Skip to main content

NHS Patient Data

Volume 578: debated on Tuesday 25 March 2014

I am pleased to speak in this debate with you in the Chair, Ms Dorries. Other Members may not know that we made our maiden speeches together, so we have always been inextricably tied in that way.

I am raising issues today because I want the Minister, NHS England and the Health and Social Care Information Centre to appreciate some of the real concerns about past and current uses of NHS patient data. I will talk about concerns about a lack of transparency in decision making, the commercial use of patient data and the lack of consent for that use.

The chair of the HSCIC talked last week about the organisation’s having an “innocent lack of transparency”. That was an inappropriate description of an organisation that is causing serious concern about its handling of NHS patient data. A lack of transparency cannot be tolerated in the part of the NHS that is trusted with safeguarding patient data and I do not accept the description of “innocent” for that lack of transparency.

At a recent meeting of the Select Committee on Health, Members asked questions about decision making on data releases from the NHS Information Centre. The panel members, who included the Minister, were asked how many of the key decision makers from the NHS Information Centre, which released patient data to insurance actuaries, had later become decision makers in the HSCIC. Max Jones, director of information and data services, said:

“The executive directors of the HSCIC with responsibility for this area were not part of the old information centre.”

When asked again whether the individuals who made the decision on transferring data to insurance actuaries became decision makers in HSCIC, he replied that

“the very senior management in the HSCIC is not the same as very senior management that was in the”

information centre.

The Minister has recently given me an answer to a written question that directly contradicts that and I am concerned about that. I asked him about the numbers and levels of staff who had transferred to the HSCIC from the NHS Information Centre. His answer stated that, of the 11 members from the management board of the HSCIC:

“Three of the non-executive directors and two of the executive directors were previously members of the NHS Information Centre management board. One of the executive members is graded as a very senior manager post and the other transferred as a senior doctor.”—[Official Report, 17 March 2014; Vol. 577, c. 457W.]

Given that that directly contradicts Max Jones’s answers to the Select Committee, will the Minister ask Max Jones why he gave those incorrect answers?

Dr Mark Davies, one of the senior executive directors, joined the NHS Information Centre in 2008 and transferred to the HSCIC when that was established. Indeed, an article last August described how Dr Davies sits in the exact same office in Leeds that he occupied when the HSCIC was the NHS Information Centre. He is the director of clinical and public assurance—a post that, surprisingly, is being made redundant this month. Will the Minister tell us why a senior post on public assurance is judged to be redundant, given the lack of public confidence in the plan for and the many questions being raised by me and others about commercial uses of patient data?

I congratulate my hon. Friend on securing this timely debate, which is raising some important issues that we need clarity on. We have just come from a seminar in which the Health Committee had some expert witnesses. Does she agree with the conclusions put forward there about the need for clarity before we go ahead with this data collection? I am thinking particularly about the cyber-security review, safeguards on anonymous or pseudo-anonymous data, separating out purposes for controls, a tighter definition of the care data—

Very much so. I must tell the Minister that we have not had time to absorb all of what has happened at the HSCIC, but we are disturbed by much of what we have learned. It seems as if there has been a proliferation of organisations and committees and that, as the use of that data and commercial data has burgeoned, the NHS has lost control of what is going on. That is of real concern.

I congratulate the hon. Lady on bringing this matter to debate and on her perseverance at every stage. Does she agree that although the commitment given regarding a patient’s right to their data will be respected, perhaps patients in the NHS see this issue from their own points of view? They do not see the IT implications of what is taking place; because of that, there need to be more assurances for the patient on what happens.

I very much agree. Last night I tweeted that I was to have this debate today and I was astonished with the response I got—an awful lot of people are very concerned about the issue. I will come on to opt-out in a moment, but let me conclude the point I was making about the director of public assurance’s post being made redundant. There will be considerable interest from Parliament on the basis for and the terms of that redundancy. I hope there will be no suggestion of a compromise agreement or gagging clauses. There are serious questions to ask about some of the activities.

While Dr Davies is still in post, there are a number of questions to ask about his role and those of his colleagues in the NHS Information Centre that later became the HSCIC. Dr Davies has been the chair of the four-person data access advisory group. Having two senior HSCIC employees on the advisory group on sensitive data releases, including its chair, brought criticism about a lack of independence. As chair of the group, Dr Davies also had the right to approve data releases unilaterally from the HSCIC, outside the committee. He was therefore in a powerful position. Indeed, it was reported in The Guardian last year that Dr Davies used that power to release to the Cabinet Office the confidential medical records of teenagers taking part in the national citizens service.

Perhaps more recently, Dr Davies’s views were becoming out of line on some aspects of the Government’s stance on care data. The Guardian reported in January that Dr Davies said that there was a “small risk” that certain patients could be “re-identified”, because insurers, pharmaceutical companies and other companies had their own medical data that could be matched against the pseudonymised records. He said:

“You may be able to identify people if you had a lot of data. It depends on how people will use the data once they have it. But I think it is a small, theoretical risk”.

The risks in this area have been rightly getting much attention and the Health Committee heard more about them this afternoon. Examples can be taken from the websites of both Harvey Walsh, a company that boasted of having more than a billion linked patient-level records and an ability to track patients over time, and OmegaSolver, the company with the patient analyser tool that it claimed can track patients throughout their hospital care.

In the case of OmegaSolver, its website held example screens showing use of its Patient Analyser tool, which it said could track actual patients within every hospital in England, providing up-to-date information for every disease area.

My hon. Friend is making an essential point. Whole data sets from the hospital episode statistics have been handed over to third parties, and that is absolutely reckless. We need those data to be deleted to restore public confidence in who has got the data and for what purpose.

Indeed, and I say that they “held” that information because websites such as those that I mentioned were suddenly altered when attention was drawn to the capabilities that those organisations claimed to have when it came to tracking patients. The Minister and hon. Members may have seen reports about how the medical histories of people in public life could be tracked using online tools of that type. Widely reported accidents or medical procedures undergone in NHS hospitals clearly provide enough information to spot one patient event in the records and then read across to every hospital visit for that individual.

I ask the Minister not to echo the mantra he has used before or the one the HSCIC used when asked about OmegaSolver—that only aggregated patient data are used and that that does not represent the experience of an individual. It is clear that commercial companies granted commercial reuse licences have claimed that they can track

“actual patients within every hospital within England”.

As I said in the recent debate on the Care Bill, the hospital episode statistics database was originally an administrative database. When did any of us sign up to having our data used to recalculate the cost of insurance cover or by pharmaceutical companies as customers of OmegaSolver? I do not recall signing up to that and I am sure that other hon. Members did not, either.

Does the Minister agree that perhaps we should go back to thinking that patients should have the option of having their data used only for clinical care and for commissioning that care? In his response in the Care Bill debate on these issues, the Minister said that

“people can, at any time, object or change their mind, and the Health and Social Care Information Centre must respect their wishes and remove their data from records.”—[Official Report, 11 March 2014; Vol. 577, c. 206.]

At the time he said those words, I thought, “That is not currently the case.” I understand that deletions are not permitted and, once a patient’s record has been extracted, they cannot get it removed from the database. If it is in fact a new development that patients can change their minds and request that their data be removed from the records held by the HSCIC and by commercial companies, that will be welcomed, but I really look forward to the Minister telling us how that happens.

I gave the example of Harvey Walsh. They have described themselves as main suppliers of hospital episode statistics and NHS data to the pharmaceutical industry. Can the Minister tell me how an NHS patient can have their records removed from Harvey Walsh’s AXON database or any of the other databases that are outwith the HSCIC?

In the Care Bill debate, the Minister was also asked a question about whether free text would be uploaded from patient records either now or in the future, and he answered:

“As things stand at the moment, free text is not going to be used. That is the reassurance given by the HSCIC”.—[Official Report, 11 March 2014; Vol. 577, c. 206.]

However, Professor Julia Hippisley-Cox and Professor Ross Anderson have pointed out to Health Committee members that researchers already make use of free text from GP patient records. Indeed, medical students and computer science postgraduates at the university of Sussex and at Brighton and Sussex medical school have begun work on analysing doctors’ notes for data from free text.

The data being used come from the Clinical Practice Research Datalink, and Select Committee members were told that those patient data are being used without specific patient consent or section 251 support—it is section 251 of the National Health Service Act 2006. If the HSCIC has given the Minister an assurance that free text from GP records will not be used, can he tell us whether and when the use of free text from GP patient records in the CPRD will be stopped, particularly given that that appears to be happening without patient consent? Patient consent is important, and I still get the feeling from the HSCIC that individuals are somehow being labelled as selfish if they have concerns about sharing their data.

I want to come back to concerns about the existence of the commercial reuse licences granted by the HSCIC. I have tabled a written parliamentary question on this, but I also put the question to the Minister now. He has confirmed that the HSCIC has granted commercial reuse licences. Will he now provide me with a list of each past and present holder of a commercial reuse licence granted and, for each licence holder past and present, will he list the purpose or purposes for which they applied and were approved to use NHS patient data from the HSCIC and its predecessor, the NHS Information Centre? As patients of the NHS, we deserve to know in which places and with which organisations our data are sitting and what they are being used for.

My hon. Friend is being very generous about interventions. Again, she makes an excellent point. We need an effective audit trail. If these data sets are being sold on, we need some effective control. That should be stopped. I hope that the Minister—

I, too, hope that the Minister will address that.

I want to give an example of data use approved by the Data Access Advisory Group of the Health and Social Care Information Centre, because I think that it is instructive. Minutes from the group’s July meeting show that the advisory group approved the use of hospital episode statistics data for HSpot Ltd and its FindMeHealth application. HSpot Ltd had requested HES data, including consultant codes, with the intention of publishing those data online to enable patients to compare procedures by hospital and clinician. Online information about FindMeHealth says that it is

“a new independent UK comparison site offering choice…to the growing number of people who are choosing to self-pay for private healthcare.

FindMeHealth compares prices across the top self-pay procedures and gives users access to the very latest data from NHS and private sources”.

What we have here is a kind of “Go Compare” website for private health care.

Much was said about uses of patient data in the debate on the Care Bill. The Minister said that information from the HSCIC

“may be disseminated for the purposes of ‘the provision of health care or adult social care’ or ‘the promotion of health’.”—[Official Report, 10 March 2014; Vol. 577, c. 136.]

Does the Minister think that the definition that he gave us extends to the HSCIC granting the release of patient data so that commercial companies can run comparison websites on the top self-pay procedures?

We need much greater transparency, and I thank hon. Members present for the questions that they have put on this matter. We need greater transparency from the Health and Social Care Information Centre, but we also need it about the other data sources and the other places where data are held. The chair of the information centre, Kingsley Manning, said in his speech last week that one of its key measures of success might have been that it was

“safely below the radar of public attention”,

but that organisation is no longer below the radar of public attention. Indeed, the organisation has become the story because of the errors that it has made, which mean that hon. Members and the public have discovered just how their confidential medical data are being used by insurers, by commercial companies and even on systems in the United States.

If people look at social media, as I did last night, they will see that there are many comments about just how much distrust people now feel towards the HSCIC. The organisation, as I said at the start, has claimed an “innocent lack of transparency”, but others accuse it of evasiveness and half-truths. As I have detailed, giving misleading answers to the Health Committee on established facts about who works for the organisation does not help.

All that has to change. Hon. Members, including me in this speech, have talked about ways in which the situation should and must change, and I hope that the Minister understands the vital need for that.

It is a pleasure to serve with you chairing the debate, Ms Dorries. In some ways, I wish that we had new issues to discuss; many of the issues that we are discussing today we have thrashed out on a number of occasions in the Care Bill Committee and the Report debate earlier this month, so I am not convinced that there is a lot of new information that I can bring, other than giving further reassurances along the lines of those that have been given. However, it is important to make two points at the outset.

I congratulate the hon. Member for Worsley and Eccles South (Barbara Keeley) on initiating the debate and on her ongoing interest in this topic, but if she has concerns about a witness not giving correct information to the Select Committee, it is of course at her disposal to speak to its Chair, my right hon. Friend the Member for Charnwood (Mr Dorrell), and ask him to take that up with the witness. If she has those concerns, I suggest she does that. Of course, it is very easy to take comments—a few sentences—out of context. It may be that that is the case here; it may be that there are genuine concerns, but if the hon. Lady has those, it is for her to take them up with the Chair of the Committee and ask him to take the matter further.

I will give way in one moment. It is also the case, in relation to a number of the other issues and concerns that have been raised during this discussion, that some of the events and some of the evidence given to the Select Committee have of course been superseded by the amendments made to the Care Bill that we debated a couple of weeks ago, so it is difficult to see those points—

I am giving way to the hon. Gentleman’s hon. Friend in one moment. Let me complete the explanation and then I will be very happy to give way. Events have moved on since some of those evidence sessions, because of course amendments were made to the Care Bill that gave greater clarity and greater reassurance about the protection of patients’ data.

Before the Minister moves off the point about the misleading evidence given to the Health Committee, may I put this to him? The Minister was there with Max Jones and Tim Kelsey—they were there supporting him at the Committee—and I think that this really is down to the Minister. I have, of course, raised the matter with the Chair of the Select Committee, but if a Minister brings civil servants and NHS employees with him to a Committee and those civil servants mislead the Committee—giving incorrect answers not once but twice—I think that it is really down to the Minister to raise the issue as well.

The hon. Lady will recognise that NHS England is an arm’s-length body, so it has less accountability than—or certainly not the same accountability as—a civil servant does to a Minister, and it has a degree of independence. If there are concerns to be raised, as she has just outlined, it is for the Chair of the Committee to write to obtain clarification if he believes that to be appropriate. I am sure he will do so if he feels that that is right. It is not for me, as a Minister, to interfere with the workings of a Select Committee and I do not propose to do so.

No. I have listened to the same speech from the hon. Gentleman as did my right hon. Friend the Member for Chelmsford (Mr Burns). The hon. Gentleman is always very helpful in tying himself in knots and confusing debates. On this occasion, however, I will make some progress, because I have got 10 minutes left and I would like to put down some further reassurances. I may give way later on, time permitting.

Once again, I congratulate the hon. Member for Worsley and Eccles South on securing the debate, and I would like to say at the outset that we all believe to be a good thing. It is good news for patients, for improving transparency in health care and for improving the quality of research. Those are undoubtedly good things, and we must not lose sight of them in our discussion. The lessons of Mid Staffordshire point out that if we do not properly expose examples of bad care—if we do not have the data, and the transparency in the use of those data, to expose good and bad care in the NHS—bad things can happen to patients. That is a lesson that we must heed.

We must also recognise that if we had had better data sharing in the past, we might have been able to learn better how to recognise patterns in prescribing that were to the detriment of patients, such as the example that has been cited of the use of thalidomide during pregnancy. We might have avoided some very bad things happening to patients if we had had the necessary data. That is what our proposals are about.

This is not a sudden, big-bang change. Opposition Members have put it about that we are dealing with a big change in approach to the use of data in the NHS, but I remind the Chamber that in 1989, hospital episode statistics were first collected for in-patient data, in 2003 for out-patient data and in 2007-08 for A and E data, and primary care data are now being made available.

Of course we understand that the use of data can be concerning, so I want to reassure everyone that the right safeguards are in place, many of them established by the Health and Social Care Act 2012. The new body, the Health and Social Care Information Centre, must have regard to the safeguards put in place by the 2012 Act. The Government take the safeguarding of patient data very seriously.

The commercial reuse of licences was raised in the debate. The Health and Social Care Information Centre has confirmed that some reuse agreements remain in place for specific organisations in relation to approved purposes. The purpose of each application is carefully considered by the HSCIC before it is agreed. That consideration includes the application’s benefit to the health and care system, a safeguard established by the 2012 Act for the use of data.

I will give way in a moment; I am just going to finish this point. Following concerns expressed by the Health Committee in its meeting of 25 February, Sir Nick Partridge, a non-executive director on the HSCIC board, has agreed to conduct an audit of all the data releases made by the predecessor organisation, the NHS Information Centre, and report on that to the HSCIC board by the end of May.

Furthermore, a report detailing all data released by the HSCIC, including the legal basis on which those data were released and the purpose to which they are being put, will be published by the HSCIC on 2 April. That report will be updated quarterly. I reiterate that the HSCIC will release information for health and care uses only.

The Minister is arguing that the scheme is an extension of what happened before, but there is clearly a quantum difference. There is general agreement that it is a wonderful thing to have data sets for research and public health purposes. The difficulty that the public have, about which we need to restore confidence, is when that information is being used for marketisation—for marketing purposes—by commercial reusers. I am not reassured by the Minister’s comments, but he has an opportunity to correct the problem in the House of Lords.

It is difficult to reply fully to such debates when we have very lengthy interventions, of which the hon. Gentleman is very fond. I would like to spell out to him what the quantum difference is. The Government have, through the 2012 Act, put in place safeguards for data protection that the previous Government never had. In particular, under the 2012 Act, data can be used only for the benefit of the health and social care system. We have put in place the safeguard that people can opt out from having their data collected and used. Those safeguards were not in place when the previous Government—

No, it is important to make these points. The hon. Lady is very party political on the matter, and it is important that she recognises failings that existed in the past. I have mentioned the collection of in-patient data from 1989, out-patient data from 2003 and A and E data from 2007-08. I am not aware of any safeguards put in place by the previous Government to allow patients actively to opt out of the collection of those data. If she is aware of any, I would like her to clarify the record.

The Minister is talking about opt-out, but I asked him a specific question about commercial reuse licences. I understand that there are at least six of those—six massive copies of all hospital episode statistics data—out there. How does an NHS patient get their data deleted from those copies, which sit with companies such as Harvey Walsh and OmegaSolver? How does that happen?

The point is that people have the opportunity to opt out of the programme if they wish to. The HSCIC can also put in place contractual safeguards if there are sensitivities around data. Our amendments to the Care Bill created a “one strike and you’re out” situation for any companies that use data, whereby if there is any misuse of data, they will be struck off.

The safeguards established by the Government—those in the 2012 Act and the announcement by my right hon. Friend the Secretary of State that people could opt out of the collection and use of their data—are welcome. Such safeguards never existed under the previous Government, and we have made good progress in protecting patient confidentiality, although that is not to say that we do not need to reassure the public further.

We must make sure that we have rigorous processes in place. In the brief time available, it is worth outlining some of the strong measures in the 2012 Act, which established the HSCIC and set out the framework in which it will operate to ensure that data are being used appropriately. Under section 260 of the 2012 Act, the HSCIC must not publish the information it obtains in a form that would enable an individual other than a provider of care to be identified. That is a strong protection for individual confidentiality in the publication of data.

Under section 261, the HSCIC cannot disseminate or share data that could be used to identify an individual other than a provider of care except where there is another legal basis for doing so, which, as we have said, would be only in extreme circumstances such as a civil emergency. Under section 263, the HSCIC must publish a code of practice clarifying how it and others should handle confidential data. Under section 264, the HSCIC must be open and transparent about the data it obtains by publishing a register with descriptions of the information. The HSCIC is working now to ensure that it is transparent about all the data it has released to others.

Moreover, the Government have already introduced the commitment that if someone has concerns about their data being used in such a way, they can ask their GP practice to note their objection and opt out of the system, after which no identifiable data about them will flow from their GP practice to the HSCIC. Directions to the HSCIC under section 254 of the 2012 Act, which are separate from the amendments considered by the House as part of the Care Bill, will ensure that that commitment to patients has legal force.

There are strong safeguards in place, and Opposition Members would do well to recognise that the 2012 Act has put us in a much better place. Safeguards are in place that never existed when the previous Government extended the use of data sharing in the NHS. We all recognise the benefits of, and we must recognise that, with the additional safeguards in place, we will have a system that will help to improve health and care research and the quality of care available to patients.