Speaking of trust…

I received a letter recently from (apparently) NHS England. In it, they require me to confirm my contact details to them, or face being removed from the patient list of my local GP (whose patient I have been for the last 30 years… in fact, his surgery has changed address more frequently than I have in that period).

In the letter, NHS England note that GP practices need accurate contact details in order to be able to contact me to arrange appointments and vaccinations, report test results, arrange the details of long-term care for chronic illness, or enable a hospital to write to me. Those are all true – but all those needs can be satisfied by my confirming my address details to the practice itself. There is nothing in their letter which convinces me to give my personal data to a third party – except their threat to have me de-listed if I fail to do so. “If you do not respond within four weeks from the date of this letter then we will assume that you have moved away”, they say. Which is odd, since I had a GP appointment a couple of months ago.

When I mentioned this on Twitter, the responses were interesting. Some people simply assumed that the letter was a phishing attempt, and advised me to ignore it… which is an interesting trust problem for the NHS to consider. Others suggested that there is a second purpose for NHS England to collect the data, which is to do with the way in which they fund GP practices. If that were the case, you might expect it to appear among their stated purposes for collecting the personal data, in the letter on the basis of which you are expected to confirm your details. It does not – though if you visit the NHS England Shared Business Services website and go to their FAQ, you will find it mentioned. Again, if you go to their website, you will find some explanation of the role of Shared Business Services in relation to GP surgeries… but “Shared Business Services” appears nowhere on the letter, which mentions only “NHS England”. To all appearances, this is a third party organisation asking for my personal data.

Taking a hard-hearted financial view, you might say that it’s in their financial interest (and therefore, indirectly, in mine) to ensure that they aren’t paying GPs for patients who don’t exist. But there are some flaws in that argument:

  • I’ve seen my GP within the last 3 months. It’s therefore unlikely that I have moved out of the area. There must be other patients whose records indicate that they are more likely to have gone away; if NHS England are going to incur the cost of writing to anyone, shouldn’t they prioritise apparently “dormant” patients over recent, “active” ones?
  • In the short term, NHS England might indeed save some money by finding a pretext (i.e. my non-response) to remove me from the paid-for headcount at my GP’s surgery. However, since I am a genuine, current patient, if I were de-listed I would have to apply to be re-listed, which would incur extra, unnecessary administrative cost.

But, economics aside, isn’t there a law against collecting data for one purpose, and using it for something else? I rather thought that was what the Data Protection Act was for… but then again, the NHS’ recent history with regard to data protection is tarnished, to say the least. For instance, the HSCIC recently admitted that it simply ignored patients’ requests to opt out from the care.data scheme, which they had designed as “opted-in by default” in the first place. What’s more, it emerges that care.data cannot distinguish between patients wishing to opt out of having their data shared with third parties, and patients not wishing to opt out of services such as referrals or e-prescribing.

So let’s recap the various failure modes illustrated by these two instances:

  • Designing a system as “opted-in by default”, despite the fact that it involves data-sharing with commercial and public-sector third parties, and that it processes sensitive personal information;
  • Failing to act on opt-out requests;
  • Offering different types of opt-out (good), but then failing to process them accurately (bad);
  • Dubious prioritisation of administrative effort;
  • Lack of transparency about purpose of collection;
  • Threat of de-listing for non-compliance.

Just take a look at those, and ask if they would be acceptable in clinical/surgical practice, as opposed to health service administration.

It seems to me that we have failures, here, of design, technical implementation, governance, transparency and consent – and all of those erode patients’ trust. Public sector bodies, worldwide, are desperate to reap the benefits of digital infrastructure, and rightly so: it’s in our interest as citizens that our public sector services should be efficient, cost-effective and technically up to date. But data controllers must show that they are safe and worthy custodians of citizens’ personal data, and that requires a far more mature approach to transparency, informed consent, and genuine opt-out. Stampeding headlong in pursuit of the potential financial benefits of innovation, while ignoring the concomitant responsibilities, is irresponsible and immature.

The NHS is in its 60s; if we are to trust it to exploit technology effectively, in our interest and on our behalf, it needs to grow up.