Monday, 10 March 2014

Care.Data. Why Disabled People Should be Worried

In the eyes of the law, a government department, a university researcher, a pharmaceutical company, or an insurance company is as entitled to request and receive de-identified data for limited access as a clinical commissioning group, as long as the risk that a person will be re-identified from the data is very low or negligible. Furthermore, all such organisations can make good use of the data. Access to such data can stimulate ground-breaking research, generate employment in the nation’s biotechnology industry, and enable insurance companies to accurately calculate actuarial risk so as to offer fair premiums to its customers. Such outcomes are an important aim of Open Data, an important government policy initiative. 
HSCIC Information Governance Statement

When I wrote an article about the risks of Care.Data for disabled people a fortnight ago I put it on my own blog, because I didn't think it overlapped with the disability and benefits focus of Where's The Benefit. Unfortunately the last fortnight has absolutely changed my mind. I now think that not only is Care.Data one of the worst fiascos of the current government, but that it represents a very real threat to disabled people and particularly to the confidentiality of their medical records, so here is a briefing on Care.Data that hopefully will allow you to decide for yourself whether Care.Data is something you need to opt-out of.

This is quite a long piece, and an incredibly messy tale of woe, if you lack the spoons to read all the way through it, I suggest skipping down to the (almost) last section What Should I Do Now, where I give a recommendation on how to proceed.

What is Care.Data?

Care.Data (note the dot!) is a government scheme to integrate hospital and GP medical records in order to make it available for both NHS governance and planning, and research by outside organisations. This will take the form of a huge database to be run by the Health and Social Care Information Centre (aka HSCIC), an NHS agency that replaced the NHS Information Centre (NHSIC) after the Health and Social Care Act 2012 set all this in motion.

See A simple guide to for a more in depth background at Wired (when a technology magazine files a health service informatics story under 'Politics', you know things are in a mess). There is also the comprehensive which is run by a concerned GP.

(N.B. Care.Data won't include all the consultant's letters, scrawled doctor's notes and other stuff that tends to be haphazardly wedged into whatever kind of folder your GP uses for your records, it will just be the clinical codes that they type into their PC to indicate disagnoses, prescriptions, consultants and the like.)

So That's Good, Right?

In theory, yes. The study of mass health data promises to be absolutely revolutionary (and it's why personally I'm not quite giving up on Care.Data yet). What is an interesting anecdote in one patient's records, such as the slightly odd reaction I just had to Gabapentin, could become the key to understanding a major risk, or a major opportunity, when extended across the entire patient population of England - Scotland, Wales and Northern Ireland are going their own way on this, and Dr. Margaret McCartney (who was behind an excellent expose of the attitudes of Atos towards disabled patients) has an article on why their approaches to the same issue are better, which is available in the BMJ: why are Scotland and Wales doing it differently? Potential uses which have been discussed include not just pure statistical research, but using the data for recalls of medical devices (c.f. the 2011 breast implant scandal), and during healthcare emergencies. Less positive is the potential applicability of the data to 'NHS commissioning', i.e. privatisation.

So Why Am I Just Hearing About This?

Initially HSCIC seemed to be of the opinion that we shouldn't worry our little heads about this. The NHS England National Director for Patients and Information, Tim Kelsey, who has an extraordinarily convoluted background in this story, has openly stated in the past that people using a public service should not have the right to opt-out of sharing their data. Having been thumped a few times by, amongst others, the Information Commissioner's Office (ICO), responsible for enforcement of the Data Protection Act (which incidentally Care.Data has partial immunity from), HSCIC agreed to provide an opt-out and to send out a leaflet to every household in the country explaining the issues with Care.Data. This leaflet was duly distributed by the Royal Mail along with all the other junk mail, but most people either never received it or never noticed it, and it was eventually revealed that, unlike most other government mail shots, HSCIC had failed to sign up to the scheme that overrides junk-mail opt-outs. Amongst the people who never saw it was, rather ironically, the Information Commissioner who had insisted it be sent out in the first place. Nor was ICO happy with the content, stating on Today "We’re not sure without further explanation on the website and very clear views, that people will understand what that means”, a statement Tim Kelsey was forced to agree with. Which is hardly surprising as a leaflet supposed to brief people on what Care.Data was, the risks, and how to opt out, consisted solely of a PR puff-piece on how important Care.Data was, no mention of any risks, and an unexplained statement saying that if people wanted to opt-out then they should contact their GP

Assuming their leaflet was distributed at all, disabled people then faced the problem of accessibility. There were Braille, Large Print, Screen-Reader Friendly and Easy-Read versions of the leaflet available, which is good, better performance than we are used to from DWP, but to know about the Accessible versions you had first to read the small print on the non-accessible version of the leaflet.... How people intellectually unable to give informed consent to Care.Data are intended to proceed appears to have been left completely unaddressed. 

There are inline links to the screen accessible versions in the text above, for Braille you need to ring 0300 456 3531 or the text phone number 0208 742 8620 and request the Better Information Means Better Care leaflet, I believe a spoken word version should also be available through the first number. Quickest turn around on delivery of a braille version I've heard of was 5 weeks, other people are still waiting.

The Fiasco Unfolds

The first domino to fall was on Tuesday 18th February, when HSCIC announced that the gathering of Care.Data would be postponed from April to October as there were a few concerns over whether people had been provided with enough data. Computer Weekly, however reported Legal straits forced NHS delay on Care.Data, suggesting that the inadequate information provided to patients meant HSCIC had actually created a situation in which GPs might be in breach of the Data Protection Act if they allowed Care.Data access to their records (even though the Health and Social Care Act 2012 was supposed to have excluded Care.Data from most DPA provisions). Disturbingly there are reports of at least one NHS trust threatening GPs that they would be in breach of contract if they did not opt patients in to Care.Data and that a GP had been ordered to take down a statement on his surgery web-site saying he was concerned with the scheme.

Next domino to fall was on Sunday 23rd February, and it was a doozy. The Daily Telegraph reported that 13 years worth of all records of hospital in-patient admissions from HES, the predecessor to Care.Data, 47m records in all, had been sold to the 'Staple Inn Actuarial Society'  (SIAS), which it turns out is a combination of a) a trade body/professional society for actuaries (the people who do big-data number crunching for the insurance industry), and b) a convenient not-for-profit front for the insurance industry. The Telegraph went on to reveal that the data had been analysed and combined with data from consumer credit companies - meaning that they had been able to narrow cases down to at least post-code areas, to allow insurers to review their prices for health insurance in the case of various health issues (the threat warning sensors of any disabled person who has ever tried to get travel insurance, never mind life insurance, should be twitching already). SIAS's own report made it clear that they had been able to identify individual patients, by saying they were able to link multiple admissions, and then link those patients to consumer credit information, which would have required at least partial post-code matching, but this may have fallen a step short of full identification to a named individual. 

The first response from HSCIC was that the story involved their predecessors NHSIC and in any case was legal (first say it was someone else's fault, then claim there isn't a problem anyway, absolutely classic Cover Your Backside 101). The second response from HSCIC again emphasised that it was NHSIC at fault (never mind NHSIC became HSCIC), but admitted the transaction was illegal, though precisely how it was illegal it seemed to find impossible to explain (it now appears they may not even have taken legal guidance on the issue, so the legal situation is anyone's guess). HSCIC also tried to argue that this was all right as SIAS is a not-for-profit organisation, seemingly completely unaware that not-for-profits are often used as fronts for for-profit organisations, such as in the case of, oh, SIAS and the insurance industry. 

It was later revealed that SIAS paid precisely £2,220 (or should that be 2,220 pieces of silver?) for the data, suggesting no-one in government has the slightest idea of what this information would be worth to Big Pharma and the like (Care.Data apparently charges on a cost-recovery only basis). I don't like having my personal health information ripped off, having it ripped off for a fraction of its value does not make me feel better.

Suggesting a carefully timed story on the part of the Telegraph (and possibly a carefully timed leak by unknown parties), HSCIC was due in front of the Health Select Committee on Tuesday 25th February to discuss concerns over Care.Data, a session which was recorded and which is available here. The performance of Tim Kelsey, Max Jones, Director of Information and Data Services, HSCIC, and Dr Dan Poulter, MP, Undersecretary of State for Health, was thoroughly underwhelming (except when it was overwhelmingly arrogant), whereas the privacy advocates who also appeared were clearly passionate over patient confidentiality, openly accepting of the value of Care.Data and fully on top of their briefs.

The appearance by the HSCIC team was a car-crash, the minister appeared not to know his brief and all three were persistently evasive. It rapidly became clear that they couldn't answer questions on what was allowable because they hadn't yet written their code of practise (for a system supposed to go live in April), something which was required by the Health and Social Care Act 2012 when it created HSCIC and Care.Data. They blamed this on only (only?!?) having had 10 months since taking over from NHSIC. When asked to provide data on previous decisions by NHSIC they equivocated, despite it being the predecessor organisation from which they acquired staff, facilities, and records. When asked to provide access to NHSIC decision makers, who should largely still be working for HSCIC they were even more equivocal. Amid all this farce, being asked why, if it was a NHSIC decision, HSCIC had allowed their logo to appear on the SIAS report, was almost lost in the background noise. One particularly disturbing moment from the disability rights point of view was when Barbara Keeley, MP for Worsley and Eccles South, raised the issue of data referencing patient Mental Health being subject to substantial stigma, the possibility it might end up with potential employers and therefore surely requiring the same protection as AIDS or STD status, only to be told by Dr. Dan Poulter "That's absolutely daft". When the HSCIC team protested that any misuse of data would be subject to fines of up to £500,000 from the ICO, Barbara Keeley noted "That's small change to Big Pharma." (Incidentally the ICO were recently lamenting the inability of judges to understand the consequences of privacy breaches and their refusal to impose realistic fines). The appearance culminated in the witnesses being told by Rosie Cooper, MP for West Lancashire, that she had already opted-out because, pointing at Kelsey, Poulter and Jones, "I don't trust you."

To complete the farce, Public Health Minister Jane Ellison, having told parliament the data released by the HSCIC was "publicly available, non-identifiable and in aggregate form", none of which were true, but amply demonstrating the lack of understanding of Care.Data at ministerial level, had to raise a point of order the following day and apologise for misleading parliament, (at least she did apologise, which is a step up on the usual performance from IDS and the DWP).

As if one catastrophic data release wasn't bad enough, it then became apparent on Monday 3rd March that an even worse one had occurred, with PA Consulting (who have form for losing confidential government data, having once lost a data-stick containing unencrypted data on every prisoner in the country) admitting that they had uploaded the complete HES data-set onto Google in order to see what they could do with it:  NHS England patient data uploaded to Google servers Tory MP says. The fact that they were putting it onto data-servers that weren't protected by UK or EU data-protection law, in likely breach of the Data Protection Act, appears never to have crossed their tiny minds. Initial reports that the data was un-pseudonymised and un-anonymised are now being denied, however reference to producing maps from the data in PA Consulting's own report implies they had at least partial postcode data available.

Care.Data cock-ups appear to be running about one story a day at the moment: a company specialising in geographic information systems (potentially just about a perfect platform for breaking anonymisation) were offering access, for a price, to a system which would show you which hospital people seeking particular treatments had selected, with the implication that this was again HES data. HSCIC had them take the system down, but it was then claimed that they were only using mock data, which would make a) the fact they were charging for access, and b) the fact that HSCIC could make them take it down, particularly bizarre. Another company were offering HES data combined with their information on what sort of people lived in a particular post code. Both these operations would require at least partial post-code information to function, raising definite re-identification worries.

After multiple requests in parliament, HSCIC were finally forced to announce on 5th March that they would release an audit of all information released by themselves or NHSIC, with the HSCIC data out in April and NHSIC in May. 

Amendments have now been proposed to the Care Bill to patch up the Care.Data loopholes, but as the proposal allows releases "for the purposes of the provision of health care" it doesn't actually rule much out - even the SIAS case could have been phrased to imply it was to ensure people with particular illnesses weren't disadvantaged when applying for insurance. 

Pseudonymisation, Anonymization and Re-Identification
When it comes to release of data HSCIC has adopted a traffic-light system. "Green data" is anonymous or aggregated and should be immune from re-identification; "Amber data" contains individual data and is supposed to be pseudonymised before release, and "Red data" is personal and confidential information which is supposed to be anonymised if it is released at all. Both anonymisation and pseudonymisation are supposed to prevent data being reverse-engineered to reveal original identity, but the truth is that re-identification is possible, and in fact the nature of health data will make this rather easier than with other data sets due to the degree of individuality introduced by personal patterns of disability and other health issues.

Identifiable data is only supposed to be released with patient consent, however there is a provision to override this using a 'section 251 approval'. Even opting-out will not guarantee that data is inaccessible in these cases as the data will be harvested from GPs and delivered into the Care.Data database whatever your individual opted-in or -out status, it will simply have a flag applied once there to state if you have opted-out, which will restrict it from commercial and research disclosures, but not from a 'section 251 approval' or the law-enforcement back-doors into the database (it isn't clear if these are using section 251 or another mechanism). Rather disturbingly it came out during the session that there was a group within the NHS dedicated to advising how to arrange a 'section 251 approval' and openly tweeting that it can provide this service.

Transatlantic Data Sharing, Risks and Opportunities (for Lawyers that is)

The Data Protection Act makes it illegal to export personal data outside the European Economic Area (EU + EFTA), but 'Green' data doesn't count as it is aggregate not individual, and 'Amber' data might be exportable given pseudonymisation. There is already a memorandum of understanding in force between HSCIC and the US Department of Health with stated aims that include 'Liberating Data and Putting It to Work' and 'Priming the Health IT Market'.

In theory data exported to the US, which has notoriously lax data protection legislation, is protected under the Safe Harbor agreement between the US and the EU, which mandates that US companies holding data on EU citizens protect it to levels equivalent to EU law. Unfortunately the Snowden revelations have made it clear that the NSA has a tendency to treat US databases as an all-you-can-eat buffet, particularly if that data relates to non-US citizens, and happily shares that data back with its partners in the Five Eyes network (the US, UK, Canada, Australia and New Zealand). Cases of confidential medical data of Canadian citizens turning up in the possession of low-level US officials have already been noted (see Disabled woman denied entry to U.S. after agent cites supposedly private medical details). In practise Safe Harbor may be no safer than Pearl Harbor on the morning of 7th December 1941 and the EU is already considering suspending it to force concessions from the Americans over the Snowden revelations.

Specific Risks for Disabled People

I mentioned I had an odd reaction to Gabapentin earlier. It was actually so subtle I didn't identify it until I came off the drug and realised that there was a change in my behaviour, but in trying to get my GP to understand what it was, and why I wasn't prepared to go back onto Gabapentin, a note was made in my medical records, and that note was 'mild depression'. Now I hadn't once told her I was depressed, I certainly wasn't feeling any more down than usual, but my 'a psychologist would probably call it a lack of agency' wasn't a description she was comfortable with (I'm not sure she even understood it), even if it did describe the sudden fall-off in what I was getting done. So my medical records now say I've had an incident of mild depression, even though I haven't. There is a very real stigma attached to depression in the wider community. It is absolutely normal for people to imply that anyone with depression is inadequate, frequently tied into an allegation that depression isn't a real disability, which no doubt is commonly extended to any other disabilities the person in question may have.

God knows what other inaccuracies are in my medical records, the physical bundle is about six inches thick, and there is the electronic data on top. My GP often brings up potential diagnoses for my main disabilities which were considered and discarded years ago, in some cases decades ago (I stay with her because she's usually, eventually, willing to recognise that I'm an expert patient and know exactly what I need). There is, as I understand it, a theoretical right to examine your medical records and demand that inaccuracies are corrected, but for many of us that may be a right that is effectively impossible to enforce, for instance due to issues of Mental Health or Learning Disabilities, never mind the potential damage in patient-GP relations - always a worry for patients with long term disabilities.

Care.Data is supposed to pseudonymize (Amber data) or anonymize (Red data) individual data. The particular problem faced by disabled people over Care.Data is that many of us are uniquely identifiable by our individual combinations of disabilities. Take me: I have Dyspraxia, Hypermobility Syndrome, Chronic Pain Syndrome, and some of the symptoms of Aspergers, though apparently I don't quite qualify as an Aspie. Now that combination isn't unique, it's probably true for about half the hypermobile types I know, but people with that combination living in my postcode, with my age? Even if you broaden out the postcode (first three characters not all six) and smudge the age into a range, you're probably not going to get more than one hit. If you happen to know who my doctors are, then that data becomes even more identifiable, whether it includes my name and NHS number or not.

This might seem like a fairly obscure concern, but disabled people face massive discrimination in recruitment, making it a real concern as to whether or not we declare our disabilities, or all of our disabilities. Some we obviously have to declare, it's difficult to hide the crutches I walk into the interview room with, but with invisible disabilities this becomes a more nuanced decision. Declare, and somehow fail to get the job, or don't declare, miss out on the legal protection that declaring gives, and face problems when finally it becomes essential to declare? The 'Consulting Association' (and the 'Economic League' before them) famously ran a blacklist for major construction companies such as MacAlpine and Balfour Beatty, listing potential employees who were believed to be union activists, 'troublemakers', or dangerous radicals who wanted health and safety provisions enforced, and this only stopped when they were raided by the Information Commissioner's Office in 2009. It is reported one manager working on the Crossrail project made 900 checks against the blacklist in 2008 alone. With the open discrimination against disabled people by many employers and recruiters it is easy enough to imagine someone with a bootleg copy of Care.Data setting up a black-market disability check service for recruiters and HR execs to access under the counter: 'He declared X, I wonder if that's all? Depression? Oh, really? Well he's out, then...." Even anonymization may not be enough to beat this, breaking anonymisation for one record is difficult, for 65 million sets of records it's a minor automization problem, or a business opportunity. If they do it from the States it isn't even illegal.

The campaign group medConfidential have an article showing what's being done with some of the data that has been released. Full identification from the information shown would be comparatively trivial when done on a mass basis, or with background information on the individual in question.

Ben Goldacre gives an example of how to identify someone even without a prominent disability in his article The NHS plan to share our medical data can save lives – but must be done right (the article is in favour of Care.Data but predates the Telegraph revelations, Goldacre has to be complemented for admitting he was wrong in a second article Care.Data is in Chaos a week later)

GP Trust Issues

A point which has been raised by patient advocates, but seemingly failed to gain any traction in the debate between 'the great and the good' is that this system could result in a huge breakdown in trust between patient and GP. There are already tensions in the system when insurers can insist on access to medical records before issuing a policy, but the potential for outside commercial bodies, law enforcement, or DWP to gain access to extremely private medical data, such as AIDS or STD status, details of mental health or other disabilities, and other information towards which stigma exists such as abortions or teen pregnancy has the potential to cause irreparable loss of trust. Just today I saw a suggestion that Care.Data, and potential exposure of the results to insurers, provided a good reason for refusing to take the blood test for dementia that was in the news.

They're Excluding AIDS and STDs, but Nothing Else?

Care.Data apparently recognises that compromising the confidentiality of medical data indicating AIDS or STDs is potentially disastrous, so proposes to exclude it from release, but, as noted earlier, when asked by  Barbara Keeley on the Health Select Committee if that exclusion should not also be extended to mental health indicators, given the marked stigma around them, Dr Dan Poulter, the junior health minister, responded "That's daft!" 

Disabled people will be well aware that it is not just AIDS status, or MH status that may result in not just stigma but active discrimination, it is the possession of any disability of any kind whatsoever. HSCIC and the Department of Health appear either unaware of this, or simply not to care. Disclosure of any disability information whatsoever has the potential to stop a disabled person getting a job, or to destroy a career, and we urgently need Care.Data to address that.

They Gave My Data to WHO?!?

DWP are reported to have applied for access to HES, the Care.Data predecessor in order "to obtain access to confidential patient data to be linked to information about employment, tax credits and benefits claims". While it is possible that this was in pursuit of high level statistical information, the wording appears to specifically indicate that this was a clear attempt to gain access to individual medical records in order to cross-check with data provided during Employment Support Allowance applications, Work Capability Assessments, or DLA/PIP applications. Any discrepancy would likely then be followed by sanctions, or, in the worst case, prosecutions. HMRC are also reported to have requested and been refused access.

While it is encouraging that these initial requests were refused, the problem for disabled people is that the desire to access Care.Data on the part of DWP has been demonstrated, and HSCIC has shown a clear tendency to approve rather than deny access, associated with a wish to further extend the sharing of information. We cannot be sure that future attempts will be denied.

A Guardian article Police will have 'backdoor' access to health records despite opt-out, says MP, reports that former Shadow Home Secretary David Davis has established in a Parliamentary answer from Dr Dan Poulter that the police 'and other government departments' will be allowed warrantless access to Care.Data. 'and other government departments' most likely means the National Crime Agency and the Security Services, but it could mean DWP, or it could be extended to mean DWP. A backdoor for law-enforcement agencies is also very likely to include HMRC, who were previously expressly denied access to HES.

HSCIC have also stated: "Where informed consent is not feasible, a legal basis allowing the sharing of confidential information should be explored. ... Confidential information can be disclosed to support the detection, investigation and punishment of serious crime." Releasing information to support the detection of crime would appear to presuppose use of Care.Data in fishing expeditions where no crime has been demonstrated to exist.

Amongst other entities known to have applied for access to HES, the Care.Data predecessor, are private healthcare companies BUPA and Doctor Foster and the right-wing think-tank the Institute for Fiscal Studies. Some of these were refused, some were passed on the nod without ever going to the full authorisation committee. They do rather aptly demonstrate just how interesting the data is to a range of commercial interests. And all the while Big Pharma is waiting in the wings.

WHO Did You Say is Going to Extract the Data? Atos!?!

The contract to run the 'General Practice Extraction Service', GPES, which will pull the Care.Data info out of GP's medical records for transmission to HSCIC, has been given to Atos. In theory this should be an automated process and shouldn't involve anyone at Atos looking at any identifiable medical records, but in practise problems happen and programmers may need to look at raw data to understand what the issue is, and they may do that without ever realising it is an issue. In fairness to HSCIC they gave the contract to Atos two years ago and probably didn't have a clue how toxic Atos' reputation would be by now, but even allowing for that it is clear that just the possibility of Atos and their medical records coming into contact will be profoundly distressing to many disabled people. I'm certainly not happy with it, and that is as a software engineer who understands it is an automated process.

Interestingly the Atos CEO, Thierry Breton, is in the news after describing Big Data as "a digital gold mine, the oil of the future". 

The Proof of the Problem is in the People

A few select quotes from the NHS side of the debate:

Tim Kelsey, NHS England National Director for Patients and Information (and once upon a time founder of private health care informatics company Doctor Foster, for 50% of which the NHS paid £12.5m):

"No one who uses a public service should be allowed to opt out of sharing their records" Kelsey seems to have been forced to back away from this statement in his role at the NHS, but it likely remains his core belief, and that means any information governance system is likely to gain only grudging support at best. And a system which isn't supported by the man at the top is fatally compromised from the start.

"You can object and your data will not be extracted and you can make no contribution to society" Kelsey answers a critic on twitter and reveals that his thinking really hasn't changed very much, even if he has been forced to make concessions.

"If 90 per cent of patients opt out of, we won't have an NHS." Ridiculous hyperbole is such a compelling argument, particularly when made to the Health Select Committee, who immediately call you on it.

Doctor Dan Poulter, Undersecretary of State for Health:
"That's absolutely daft" on being told that there is a stigma surrounding Mental Health and that information on it needs to be protected. (In fairness he was addressing the need to develop additional information on MH, but he did it by dismissing the risk implicit in Care.Data).

HSCIC says access to individual patients records can "enable insurance companies to accurately calculate actuarial risk so as to offer fair premiums to its [sic] customers. Such outcomes are an important aim of Open Data, an important government policy initiative." This is in its own information governance assessment, which in effect means it thinks there should be full disclosure of identifiable patient information to commercial entities for their own gain, effectively no information governance whatsoever. Interestingly Kelsey has been described by Ben Goldacre as having "drunk more open-data Kool-Aid than anyone I've ever met".

Sarah-Jane Marsh, Chief Executive of Birmingham Children’s Hospital, speaking on a panel with Tim Kelsey at Health and Care Innovation Expo, just last week and after the fiasco became clear:
“Security trumps patient safety every time. It is our duty to challenge this principle." Er, no, it is your duty to implement both simultaneously!

Never Fear, Jeremy Hunt Will Save Us

Yeah, right, the Health Secretary has such an unblemished record on commercialization of the NHS - never an opportunity missed - that it seems odd that we should be reliant on him to put things right. Having watched the fiasco unfold, Hunt has decided to ban the release of pseudonymized 'Amber' data unless there are clear health benefits, and to ban the release of data for commercial purposes, while subjecting HSCIC to audit by the ICO. The problem is that HSCIC and its predecessor have repeatedly blurred, or deliberately obfuscated, the barriers between commercial purposes and health benefits, the SIAS release being a case in point. There is an upcoming EU General Data Protection Regulation that should be less subject to ideological bias towards business, however the Coalition, in the form of Lib Dem Justice Minister Simon Hughes, have been trying to systematically weaken this. However both of these fail to address the systematic security risks of concentrating all patient data in a single national database, creating a Holy Grail for hackers, security risks once the data is redistributed, and the whole re-identification issue. A complete solution to the risks these are not. Also, relying on Jeremy Hunt? Something of an oxymoron.

So What Should I Do Now ?

If you are a hopeless optimist like me, and see value in the basic aims of Care.Data then hang on for a few months in the hope that HSCIC pulls off a miracle and gets a proper system of governance in place. As this involves 1) Jeremy Hunt, 2) Tim Kelsey and 3) HSCIC, all of whom are currently in denial that there are governance issues at all, then just imagining the possibility of a miracle is probably hopelessly optimistic, in which case follow the instructions in the next two paragraphs at some point before Care.Data goes live.

If you are a realist, concerned about your medical confidentiality, concerned about any of the organisations listed above trying to access your medical data, or worried that your health means that you may not be in a fit state to make decisions in a few months, then my reluctant recommendation is that you opt out now, and that you opt out the rest of your family. There is an interesting ethical dilemma for anyone in a guardianship position, and I wonder if that doesn't mean they are ethically obliged to opt-out the person they are guardian to, whatever they decide for themselves.

Details of how to opt out of Care.Data are available at several sites, the clearest explanation I've found, additionally offering the opt-out letter in multiple formats, is on the Big Brother Watch site.

And Finally

If you read all of this, then you deserve a break, I recommend the excellent Care.Data Downfall parody.


  1. I've been following this quite closely but still found out new things from this blog post. Good work. I opted out several weeks ago.

    1. I was hesitating over opting-out, particularly as I didn't have clear info on how to do it, so went digging. Every time I went to look at it, it got worse. Hence the article

  2. Update: So, the European Parliament have given the new data protection regulations an almost unopposed reading (621 for, 10 against) - they aren't law yet, but they will greatly protect our online privacy once they are (we have Edward Snowden to thank for this, his revelations swung the tide against US lobbyists). Amongst other things, this allows fines of up to $100m, or 5% of turnover, whichever is larger. This is large enough to make even Google blanch, and as an EU-wide law actions can now be brought in whichever country is most convenient, rather than having to hunt firms down somewhere where they have a cosy relationship with government (aka Ireland). The EU Parliament also passed by overwhelming majority (544-78) a resolution calling on the European Commission to withdraw from Safe Harbor, which will suspend the current provisions allowing confidential data on EU citizens to be exported onto US data servers.

    Meanwhile in the UK, the Coalition voted down an attempt to make misuse of Care.Data a criminal act....

  3. Update: medConfidential have commented on the amendments to the Care Bill laid before Parliament as a supposed response to the fiasco: “The knee-jerk amendments the government has laid are so poorly drafted, they both threaten legitimate research and actually throw our health data open to exploitation by pretty much anyone.”

    Well, I did say if we had to rely on Jeremy Hunt....