The UK government has decided to hold off on plans to upload GP records onto a central database for six months. But it may have to drop the plan permanently unless it can provide satisfactory answers to the uncomfortable questions that have been raised about the types of organisations already getting access to health information.
The official motivation for the delay to care.data is the indisputable lack of awareness among the public about their records being involved in the scheme and how they can opt out. The Department of Health and the NHS are stubbornly sticking to the line that a better publicity campaign will iron out all problems.
This is not the view elsewhere though. Anxiety about how the care.data scheme is being run is spreading. Serious questions are being asked by MPs from all parties in an ongoing series of special debates at Westminster. Worryingly, ministers appear to have been badly briefed for these, making a number of incorrect statements about past and future sharing of health records with third parties.
Few people are questioning the health and research benefits of sharing health records but serious concerns continue over how the information is managed and what security and safeguards will be in place.
The furore around care.data has exposed the fact that some NHS data is already being shared with third parties, and has been for some time. Care.data may not actually be up and running but a host of organisations, from universities to data analytics companies to insurance firms are already getting access to the Hospital Episode Statistics (HES) database. The link is unsurprising – the core of care.data is HES with GP data merged into it, and HSCIC manages both. The public is now seeing what third parties are already doing with HES, and they don't like it, which is bad news for care.data.
Who's getting our data?
It seems that data analytics companies have had access to sensitive information through perfectly legitimate means. A company called PA Consulting turned out to have collaborated with NHS England, using a tool called Qlikview and Google's Big Query to produce a "cloud" version of the HES database.
Google does not have cloud servers resident in the UK, so this means the UK health database was likely copied to servers in the US. This is potentially problematic in terms of the Data Protection Act. Official advice from the Information Commissioner's Office about sending data out of the country is available but it is currently unclear whether this advice was properly followed.
Either way, revelations about mass surveillance mean that people are right to feel jittery about information ending up on Google servers, whether the letter of the law has been followed are not.
Then, there is a consultancy firm called Beacon Dodsworth, which says it can use HES records to help companies with their social marketing campaigns, although HSCIC now states that this company only ever received anonymous aggregated data.
Reassurance on insurance?
Next come the insurance companies. HSCIC has repeatedly stated that using care.data information for insurance purposes would be prohibited or illegal but it turns out that HES has been used exactly for that.
Partially anonymised HES data has been used to establish more accurate actuarial estimates for insurance purposes by the Staple Inn Actuarial Society in a report called Extending the Critical Path.
There were fears that this data was not all that anonymised. Socio-economic classification information had been merged into it, which would not have been possible at the claimed level of anonymisation. It eventually became clear that the extra information had been added by HSCIC before the data was sold to the SIAS. But it would still have been possible for the SIAS to obtain enough information to re-identify many of the people in the HES database should it have wanted to, having paid only around £20,000 for the privilege.
Altogether, it is now clear that a wide spectrum of commercial companies appear to have had some association with HES data and are using it in ways that do not provide any obvious health benefits and barely acknowledge – until the bad PR starts flowing – that it's our confidential medical data they are dealing with.
How do they decide who to share with?
In response to these reports, there has been demand from MPs like Conservative GP Sarah Wollaston and others for HSCIC to come clean about its data sharing arrangements. We already know that advisory groups DAAG and CAG take the decisions about sharing sensitive or identifiable confidential personal data, and they keep registers of past applications for access.
However, applications to access data that is considered "anonymous" are handled internally by HSCIC, which is, for many, not a transparent state of affairs, particularly since HSCIC has its own definition of anonymity that includes non-anonymous data if suitable controls are in place. That essentially means that any data could potentially be shared through this route, whether anonymous or not.
Concerns that HSCIC has the power to just make up the rules as it goes along led to a Freedom of Information request from Phil Booth of MedConfidential. HSCIC's response confirmed they had such discretion. In the enduring absence of any Code of Practice for HSCIC (required according to the 2012 Health and Social Care Act) how can we argue with that?
Even more worryingly, HSCIC said in the FoI response that it is "unable to state whether any organisations we have provided data to are providers of insurance since this is not a question asked when an application is submitted".
So HSCIC asks an organisation what it intends to do with the data and then just stops asking questions after that. Then if a company provides medical services, it can apply to access data, and if it also just so happens to provide insurance services too, it doesn't actually have to alert HSCIC of a need to regulate and monitor against possible sharing within the business. This is quite a naive stance for HSCIC to have.
All in all, we badly need HSCIC to come clean about past and future sharing, through a register and a code of practice. For full reassurance on care.data, further legislation on sharing may be unavoidable.
Explore further: What safeguards are in Australia's data retention plans?