GP calls for judicial review of NCRS consent

Tags: BMA Choice Confidentiality consent Database GP Information Commissioner RCGP Warwickshire

10 Jan 2006

A GP is calling for a judicial review of the government’s consent plans for the NHS Care Records Service (NCRS).

Dr Paul Thornton, a GP in Warwickshire with a special interest in patient privacy and confidentiality law, has prepared a nine-page document setting out why he believes the government’s proposals for the NCRS are unlawful and pose what he describes as “grave and imminent risks” to both civil liberties and public health.

Dr Thornton hopes that the paper will help to raise the debate on the legal issues. He says that a judicial review is “imperative” and claims that so far there has been little legal opinion from the viewpoint of the individual seeking to maximise protection of his right to doctor-patient privacy.

Dr Thornton’s document aims to focus on areas of concern in the law, including common law, the Human Rights Act and the Data Protection Act, which he believes provide grounds for judicial review.

The introduction to the document also highlights a draft consultation paper on sealed envelopes, one of the health department’s key tools in its confidentiality package for the NCRS, circulated in November by the Department of Health.

The draft reveals that technical constraints means certain types on information may never be able to hidden by a sealed envelope included information that is part of an image, such as scanned letters, information first recorded on IT systems with record structures that are not compatible with sealing and information recorded after a patient’s death.

Dr Thornton adds that a previously announced delay in creating sealed envelopes will in itself be unlawful. As things stand, summary records are due to start going live this year but sealed envelopes will not be ready until late 2007 or early 2008.

The document states: “Without the ‘sealed envelopes’ the proposals cannot be reconciled with privacy legislation. But even if the proposals are implemented with the access controls as originally described there would still be clear grounds to question their lawfulness.”

The document says ministers have given assurances that patients will be able to have their information excluded from the database entirely if they choose but says this choice is not protected in law and there is no clarification of how such an opt out will function.

Dr Thornton adds: “If the only alternative being recognised is the use of pen and paper records this would be detrimental to the care of patients and any consent could not be regarded as freely given. Alternative computerised options such as the use of local databases have been discounted by the Department of Health.”

The document also argues that plans to allow health workers to override sealed envelopes if justified by public interest, statute or court order are “fundamentally different” to the way heath professionals currently work.

It adds: “In established practice the clinician deciding whether patient confidentiality can or should be justifiably and lawfully overridden already has lawful knowledge of the information concerned. In this national database scenario the clinician making the decision does not already have knowledge of the information concerned and, explicitly, is one of the third parties from whom the patient wants to withhold the information.”

Dr Thornton, who is the Royal College of General Practitioners’ nominee to an EU working party investigating patient confidentiality and vulnerable patient groups, also argues that the Data Protection Act’s test of necessity for when data processing can be allowed without the consent of the data subject is not met by the present proposals.

Dr Thornton has sent his document to the BMA and RCGP and hopes these organisations will add to the pressure for a judicial review and for a change in approach from the health department and Connecting for Health.

He told EHI Primary Care: "There is a number of arguments in the paper and any one of them would be sufficient to oblige them to rethink their proposals."

Dr Paul Cundy, chairman of the British Medical Association’s GP IT committee, backed Dr Thornton’s calls for a judicial review.

He told EHI Primary Care: “I think this legal challenge is absolutely sound and I think Connecting for Health and the Information Commissioner have been rather devious in trying to avoid the issue.”

Dr Cundy said the BMA’s General Practitioner Committee will be debating the health department’s consent plans for the NCRS next week.

He added: “What we are recommending to the committee is that all data should be retained on an opt-in basis.”

The Royal College of General Practitioners ethics committee current recommendation is also that the College should back an opt-in model for the NCRS although the College has yet to decide on its stance.

Links

Dr Thornton’s document

GP calls for judicial review

peter.singleton@chi-group.com

10 Jan 06 22:01

I am sure that Dr. Thornton is well-versed in his subject, but statements such as 'Privacy and consent prevent us drifting into Stalinist psychiatry and the preventive medicine of the Third Reich.' do seem to be rather over-egging the dangers, especially when there are the expected health gains from an effective medical records system (or if not, then we should oppose it on those grounds rather than just privacy issues).

I do applaud his concerns for civil liberties even if I might disagree with his conclusions, but I do not think that he does anyone, least of all himself or his arguments, any favours by being quite so extreme in his comparisons.

The blind men and white elephant

11 Jan 06 12:01

These recurrent 'privacy' debates are futile in the absence of a clear public statement from NPfIT about exactly

1. what will be in the NCRS

2. when

3. updated by whom

4. used by whom and for what purpose

Such a statement is hard to come by even for the 'GP Summary' due this Summer 2006. Working in an area of critical importance to the latter, attending meetings regularly with suppliers, LSPs, NASP and NHS CfH we still cannot obtain this information.

The civil liberty argument

11 Jan 06 13:01

Peter,

Thank you for taking the trouble to read my report.

Friends have raised similar comments about that paragraph of the report which I had not appreciated might be perceived as particularly controversial. It is simply a historical reference to the origins of the post Nuremburg ethical codes from which evolved the current ethical standards and particularly European laws in respect of medical confidentiality. These took account of the way medicine was usurped as part of the process of migration from democracy to totalitarianism in pre-war Germany.

If I really have “over-egged” this component of the civil liberties dimension to the detraction of my overall argument then I would regret it, but I stil beleive the point merits mention.

I would welcome the thoughts of others, particularly the lawyers.

Paul

Dr Paul Thornton paulthornton@beeb.net

Resistance isn't futile

11 Jan 06 14:01

Having discussions and debate about the legal aspects to CRS is far from futile, even without clarity on some of the details. Many of these issues need to be resolved one way or another for the system to work. Dr Kingsnorth activities are useful to both sides of the debate in clarifying the issues, testing the legality of proposals and identifying areas where amendments to current legislation might be necessary.

Unfortunately, the first post was correct - trying to suggest that CRS is the harbinger of an Orwellian state has a whiff of hysterics, and certainly doesn't help his argument.

Data Protection Act technicalities unaddressed

11 Jan 06 16:01

Who is the data controller (in Data Protection Act speak) for the CRS? It's a relevent point that has not been clarified.

Patient wishing to see their CRS records, including sealed envelopes, or wishing to prevent processing of part or all of their data, must apply to the data controller. Is that their GP, PCT, the acute trust(s) who have cared for them, CfH, the DH ...? Patients wanting to take legal action for damages resulting from a breach of the DPA must likewise do so against the data controller. And who will the Information Commissioner pursue in the event of a breach?

Also, the Act is clear that when a data controller outsources the processing of its data to another party there must be a written contract between them covering DP and other matters. Do the individual healthcare providers have contracts with Accenture /BT /Fujitsu etc?

re: Resistance isn't futile

11 Jan 06 18:01

There are risk-benefit calculations which we cannot make until the technical capability and scope of the (evolving) solution are known.

At various times NCRS has been promised to deliver improvement of service delivery while eliminating 'postcode' prescribing, slashed medical error rates, elimination of waiting lists and patient 'empowerment'. At the same time it has been said to be not just cost neutral but money saving overall to the NHS.

If the confidentiality 'risk' associated with these benefits is that an outpatient clinic clerk discovers Mrs Miggins has a bladder infection (which she knew anyway) then this is one we can surely take. I for one would gladly sign a disclaimer on this basis as an NHS patient.

The lack of detail of functionality due out in less than 6 months suggests at best confusion and at worst obfuscation and a desperation to implement almost anything regardless of utility so NHS CfH chalk up another 'success'.

If that is what we are 'resisting', the last argument to have is how many data protection angels fit (securely) on the head of a pin.

As for civil liberties, the Home Secretary and MI6 will be in there whatever ;-)

Possible legal challenge over privacy of electronic health records

Rod@RodSpace.co.uk

11 Jan 06 23:01

I feel important issues are raised by this paper and I have put my comments on my blog Informaticopia http://www.rodspace.co.uk/blog/blogger.html and reproduce them below.

Dr Paul Thornton has written a paper entitled "Why might National NHS Database proposals be unlawful?" in which he makes a strong case that "carry grave & imminent risks for both civil liberties and public health", and that "the legal justifications used to substantiate their proposals are untested in the courts and require independent judicial clarification".

He argues very convincingly that the NHS Care Records Guarantee doesn't provide sufficient safeguards. The acceptance of implied consent to the placing of patient records in a national database, rather than requiring individual and explicit patient opt-in to the sharing of their information is seen as contravening both the Data Protection Act and Human Rights legislation.

The plans outlined by NHS Connecting for Health for a "sealed envelope" to hold sensitive information which the patient feels needs be have restricted, are now beginning to look less secure. The fact that the sealed envelope will not be available for the very first release of the NHS Care Record Service and upload of data to the national database, as previously reported on this blog, is complicating matters!

Dr Thornton makes many good points in his paper but I think his case is weakened by the use of very emotive language in one paragraph suggesting "The abuse of medical information contributes to the transformation of democratic societies into totalitarian regimes. Privacy and consent prevent us drifting into Stalinist psychiatry and the preventive medicine of the Third Reich."

A summary and comment on the paper is available from E-Health Insider and further information on confidentiality and security issues relating to electronic health records and the wider context are available from Ross Anderson's page

I would hope that the arguments in the paper will apply to all interactions between patients and health professionals not just the GP record. I understand the paper is to be considered by the BMAÃ?ƒ‚’s General Practitioner Committee and I would like to see the issues raised discussed much more widely by all professional bodies and royal colleges for health care staff and by patient groups. I would also be interested in some sort of comment or ruling by the Information commissioner. I do not know if a judicial review is appropriate (I don't know enough about the criteria and process involved), but I do feel that wider public debate of these issues is needed, and needs to be integrated with consideration of current government ID card proposals.

Law is the servant not the master

peter.singleton@chi-group.com

12 Jan 06 11:01

Dr. Thornton is very concerned about the legality of the NCRS system and invites the comments of lawyers. They have their place, but laws are there to support the delivery of justice and social aims generally, not as the principal directors of our actions. If the NCRS is worth having (a separate debate) but cannot be delivered as fully working in all aspects immediately, then does that mean that we should not have it just because possible uncertainties in the law might mean that the legal position is not clear? The law has been known to be wrong!

It is not as though the NCRS is at any stage in fundamental breach of the law, only that there may be a risk of harm to some possible individual under certain circumstances. If the same approach were taken in other fields of life, then all cars would be banned, we would have to go around in Mr Blobby suits (warmly welcomed by Health & Safety experts!) – in fact, we really wouldn’t get much done. That is not to say that we should not consider the legal aspects, in the same way as we should consider risks when we drive a car. I would be interested to know what Dr. Thornton would like as an outcome of the judicial review.

In terms of evidence-based practice, there is lots of evidence of iatrogenic error (doctors are human) and that effective IT systems can help reduce error; however, there is little direct evidence of confidentiality risk to individuals through IT systems per se. The lawyers, of course, don’t look at the problem from this angle.

The point about the ‘data controller’ is well made – a search fails to reveal the DPA registration for NCRS, though it could be under the general DoH registration. I have put in a support call to CfH to find out. It looks as though by default you would have to contact the Caldicott Guardian at caldicott.guardian@cfh.nhs.uk

The reference to Dr. Ross Anderson is interesting, as he has long been critical of the NHS on matters of security (his speciality) and confidentiality. However, when I interviewed him some years ago, he admitted that the vast majority of confidentiality leaks are through ‘telephone blagging’ rather than system breaches. People are usually the weakest link – we could try making sure that they don’t get any information from integrated medical systems, which would help confidentiality, but it certainly doesn’t help medicine.

The mythical sealed envelope

12 Jan 06 12:01

The difficulties of implementing this are not technical but the impossibility of deciding what should be in one and defining exceptional cases for access.

Anyone working in this area over the years will have sat in weeks of fruitless discussion over these issues. All could attest there are no definitive answers to these questions.

If you have no record available and the patient does not tell you something (or lies) and bad things happen then the patient is responsible. If you have a record but the system withholds information from you who is responsible?

innappropriate treatment for infertility is delivered because a previous sexually transmitted disease episode is withheld

a fatal drug interaction results from withholding of current medication for a psychiatric condition

a potentially life saving investigation is omitted because HIV status was withheld

a serious anaesthetic complication occurs because an adverse event during a previous termination of pregnancy is withheld

Instead suppliers typically implement

1. Persistent audit trails of who accesses any and all patient identifiable data 2. Flagging 'very important person' records for pre-emptive inspection

Both of these approaches may become unmanageable from a human process standpoint. Certainly without 'legitimate relationships' and role based access maintained at National level, effective policing of these in NCRS is unlikely.

Democracy

james@laing.plus.com

13 Jan 06 13:01

Reading the news section of todays BMJ I think it is clear that those of us living in liberal democracies need to be aware that maintaining rules of doctor patient confidentiality are important and that our governments may not be fascist or Stalinist but they will be tempted abuse the data we hold if they can

Patients in control

helenwilkinsonmakey@fastmail.fm

13 Jan 06 13:01

With references to the last comment about "The Mythical Sealed Envelope" I as a patient want to be in control of my own medical history. It is not up to the DH to decide which Clinican and whom has access to it. I make my own decisions about what I divuluge and to whom noone else, this is my own personal responsibility. When I see a doctor I expect it to be between me and them and noone else without my explicit consent.

Sealed envelopes worry me greatly I am extremely concerned that if clinicans see a warning flag they will be exerting pressure undue pressure on patients so they can break the seal. For my personally if I thought any of my clinical details where going on a national government database I would be witholding clinical information making it potientially hazardous for any Clinican to treat me. Hence why my GP to the extreme step of deregistering me from the NHS and is continuing to treat me.

Helen Wilkinson-Makey

Re Democracy

13 Jan 06 15:01

Yes, the piece on the US Patriot Act is a salutary reminder that a seemingly benign government either may not be what it seems, or may not remain benign forever. To my mind it adds more weight to the argument for a defined data controller for the NHS mentioned above.

Contrary to what some observers have suggested, data held by public bodies, even if concatonated into a central database, is not the same as data held by the government. The comparison is roughly similar to that between the BBC and Pravda during the soviet era. However, proper safeguards need to be in place - which is why assigning a data controller that is not within the DH is essentail.

NCRS Data Controller

peter.singleton@chi-group.com

13 Jan 06 16:01

As far as I can determine (so do not view as definitive) the data controller for the Spine is the DoH (so SARs have to addressed to Skipton House as per DP registration); LSP systems will, of course, be controlled by local NHS organisations. Given that there have been central databases for some time (NWCS, NSTS, Exeter, etc.), some managed by ONS, others by contractors, such as IBM or McKesson, then this arrangement presumably simply continues the existing practice.

Restricting access to records

peter.singleton@chi-group.com

13 Jan 06 17:01

Dear Helen While the circumstances of your case as described in earlier editions give you clear grounds for concern, you are probably not a typical NHS patient (if any of us are). There are many who are prepared to have their data shared for teh wider good (though with caveats as to security). There may even be a few at the other end of the spectrum who would be happy to have their details freely available on the Web for all to see. We do benefit from sharing our medical records at least in part: * for clinical audit - to ensure that medical practice and practitioners are effective and provide quality care - Dr Shipman is probably a clear example of why we need good clinical audit (not only within teams but across teams too), though hopefully rooting out poor or ineffective practice would be a better rationale; * general medical knowledge and improvements in practice - much comes through clinical trials where there is clear consent, but much has also been learned from epidemiological studies using shared data from many sources - without clear consent While none of this may require the sharing of information in a way to identify you directly (though it may be hard to prevent a determined person identifying someone), it is clear that not sharing data at all leaves us in a very poor position. Would you be happy if your doctor were effectively restricted to what he learned at medical school or if little were known about a rare disease that were to affect you because no-one in the region had encountered it before? While guilty of ‘ever-egging’ a bit here, there are real risks if we were all to withhold our data. Would you trade some privacy risk to ensure quality healthcare – assuming that you are given sufficient information to help you gauge the risks and benefits? Hopefully, we can have a system whereby you have choices to help get what you want (or perhaps nearly so) while we all continue to gain the benefits of sharing data appropriately.

Best regards

Peter Singleton

Earth calling Ivory Tower

13 Jan 06 21:01

>>if clinicians see a warning flag they will be exerting pressure undue pressure on patients so they can break the seal<<

There is no need to exert pressure. Most envelopes will be transparent. Healthcare professionals routinely deal with incomplete data, missing records and patients who do not give a full account. A competent clinician triangulates a history from fragmented clues. On the ball clerical staff understand a patient's journey almost to the point of telepathy.

Every patient leaves a trail of referals, appointments, logged encounters with healthcare professionals, notes, test orders, test results, prescriptions etc. Will sealed envelopes potentially include all these areas? Anything left outside your envelope could indicate (at least) the broad nature of its content. Can all these clues be tracked down, descriminated and 'enveloped' to conceal an issue (at least without rendering the total record useless)? This may require more knowledge about both the healthcare processes and software system(s) involved than probably >any< single individual holds.

To suggest a patient and their carers could negotiate this in even the most relaxed circumstances is risible. Better still the Briefing Paper 'envisages' multiple envelopes, time sensitive data release and patient counselling as to the near-infinitely complex implications of concealment/release of each candidate datum. http://www.ardenhoe.demon.co.uk/privacy/Sealed%20Envelopes%20briefing%20paper.pdf

When something bearing the name sealed envelope limps into token existence years late, it will merely save political blushes while paradoxically courting prurience and discrimination against patients who opt for them.

Real issues

helenwilkinsonmakey@fastmail.fm

16 Jan 06 12:01

Dear Peter,

It seems that you are saying the current situation should continue where by clinical data is used without patient consent and without making it truely anonymous as QMAS does. Why is everyone so worried about obtaining a patients fully informed consent? Asking consent should not stop clinical data being available for Public Health/Epidemiology etc

With regards to Shipman the PPA had access to his prescibing data yet noone did anything. Hence it would seem even if the clinical data is available it is not being used effectively.

Yes I agree I am not a typical NHS patient. Indeed I have emails from extremely within CFH to say they agree it would cause extreme distress to have any of my data on these NHS databases. This is inline with DPA yet nothing has been put in place to ensure I can receive NHS care!! I am quite sure as the public become more aware of this it will not just apply to me.

With regards to the Earth to Ivory Tower comment. I have myself been in the situation at major London NHS Trust where a Pain Clinic I was attending for Orthopeadic problems where insistent they had access to my General Surgery records at another hospital within the Trust. I stood my ground very firmly and said NO as they were totally irrelevant but based on this experience I really do believe patients will be pressurised to reveal the contents of their sealed envelopes.

Helen Wilkinson-Makey

Real Issues (2)

peter.singleton@chi-group.com

17 Jan 06 23:01

Dear Helen

You have me on the detail of QMAS, but I suspect that the underlying data while anonymised in a simple sense is not wholly de-identified and would probably not lie outside the remit of the DPA98, so is not ‘truly anonymous’.

Asking for consent sounds easy, but, as ever, the devil is in the detail. There is supposed to be an ‘opt-out’ for NCRS even if it is not there yet (or even soon enough – but then there won’t be enough data in NCRS to really start saving lives for some time either). It provides a choice, even if not the type of choice some people would like (viz. opt-in with plenty of paper forms to be completed and stored).

What about other uses such as research studies? Currently, RECs will often require ‘express consent’ even for epidemiological studies (where no patient contact is required). How many consent forms a day would you consider qualify as ‘junk mail’? I am all there for patient choice, but let us ensure that it is reasonable, both in terms of public expenditure and of the impact on the individual (in terms of risk and conformance).

In this I may not be typical either as my view is rather jaundiced by a recent invitation to take part in a fairly straight-forward research study as a subject. This involved giving some blood (very easy), filling out a nutrition questionnaire (pretty arduous), and completing five consent forms (hugely excessive), one of which I had to post back the following day otherwise the previous four would be ignored – all at the insistence of the REC who were supposedly protecting my interests by not allowing me to just say YES and choosing to waste half-an-hour of my time form-filling to protect their interests rather than mine. (Sorry for the rant, but it is easy to get heated about civil liberties).

On your ‘Ivory Tower’ point, you are probably right that clinicians will be uneasy about having only partial data – it goes against their instincts as scientists. A useful reminder that as ever with ‘systems’ you have to recognise how people work.

However, as the previous commentator said, they are well used to working with partial data and inferring much from the little they have, but equally it is easy to ask and if the patient says NO then one has to work accordingly. I am sure that it already happens when a Christian Scientist refuses a blood transfusion – the clinician knows what should be in the patient’s best interests (medically speaking), but it is the patient’s own values which should prevail (as long as it doesn’t involve the clinician doing anything immoral or illegal). At least under the new system, you should have some choice (eventually) as to what gets shared or not, though admittedly the key agent presently is usually your GP, in whom you clearly have a lot of trust.