Scottish Parliament's Health and Sport Committee called for views on NHS Scotland's Digital Strategy. Open Rights Group and medConfidential together raised concerns about the past, the present, and the fast approaching future.
Patients should know how their medical records have been used. In order to make properly-informed consent choices, each patient must have the evidence base on which to make that decision. Information provided cannot only cover what might change in the future, but must provide the facts about what has already happened with their medical records.
The responsibility to keep patients informed about what personal data is, and what that means for their rights, is not just down to the Information Commissioner's Office. The NHS has a very important role to play here. When it comes to discussions about future uses of technology, whether that be recommending wearables to track fitness levels, or including patients' records in large data-mining projects, the role of the private sector must be very carefully handled. The NHS is not just a partner in these grand schemes with the private sector, but a custodian of their patient's trust and a guardian of their rights.
Every data flow in and around the NHS in Scotland should be consensual, safe, and transparent. Below, we examine each of these parts in turn, outlining generic principles that should underlie all projects, and then comment on specific existing projects. Consent and transparency are partners; stronger transparency begets stronger consent choices, which begets strong transparency, and so forth. The Scottish Government is in an almost-unique position to benefit from a positive feedback cycle of accountability to citizens.
Citizens in Scotland already have choices as to how their data is used. They should be aware of those choices, and – as they arise – any other choices which affect them.
There are a number of controversial attempts to copy data on many people in order to help a few. This approach is unnecessary, and will ultimately prove unhelpful – and, as in the case of care.data in England, catastrophic for public confidence.
Within the Scottish Government and collaborating organisations, if a citizen consents to data being shared for a purpose, then it should be shared for that purpose – and be seen to be shared safely for that purpose.
The Scottish Farr Institute has the infrastructure to handle data (minimally) safely for research purposes. The formulation of “safe settings” for research is standard and should be the only mechanism by which data is analysed for purposes beyond its primary use.
For non-research uses – which include administrative purposes – the safest way to handle data is to handle only the minimum data necessary. Where a citizen consents to their data being shared for such purposes, that citizen’s data alone should be accessed, and the records of who accessed what information and why should be transparent.
Currently, the only time the public gets to hear about data handling is when it has been done unsafely; this has consequences. As with many safety measures, safe data handling is most noticeable in its absence or failure. If the perpetually caustic ‘drip-drip’ effect of mishandling of data is to change, there must be transparency over all data flows.
There is generally a low public awareness of how citizen data is used. An institution may in this context argue that a new proposal is only a trivial change to existing processes. Even when this is true, however, if members of the public perceive such changes as significantly diverging from what they expect to happen, the cumulative public response can be dramatic.
The problems with the Scottish “Named Person” scheme are numerous – a topic we cover in more detail below – because, fundamentally, the scheme is grounded in the idea of the Scottish Government doing things to Scottish citizens, not with them as core stakeholders. No matter how well-intentioned it may have been, the scope of the Named Person proposals was vast, and the safeguards minimal.
If the conversation had instead been grounded in the idea that the Scottish citizen should be able to see what the Government was doing on their behalf, and that each citizen should be in control of those actions and data sharing (and where those actions were of necessity mandated in legislation – explaining why), the outcome would have been very different.
The Named Person scheme has been chaotic from start to finish, but it didn’t have to be. Properly designed to be grounded in consent and a trusted, accountable, and trustworthy relationship between citizen and state, a scheme that genuinely supported the most vulnerable could have gone forwards.
Privacy by design: a person-centred approach
The vision statements fail to position the individual at the centre of the NHS.
The vision “I have access to the digital information, tools and services I need to help maintain and improve my health and wellbeing” is the only patient empowering statement in the vision. However, it only intends to provide information, tools and services. A truly person-centred approach would be to empower patients to control their own information.
To achieve this requires showing a commitment to work on privacy by design principles. Placing the patient at the centre, and building systems where the patient is able to understand they are at the centre and control their data This includes knowing who has access to their data and being in a position to decide who can access that data.
Placing the individual at the centre of this process can improve patient experience. That patients can open their health records, see who has accessed them, and make decisions about which services or individuals can access that data in the future will improve transparency and consent from the patient’s side.
Ultimately this would allow the individual to remove their data from being processed or being held by certain providers, whether that is specific GPs or initiatives, or services. Data portability would improve privacy and health outcomes by rewarding those who act responsibly with patient’s data and punishing those who fail to respect the privacy of their patients. Those responsible providers are more likely to see more access to data, while the actors who fail to respect patient’s data will find their access to data removed.
At this stage, however, the NHS Scotland vision simply does not reflect this principle. It does not go far enough to articulate and position the individual at the centre. In the following discussions of two NHS Scotland-specific programmes we illustrate how NHS Scotland has failed to place the individual at the centre and has paid a price as a result.
NHS Scotland-specific programmes
The SPIRE system itself is not incompatible with consensual, safe, and transparent data handling. In its current form, it meets baseline criteria of safety, and most aspects of ongoing transparency. It was a first attempt, but will need iteration as rollout resumes.
Unfortunately, SPIRE’s original public communications failed to meet the necessary initial transparency (i.e., many Scottish citizens were unaware of the launch, including concerned patients who had been watching out for it for years) and the programme as a whole therefore fell far short of being able to deliver meaningful consent. As care.data proved in England, while an opt-out is essential, there is no point in providing one that fails to meet expectations – or of which many patients remain unaware until after their data has begun to be processed.
While SPIRE as a single programme could not have done it, NHS Scotland should have seen this as a strategic opportunity to communicate to every Scottish patient how their data is used – allowing them to understand what their choices are, based on factual information about the NHS in Scotland today and tomorrow.
Having discussed this and the most immediate issues with the delivery team, we anticipate the publication of a broader strategic communications plan by NSS Scotland– in consultation with all relevant stakeholders – in due course.
Named Person Progamme
The Named Person scheme, and importantly the public reaction to that debate, should be seen as a challenge to the vision that patients expect their health and social care information to be captured electronically, integrated and shared securely. A more accurate articulation would be that 'patients expect their health and social care information to be captured securely, and shared, following explicit, freely given, informed consent with those that need to see it'.
The information sharing provisions in the Act departed from the two pillars of a good public health initiative that this submission has already laid out: consent, and transparency. As the Supreme Court concluded at para.85 the information sharing provisions of the Young People (Scotland) Act 2014 were not in accordance with the law.
The reasons for this include the lack of safeguards which would enable the proportionality of an interference with the right to privacy to be adequately examined (para.84). The test for information sharing was merely that that the provision of the information is necessary or expedient for the purposes of the exercise of the named person functions. More importantly for those pillars of transparency and consent, there was no statutory requirement to inform the parents of a child about the sharing of information. This left it possible for the state of health of a child to be disclosed to a wide range of public authorities without either the child or young person or their parents being aware of the interference with their right to privacy.
The court went so far as to directly refer to the solution in addressing the circumstances in which the child, young person or parent should be informed of the sharing of information or consent to be obtained for the sharing of information, including confidential information (para.107).
Information sharing is a delicate process, more so when the topic is health information (sensitive personal data) and the subject of the information is a child or young person. The implementation of the Digital Health and Social Care Strategy 2017 - 2022 should take great care in maintaining an emphasis on patient-centred, user controlled programmes for implementation. In practical terms, this means the patient remains in control of their data, who can see it, and who can use it. And that any change in institution or providers that have access to that information only come about through the freely given informed consent of the individual.
Scotland can lead, if it chooses to
Data programmes going wrong is a common occurrence. Large-scale data programmes going well is possible, but needs leadership and engagement with the populace. Scotland can choose to lead the UK, and demonstrate how digital tools can be used to assist and support citizens in their lives; or it can do the same thing over and over again and expect a different result.
It is time for the people of Scotland to take control of their identity online, and the evidence that underpins it and their entitlements. This will deliver a digital ecosystem for the future of the Scottish economy, third sector and public services.
As the Cabinet Secretary for Finance and Constitution, Derek Mackay said in March 2017 in discussing data sharing from the NHS Central Registry “Ministers…intend to work with stakeholders, privacy interests and members of the public to develop a robust, secure and trustworthy system by which an individual member of the public can demonstrate their identity." We hope this same rhetoric will be explored by the Health and Sport Committee, firstly in recognising that this is about the citizen being in control, and secondly in working with diverse stakeholders on these issues.