Information self-determination and the NHS Spine

By Judith Eydmann

In an age where technology is increasing the scope for information sharing, there exists suspicion of anything which expands State ownership of personal data. In addition, highly publicized breaches of security such as the loss in 2007 of computer discs containing the personal details of all child benefit recipients, has undermined public confidence in the State’s ability to protect personal data. Medical records are among the most sensitive class of data and recently have been the subject of much debate.

Since its inception, the NHS has held patient records at the institution which provided the treatment, but the new IT project is in the process of changing this.  The major change is the NHS Spine, an electronic system comprising three elements, PDS, SCR and SUS. The Personal Demographics Service (PDS) stores basic demographics; the Summary Care Record (SCR) is a summary of clinical data. The Secondary Uses Service (SUS) uses data anonymously for reports, research and public health delivery. The PDS cannot be opted out from. The SCR can be opted out from but if a patient doesn’t opt out, they cannot opt-out of the SUS nor have their record deleted at a later date. The Spine has been partially rolled out without all the envisaged functionality such as the ability to hide certain data.

Concerns, particularly over the SCR have been raised by bodies such as the British Medical Association and individual commentators. However, the position advocated here is that whilst concerns are legitimate in their own right, the Spine does not significantly increase risks nor worsen data protection flaws. Rather, the concerns have engendered a debate that has given rise to safeguards and protocols which reflect an improved attitude to data management and it is the failings in the existing system requiring urgent redress.

Criticisms of the Spine can be broadly divided into four categories; security concerns; concern over abuse or misuse of data, lack of proper consultation and questions over the ownership of information. It can be demonstrated that these are not novel problems arising from the nature of the Spine but already exist in varying degrees under the old non-centralized system.

Security Concerns

Since 2007, the Information Commissioner has taken action against 14 NHS trusts for 287 data protection breaches primarily due to lost or stolen hardware and data.  Examples included a GP who loaded his patient database to a laptop which was subsequently stolen and a hospital trust which left computers with unencrypted data on a skip. Despite medical records being some of the most sensitive data held by governmental bodies, security breaches are nominally higher than in any other sector, public or private [1]. These breaches were due to negligence and the Spine is not necessary to avoid these, but neither does it significantly increase the risk though this is difficult to measure.
 
Abuse or Misuse of Data

Concerns over inappropriate access are legitimate as the case of Dr. Andrew Jamieson highlighted.  In January 2010 Dr Jamieson was disciplined for accessing the ‘Emergency Care Records” (Scottish equivalent of the SCR) of several high profile people including senior politicians. This highlights the risk associated with a national database which enables a single user to access the information of an entire population. However, although under the old system no single person would likely to have access to so many well-known people, each record is individually vulnerable to unauthorized viewing potentially by support staff such as records-clerks as well as medics. Under the new system, non-medical staff would not have clearance, reducing the number of people able to view the information. Also, under the old system, unauthorized access is far less likely to be detected as many older electronic databases do not create an audit trail and viewing of a paper record is undetectable.

Consultation

Another criticism is that Summary Care Records were created with inadequate consultation.  A letter was sent to every patient informing them that an SCR would be created for them unless they explicitly opted-out. This passive opt-in was controversial since addresses may not be up to date, letters go missing in the post and some patients will not have English as a first language.

Before the 2010 general election, there was a concerted attempt to accelerate the project. This led to the British Medical Association successfully arguing that insufficient consultation had taken place and “GPs and local medical committees should note that uploads to the SCR should only take place where there has been agreement between primary care trusts and practices that patients have been adequately informed, and that practices have also been fully supported.” [2]. Roll-outs were cancelled by some trusts but others pushed on regardless.

However, lack of consultation is not new. Currently patients are routinely entered onto local databases such as booking or prescription systems without even passive consent.

Ownership of Medical Records

Ownership and distribution of records has come under closer scrutiny with advancing technology.  One journalist goes as far to suggest that medical records should be handed back to patients after each appointment [3]. yet this is not practical. Most people who claim that philosophically, records belong to the patient are unlikely to suggest that they remain physically in the patient’s possession. The records can ‘belong’ to the patient yet remain under the care of the health provider; the notional ownership can simply mean that patients have final veto on who can access the information and how it is used.

The question is whether information about a person belongs to themselves or the one who created it. If a patient pays for care through insurance or by belonging to a society which collectively insures all citizens, it could be argued that the healthcare agencies are employed on behalf of the citizens they serve. If a person pays any other professional for a service such as an architect to design a house; those designs are the intellectual property of the employer though they may give the employee permission to use them for certain purposes. To transpose this logic onto healthcare would affirm the belief of consultant Prof. Pringle that “the information in the record is owned by the patient, but others borrow it for legitimate purposes of patient care." [4].

This view is not reflected in current UK law. The Earl of Northesk asked the House of Lords “Whether individual patients have any legal rights of ownership to the medical records held about them by the NHS. The Parliamentary Under-Secretary of State for Health (Warner) replied that “Patients do not have any legal rights of ownership to the medical records held by the National Health Service but they do have certain rights of access to those records”.   [HL5004]

At the heart of the issue is the tension between individual freedoms and collective goods. Libertarians focus on autonomy whereas communitarians emphasize communal benefit to shared data such as cost reduction, improved public health, better quality of care and medical research. The supporting arguments for the NHS Spine and state-owned information clearly come down on the side of communitarianism. This is contrary to much of the Western world where the libertarian view is dominant and has led to the enactment of strong privacy laws which often stem from a respect for informational self-determination, a far-reaching concept formulated by the German Constitutional Court that asserts the right of an individual “to determine in principle the disclosure and use of his/her personal data”. [5]

Informational self-determination is an extension of the principle of respect for autonomy which permeates many areas of medical ethics. Many ethicists agree that this principle is good and the question is often whether the principle is absolute or should other principles sometimes take precedence. Therefore a pragmatic approach for determining best action vis-à-vis medical records is to determine whether the communitarian benefits can be achieved without violating autonomy.

The first communitarian principle concerns the standard of care, a leading argument used in the NHS information which states that the SCR enables “better, safer care”.  If accident or illness renders someone unable to communicate; without a summary care record, a medic may not be aware of any existing medications, allergies or their blood group. It is a powerful image of an unconscious patient about to be harmed by an allergen, a drug that reacts adversely or the wrong blood group.  Yet this risk has been overstated. There is no reason to suppose that previous methods of negating these problems such as using medical bracelets, seeking information from relatives or using O RhD negative ‘universal donor’ blood, cannot continue. If there are further benefits a patient can, after considering the size of the risk, make an informed free choice since the only person who could be harmed by the decision is herself.

The benefit of cost reduction is topical since many governments are looking to reduce spending. If data sharing in this manner did save money, would it justify over-ruling a patients desire for their records not to be shared? It is difficult to see there ever being a convincing financial case for privacy being violated. Most people would agree that a moral boundary should not be crossed to save money.

The issue of the communal good of research is also valid but data could be released anonymously. The Secondary Uses Service (SUS) element of the Spine already enables anonymous data sharing and a majority would likely opt-in due to the anonymity. A system could be devised where an identifiable Summary Care Record is not a prerequisite to participating in the SUS.

In fact, all the benefits of collective ownership of information under the auspices of the State can be achieved even if the information was owned by the patient.  It is therefore likely that the legal status quo of state-owned records is not readily justifiable. Ideally, the law should be altered to assign ownership of information to the patient.

Yet the more pressing point is this; if the Spine is rolled out with all the proposed functionality and there are no misuses or security breaches, then this actually respects autonomy to a greater degree than the current system. A move towards notional patient-ownership is indicated by the following improvements:

•    There will be the facility to lock down information in a virtual ‘sealed envelope’ so that it cannot be viewed.

•    NHS staff directly involved in treatment will require permission before they can view the SCR (unless the patient is unconscious). The database creates an audit trail which records who has viewed the records (under the current system, unauthorized viewing of a paper file is undetectable).

•    The patient will be able to view their own record online giving greater ease of access and knowledge of what records contain.

•    Though it is not encouraged, a patient can opt-out.

The conclusion is simple; the precautions and conditions instated to allay concerns over the Spine represent an improvement in data-management and those principles should be imposed onto existing records management. No individual should have information entered onto any database without first being informed and given the opportunity to opt-out. Paper files should be sealed with numeric security tags to keep an audit trail of access. Internal electronic records with a practice or hospital should also automatically create an audit of access. Patient access to records and their right to have errors amended should be made easier and any charges for this dropped. The ‘sealed envelope’ principle should be applied to paper records so that health care users can choose to hide sensitive data and have it stored in a secure archive away from the main record.

The NHS Spine prompted a valuable debate but the size and unfamiliarity of the project distracted commentators from the uncomfortable truth that underneath the familiar experience of the friendly surgery which manages records, many of the concerns raised already exist.  Whether or not the NHS Spine is taken forward, this discussion has opened a window of opportunity for the wholesale reform of an inadequate medical records system.

Judith Eydmann read biological sciences at King's College, London before pursuing a career in biomedical publishing, working on a range of science and medical journals with Elsevier and then Current Science Group. She currently works for the Catholic Bishops' Conference and is undertaking a Master's in bioethics, writing her thesis on the ethics of Mental Health Law. She can be contacted at judith.eydmann AT cbcew.org.uk (replace AT with @ and remove spaces). 

-------------------------------

1.    IT Pro.  April 2010. NHS responsible for a third of security breaches.
< http://www.itpro.co.uk/622768/nhs-responsible-for-third-of-data-breaches > Accessed on May 22nd 2010.

2.    British Medical Association.  May 2010. Summary Care Record - joint statement from the BMA GPC and NHS Employers.
< http://www.bma.org.uk/images/scrstatement_tcm41-196948.pdf > Accessed on May 22nd 2010.

3.    Philip Johnston, “Medical records belong to us, not the state, Telegraph 3rd May  2010”

4.    Guardian Technology. July 2006. Patients, not the state, own medical records, says GP. http://www.guardian.co.uk/technology/2006/jul/06/epublic.guardianweeklytechnologysection  > Accessed on May 20th 2010

5.    Antoinette Rouvroy and Yves Poullet. 2009. "The right to informational self- determination and the value of self-development. Reassessing the importance of privacy for democracy." Reinventing Data Protection. Ed. S. Gutwirth, P. De Hert, Y. Poullet. Springer, 2009.

• Social Justice

There have been 0 replies to this Article. + Post your comment here.