David Evans is Senior Policy Officer at the Information Commissioner’s Office (ICO). In an interview with “The Information Daily.com” uploaded on 12 March, he spoke about data sharing in general, and specifically about care.data (elsewhere on this blog passim). There’s a video of his interview, which has a backdrop with adverts for “Boilerhouse Health” and “HCI Daily“, both of which appear to be communications companies offering services to the health sector. David says
care.data…the overall project is very good because it’s all about making better use of information in the health service…what care.data appear to have done is failed to get that message across
Oddly, this view, that if only the people behind care.data had communicated its benefits better it would have sailed through, is very similar to that expressed by Tim Kelsey, NHS National Director for Patients and Information and head cheerleader for care.data. Tim said, for instance, after the announcement of a (further) six-month delay in implementation
We have been told very clearly that patients need more time to learn about the benefits of sharing information and their right to object to their information being shared
Both David and Tim are right that there has been a failure of communication, but I think it is completely wrong to see it merely as a failure to communicate the benefits. Any project involving the wholesale upload of confidential medical records, to be processed and disclosed, at various levels of deidentification, to third parties, is going to involve risk, and will necessitate explanation of and mitigation of that risk. What the public have so far had communicated to them is plenty about the benefits, but very little about the risks, and the organisational and technical measures being taken by the various bodies involved to mitigate or contain that risk. Tim Gough has argued eloquently for a comprehensive and independent Privacy Impact Assessment to be undertaken (while criticising the one that was published in January
To be fair, NHS England did publish a PIA in January 2014, which does appear a little late in the day for a project of this kind. It also glosses over information which is extremely important to address in full detail. Leaving it out makes it look like something is being hidden
As far as I am aware there has been no official response to this (other than a tweet from Geraint Lewis referring us to our well-thumbed copies of the ICO’s nearly-superseded PIA Handbook).
To an extent I can understand Tim Kelsey feeling he and his colleagues need to do more to communicate the benefits of care.data – after all, it’s their job to deliver it. But I do have real concerns that a senior officer at the ICO thinks that public concerns can be allayed through yet more plugging of the benefits, with none of the detailed reassurances and legal and technical justifications whose absence has been so strongly noted.
In passing, I note that, other than a message from their very pleasant Senior Press Officer for my blog, I have had no acknowledgement from the ICO of my request for them to assess the lawfulness of previous health data upload and linking.
The ICO has kindly acknowledged receipt of my request for assessment, saying it has been passed to their health sector team for “further detailed consideration”.