TPP sharing furore a reminder of the long shadow cast by care.data

  • 24 March 2017
TPP sharing furore a reminder of the long shadow cast by care.data

Care.data, the now defunct NHS patient data sharing scheme, casts a long shadow.

Even when not acknowledged, the fears that the scheme fostered, that the NHS was using, perhaps even selling, our medical data without our say-so, persists.

That fear erupted again this month, as reports emerged that the Information Commissioner’s Officer has raised “data protection compliance concerns” about TPP’s SystmOne.

SystmOne is the second most popular GP electronic record, used by 2700 practices and holding the record of millions of patients.  It’s important that the information held is secure.

The ICO hasn’t expand much on the nature of these concerns.  They relate to the system’s “data sharing function” and whether it holds patient data securely and processes it in a “fair and lawful” way.

Everything else is hotly contested.

Media reports have claimed that the sharing function allows “thousands of strangers” to look at your medical records, providing they have a log-in to TPP.

The “breach” was described as “truly devastating” by MedConfidential and “serious issues with potentially huge implications” by GP IT leader Dr Paul Cundy.

But TPP is adamant that it is all much ado about nothing.

The company points out that sharing has been turned on since 2012, and was rolled out with the full blessing of Connecting for Health, and input from the BMA and RCP.

Except in the case of emergencies, patients must give consent for their records to be viewed and, if records are viewed inappropriately, there is a full audit trial to catch the culprit.

So far there had been not one patient complaint about the system, the company says. Oh, and lives have been saved.

The truth is probably somewhere in between.

NHS leaders, to neutralise the concerns about a care.data like scheme, is moving to a more regional patient data sharing model. TPP’s sharing function is nationwide and proudly so.

Likewise, there is a move towards building an architecture for data sharing where it’s not technically possible to see or change a patient’s data without the right permissions (often supported by excitable slides about blockchains and distributed ledgers).

Like many other data sharing schemes, TPP relies instead on information governance and monitoring to make sure the right people look at the right file.

The question now becomes whether that’s enough.

The company could, with some legitimacy, argue that regulatory goal posts have been shifted. That its set-up was good enough in 2012, and nothing has gone wrong since (and did we mention the lives saved?).

Certainly, even critics of the scheme are not advising GPs to turn off the sharing function. It really does save lives.

However, TPP’s position ignores the heightened sensitivity to the handling of patient data since the care.data fiasco.

The public’s trust in the NHS, and by extension its IT systems, as reliable custodian of their health data had been eroded.

Everyone had a part to play in restoring it.

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

AI can help build sustainable services – but only if we mitigate its risks

AI can help build sustainable services – but only if we mitigate its risks

Concerns about AI should not stop progress. They should prompt us to think about how to apply such powerful processing, argue Rebecca Hughes and Paul…
Digital Health Coffee Time Briefing ☕

Digital Health Coffee Time Briefing ☕

Your morning summary of digital health news, information and events to know about if you want to be “in the know”. 👇  News 🧠 Cambridge…
NHS Greater Glasgow and Clyde trials tech for infant respiratory disorders

NHS Greater Glasgow and Clyde trials tech for infant respiratory disorders

A wireless device and software developed by NHS Greater Glasgow and Clyde’s West of Scotland Innovation Hub, is being trialled in young patients.

14 Comments

  • “So far there had been not one patient complaint about the system, the company says ” WRONG.

  • I once had the opportunity to hear the words ” You talk of keeping data secrete, well let me tell you there are no such things as secrets; not since the words ‘Let there be light’ were spoken.” The venue NPfIT at Excel London many moons ago.
    I believe that the NHS and all its sub-contractors (including GPs and Third sector) MUST be controlled by a single Employment Data Governance Protocol.
    Let us see what the GDPR brings forth for the health and social care sectors.

  • Damian is right in saying that Lloyds is a single organisation, so there is no need for its staff to have sharing agreements amongst themselves. I have argued for some years now that the solution to all this is to declare legally that the NHS is a single body, and that provided the NHS is paying for the treatment, subcontracting it, or simply responsible for it, it shouldn’t matter at all where the treatment is taking place: if it’s under the NHS umbrella, it should be considered as part of the same, single organisation. NHS staff shouldn’t need data-sharing agreements.

    I am hugely aware of the immense barriers to good sharing of medical information that have been raised by the inception of the DPA: many of my GP colleagues are now extremely anxious about sharing any information whatsoever, in case they inadvertently get hit by a draconian fine (which as GP partners they will have to pay out of their own pockets, whereas if an institution such as a hospital gets fined, it will ultimately be the taxpayer/patient care that suffers).
    The bottom line for me is simple: I understand entirely what the DPA is intended to achieve, and am in broad agreement with it in most areas of life: but in clinical practice it is no longer fit for purpose when dealing with the IT of a modern health system, and patients will undoubtedly suffer as a result if it isn’t brought into alignment.

  • Perhaps it is time for Tim Kelsey to return? For all his faults of the past I can think of no one better to lead this new phase and bring about a cultural change and an era of openness and trust.

  • Your comments noted – but:
    a) I can select who I want to share my financial data with
    b) I own my financial data and have full access to the records to check for accuracy of the transactions on the account (in fact, financial institutions recommend that the account holder always check for accuracy the transactions on their statement
    c) Errors and incorrect statements made on Health and Social Care records (errors, etc) are left completely unchecked – and it is these inaccurate data records which are being ‘shared’ and can result in increased risk to patient safety!
    On the basis of the banking analogy, would you be happy to just let Lloyds Bank tell you that there is no need to check the transactions on your bank account. I certainly know that personally check all financial statements received as I think that only I can check the accuracy of what is recorded. Perhaps some people, however, never check the items on their bank or Credit Card accounts?

    • With patient online you can see and share your medical records and you can also question the accuracy with your GP. There is still a way to go to get it working well but it’s getting there slowly. And with SystmOne Online you can now see who has accessed your record – something the banks don’t do.

      I must confess I don’t check every item on my bank statement and sometimes go for weeks without looking at it! We are all different.

  • Why not have an automatic audit trail visible to the patient?

    That would provide a deterrent to unauthorised access, since those listed could be asked to justify their actions. This is the procedure in Estonia. On opening the health record, a list of those who accessed the record is automatically generated and is visible. This includes the name, role, date and time of access and is visible in a separate frame.

    • M Tilney – this is one of the changes that TPP are making and patients will be able to see who has accessed their record through their online patient portal. This is certainly a good move and will act as a deterrent. The question is whether it will act as a deterrent to someone with malicious intent? And whether it meets the data protection regulations and common law duty of confidentiality.

      Imagine a wife and children are put in a place of safety from a violent husband/father. Having been denied access to his children he is desperate to find out where they live. He works at a site that uses SystmOne and, knowing name, dob, gender, it is easy for him to search and find where his children are.

      An extreme example but not beyond imagining and one abducted or harmed child is one too many. Of course the benefits have to be balanced against these risks and there needs to be options within the system to block this access.

      • Damian – What do other industries/environments do? in the of a bank account, for example, how do they prevent unauthorised viewing of records & transactions. I think that they allow control by the individual, who can easily change toe password and deny access. Why would not a similar process be effective in the Health & Social Care environment ie. give the individual control as who is allowed to access the record? Makes sense?

        • The situations are not the same.

          Take Lloyds Bank – though they have many branches they are one company and so have one registration with the ICO. So staff access isn’t actually data sharing at all. Plus as one organisation they can control who they employ and what access they have.

          Every single GP practice is a data controller in their own right so if any other organisation views the record then it is data sharing. This means every GP has to meet all the requirements of the data protection act (or risk being fined). GPs don’t have control over the employment or training of other organisations staff so how do they know they are using their patient’s data carefully?

          The TPP argument is that everyone in the NHS should have been trained and should abide by the rules. This is a poor argument in my opinion because working in the NHS means I know this doesn’t always happen AND TPP is not just in the NHS. SystmOne is used in NHS and private health providers, hospices, care homes, social care, prison’s / custody suites and secure units. I am not sure all those organisations have the same standards as the NHS. TPP were asked for an NHS only filter for sharing but declined.

          Coming back to the banking analogy. Imagine Lloyds Bank share your financial records not only within their organisation but also with all other banks – you might still be happy at that. But imagine they also shared with loan & mortgage companies, insurance companies, your employer, local councils and debt collection agencies. Would you still be happy to share everything? Would you be reassured by being told that people will only access your record with your permission?

          Maybe you would still be happy but I think plenty of people wouldn’t be and would justifiably want to be able to opt out of that sharing.

  • “So far there had been not one patient complaint about the system, the company says.” Well, yes. How would I even know that my GP is using SystmOne?
    “Except in the case of emergencies, patients must give consent for their records to be viewed…” Well I certainly haven’t been asked, and if I were, I would say no. And are they really claiming that in non-emergency scenarios, lives are being saved? I can’t imagine anything crucial done by this system that a bracelet couldn’t do.

  • Would you let a 3rd party ‘control’ and view your financial records?
    One of the main concerns of patients is that there is incorrect data recorded, which may affect patient safety and career prospects. If all patients had online access to their own Health and Social Care records, patients would check for accuracy and ensure patient safety. If persons are allowed full access to their own financial records, why are they not allowed to their full health and Social Care records? What is NHS and Social Services afraid of?
    Empowerment of patients leads to enhanced health and wellbeing – in my specific case, I have had online access to my GP health records since January 2014 and it has resulted in me being able to reverse type 2 diabetes, and high cholesterol!
    Why does Social Services continue to treat patients (and their carers) as the enemy? Please give respect to patients
    Quote from a direct of TPP = “the TPP system has been designed for GPs because they are the persons who pay for the system. We don’t need to make the system ‘patient friendly’ because patients do not pay for the system”
    The culture needs to change – patients are important!

  • Excellent piece. Keep calm and carry on.

    • Totally agree that panic and knee jerk reactions are not what we want from this. However that doesn’t mean that we shouldn’t give serious attention to this. We need to keep calm but not carry on regardless.

      Of course TPP are playing this down but that doesn’t mean it isn’t a problem. I’m not sure we can easily dismiss the concerns raised by the ICO, NHS England, NHS Digital, the BMA and others on the basis of a reassuring statement by the very company that is being scrutinised. Would you believe the tobacco industry’s claims of ‘smoking is a much ado about nothing’ when prominent organisations were saying otherwise?

Comments are closed.