
Implied consent set to be scrapped for SCR

Tags: CfH   consent   Scotland   SCR   Summary Care Record   Wales  

30 Jul 2008

The implied consent model for the Summary Care Record (SCR) looks set to be scrapped in favour of a simpler consent model following a recommendation from Connecting for Health’s advisory group.

Implied consent looks likely to be replaced by a model based on ‘consent to view’, providing a simpler, more intuitive way for patients to decide who accesses their record.

The Summary Care Record Advisory Group, made up of key stakeholders for the SCR, has recommended that the NHS adopt a “refined consent model” for the SCR. The recommendation is now to be discussed with other stakeholders before a change is agreed, possibly by mid-September.

A spokesperson for NHS Connecting for Health (CfH) told EHI Primary Care: “We can confirm that our external stakeholder body, the Summary Care Record Advisory Group, has met and recommended that the NHS adopts a refined consent model, simplifying decisions for patients without removing the choices available. This would provide the protection they want over access to medical records. We are discussing the recommendation with our key stakeholders to get their views about the proposed change.”

CfH is not releasing any more details on the proposed change but the advisory group was to hear recommendations from the SCR team including its views on the ‘consent to view’ model used for summary record projects in Wales and Scotland and highlighted by the evaluation report.

Dr Gillian Braunold, clinical director of the SCR, has said that she would find the ‘consent to view’ model acceptable as it would give wider control to patients who would be able to decide whether to give or withhold consent at every encounter.

The evaluation, which led to the advisory group reconsidering the consent model, found that the current consent model was too complicated for patients and the profession.

The existing ‘hybrid’ consent system used by CfH means that after information on patients’ medication, allergies and adverse reactions has been uploaded on an informed consent basis, further information on selected aspects of a patient’s medical history can be added in ‘phase 2’ with explicit consent.

The researchers reported: “There is a widespread desire from patients and staff for a simpler consent model.”

Fiona Barr

© 2008 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.

Reader's Comments

1

Hmmm 'Consent to View'...

30 Jul 08 17:07

I know that 'Consent to View' has not yet been publicly endorsed as the way forward, but assuming it does become the new model then it raises some interesting questions.

Presumably 'Consent to View' is an additional check which follows a new explicit 'Consent to Create'? If it isn't then the only other way this can work is for EVERYONE to have an SCR - irrespective of any current 'opt out' - and the 'Consent to View' being the only access-check. I'm not sure that would please TBOO and many GPs!

If there is to be no additional 'Consent to Create' then that leaves those who've already opted-out in an anomalous position. Would their 'opt-out' be treated as an automatic 'No Consent to View'? If not, they could be asked for permission to view a record which they'd specifically said shouldn't be created.

Presumably the SCR will now incorporate some 'tick box' mechanism which indicates that the patient has 'consented to view'? Of course TBOO and friends may feel that that facility could be misused.

I shall watch developments with great interest.


2

Consent to view/share works

31 Jul 08 10:07

Assumed Opt in to share combined with implicit consent to view works well. It also gives full control of the record to the patient, the record owner, including the right to change their mind at a moment's notice ... avoiding the scenario below

The Non-GP is with a patient: "...before I start treating, just to make sure I'm treating you safely, can I look at the rest of your record?" Patient: "Yes, do." Non-GP: "Oh dear, I'm not allowed to, you have not opted in, that's a blow."


3

Assumed opt in would be worrying

31 Jul 08 11:07

I really feel very uncomfortable with the idea of 'assumed' opt in, and I trust this is not going to be the model. The DPA says you should not share data without consent, and you have no way of knowing if the communication about the SCR has actually been received, let alone understood, for the patient to take a decision on opting out. In the summary care pilots, patients questioned on the street denied knowing anything about it, and on talking to a friend in one of the pilot areas, they had heard nothing either. In Scotland, bags of notification letters were found behind a hedge, because postie was too tired to deliver them all. So the model must be actual and informed consent to share, backed up with a request to view the records at each consultation, whether in OOH, A and E or a walk in centre. Would not need to apply in the registered GP surgery, this is the holding site for the records before they are shared, but many GPs now kind of ask this question when showing the patient the computer screen anyway. A patient will not be surprised to find their record isn't available if they have taken an informed decision not to share outside their GP surgery.


4

making it easy to upload

stressfreedave@hotmail.com

31 Jul 08 17:07

The issue seems to be how consent is obtained in large numbers. If patients were asked when they attend their practice (I think something like over 90% see their GP at least once every 3 years), it would not only allow for expressed consent to be obtained, it would allow a gradual upload rather than a whole lot at the same time. Regardless of how consent is obtained, the issue of informing patients about others with access (such as SUS) and who can access that database should also be given to patients.

I found it interesting when one reader pointed out that some GPs sort of ask for consent to view records in the practice, as not only have I never heard of this happening but I was informed by the GMC and the ICO that a patient cannot prevent the GP, nurse or secretary accessing clinical information or information that implies/reveals clinical information (for example a 30 year old patient cannot prevent a nurse at an asthma clinic finding out about her termination at 15 and a male patient could not stop a receptionist knowing he is on Viagra). As for the DPA: when I contacted the ICO about data being shared, they made it clear that I had to prove that I did not give implied consent. So how do you prove you were 'ignorant' of something?


5

No Quick fix to full consent...what would Einstein do?

31 Jul 08 19:07

Einstein's definition of madness: continuing to do the same thing, hoping for a different outcome.

We have to stop...think...listen...trust...act and having acted enshrine best practice where it exists and throw it away if it doesn't. Moreover if what we are dealing with from a socio-political standpoint is an intractable problem then let's stop the madness and think again about the problem we are trying to solve (the patient themselves is an obvious place by the way).

That said if existing and acceptable best practice is to be found in Scotland, Wales or Denmark and it can be accepted by a majority as the 'right thing' then let's discuss it..agree a plan to try it to assess it but please let's not enact a knee jerk reaction to the excellent and pragmatic Greenhalgh report and attempt to spin our way out of a hole.

A 'mea culpa' moment would still be good (not sure who would provide it however - any takers?) and it could provide an ideal opportunity for a considered reflection on what is good and what is not so good about the existing implementation.

Bottom line however -- Let's not prove the bright bloke right about his madness theory!


6

Processing personal data

01 Aug 08 09:08

Some interesting points have been made here. However, I think it would be appropriate to reiterate what the DPA controls. It controls the processing of information and processing includes:

Holding, Obtaining, Recording, Using, Sharing (Shredding - although this is not included on all official models).

Therefore, in my opinion, if there is an assumption to upload the SCR onto the spine, and all the patient can do is prevent 'viewing', then the DP Act is already being breached as the information is being held without consent. In addition, the healthcare provider that uploaded it has breached the Act as the data has been shared without consent. All this makes the processing neither fair nor lawful.

Opt-in must be the way forward and patients (data subjects) must be able to give INFORMED consent that their personal data and sensitive personal data can be processed.

Is this clunky? Yes, but if the NHS is to comply with the law then that's the way it has to be (although I suspect a change in the law will happen before this solution is implemented - probably under the Health and Social Care Act which will place an obligation on Health Care providers to upload data onto the spine).

On a personal level, I will be opting out of having my details uploaded onto the SCR for the following reason: since 1997 there have been approximately 1037 individual articles of legislation giving the Government the right to access your personal data. I am concerned that the 1038th will be to create a national citizen database that will enable successive governments (of a Nationalist persuasion that we don't yet know about) to single out individuals. For those that say it won't happen, take a look at Zimbabwe, Yugoslavia as it was, Iraq, and that's without having to go back any further than 1990 (for those that hark back to 1939!)


7

DPA Act - Consent to Share - What

01 Aug 08 16:08

Where in the DPA Act does it state that there must be consent to data sharing - it is only one of 10 clauses under which data may be shared (see lift from act below). If it were as suggested, a GP would have to ask a patient for consent to send a referral letter - which is the sharing of sensitive personal data - which would be madness.

At last we have a proposal for a sensible and workable model that is consistent with other consent models in the NHS (i.e. consent to treat).

Backed up with the right to see your information and a right to see who has accessed it - at last we are getting to something that may work. I have never understood how anybody can foresee when they may wish another to see or not see their information (as per the current model).

This is a good news story that I suspect will yet again be attacked by the minority of people with extreme views who refuse to consider the potential life saving (or death avoiding) benefits of sharing patient data - whoops fell into the extreme view trap - or have I ?

SCHEDULE 3- CONDITIONS RELEVANT FOR PURPOSES OF THE FIRST PRINCIPLE: PROCESSING OF SENSITIVE PERSONAL DATA

1. The data subject has given his explicit consent to the processing of the personal data.

2. - (1) The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.

(2) The Secretary of State may by order-

(a) exclude the application of sub-paragraph (1) in such cases as may be specified, or

(b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.

3. The processing is necessary-

(a) in order to protect the vital interests of the data subject or another person, in a case where-

(i) consent cannot be given by or on behalf of the data subject, or

(ii) the data controller cannot reasonably be expected to obtain the consent of the data subject, or

(b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.

4. The processing-

(a) is carried out in the course of its legitimate activities by any body or association which-

(i) is not established or conducted for profit, and

(ii) exists for political, philosophical, religious or trade-union purposes,

(b) is carried out with appropriate safeguards for the rights and freedoms of data subjects,

(c) relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes, and

(d) does not involve disclosure of the personal data to a third party without the consent of the data subject.

5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

6. The processing-

(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),

(b) is necessary for the purpose of obtaining legal advice, or

(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

7. - (1) The processing is necessary-

(a) for the administration of justice,

(b) for the exercise of any functions conferred on any person by or under an enactment, or

(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department.

(2) The Secretary of State may by order-

(a) exclude the application of sub-paragraph (1) in such cases as may be specified, or

(b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.

8. - (1) The processing is necessary for medical purposes and is undertaken by-

(a) a health professional, or

(b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

(2) In this paragraph "medical purposes" includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

9. - (1) The processing-

(a) is of sensitive personal data consisting of information as to racial or ethnic origin,

(b) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and

(c) is carried out with appropriate safeguards for the rights and freedoms of data subjects.

(2) The Secretary of State may by order specify circumstances in which processing falling within sub-paragraph (1)(a) and (b) is, or is not, to be taken for the purposes of sub-paragraph (1)(c) to be carried out with appropriate safeguards for the rights and freedoms of data subjects.

10. The personal data are processed in circumstances specified in an order made by the Secretary of State for the purposes of this paragraph.


8

RE: DPA Act - Consent to Share - What

stressfreedave@hotmail.com

02 Aug 08 22:08

When a patient is referred to a hospital the patient is seen as having given implied consent when the GP asks them about being referred. It is common sense that the doctor would be sending information to the hospital. That sort of implied consent is not the problem.

The problem that has arisen from the uploading of data with patients' 'implied consent' is that patients are not informed to the point they can make a balanced judgment. In fact the information given to patients and the ICO is wrong (yes, I can supply an email from the ICO and CfH that shows the ICO was given wrong information). It is true that consent is only one of the ways patient data can be shared but that would require the NHS to tell all patients that data would be uploaded regardless of what they say. CfH are claiming to have the patients' consent; what has been shown is that patients are not giving their 'informed consent'. The ICO have also pointed out that a data subject cannot give consent, even implied consent, if they were ignorant of the data sharing.

Most of us that are against the way things are being done are neither in a minority, do not have extreme views and can back up what we say. Some of us liked the original idea but due to the amount of data sharing and the way the current government introduces anti-privacy laws, we have come out against it. There is also the other side of extreme opinions on this. For example there are people (including a lot of doctors) that think patients should not be allowed to prevent them accessing their data and researchers have for years been demanding (and getting) access to patient identifiable data without patient consent or knowledge.


9

DPA - where does it say consent to share?

nhstechie@btinternet.com

03 Aug 08 17:08

I must be missing some subtle irony here, as you've answered your own question. Schedule 3 (d) "does not involve disclosure of the personal data to a third party without the consent of the data subject."

The real argument is really over the definition of "a third party". At one extreme there is a school of thought that anyone who works for the NHS is part of the second party (this of course excludes GPs who are independent contractors), at the other anyone except for the data subject (patient) and the data collector in person (eg GP or another clinician).

Having helped investigate dozens of Sudden Untoward Incidents and having had to help provide written responses to Coroners queries I have personally yet to come across a single death or near miss caused by the inappropriate sharing of data (though I know of a handful). I have seen dozens where a failure to share information has at least contributed to a death or near miss.

Whatever the NHS comes up with needs to be evidence-based including an objective evaluation of the balance of risk to patient health, personal liberty and to the public at large. We can't afford to leave it to popularist politicians, single-issue pressure groups or to CfH to decide - nor can we afford to wait for much longer!

The dissent model is probably the only pragmatic way forward, but begs the question of what to do with the records of people who choose to dissent?


10

Out of step with Europe

11 Aug 08 14:08

Doesn't a previous eHealthInsider say it all? http://www.e-health-insider.com/news/3992/european_court_fines_finland_for_data_breach
