Hester hits back over TPP patient data security concerns

  • 27 March 2017
Frank Hester with former Prime Minister David Cameron on a trade mission to China (picture from the TPP website)

TPP founder Frank Hester has written to the health secretary Jeremy Hunt, arguing that restricting his company’s data sharing scheme to address security concerns would be detrimental to patient care.

It comes as the BMA wades into the increasingly murky debate over who controls access to the GP records of millions of patients.

The doctors’ trade union is now calling on the thousands of GPs using TPP’s SystmOne electronic record to “urgently consider any action they need to take”, including switching off the system’s “enhanced data sharing function”.

“It has become clear that if patient records are being shared through TPP… GPs are unable to specify which other organisations can have access to their patients’ records.”

This differs from the Information Commissioner’s Office’s latest advice that recommends GPs do not switch off SystmOne’s sharing function, despite ongoing data security concerns.

SystmOne is used by about a third of GP practices in England and holds the records of millions of patients.

Earlier this month, it was revealed that the Information Commissioner’s Office had “data protection compliance concerns” about SystmOne’s “enhanced data sharing”, which was first introduced in 2012.

Some media have reported that it allowed patient records to be viewed by “thousands of strangers” not involved in their care. TPP has disputed these claims, stating that patients’ records cannot be accessed without their permission, except in emergencies.

Hester’s letter, obtained by Digital Health News, shows he has taken umbrage at some of the proposed changes to address the ICO’s concerns.

“I passionately believe that to stop or restrict sharing in SystmOne would be a detriment to both patient care and the service that can be provided by doctors,” he said.

In particular, he said a proposal to make TPP’s data sharing possible only regionally, rather than through its current national “enhanced data sharing function”, was “flawed”.

He also objected to a recommendation to limit the scope of the patient information shared, at the discretion of the patient’s GP.

“Our own sharing model used to work in a way whereby doctors could limit the record and restrict what was shared. However, collectively, it was decided this was clinically unsafe and that it would be better to share the whole record.”

As well as Hunt, Hester sent his letter to senior leaders at NHS England and NHS Digital.

Both NHS organisations declined to comment on the letter, referring Digital Health News to an earlier statement. A Department of Health spokeswoman said the health secretary would reply to Hester and referred Digital Health News to the same earlier statement.

That statement said that all parties were working together to address the ICO’s concerns and a “full response plan will be implemented by summer”.

However, Hester’s letter suggested that there remains deep disagreement between GPs, NHS leaders and TPP about how best to share GP patient data.

In a statement provided to Digital Health News, the BMA said the current SystmOne sharing model had patients worried and placed GPs in a concerning position.

“Urgent steps must now be taken by the system provider to address these important issues and to restore confidence of both patients and the profession.”

Hester’s argument against regional data sharing, which he claims would be riskier for both patient care and privacy, also runs counter to the latest NHS guidance on data sharing, not just for GPs but across the NHS.

While still at an early stage, the NHS has been consulting industry on a new national data sharing scheme that would be built on regional collection along STP footprints.

Patient data would then be pooled in a national “data lake”, but this may only hold population-level data, either de-identified or anonymised, rather than full patient records.

The disagreement also raises many of the issues that most concerned GPs about the now defunct care.data national data sharing scheme, specifically that it left them unable to fulfil their obligations as data controllers for their patients.

Read Digital Health News’ editorial on the TPP data sharing scheme controversy here.

33 Comments

  • I note in this correspondence that nobody has bothered to answer Suzanna’s concerns about her data breach. Why is this? I have one answer. Like me, Suzanna is a patient, not an IT professional. We do not express ourselves in a way that is acceptable to professionals. Or, our problems seem trivial to these experts. It seems that we do not deserve an answer.

• Sorry, that was my statement quoted by Suzanna. An S1 provider is any service using S1 as their clinical records system. Which is generally found in GPs and community services such as District Nurses. However there are also Out of Hours services, hospices, prisons and some hospital trusts, a couple of social services and a few mental health trusts using S1.

      To access a record the service needs to register that patient for care and record that the patient has given consent for them to view the record. When consent is recorded that service will see any S1 record, where the patient has given consent for that other service to allow it to be shared.

      All and every access to a record is fully auditable and there should be no reason why you can’t request a copy of your records from your GP (assuming they are on S1). Failing that your local Information Governance team at the CCG should be able to help you.

I suspect that the reason why nobody answered the question was because without knowing all of the details it’s hard to be constructive.

      Also we are all patients too. I take my data security very seriously and no system is 100% perfect, but knowing what I do about S1 and about record keeping generally I personally have more faith in the way S1 shares, or doesn’t share, data than any other model or system out there.

• What is the procedure for obtaining details of all occasions on which my records were accessed by an individual or organisation since 2013? I now understand, by following these posts, that this info can be obtained through an audit trail which would identify these parties. Urged by the NDG to make a complaint via Ombudsman/ICO, I only need clarification without obfuscation to explain events since that date. I believed my practice had an in house DG, later revealed to be admin staff only. Now in communication with an unidentified digital NHS staff member (I can only assume) silence is again deafening.

    • Just yesterday I watched ANOTHER doctor leave me in a room alone with their smartcard in and a patient record open.

      The struggle is real.

      • “For any S1 service to view my data I would have to register for care with them. I then have the choice whether to allow that service to either contribute data to my shared record or not, as well choosing to allow them to see my shared record or not. Further more I can apply this decision to my whole record, or just to particular events or items on my record”

        What defines an S1 provider? I believe this may be where my own breach(es) occurred. But nowhere along the line was I given any choice. I believe that my entire record was accessed with profound effects on me. What is the point of having an SCR turned on when the patient may be seeing a redacted version! Further I am finding there are obstacles in the process of requesting an audit trail. It really is proving to be an Orwellian Big Brother. Further, once the former PALS are contacted, their own investigating people have access to the entire record, making a mockery of opt out. It’s basically opt in lite. I didn’t give them permission. Are they perhaps S1 – and the legal Dept? Words not unadjacent to guy and fall spring to mind in my case.

  • I agree with a lot of the excellent comments made above – but in some places you have citywide care records that are not shared based on consent but the ability to provide the best service to those individuals in the form of direct care. The water is, as ever, muddied.

I totally support the point that for data to be processed, then that processing has to be fair and lawful. It’s not fair if the individual doesn’t know what’s happening with the data and who it’s being shared with. If it’s not fair then it can’t really be lawful.

    I am going to come down hard now. This mess is caused by some poor GP Practice Managers who are almost oblivious to information governance and GPs who think that this process is somebody else’s responsibility. Well, it’s not. GPs are the data controllers and therefore they are responsible for the consent process. Systm1’s sharing might be a little confusing but it’s fairly clear. GPs can’t hide behind “we didn’t know”. It’s your responsibility to know. If any patients are harmed as enhanced sharing is turned off (even for those who want to) then it will be the GPs who are responsible not the service provider.

I fully appreciate a lot of Practices completely grasp their responsibilities and do their utmost to inform patients. Some Practices have never heard of Privacy (or Fair Processing) Notices however, that is unacceptable (and soon to be illegal). I fear this debacle arose from the latter.

• “I personally am more concerned that My GP can choose to keep some patient access turned off so it is awkward for me to read my record on line when I want to”??? Quoi? This would explain how my SCR has evolved in layout and detail since my first sight of it. Are you saying that what I’m reading may differ from what any third party is reading?

    My Trust’s Information Governance office advised me that a patient can opt out even after a GP practice has released records. Having sent numerous opt out forms to my practice, I have still not received confirmation. Is this all still a work in progress? Where does a patient stand who has applied to opt out following data release? Is there a lockdown? No patient should be suspended in limbo. I am driven to bypass my surgery and communicate with the NDG. No way to run a grocery shop.

• Damian, you are correct but this is where we need to see proper leadership from the government and NHS Digital in partnership with the ICO to recognise the NHS as the data controller and be able to hold individuals to account for any wrongdoing. I think the GP is only the data controller for the GP record, the care trust for the community record etc but there is only one record in SystmOne; the interface just controls what you can see.
    I absolutely accept the right for the patient to choose when it comes to data sharing with an opt out model however any patient who does opt out needs to make an informed decision and take responsibility for their choice.

When it comes to social care I am sure all of us in the NHS are fed up with politics and organisational financial structures getting in the way of proper targeted joined up care. It may be time to reverse the 1970s decision and move social care back into the NHS so that the money flows with the patient. At the moment it costs the tax payer more money to keep people in hospital and hospitals are incentivised for high bed occupancy whilst councils struggle to afford social care bills so you have the situation where the NHS is incentivised to keep patients in hospital and so are the councils, though everyone knows it’s the worst thing for the person. Again to make a real change here will take Government leadership which is sadly lacking.

• The most important thing to remember in all this is that it is the patient’s record and this needs to be pushed harder; it is not the GP’s record or the nurse’s record but the patient’s record. Too many GPs think it is their record. In my experience most people are not aware that the NHS is not a single organisation and assume that the Doctor or nurse in front of them has access to all my medical information so they can give me the best treatment. There is no doubt that data sharing is an important issue but we need to put the medical information boundary as the NHS not each little NHS organisation. When it comes to Social Care it is important to share key elements of the record such as address and contact details and shared care plans. As the ICO has pointed out all the legal frameworks are in place; if anyone accesses my record without a valid reason to do with treating me they are breaking the law. Maybe TPP should add a feature to their patient App to show who’s looked at my record. I personally am more concerned that My GP can choose to keep some patient access turned off so it is awkward for me to read my record on line when I want to. Finally much of the anguish around record sharing could be ended if it was a crime for a corporation to use any part of a patient’s individual record without consent. As an example, should anyone make the mistake of passing my information to an insurance company without my consent then both the person who made the mistake and the insurance company can be fined at such a level as to make this kind of mistake or misuse too financially risky. We should have one NHS, one record per patient, not the medieval loose confederation of fiefdoms and empires that the NHS has become.

• Sadly life is more complicated than that. It is a record of the patient’s healthcare but it is the GP who is responsible for the safeguarding of the record, and the GP who can be fined if it is not kept safe (in technical terms the patient is the data subject but the GP is the data controller). The system suppliers (in this case TPP) are data processors and by law should only act on the instructions of the data controller.

      Patients should absolutely be able to decide what happens with their information but the GP is the one responsible for explaining the options, benefits and risks, ensuring there is no coercion, recording the patient’s preferences and then ensuring the patient’s wishes are enforced. GPs therefore need a computer system that they feel allows them to discharge that duty.

      Again I would point out that your comments regarding one NHS and one record are very valid if we are talking about the NHS but SystmOne is used in a number of settings outside the NHS and currently it is not possible to restrict data sharing to NHS only. Even if it were possible individual patients should still be able to choose not to share anything (not possible in SystmOne until recently and anyone who opted out in the past could still have their information shared).

  • This is a very pertinent point, especially in view of data entry from paper records. Ironic also in that data entry personnel are privy to hospital correspondence which may not be made available to the patient. That in itself is unethical.

• Getting the correct balance between data security and appropriate sharing of clinical data is very tricky. eDSM isn’t all bad, and as other posters have stated, can have huge clinical benefits. Its Achilles heel, and where I believe the ICO should be focusing its attention, is that there is no separation in SystmOne between a clinician accessing the record and an administrator accessing the record. While GPs et al are bound by professional standards to treat patient records in an appropriate manner, there are far fewer controls or incentives for admin staff to do so (I’m not suggesting all admin staff are using the functionality inappropriately, but the door is open should any rogue characters choose to do so).

  • There is a different perspective here. Whilst we debate the wrongs of data sharing, for a patient presenting with a serious illness in an NHS urgent care system, neither their record nor previous contact information is available to different clinicians. This places NHS 111, ambulance and GP out of hours clinicians at a serious disadvantage when trying to deliver safe care that meets both the needs and wishes of the patient. Have we forgotten that we have an equivalent duty to share information as well as protect it?
    In developing the right answer here, we should be learning the lessons of previous avoidable harm and death caused by the inadequacy of our current and fragmented urgent care information systems.

• No one is saying data sharing is wrong (or at least they shouldn’t be). In fact in the majority of cases data sharing is good. However patients have the right to choose whether their data is shared and to know who their data is shared with. This is pretty much all that is being asked for.

  • My data was shared without my permission, nationally, and only came to my attention when I noticed my SCR sheet accompanying a referral letter. The IT Mgr thanked me for pointing out the error in their system, but that it was “too late… it’s out there now”. The repercussions have been life changing. It seems there are or were, 3 or 4 categories under which past history could be listed. This decision was made (by whom?) arbitrarily and in my case, carelessly, and without the patient’s input. I have been unable to have clarified where this data went, whether it was edited, etc. I am prevented from making an official complaint as there is a form of blackmail whereby information is withheld from the patient “if there is a pending complaint with any Trust”! I am considering having myself “wiped” by applying through the Dept of Health as I already feel like a persona non grata. Ironically, the past history should have included 3 major health events which were missing from my records, and not past, resolved, transient matters relating to traumatic life events. I have been in communication with Dame Fiona and will be seeing my MP. But it’s rather like the police policing the police. It’s all the Government, silly. What a haphazard, amateurish shambles; beyond compare. I feel disposable; collateral damage.

• I fail to see how anyone could possibly agree to share their data when they cannot even see it themselves!!! Top of the list for the NHS has to be a mandate to give all people equal access to THEIR health data, even if the quality of that data is very variable. Just what are NHS leaders scared of? Maybe that the variance in the quality of that data for a “national” organisation is… embarrassing? Would this variance exist in government (gov.uk) and national private sector organisations (eg banks)? My honest opinion… absolutely not.

  • I’m sure much of the ICO concerns are around data controllers. If data is national, who owns what data? Was/is there enough control within TPP to allow for this segregation of who owns what data.

    However, I would argue the patient controversy is much less than we in the industry perceive. A lot of the public expect the NHS (as the brand they know, not the fractured network of organisations it really is) to have access to their data. That leads to no PROTESTS in the streets of people complaining that their data is potentially shared around the country.

    I do think that there is an issue for the ICO around data protection adherence in processes, but that this situation is mitigated in that patient consent to view is required.

I’m not a fan of the TPP data sharing model – i.e. it’s really one big database. But I believe instead in a system that should show you a view of the many records that exist about you, joined up by a Master Patient Index. However, I’m realistic in that this isn’t causing patient outrage nationally… maybe a good British grumble.

    • (See comment above) – if it was just NHS that might be ok but we are talking NHS, private providers, prisons, social care, hospices, care homes and more.

      We did a survey locally and the majority of people were happy to share within the NHS but that plummeted when people were asked about sharing with social care.

  • Not all processing of data needs to be nationally … local collection of data (and choice of systems), local operational, financial and clinical management processing of data … but with regard to national provider performance (NHS or other) and giving people control (and access to) their health data, national is the appropriate way forward.

• In my honest opinion, it is not playing fair to ask people to share all their data or none of it; a simple X in a box is not acceptable and will cause significant chaos. Sort our data out NHS. The best way to do that is to use pathways e.g. Person X chooses to share her data collected to fix a broken leg but not to share her data collected to control her hypertension. In addition, in technology volumes are no longer an issue and with regard to data, in order to treat all equally (that is what good technology does!!!), data should be being processed nationally.

  • Remember this? Procedure at a cardiac arrest;
    1) Take your OWN pulse……

This old medical mantra for young doctors is sound advice, ie you need to keep calm, especially in a crisis. This is a five year old issue so it would be wise not to make any sudden changes which might throw out the patient safety baby with the IG bathwater. The CCIO and CIO networks will undertake a measured review of these very complex issues and give an independent view in a few weeks. In the meantime, the old wartime motto “Keep Calm and Carry On” has much to recommend it.

    • I don’t think you understand the functionality within the TPP sharing model. The choice of which services can potentially see my data sits with me. So what would be gained from restricting sharing to within some imaginary line, if it is I who is making the choice of who sees my data?
      For any S1 service to view my data I would have to register for care with them. I then have the choice whether to allow that service to either contribute data to my shared record or not, as well as choosing to allow them to see my shared record or not. Furthermore I can apply this decision to my whole record, or just to particular events or items on my record.
      Also if I make the informed decision that I don’t want my data shared under any circumstances, then functionality also exists to prevent any sharing overrides. So at what point am I, the patient, not in control of my data?

      • Sorry that wasn’t in reply to you Joe!

      • If the decision really was only down to you then I don’t think the ICO would be so concerned. The reality is that it is supposed to be down to you but anyone with the right login and a few basic facts about you can register you at their organisation and answer the consent question on your behalf and then view your record. You would be unaware of this until you checked your online record or your GP discovered it.

        So if the system works as it should then you are right that they can’t access it without your consent but how do you assure yourself that every person in every organisation is properly trained and monitored? If it was NHS staff only I might be reassured (though have personal experience of NHS staff accessing records for personal gain). But when you add in social care, hospice, care homes, prisons etc then it becomes much harder to regulate.

        This is what concerns the ICO (amongst other things)

• I agree that someone could register me somewhere else without my knowledge and view my data by falsely recording my consent (data that I have already previously agreed could potentially be shared of course).
          However my GP would receive a task telling them of this fact. The person doing it would be clearly recorded in my record. This is no different to someone doing exactly the same with my SCR, although in that case I was never directly consented as to whether I was happy for an SCR, it was just assumed because I didn’t opt out. Why is e-DSM any different?
          There is also nothing to stop someone in my local acute accessing my paper records there, but of course the only difference is I would never know. There is always the risk that someone, somewhere will abuse their position, but the evidence will always be there. To not take advantage of the ability to have my full records available 24 hours a day to any S1 service I choose to share them with, because of a theoretical risk of unauthorised access, is in my mind missing the massive benefits.
          For me the second point you raise with regards to training is the real issue here. If all of us fully understood the functionality and implications of e-DSM AND had the time to fully explain this to all of our patients then we all could have full confidence in the system. However the fact we don’t shouldn’t be the reason we back away from the clinical benefits. Regulations to control access to clinical data need to be applied in exactly the same robust way to all organisations delivering care, irrespective of whether the provider is NHS or not.

          • ‘data that I have already previously agreed could potentially be shared of course’

            There is your first problem – even with explicit dissent to sharing your record can be accessed by anyone in any S1 organisation who has the right RBAC code.

            ‘I was never directly consented as to whether i was happy for an SCR, it was just assumed because I didn’t opt out. Why is e-DSM any different?’

            The difference is in the quantity – SCR has medication and allergies only. S1 shares the whole record. SCR requires an NHS Smartcard to access – eDSM does not. This further reduces the governance around it.

            ‘There is always the risk that someone, somewhere will abuse their position, but the evidence will always be there. ‘

            Agreed, and when the access is electronic there is more evidence – so this is not an argument to go back to paper, or for not sharing. The risk of abuse is greater the bigger the pool, and greater again in a less regulated pool.

            As the regulation currently exists the responsibility for securing the record is on the data controller and not the consumer or the data processor (though that will change with GDPR)

‘To not take advantage of the ability to have my full records available 24 hours a day to any S1 service I choose to share them with, because of a theoretical risk of unauthorised access, is in my mind missing the massive benefits.’

            I totally and 100% agree with you – YOU and I are happy to accept the risk for the benefits gained. However clearly not everyone thinks that way and the risk and benefit ratio is not the same for everyone. 1.4% opted out of SCR (which is a tiny subset of the data shared with eDSM) – that’s 750,000 people in England – should we really ignore this group of people?

• The issue with regional data sharing is that it is simply not as robust as national sharing. Patients do not conveniently live, work and die all within one STP. Some of them have the cheek to live in one STP but access the acute services across some imaginary line in another STP; heaven forbid some of them even go on holiday in other STPs!
    TPP’s negativity has nothing to do with ideology but is due to them refusing to move backwards, just to meet the other software suppliers half way. That would be to the detriment of the millions of us who have a S1 record now.

    • Regional data sharing based upon open standards (e.g. FHIR, XDS, OpenEHR) allows regions to share information with each other but it HAS to be with full citizen engagement and autonomy over consent. TPP may have been ahead of the game but things are moving on quickly and their solution seems a bit limited to meet the integrated data requirements of the new models of care outlined in the 5YFV.

    • Interestingly there has never been a request for regional data sharing in SystmOne. The only request has been for the ability to choose who you share data with – both the data controller and the patient should surely be able to do this?? The choice might be to only share locally or it might be to share nationally – but there should be a choice.

      Also this is nothing to do with the other system suppliers or meeting them part way. This is about the concerns the ICO, and others, have about the model of sharing. The other system suppliers do allow you to choose who you share with and if a patient dissents then nothing is shared (no override). TPP had access to exactly the same regulations and guidance that all the other system suppliers had and they made a conscious choice to go down the path they went down.

  • It is a shame that Mr Hester is so negative about regional data sharing schemes, and I don’t really understand his argument. Whilst it is undoubtedly true that in the long run national data sharing is best, we need to get there one step at a time so that we can earn the trust of the public and professionals involved and also demonstrate the benefits.

    Also pragmatically most people remain in their local area most of the time, and so the benefits of data sharing will largely be realised within the local health economy rather than all over the country.

    If we try to take an ideological stance that national data sharing is best and we should accept nothing else then we are likely to stall the whole initiative which will definitely be to the detriment of patient care.

    • All organisations, services and healthcare professionals have an obligation to ensure consent has been given before viewing any patient record.

In this regard SystmOne is no different to any other system – it is expected that explicit consent has been given before sharing is allowed, apart from in emergency situations where there is an auditable override function.

      SystmOne simply makes sharing between GPs and other NHS services much easier, which on the whole vastly improves patient care and NHS efficiencies.

I don’t argue that the NHS (including GPs) does a terrible job of recording consent and informing patients of how their information is being used; however, this is not the fault of TPP. Awareness of consent and sharing issues is an NHS-wide problem which in my opinion is mostly borne out by an eagerness to collaborate but also by lack of funding for training and a general ignorance around technical issues, particularly in the nursing and allied health professions.

      However, the alternative solution is doctors and nurses continuing to call GP practices and asking for information to be faxed over to clinics?

      Consent? Audit trail? Information security? I think not

  • “deep disagreement between GPs, NHS leaders and TPP about how best to share GP patient data”

    No mention of patients or privacy groups as usual.

    As a patient (data subject) this is very clear from my perspective. If you do not have my consent to share my data you should not be sharing it. If you are you are breaking the law.

    That said there is no way I could have meaningfully consented to this as it is completely unclear what is being shared with who and for what purposes.

    • This is the biggest point being made – that patients have not been clearly informed about what is shared and who it is shared with. In addition they cannot choose who their data is or isn’t shared with (it’s all or nothing). And until recently even if a patient expressly dissented from sharing this could still be over-ridden (this will still be the case for most as the ‘consent override’ block was not applied retrospectively).

      Whilst I am very supportive of greater data sharing surely it is not unreasonable to allow patients an informed choice?
