Current data protection guidance and regulations are contradictory and not conducive to effective patient care according to a new discussion paper published by the independent CCIO and Health CIO networks.
The CCIO and Health CIO Networks discussion paper:’data sharing and data protection in healthcare’, considers the sensitive issue of the use of patient information, and was initially written in response to recent controversies over the data sharing model in TPP’s widely used SystmOne software.
The Information Commissioner’s Office in March announced an investigation into the TPP model over concerns it may contravene principles 1 and 7 of the Data Protection Act.
Members of the CCIO and Health CIO Networks drafted the paper based on online discussions and questions raised on their private community platform. A small working group then prepared the final discussion paper.
The paper addresses the issues and confusion around the regulation of data protection associated with data sharing, as applied to more broadly sharing patient records, within the sometimes contradictory current legal framework and guidelines.
The paper argues sharing data saves lives, and says clinicians are currently having to choose between the risk of non-compliance with the letter of data protection law or the danger of delivering sub-standard care to their patients.
“In my own view, I would rather be in the office of the ICO than in the coroner’s office,” commented Joe McDonald, CCIO at Northumberland, Tyne and Wear NHS Foundation Trust and chair of the CCIO Network.
“I think that’s the choice we face at the moment. Yes, we want better audit trails, yes we want citizens more in charge [of how their data is used], but in the meantime all information governance is imperfect.”
The CCIO and CIO Networks discussion paper: ‘data sharing and data protection in healthcare’, which is published today, calls on national bodies to create regulation which better reflects the information sharing that is now possible and desirable in healthcare.
Copies of the discussion paper are being sent to NHS CCIO Professor Keith McNeil and NHS CIO Will Smart.
Last year, Dame Fiona Caldicott published her third review of data security and information in healthcare. The government’s official response to it has been long delayed, however – most recently by the general election. The Conservative manifesto does promise to make good on a long-held desire to put the office of the national data guardian on a “statutory footing”.
4 July 2017 @ 16:35
So there is guidance coming on GDPR and consent but it is very difficult to answer until the derogations (The Data Bill that was in the queens speech) is actually written and produced. Consent for research can be broad, not explicit as some would want. However until the actual derogation states for research article 89.1 means this, no one can really say for sure. The actual GDPR would actually suggest you don’t need consent as there are plenty of legal basis to get data just has to be public interest. Also Consent for a Public Authority may not be considered legal under GDPR. (ICO Draft Guidance Consent,). As a patient with a rare disease I know how important my data for research is and I really do know the true meaning of #DataSavesLives and would love to share it but as an Information Security Professional I know its not as simple as that. We wait for more ICO Guidance and of course the Grand Data Bill to lead the way. Lets hope its not stopped by another general election. The clock is ticking.
4 July 2017 @ 20:16
all this discussion is fine but the priority should be to put the patient first … until patients have access to their data these discussions are academic, how can you expect a person to let others see their data unless they can see it themselves !
5 July 2017 @ 10:32
Having recently looked at the GDPR, I am seriously concerned that its implementation risks shutting down almost all data sharing within the NHS, especially that emanating from the primary care level. The regulations are so unwieldy, and the penalties so huge (how would a three-partner practice cope with a £20 million fine??) that I can see most GP practices taking fright and pulling up the drawbridge on data sharing.
Here’s what one well-respected observer recently wrote: ‘GDPR abolishes the concept of Data Controller and Data Processor, and replaces them with Joint & Several Liability. This would seem to mean that misuse – or alleged misuse – of e.g. GP data, even after it had passed through numerous other organisations, would remain the responsibility of the original organisation providing the data among others.
In the current litigious climate, I would expect GPs to be included routinely in any complaint about misuse or leaking PID ‘
Hence my fears that GDPR will curtail data sharing enormously – which is not to the benefit of the patient at all.
5 July 2017 @ 12:06
In the current market, there is no way on Earth that these type of health providers (GPs), which are under such enormous pressure, should be having to worry about the technical and the legal aspects of data sharing.My personal and honest opinion is that the responsibility and accountability for things such as breaches of Information Governance lay fairly and squarely either at the feet of the local CCG or NHS England (maybe ourNHS leaders would like to argue that one out !).
However, Doctors are the ones who should be discussing with their patients, whether or not they want to share their data i.e. what data and with which organisations.
Walk into you local branch of *** bank or shop, no one working there is worried about data, they are all trying to help the people they serve.
Time for health leaders to start living in the real world.
5 July 2017 @ 16:32
That part of GDPR is not new (the fine is!) you have to perform due diligence now. The big risk is the involvement of Third Parties – TPP, Deepmind, are examples where ICO are looking under current law and finding concerns and issues. The ICO findings are really interesting on the findings. Some because patients were not properly told or informed, others because of security issues. So as a patient being told or asked about how my GP is handling my data. So current law. Notifying people that you have a breach is usually containing in a DSA or ISA, its certainly already contained within the standard NHS contracts and has been for the past few years (Or according to your codes of practice should be.). So its not new and its not a GDPR thing.
My real soap box is resource for IG has to be bolstered for GDPR as its clear in SIGN meetings that areas are under resourced. GPs are especially a high risk group as few groups have an IG Specialist as part of the practice.
I would also echo the response that IG is demonised as its not fully understood. Then again if you don’t have enough IG experts around how can you call on them.
5 July 2017 @ 17:01
This is the bit that bothers me, repeated from my recent post, which I don’t think you’ve addressed. I think it is by far the biggest problem, because essentially it implies that you yourself are at risk for anything done by someone to whom you send your data.
GPDR has been described as the next money-tree for lawyers, after the claims for the mis-selling of PPI.
19 June 2017 @ 14:30
As I keep on saying, how do clinicians write in the notes ‘Is this girl being sexually abused by a relative…’ if the relative has access to her health record?
reply: A process is needed for this rare criminal event (eg immediate transfer of case from health to police), something (the xfer) should be digitally recorded on the persons eHR. You can’t ignore history, this country has had significant problems with child abuse in the past, if things had been digitally recorded then it may have saved a lot of time and money.
How do you record that a patient might just have a cancer when you know she is mentally very fragile, if not already suicidal?
reply: Who is “you”, what is your specialty, how do you know the person is mentally very fragile, if not already suicidal, are you the only person who is helping the person, is the “cluster history” on the person’s eHR?
How as a GP do you record that a patient is a psychopath, made worse by the street drugs he is using? (After all — and especially in the more rural areas — the patients know where we live and where our children go to school.)
reply: Who is “you”, what is your specialty, are you qualified to record that the person is a psychopath, or to maintain the cluster on the person’s eHR?
How do you record that a patient has been beaten up by her violent husband, if the husband had forced her to give access to her medical records?
reply: A process is needed for this rare criminal event (eg immediate transfer of case from health to police), something (the xfer) should be digitally recorded on the persons eHR
It is all very well having an approach of ‘I want to see my medical record’ — and in the vast majority of cases this will cause no problems at all – but this approach simply cannot happen until we have developed a system which allows information such as the above to be recorded in total safety for the patients, carers and healthcare attendants.
reply: In my personal and honest opinion, the above is all about the integration of health and social care, the ‘I want to see my medical record’ approach is right, and for reasons of efficiency (time and money) it needs to be got underway @ a national level now.
19 June 2017 @ 15:02
Check out the NICE guidelines for suspected child abuse – RECORD ! My own ideas: talk with the young PERSON, instantiate a PERSON pathway via an eReferral (automatically linked to a Care Model), talk with the child and explain that DATA on the PERSON pathway will, for the time being, not be shared with anyone outside of the NHS and the Police Force, if you are worried the xfer will not flag up with the Police Force immediately then phone them up and give them the PP ID. If you want me to expand I would be ‘appy to when I can find some time as I have a lot … to do.
20 June 2017 @ 11:22
Clive,
Just to be clear, I’m talking from the point of view of a GP and in relation to the record as a conveyor of information to myself in the future (i.e. as an aide-memoire), and to my clinical colleagues, among others, not necessarily within the same practice.
There are many occasions within medical practice when we have suspicions but no hard evidence – and indeed it would often be entirely counterproductive to be too certain about our suspicions, because they may not be founded in reality. On the other hand, we have a duty to record our thoughts and concerns, both to remind ourselves for the future, and in order to alert other clinicians, who come into contact with the patient, to our tentative suspicions.
I am of course well aware of what to do if a clear case of child abuse etc unfolds, but many situations are far from clear-cut – and indeed, if too much is done too early may greatly damage the doctor-patient relationship; lead to families being inappropriately split up, and provide the very opposite of the support we are supposed to be providing.
The same applies to violent and drug-abusing patients: we need to be able to record that a particular patient shouldn’t be left alone in a room with a female healthcare worker, for example; or that a patient may indeed be a psychopath. On the other hand, we need to be able to pass on messages like this without any fear of retribution or legal action from the patient simply for recording our concerns/suspicions. (And at the early stages, evidence may well be extremely tenuous.)
If these concerns aren’t addressed, then all that is likely to happen is that the patient record simply becomes a bland statement with all the important bits missed out (these have now been recorded on paper and reside in the drawers of the
GP’s consulting-room desk — which of course is the exact opposite of what is intended by a shared electronic medical record). It also means that the OOH service have not the vaguest idea that a particular child may be vulnerable when they see that child in an OOH situation.
My contention is — and always has been — that until and unless we have a clear, simple mechanism for recording contentious information then healthcare workers will be scared to record their real suspicions for fear of either legal action being taken against them personally; or physical violence; or the possibility of alerting a sexual abuser to the fact that they may have been ‘sussed’ (and will therefore be likely to register the victim with another unsuspecting surgery); and of course, children may become more vulnerable to abuse as a result.
20 June 2017 @ 11:54
I understand, I also believe a team approach is usually better than a hierarchical approach, especially when it comes to getting things sorted, but at some point things must be published so that the outside world nows just what is going on or not going on, as the case may be.
20 June 2017 @ 12:06
Just for clarity, let me be more specific, I was talking about the General Practice Team of which you are a member and which serves the patient. If anything (notes etc) goes outside of that Team, then it should be recorded/published.
In my mind, it is the Team that counts, not your Network of friends and/or colleagues.
19 June 2017 @ 13:45
As I keep on saying, how do clinicians write in the notes ‘Is this girl being sexually abused by a relative…’ if the relative has access to her health record? How do you record that a patient might just have a cancer when you know she is mentally very fragile, if not already suicidal? How as a GP do you record that a patient is a psychopath, made worse by the street drugs he is using? (After all — and especially in the more rural areas — the patients know where we live and where our children go to school.) How do you record that a patient has been beaten up by her violent husband, if the husband had forced her to give access to her medical records?
It is all very well having an approach of ‘I want to see my medical record’ — and in the vast majority of cases this will cause no problems at all – but this approach simply cannot happen until we have developed a system which allows information such as the above to be recorded in total safety for the patients, carers and healthcare attendants. And note — it’s not good enough to have a ‘private area which can be redacted’ if there is any indication to the patient that a private, redacted set of information actually exists.
Until we can collectively solve that problem, we won’t be able to record and share medical information safely, reliably and to the degree to which we need for safe clinical use of the shared medical record.
20 June 2017 @ 11:43
Therefore all patients should be denied access?
These are edge cases and simple processes and procedures that can be put in place to adress such matters. There are legal provisions too.
Many other health economies and ideed organisations in the NHS are achieving this.
What this demonstates is the lack of National in NHS and inability to share and adopt good practice.
16 June 2017 @ 09:16
Ow dear, this document really shows that the CIOs and CCIOs are not informed or particularly knowledgeable about data protection, which I find very worrying.
The DPA is not a barrier to sharing data – it clearly specifies what you need to do if you are planning to. If organisations are under resourced and see consent as “too difficult” or privacy notices as “not applicable to us” (Practice Managers and CGs, I’m looking at you) then that really says much more about those organisations than it does the legislative landscape.
Yes, we could remove the common law duty of confidentiality, which is what I am reading between the lines in every quip about data sharing, but other legislation would have to define the legal expectations and I don’t envisage how that could be more flexible.
The fact this article talks of outdated data protection sets the whole picture of what this document seems to be arguing for – the unrestricted and free flow of patient data around the NHS and social care (and possibly beyond).
I’d be intrigued to do know if this group has any competing interests and declarations of interest in place as I sense there is more to this than simple DPA bashing.
Time for such groups to consult with people who actually understand the DPA and other relevant laws rather than just being embarrassingly reactionary/defensive. Maybe NHS England could add some value here by setting national guidance to aid data sharing but I can’t see any pigs flying past my window at the moment… instead organisations without expert IG advice are left to reinvent the wheel and get very frustrated in the process of doing so. I understand that frustration but please direct it appropriately.
16 June 2017 @ 13:34
Worrying indeed. Most NHS organisations do not understand the current legislation and have very little (if any) idea about GDPR, and I’m talking about the people charged with understanding this stuff.
Data Protection Law is an enabler and it is very clear. The NHS with all its jobsworths, empire builders and conflicts of interest has turned it into a firewall.
Consent establishes the legal basis to share data. The problem is the NHS as a whole hasn’t bothered to implement consent and just made assumptions.
You can’t then legally share data based on assumptions, even if there was some implied consent when you first interfaced with a healthcare provider.
This is the root cause of all data sharing “issues”.
As a concrete example: I’ve been told countless times by NHS information governance teams that they cannot email me as a patient because the data protection act does not allow it or that I MUST complete a special SAR form and post it! This is wrong and lesson 101 of the DPA.
15 June 2017 @ 22:29
ourNHS is just one of many organisations that has provided care for me, or more precisely integrated health (physical and mental) and social care. With this in mind there is only one entity that I wish to be in control of MY HEALTH DATA and that is I. My message to health and social care leaders? I, and I suspect many others, do not wish to live in a nanny state and I would like to play a much bigger role in managing my own health ps note Google have a great approach to Data Security and IG.
15 June 2017 @ 22:31
(appologies but edit functionality removed) if you want to know more try Googling it …
16 June 2017 @ 09:19
It’ll be a pity when Theresa’s nanny state builds the big firewall of the UK and your data no belong to you as a data subject but to the Government… after all you are can’t trust anybody any more, can you?
p.s. have you read about DeepMind?
16 June 2017 @ 14:48
With regard to health, I trust the Doctors that treat me, (regardless of who they are contracted to work for), that’s pretty much it.
16 June 2017 @ 13:44
I don’t see why I shouldn’t have a complete record. By not having a copy the NHS is causing more harm than good and for what, the sake of an automated (consented) email?
If all that the NHS did was every time I saw a hospital they just emailed me a copy of my record from the encounter we would be a huge step forward and I would have a complete and accurate record of everything ever.
Instead, its distributed far and wide across the UK and “my GP” gets half-baked discharge summary missing lots of the detail, test results, imaging, etc.
And then next time “it would just be easier to give you another xray” than to get the previous one. One of many such statements I have been given on visiting hospitals.
Just give the information to me!
16 June 2017 @ 14:55
I stand firm next to you Dan but I would add … whether I use an NHS or non NHS provider my health data will usually end up with the NHS, that really gives NHS the upper hand / the power, which coming back to my earlier point and points that others have made is a little worrying.
16 June 2017 @ 15:13
I think times are changing legally and morally, the NHS is always behind.
GDPR will be one of the drivers for change but also the world is slowly coming round to the idea that it’s a basic human right (especially for healthcare) that individuals get more transparency and control.
Other health economies are much more switched on to this.
Besides at best my health record is a static snapshot a given moment in time. Pharma companies want to build relationships with individuals to understand more about their genetics, their lifestyle, behaviours, etc. over time.
Even my health outcome, the impact of treatment, etc. is more about me as an individual than it is about my health record data.
The old days of flogging rudimentary anonymous data out the back door are numbered.
15 June 2017 @ 20:02
I would agree that serious consideration of the management of sharing individual patient records for the direct care of the individual patient when the circumstances under which the information is needed – and relevant – is urgently needed, this paper does not address the issue of sharing individual identifiable patient records for secondary purposes such as management of the NHS or research.
When – if ever – can we have some discussion on the issues of:-
1. record keeping practices and data compatibility & quality? (care.data wanted to combine GP Coded data – great variation quality & completeness – with HES – retrospective ICD Coding for financial purposes)
GIGO
2. assuming all identifiable patient data is uploaded to NHS Digital as a “statutory safe haven”, what protection will be in place to prevent distribution of entire databases rather than limited access in a controlled environment (and measures to enable Trust that any schemes would be honoured long-term)?
Sharing records/integrated care records *is* a complex problem – and the paper is right: TTP ESDM does make all organisations using TTP Data Controllers In Common and therefore needing MOU between each & every organisation using it – but this is direct care – secondary purposes are another issue: it doesn’t help to use problems with one to justify the other.
15 June 2017 @ 11:16
ok, here’s a question for any EU GDPR experts out there, regarding NHS data sharing:
Where GP data is “viewed” by an outside organisation, i. e. *not* extracted/uploaded to a 3rd party database with therefore a new data controller, explicit consent is required (contemporaneously, at the point of viewing) . Isn’t that already GDPR compliant?
Where GP data is extracted and uploaded, from the GP record, to a 3rd party database, with then a new data controller, and currently under an “implied consent” basis, will such extractions now be unlawful under GDPR without unambiguous, explicit consent from the data subject prior to extraction/uploading? If so, what impact – if any – do people think would this then have on such existing schemes (e. g. the SCR)?
It’s not hard to see why data controllers within the NHS have concerns about data sharing. It’s not the sharing of data (which few patients object to in principle), it’s *how* the data is shared, who is/remains the data controller, and for what other secondary purposes their data is shared for, that concerns patients and those they currently trust with their personal confidential information.