Patient choices around information-sharing & access in the NHS: a proposal
Opinion: the way the NHS currently manages patient choices is broken. With the best will in the world, decisions have been made and offers have been made to the public in the past, but which have resulted in a situation now where there is little consistency across the system, where patients have little real control, and we are at risk of losing what good-will and trust exists. But we are now in a position to fix that.
Note: my role is Senior Technical Architect at NHS Digital; I have no formal role in that organisation’s IG or Security functions. I do have a background in IG and Security in healthcare. This note is a personal view.
Scope: I use “patient choices” to refer to the choices patients may wish to make regarding the sharing of, and access to, information about them that has been recorded as part of the provision of care provided by the NHS. Patients have other choices, too: for example whether they wish to receive text messages from their General Practice, and other contact preferences; information around necessary reasonable adjustments. My view is that the area of most concern and which needs addressing urgently concerns the choices around information sharing and access. For the moment, I am also not including any discussion of issues relating to information sharing outside the NHS. All these areas do need addressing, and I expect that the principles outlined in the rest of this note would hopefully apply — resulting in a consistent environment.
The immediate problem:
· We are not, as a National Health Service, transparent in the choices we provide to patients; indeed it is nearly impossible to be transparent, given the number of different, and inconsistent, ways that information can be shared and accessed across the system, for different purposes
· Different choices are offered to patients, often depending on systems rather than information. Specific national systems offer their own choices, whilst choices vary at a more local level sometimes depending on the specific clinical system in use at your General Practice, or any applicable regional sharing arrangements
· We offer different routes for setting different choices: local patient portals, national patient portals, visiting your GP, approaching individual care provider organisations
· It is often necessary for a patient to express more than one choice to control a single flow of data (such as access to your GP record)
· It is impossible for a patient to know, at any one time, where their information may be shared
· The confusion of sometimes having an opt-in, sometimes an opt-out
· The distinction between direct care and secondary uses, and the different choices provided, which make it difficult if not impossible to explain the situation to the public
· The specific effect of expressing a choice are often not clear (eg the impact of the National Data Opt-out)
· All of this means that, potentially, we may be open to challenge under the DPA2018 (which incorporates GDPR into UK law) and may not be in a good place to gain and maintain the trust of the public as we seek to deliver the Long Term Plan, to increase the provision of clinical information across the service, as patients interact with components of that service, and as we seek to increase the degree of patient control
This existing position is a result of individual decisions (both policy and technology decisions) being made over time — all logical and defensible in themselves, but which have inevitably resulted in the current, somewhat confused, position.
The structure of the NHS has also contributed to the situation. Whilst patients may see the NHS as a unified body, it consists of a collaboration between thousands of individual legal organisations. The need for each of these individual legal organisations to take IG responsibility, albeit within a common framework, means that it is very difficult to achieve consistency and consensus. The legal implication is that, for example, organisations are forced into individual point-to-point data-sharing agreements, which need continual management and maintenance.
The structure of legal bodies that make up the NHS changes over time, as NHS Trusts merge, as GP practices change ownership, merge, become part of regional or national chains, or even become part of the local Trust. There is no reason why patients should (or could) be expected to keep on top of such changes, or expect that changes of this kind may change the choices patients have, or the rules under which information flows. Many (most?) patients see the NHS as their local GP practice, their local hospitals, the ambulance service, etc: long-lived structures representing how they interact with the service, independent of the organisational umbrellas under which these services (happen to) sit.
Why now? We are in danger of exacerbating the situation; for example the emerging LHCRs are working up their own, regional, models for patient choice (often building on existing regional data-sharing systems, arrangements and choices). Public concern over data protection and privacy is only rising, in the aftermath of Snowden, Cambridge Analytica, and the more recent privacy concerns over smart voice assistants. The treatment of sensitive clinical data has always had its own complexities and concerns, as illustrated in the response to the care.data proposal. If we are ever to improve the way we access and use GP data for secondary uses, we should be wary of repeating earlier paths.
But we also now have an opportunity to address the issue from a national perspective, given that:
· NHSX has emerged to provide central vision and guidance
· The National Data Guardian (NDG) now operates on a statutory basis
· The system appears open to suggestions around legislative change (if required) in order to address the objectives of the Long Term Plan
The ambition: to deliver “The NHS Patient Choices Model”: a single, national, consistent, coherent, understandable, effective, proportionate, legal and implementable environment for patients to express their choices around how their information is shared and accessed in the NHS. This will be a step-change from the current legacy environment around patient choices, and whilst ensuring consistency across organisations, would relieve those organisations from having to maintain their own policies and procedures, and data-sharing agreements. They would be able instead to rely on a national approach.
The implication is a single national environment; how does this match to a world where we often emphasise local or regional delivery? There is always a balance to be struck between what is done nationally (whether centrally, or locally to defined national standards) and what is subject to local or regional variation. My view is that the model for patient choices merits a national approach, as the only way of achieving transparency as a national health service. This is aligned to the approach as described by Matthew Gould, NHSX CEO: “there will always be some functions that are appropriate for the NHS to do itself and that citizens will expect of us — for example, it’s probably right that things like their data preferences should be set through the NHS’s own app, rather than an alternative”
How? There are four fundamental steps towards achieving such a model:
1. Deciding whether this needs addressing
2. Agreeing what “good” looks like
3. Designing and agreeing a model that aligns to the agreed definition of good
4. Implementing the model
Each of these steps are outlined in the following sections. The immediate intention of this note is to encourage an acknowledgement that this does need addressing — the first step — but also outlines the second, third and fourth steps in order to show that there is a feasible path to follow, and that we are not just expressing a wish for a better place but with little idea of how to get there.
Step 1 — does this need addressing?
The premise behind this note is that this is an issue that does need addressing: to support the ambitions of the Long Term Plan, the (correct) intention is that more information about the patient will be available at the point-of-care, and that we will make more and better use of (de-identified) data to support research and planning. But all that needs to be done in a way that is compliant to DPA2018 (that incorporates GDPR into UK law), the Common Law Duty of Confidentiality (CLDoC) and in a way that maintains the appropriate level of trust with the public. We cannot assume that purely aligning with DPA2018 & CLDoC will be enough: it is necessary, but (quite likely) not sufficient.
As described in the introduction to this note, we currently operate under a hugely complex and inconsistent environment that does not provide a defensible or understandable set of choices to the public. As a patient, I can:
· Ask for my location information stored on PDS to be restricted (the S-flag)
· Approach any organisation and request restriction of processing, or other GDPR rights, under DPA2018
· Choose to opt-out of having a Summary Care Record (SCR), at my GP practice
· Choose to opt-in to including additional information in my SCR (if I have one), at my GP practice
· At my GP practice, choose to request that no identifiable data leaves the practice other than for individual care (the “Type 1”)
· At my GP practice, express specific choices around sharing from the practice to other care settings (such as A&E) through supplier-specific models such as MIG or EDSM (specific to the system currently in use at the practice, and influenced by the current state of individual point-to-point data-sharing agreements
· Set a national “consent-to-share” flag that may or may not be synchronised with system-specific data-sharing choices (at my GP practice)
· At my practice, choose whether to take part in studies or be included in condition-specific registers
· Not be terribly clear whether there is any choice as to how information may be shared between organisations using the National Events Management Service (NEMS)
· Express a National Data Opt-out preference over the use of confidential patient information for research and planning (through a national portal or the NHS App)
· Not have any choice as to how confidential patient information flows to support research, planning and commissioning when it is mandated (such as flows, covered by a Data Provision Notice, from provider organisations to NHS Digital)
· Not have any choice as to how anonymised patient information is used to support research and planning, or commissioning
· Depending on where I am in the country, I may be within the scope of regional data-sharing arrangements, which offer their own various choices
This is certainly not exhaustive. Of the various choices I can choose to make at my GP practice, correct operation relies on the practice staff understanding and correctly applying the various options available through their clinical systems. There are very many choices available if a clinician searches for terms around “consent” in their clinical system. Into this mix, LHCRs are emerging and working to an IG framework; it is as yet unclear whether the result will be multiple LHCR models at a local level, whilst working to a common model for patient choices around interoperability between LHCRs.
In all of this there is no single easy way for any patient to say “I don’t want anything from my medication list shared outside this GP practice”. They would have to explicitly dissent from an SCR, opt-out from any local data-sharing initiatives (eg MIG, LHCR) and somehow hope that medication lists were never the subject of any national pub/sub mechanism involving the practice. In making such requests of the practice, the practice would have a complex set of interactions with their systems to get right. Furthermore, such choices would almost certainly not survive the patient moving practice, or the practice changing its clinical system.
At the moment, it is not only patients that have choices around sharing information to support individual care; organisations have choices too, and those choices interact with patients’ choices. Every organisation, as a legal body, requires the existence of multiple data-sharing agreements with other organisations. This is hard to manage, so we make the best of the situation by creating common template agreements, or use multi-party agreements, or introduce new systems to make it easier to create or manage such agreements. But these approaches do not solve the underlying problem: that the model of point-to-point agreements does not reflect public expectations, or make it possible for anyone to keep track of where their information may be being shared (either because those sharing agreements might not exist, or they might expire or be closed, or by the fact that technical sharing solutions may not be tightly integrated with data-sharing management services).
The creation of data-sharing agreement management services is a natural short-term response to the need for multiple point-to-point data-sharing agreements, but it does not address the underlying issue, which is that a model that, for instance, describes data-sharing between organisation types is both more aligned to public expectations and removes the need for individual DSAs. For example, it is a much easier explanation to say:
“all A&E departments have the right to access critical elements from your GP record if you attend for treatment”
… compared to the current position which is:
“some specific A&E departments will have access to critical elements from your GP record if you attend for treatment. Those departments are those with which specific agreements are currently in force, and which may change at any time”
Is there an alternative? Surely we can extend or fix what we have got, rather than introduce significant change that will undoubtedly by disruptive and costly? That is the position that has resulted in the current situation: a new service emerges, and it defines its own set of choices. The emerging LHCRs appear to be (entirely naturally) following this path. Having said this, there is undoubtedly a risk involved in defining and implementing a radically new model.
Didn’t the National Data Opt-out fix this problem? Unfortunately not. The National Data Opt-out provides a great example of a consistent, national choice for patients, well-described and with the understanding that it will be, ultimately, consistently respected across the system. The limitation is its scope: it only applies in very specific circumstances around the use of confidential patient information for research and planning — representing a very small (and declining) proportion of data usage for research and planning, and does not apply at all for individual care. Its restricted scope made it relatively easy to implement (at least for capturing and storing patients’ choices) — harder to ensure that those choices are respected across the system. It may well provide an exemplar for the ambition expressed in this note: for example, patient choices are stored and accessed centrally, and it provides a national portal for patients to express their choice.
Is this too hard? We are describing something that is very hard, undoubtedly, but the hypothesis is that it is not impossible (subsequent sections outline how it might work). It will surely require a significant investment and process to enact change, none of which is obviously or immediately palatable or appealing. But the alternative is arguably worse — we would potentially be operating unlawfully, and we are likely to struggle to bring the public with us as we introduce greater access to, and use of, information across the system. Whether the costs outweigh the benefits is of course a matter of debate and judgement.
Most people don’t care. It is undoubtedly true that the majority will not express any specific choice when offered to them (albeit the growing general awareness of issues around privacy in the wider community will naturally increase the proportion of those that may wish to take a closer view). But the better the choices we offer to the public, the more trust the public has, and the less such choices may end up being exercised. But we should not explicitly be attempting to minimise the proportion of the population who choose to restrict data-sharing (for example) — if that is what people wish to do, in full knowledge of the implications, then that is precisely what we should be supporting them to do by providing an accessible system.
Who decides? I believe an effective initiator to progress work in this area could and should be a joint commitment from:
· NHSX (as commissioner and budget-holder)
· NHS Digital (delivery)
· The NDG (product ownership & governance).
Steps to define and implement any model would of course require the inclusion of patient groups, privacy advocates, clinical professions and the ICO, amongst other groups.
Step 2 — what does “good” look like?
This section provides an example of how we might define a set of acceptance criteria for any resulting model: it provides a definable set of characteristics against which we may compare new candidate models, and/or compare to the current environment.
There are a number of dimensions to which any patient choices model must be able to demonstrate a satisfactory approach:
1. Effective: it must satisfy the fundamental requirements of enabling the rights of patients
2. Holistic: it should cover all aspects of data sharing, access and use, across all environments, implying a single choices model. Without this, it becomes impossible to explain.
3. Proportionate: it should recognise that there are boundaries within which patients have choices, that those choices are not infinite. There may well be limits to the choices offered (over the legal minimum) in order to be able to scope an implementable and usable service and to support the effective functioning of the health and care system (for example we do not offer choices to patients around the use of anonymised information)
4. Consensual: it must be agreed by public and professionals, and therefore it must be understandable, explainable, supporting “no nasty surprises”
5. Persistent: it must be designed to be long-lived, to be able to cope with change over time. As change will affect the systems in use across the NHS, it must be agnostic to those changes
6. Implementable: migration from current and earlier choice models must be achievable, and achieved
7. Accessible: it must provide suitable facilities for patients to express and maintain their choices for themselves and for those to whom they are responsible
8. Legal: supports and complements the law. New or revised regulation may be required to support the objectives of the model, and we should not assume that this is impossible, given the recent request to the system for suggested legislative change to support the Long Term Plan.
The current mixed environment fails on pretty much all of these dimensions. Note that there are tensions between some of these dimensions; a balance will be required, but resulting in a justifiable and agreed position against every dimension.
Step 3 — a model that aligns to “good”
Is there any conceivable model that would be able to achieve a degree of consensus and achieve a workable balance between the dimensions described in the previous section? Clearly any such model would need to respect a significant amount of public and professional consultation and design, but it is possible even at this early stage to set out some likely indicators, to illustrate that there is a fighting chance of designing such a model:
· Preferences would be stored once, centrally (either logically or
· Preferences would be set by patients (or their representatives) using a nationally-provided portal and via the NHS App
(So far, these are the principles along which the National Data Opt-out has been delivered)
· There would be one, so it is consistent, we can explain it and we can control any interdependencies
· Choices would be based on information, not specific systems (ie choices about how information is shared, not whether we choose to engage or disengage with a specific system)
· Take a national approach, rather than an organisational or regional approach. Set out national expectations to which all NHS organisations align, rather than expecting every single organisation to pick and choose those other organisations to which it wishes to create/maintain a data-sharing agreement. This is a significant step, and many regional approaches take the view that this is a matter agreed locally. Given, however, there is evidence that complete local agreement can be achieved within an individual region, this may be the time to extend, and achieve a single national arrangement. The alternative is the continued existence of a number of different regional models — reasonable within the region, but causing boundary issues and complexities for people moving across the country, or where care is delivered across regions, and keeping the degree of complexity in place that makes the overall model difficult (if not impossible) to explain to the public
· Opt-in vs opt-out. There has been much discussion in this area in the past — there are pros and cons on both sides. A compromise might be:
o If you have previously expressed any information-sharing choices (to restrict or control sharing over the default), then (i) those choices would be respected and (ii) you would need to opt-in to any further sharing
o If you had not previously expressed any information-sharing choices, then you would need to opt-out of the default sharing arrangements
… backed up of course with comprehensive communications to achieve transparency.
A wireframe presentation of how this may appear:
A patient choosing to make specific choices may then be presented with choices affecting a specific use case:
Going deeper, choices would be based on information, not specific systems:
This could be augmented with facilities to ensure that patients not only have the ability to set preferences, but they are informed when changes are proposed or made, and they have access to details about how information is used, eg through their account on the NHS App:
There are clearly a number of critical decisions to be taken: what choices we offer (over the legal minimum) and how we describe the contexts of use (within which certain choices have effect). For example, we currently typically split the world into two: direct (individual) care & secondary uses. This may, or may not, be as granular as we need it to be to support the choices that emerge.
Of course, the model that emerges may be a million miles from this straw-man description.
Step 4 — how would we implement the model?
Having decided there is a problem to address, that we understand and agree what “good” looks like, and that we have agreed a model that aligns to “good” with the public and professions, what might an implementation path require? The intention here is to understand whether this may ultimately be possible, rather than attempt to set out actual timescales or plans. It would certainly be a long-term plan, and we would need to recognise that for a significant period the new model, plus many existing arrangements, would co-exist as part of a migration arrangement.
· Legislative changes may be required — certainly we would need ICO involvement and approval even if it was determined that legislative changes were not required
· Public communications (whether active or passive)
· Explicit onboarding of NHS organisations (potentially driven through contract)
· Migration from existing arrangements: a prioritised, but not sequential, series of exercises to understand the existing point arrangements and work on migrating each to the new environment. Some will be harder than others: the National Data Opt-out would flow reasonably easily, as its overall architecture is likely to align, whereas achieving the aim of allowing patients to express whether their GP record was available would require the culmination of multiple streams (covering SCR as well as local sharing arrangements)
