NHS litany of failure on records goes on despite claims of ‘due diligence’
WHEN it comes to medical records and data security, the NHS has a chequered history.
Labour’s plans for a national IT system, to enable sending and sharing of patient data, were scrapped in 2011, after estimated costs reached £12billon.
Under the coalition government, plans were drawn up for a national database – called Care.data – which would see information extracted from GP files in order to aid medical research.
But the scheme was put on hold in 2014 and scrapped two years later amid public concern that people had not been properly informed about how to opt out, along with fears the database could be vulnerable to hackers.
It followed a series of scandals over access to medical records – including the sale of NHS data covering 47 million patients to the insurance industry, revealed by The Daily Telegraph.
The debacle saw the resignation of Tim Kelsey, head of Care.data, already under fire for claiming more than £46,000 a year on hotels and travel.
Public confidence was further shaken last year when the NHS fell victim to the biggest cyber attack in history, with “ransomware” crippling 40 hospital trusts.
But health officials are determined to press on with wider access to medical data – insisting that it is vital to improve medical research and make services more responsive to patients.
A new consent model has been drawn up, with every patient promised a “single and simple” way to opt out if they do not want personally identifiable data shared for anything beyond their own care and treatment.
Ministers hope that they will avoid the previous backlash if the public is given clearer information about the plans, due to be launched in March.
But many questions remain unanswered, including whether a data release
such as that disclosed today will be allowed under the new system. Until now, the debate has focused on NHS rules on consent. But, although the National Cancer Registration Service takes NHS data out of hospitals for every cancer patient in the country, it is run by Public Health England (PHE). As an agency of the Department of Health, it is not covered by NHS rules.
While the release of all health data is covered by 2006 legislation, which states it should only be released “for medical purposes”, patients get no say.
That means that when data was extracted from the medical records of almost 180,000 lung cancer patients, no patients or relatives were asked for consent.
Patients can ask to have their full cancer registry record deleted – but officials admit this could potentially harm their own care. PHE insists “due
diligence” was carried out when they were asked to release data on every patient diagnosed with lung cancer in England between 2009 and 2013.
It has stressed that care was taken to ensure that no “identifying” patient information was handed over.
The request from William E. Wecker Associates Inc, a statistical and applied mathematical consulting firm, was authorised, and anonymised information from almost 180,000 patients duly handed over.
Last night, PHE officials said that until they were contacted by this newspaper, they were unaware of any link between William E. Wecker and Philip Morris International, despite their long and public collaboration.
But questions will now be asked about what that “due diligence” process involves. It appears to exclude basic internet searches.