’m basically un-insurable what did i do different to my neighbor? oh that’s right, my neighbor was concerned about privacy and opted out in 2014…….

  12. ploryn says:

    As a Software Engineer involved in designing and maintaining databases, I will definitely be opting out of this.

    I have seen no details anywhere on how or where this data will be stored, in what kind of system, nor how access to it will be controlled.

    What are your technical qualifications relating to databases?
    Can you prove that the work of your technicians will follow precisely the bold (and in my opinion, worthless) assurances you’re giving?

  13. J Hughes says:

    WHERE CAN I OPT OUT – I haven’t seen an NHS doctor for about 15 years?

    Given the tawdry record of NHS IT contracts and contractors, all the wasted money, I simply don’t believe ANYTHING the NHS claims.

    Insurance companies L-O-V-E health data – as proved in the USA. Only strong legislation, with severe penalties for executives – will keep data safe. The ONLY thing more valuable than health data is DNA data.

    The words ETHICAL and INSURERS are not commonly associated with each other.

    • NHS England says:

      Hi,

      Only GP records for the previous four months will be extracted initially. If you have not visited an NHS GP in the last four months you do not need to do anything to opt out. However, if you have used other NHS services e.g. hospitals, then you can sill object to that data being shared in identifiable format by the HSCIC. Because you cannot use the established objection mechanism via an NHS GP you will need to contact the HSCIC directly to have your objection recorded. You can contact them at enquiries@hscic.gov.uk

      Xanthe, NHS England

  14. Gillian says:

    I am quite happy to have my data shared within the NHS; I can see the benefits of this. But I do have concerns that private companies will profit from this. I would not want to see my medical information freely given to some multinational company which then uses it to produce a product or service that is then sold back to the NHS for profit.
    Will data collection and storage be ‘offshored’? Can we really trust the security of it?

  15. Steve Halliday says:

    Geraint,

    This is an excellent blog – very clear.

    There is a fine balance between patient confidentiality on the one hand and making well informed decisions and plans on the other. While there are no absolute right answers, an entirely risk averse strategy of no data sharing at all, would be quite wrong, in my view.

    In the interests of long term patient care, I think the crime of NOT sharing data is greater than the crime of sharing data. So long as it is done securely, ethically and constitutionally, as you describe.

    Perhaps you might say a little more about the Social Care aspects of the Health and Social Care Information Centre (HSCIC) plans?

  16. Steve says:

    Patients should consent for the release of any data or information, the GP’s or NHS are not the owners of this information, they are just guardians. Data protection and the information governance within the NHS have failed to protect our information. Irrespective of the use for the information this should be the right of the patient to consent not for your organisation to accept consent if you don’t hear back from patients.

  17. Helen says:

    When I went to to my GP practice yesterday to opt out, the receptionist admitted that they hadn’t known anything about CareData before people had started handing in opt-out letters earlier that day.

    Add that to the lack of publicity, hiding the leaflet in the junk mail, not providing an opt out form – and you wonder why people are suspicious?

  18. Philip says:

    Why was there no mention at all of “red” (identifiable) data in the leaflet, which gives the impression that all released data would be anonymised? How can the ICO allow this programme to go ahead with that grave omission? Releases of “red” data without patient consent are already hardly “rare” – there have been 31 such “section 251” releases since April 2013 http://www.pulsetoday.co.uk/your-practice/practice-topics/it/revealed-independent-experts-overseeing-caredata-have-approved-31-releases-of-identifiable-patient-data-since-april/20005572.article. None of this is a good start for a programme based on trust.

  19. Karen Miller says:

    I, along with most of the country probably, have a supermarket loyalty card, bank accounts etc. Do you really think these companies don’t link our data to everything they can? The only reason the NHS is in the news so much is because they chose to be open about what was happening and has in fact been happening for many years. You only need look at the HSCIC website to see that linking health data is old news.

    I think anyone taking advantage of a state funded service forfeits their right to object to administrative data being used in this way. How else do you expect services to be improved? The fuss GPs are making about this only makes me think they have something to hide. Hospital doctors have had their data subject to scrutiny for decades and the resultant improvement in patient outcomes has been immense. I personally look forward to the GP data being used to identify poor performers as I certainly wouldn’t want my care provided by a GP who has a tendency to allow his patients to die!

    • Holly Boyle says:

      Do you think the people at Nectar know if you had an abortion?

      Or if you were prescribed antibiotics for an STD?

      Or if you had a test for HIV/AIDS?

      Or if you attended a Drugs and Alcohol advisory service?

      Or if you were abused as a child and referred to counseling services?

      They don’t know this information now, but if they can buy pseudonomysed data from NHS England and cross reference it (by postcode, DOB etc) with what they already know from the Nectar database, they might might well be able to identify you, and will know your private medical history.

      Would you be happy about that?

  20. CS says:

    According to the leaflet: ‘If you are happy for your information to be shared, you do not need to do anything.’ I am concerned that if a person does not contact their GP to opt out, it will be assumed that they have opted in. My leaflet was delivered in the middle of a whole load of junk mail. I very nearly chucked it straight in the bin as I couldn’t immediately see that there was anything more important than a flyer for Domino’s pizzas. I appreciate that there are other ways in which you are making people aware of this change, but none of these methods can offer universal coverage. I think it is unwise to make ‘opting in’ the default position when you cannot ensure that everyone has been informed, especially over such an important issue which may or may not affect personal privacy. This assumption in itself represents a potential infringement of an individual’s rights and liberties.

  21. Mr J Palmer says:

    Dr Lewis,
    Having read your blog, I’d make the following comments.
    Whilst you may believe and intend that highly confidential and personal data from patients medical records, shared with third parties will be used solely to improve services and will never be released or used for other purposes, I doubt that you can guarantee that.
    In addition once data has been collected and stored it will be at the mercy of future changes in legislation and no one, not you nor any current official have the power to prevent this.
    We are all still reeling from the spying revelations where personal email, phone calls and other communications have been shared with both domestic and foreign intelligence services, hacked by Newspapers and sold to insurance companies and no-win -no-fee solicitors. No data collected and stored, especially data shared with third party organizations is ultimately safe from hacking. There will be leaks, there will be breaches in the privacy guaranteed by you and I suspect that we will all be watching you on a TV news report answer questions about these invasions of privacy in the years to come.
    I certainly wouldn’t put my reputation on a guarantee as you have, you must be a very brave man.
    J Palmer

  22. david peach says:

    I understand you will not sell any information, but will the data be safe and be kept within the NHS . I would not like it to be distributed to none NHS companies

  23. J Brown says:

    I do not want my NHS data to be made available to any organisation outside the NHS, particularly when you admit they would then have the option to sell the information on to a third party like the pharmaceutical industry. Why can’t patients opt out through this website or one of the leaflet phone numbers? Doing it through my GP practice is going to be a pain as everyone there is always so busy.

  24. Richard Evans says:

    Some points on which I require further clarification.

    – I am unclear about what I am giving permission for. If I opt out is my data removed from Green, Amber or Red uses?

    – if an organisation obtained any form of monetary benefit from use of the data. Does the NHS get a cut of the profits? It should in my opinion.

    – How does the NHS ensure that all GP practices are applying the rules on data use to the same standard.

    • Stephen Duckworth says:

      Xanthe

      Would you please review your reply of 11 February on red data. My understanding is that the flag of 9Nu4 on my GP records will as you say prevent HSCIC releasing red data in a clearly identifiable form. However by also applying a flag of 9Nu0 this will ensure that no personal confidential data from my GP record is uploaded to care.data. Therefore if I wish to retain maximum confidentiality I should ask for both these flags to be applied.

      It is unfortunate that this is not made clear in any NHS England source I have seen.

  25. Roger Perry says:

    Will there be a reply to the serious points raised below, none of which is addressed in the delivered leaflet.
    Specifically:

    Nowhere does the leaflet say whether private companies will be able to buy NHS data. Presumably they will so why disguise the fact?

    Why has it been made so difficult to opt out?

    Why has delivery of the leaflets been so poorly organised?

  26. Ken Webb says:

    If the government or one of it’s agents requested data, for example: A list of all patients suffering from fybromyalgia, would this data be given?

    There is already enough fear amongst the disabled population about the so called ‘demonization’ of them, could tis information be used as a form of selection process?

  27. Jonathan says:

    Just one care.data leaflet was posted through our shared front door – a door to a house that has been converted to three flats (and, therefore, three households).
    Most of the houses in my long road (house numbers go up to about 260) have been similarly converted. So it seems more than possible that in just this one road, several hundred people will not have received the leaflet. What opportunity will those people have had to make an informed decision about opting out?

  28. Martin Patrick says:

    I am concerned that private companies will benefit from this resource without any guarantee of a reciprocol benefit to the public. Should not all private companies be prohibited from using the database until they can demonstrate that they freely share all non-commercial scientific data. This is not to be ideological but rather to recognise the need to persude big pharma of its responsibilities to the public sphere.

  29. James Wright says:

    Why are you making it hard to opt-out?

    I shouldn’t have to talk to my GP to opt-out of this service. There should be an online resource where I can opt-out.

    You might say it’s not hard to talk to my GP, but I don’t have to talk to BT if I want to go on the TPS.

    James.

    • NHS England says:

      Hi,

      As data controllers, it is for GP Practices to determine their own local process as to the different ways in which they wish to receive objections so there is no national online process for this.

      Xanthe, NHS England